Sophos XG: secure emails


In this tutorial, we will see how to secure emails with a Sophos XG firewall.

The firewall offers two modes of operation for filtering emails:

  • MTA : the firewall will act as an SMTP relay
  • Legacy : it will be placed in transparent mode, which we will see in this tutorial.

In both modes the security options are the same:

  • Antivirus filtering
  • Antispam filtering with possible quarantine
  • Filtering rules.

In the tutorial, we will take a tour of the various protection options available, the Sophos site offers a complete documentation of each available element.


  • Your sophos license must include email protection.
  • Mail servers must have been added to the hosts.

Add a rule for incoming emails

1. On the Web interface go to the list of rules (Firewall) 1 then click Add firewall rule 2 and choose Business application rule 3 .

New rule

2. In Application Template choose Email Servers (SMTP) 1 .

SMTP rule

3. Configure the rule:

  • 1 Name the rule.
  • 2 Source Wan.
  • 3 Public IP address for receiving emails.
  • 4 SMTP Services (S) port 25 and 587.
  • 5 Internal server that will receive emails.
  • 6 Zone where the server is located
  • 7 Check, check both boxes to enable security
  • 8 Check Log firewall traffic to have logs
  • 9 Click on Save.
SMTP rule

4. The rule is added 1 .

Rule added

Configure email protection

The protection of emails is accessible through the menu by clicking on Email.

General Settings

In this part is the general configuration of the SMTP security behavior.

I’m only going to introduce the modules that are used in the LEGACY mode

SMTP deployment mode

Change the function mode of SMTP MTA or LEGACY protection.

SMTP mode

SMTP settings

Adjusts the behavior for scanning attachments and enables reputation control and behavior.

Param SMTP

Messaging journal

This option allows you to configure sending incoming copy of email to another mailbox.

email log

I personally use this option to transfer messages from person leaving the company to the replacement. This will remove the box on the mail server.

Spam verification exceptions

Allows you to configure domains that will not be scanned by the antispam engine.

Spam verification exceptions

Anti-malware protection

Allows you to choose the antivirus engine (sophos or avira).



This section contains the control rules that incoming emails will undergo to know if they are sent to the mail server, quarantined or blocked.

They work like firewall rules, they are read from top to bottom. If an email is not filtered by any of the rules, then it is forwarded to the server.

Strategies rules

When adding a strategy, there are two choices

SMTP antimalware control

This control adjusts the antivirus behavior (single / double) depending on the type of attachment.

SMTP antispam control

This control makes it possible to configure the behavior of the antispam according to several criteria and to choose an action.


Quarantine report

This option allows you to set the email alerts sent to users if emails are quarantined on the firewall.

quarantine report configuration

Access to quarantine is not the user portal.

Portail user

Leave a Comment