On the SMTP > Advanced tab you can configure additional security options of the SMTP proxy such as smarthost settings or transparent mode skiplist, among others.
SMTP header content of emails passing through Sophos UTM on AWS can be changed and/or deleted in Header Modifications.
Add/delete a header:
- Click on the Plus icon.
The Add Header Modification rule dialog opens.
- Select the requested Operation.
- Enter the Header name you want to change/delete.
1-255 ASCII characters are allowed.
- If you add a header, enter the Value the new header should have.
0-255 characters are allowed.
- On demand add a Comment.
Your settings will be saved.
To edit or delete a header rule click on the concerning icons next to the rule.
In transparent mode, the SMTP proxy intercepts email traffic transparently.
To enable transparent mode for SMTP, select the checkbox, select one or more ports to listen for SMTP traffic, and click Apply.
Additionally, you can add hosts and networks to the Skip Transparent Mode Hosts/Nets box that should not be subject to the transparent interception of SMTP traffic. To still allow SMTP traffic for these hosts and networks, select the Allow SMTP traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here to allow SMTP traffic for them. Click Apply to save your settings.
TLS certificate: Select a certificate from the drop-down list which will be used to negotiate TLS encryption with all remote hosts supporting it. You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.
TLS version: Select a TLS version to accept for SMTP connections. We recommend to use only the latest version for security reasons.
Require TLS negotiation host/nets: Add or select hosts or nets here which always require TLS encryption for email communication. Sophos UTM on AWS will then hold back emails if TLS encryption is not available for those hosts/nets for some reason, that means messages will stay in the mail queue until TLS becomes available again. In case TLS is not available within a reasonable period of time, sending attempts will be stopped and users will get a notification that their email could not be sent.
Require TLS negotiation sender domains: If you want to enforce TLS encryption for incoming emails for certain domains, enter those domains here. Emails sent from those domains without TLS will be rejected immediately.
Skip TLS negotiation host/nets: If a particular host or network should encounter problems with TLS encryption, you can enter it in the box and select the appropriate TLS certificate from the drop-down menu. This will cause Sophos UTM on AWS to skip TLS negotiation for this host or network. Click Apply to save your settings.
DKIM is a method to cryptographically sign outgoing messages. To use DKIM signing, enter your private RSA key (512–2048 bits) and the corresponding key selector into the respective fields and add the domains you want to sign emails for to the DKIM Domains box. Click Apply to save your settings.
For each outgoing email, you can add and customize a confidentiality footer informing users, for example, that the email may contain confidential or privileged information. However, the confidentiality footer will not be appended to the email if the email is a reply (i.e. having an In-Reply-To header) or if the content type of the email could not be determined.
Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render them invalid. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM on AWS. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.
Here you can configure the SMTP hostname and the postmaster address, among other things.
Postmaster address: Specify the email address of the postmaster of Sophos UTM on AWS to whom messages are to be forwarded that are sent in the form of firstname.lastname@example.org, where the IP literal address is one of the IP addresses of Sophos UTM on AWS. Accepting such messages is an RFC requirement.
BATV secret: Here you can change the automatically generated BATV secret used by the SMTP proxy. The BATV secret is a shared key used to sign an email's envelope MailFrom address, thus enabling detection of invalid bounce addresses. If you are using several MXs for your domains, you can change the BATV secret to be the same on all systems.
Max message size: The maximum message size that is accepted by the proxy. This setting applies to both incoming and outgoing emails. If your backend server has a limitation with regard to message sizes, you should set the same or a lower value here. Default is 50 megabytes.
Note – The maximum message size limit is 250 megabytes.
Max connections/host: The maximum number of connections per host the proxy allows. Default is 10.
Note – If the value is 0 the connection number per host is unlimited.
Max mails/connection: The maximum number of mails per connection the proxy allows. Default is 1000.
Max rcpt/mail: The maximum number of recipients per mail the proxy allows. Default is 100.
Footers mode: Here you can define how footers will be added to mails. MIME part will add the footer as extra MIME part. Existing part encodings are not changed and national language characters are preserved. The other method is Inline which means that the footer is separated from the main mail by the -- separator. With this mode you can choose whether the footer should be Unicode (UTF-8) converted or not. Unicode conversion upgrades the message to preserve national language characters in the footer.
A smarthost is a type of mail relay server which allows an SMTP server to route mail to an upstream mail server rather than directly to the recipient’s server. Often this smarthost requires authentication from the sender to verify that the sender has privileges to have mail forwarded through the smarthost.
Use a smarthost: If you want to use a smarthost to send mail, select the checkbox. In that case, the proxy will never deliver mail itself, but rather send anything to the smarthost.
- Smarthost: Select or add a smarthost object. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- Smarthost port: The default port for the smarthost connection is 25. You can change it if required.
- This smarthost requires authentication: Select this checkbox if the smarthost requires authentication. Both Plain and Login authentication types are supported. Enter a username and password into the respective fields.