"Complete IT solutions, Unquestionable Trust"

Blog

Filtering Office 365 Email Through a Sophos XG Firewalls

January 5th, 2018 (1 Comment)

Microsoft’s Office 365 comes with its own email protection and anti-spam. However, it is often found to let through too much obvious spam and provides little insight and control for both administrators and end-users.  

Leveraging the Email Protection module in the Sophos XG firewalls, not only provides you as the administrator greater visibility, and control over your anti-spam system, it also provides superior protection and ease of use for user’s self-managed quarantines.
On top of significantly reducing the chance of malicious messages making it to your end-users, you will also be able to leverage additional security features such as Data Leakage Prevention (DLP) and email encryption that is end-user friendly. This can be accomplished simply by having the Sophos XG processing your outbound messages as well. 

  1. Make sure the firewall is running firmware v17 or greater
  2. Make sure the firewall is set to MTA (Mail Transfer Agent) mode Protect / Email / General Settings / SMTP Deployment mode
  3. You should have a default firewall rule called “Auto added firewall policy for MTA” If not, change the SMTP deployment mode “Switch to Legacy Mode” then change back to “MTA” to have the rule auto-created.
  4. Ensure that SMTP Relay is enabled on the WAN System / Administration / Device Access
  5. Add the IP address ranges for Office 365 to the “Allow Relay from Host/Network” section. Protect / Email / Relay Setting / Host Based Relay / Allow Relay from Hosts/Network https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
    • Recommend creating them ahead of time in System / Hosts and Services / IP Host, adding a prefix to the description such as O365 will make them easier to find during configuration.
  6. Under Protect / Email / Relay Settings / Upstream Host / Allow Relay from Host/NetworksAdd New Item - Any
  7. Create the SMTP policy. Protect / Email / Policies - Add Policy / SMTP Route & Scan
    • Protected Domain - email domain (i.e. internalit.ca)
    • Global Action - Accept
    • Route By - Static Host
      • Perform an NSLOOKUP or find the IP address used by your Office 365 MX record (i.e. internalit-ca.mail.protect.outlook.com) and Create and/or Selected Host
    • Adjust other security settings as desired.
  8. Set the Office 365 connector. https://technet.microsoft.com/en-us/library/dn751020(v=exchg.150).aspx
    • Log into the Office 365. Go to Admin / Admin centers and select Exchange
    • Go to mail flow / connectors and add new connector (+)
      • From - Office 365
      • To = Partner organization - Next
      • Give the connector a name - Next
      • When do you want to use this connector - Only when email messages are sent to these domains - Enter “*” for the value - Next
      • How do you want to route email messages - Route email through these smart hosts - Enter the public IP for XG WAN or FQDN - Next
      • How should Office 365 connect to your partner organization's email server - Always use Transport Layer Security (TLS) to secure the connection (recommended) - Add Any digital certificates, including self-signed certificates (if using the Sophos self-signed cert)-> Next
      • Validate and Finish (Might not successfully Validate until MX and SPF are changed)
  9. Make sure that a FQDN is set for the XG under Protect / Email / General Settings / SMTP Settings / SMTP Hostname
  10. DNS – Change MX record to point to the Sophos XG (IP or FQDN)
    • Update SPF record to include the Sophos XG or +mx (v=spf1 +include:spf.protection.outlook.com +mx -all) - This adds the Sophos (new MX record) but also allows for 0ffice 365 direct.

Reader Comments (1)

Pieter Van Kampen said on June 6, 2018

Hi, thanks this is a very clear story, with easy to follow steps. One question though. I would only like to use the Sophos to handle only incoming mail (spam, antivirus, sandbox) for Exchange, and leave the outbound email to Exchange. So changing the MX record will have the mail delivered to the Sophos, but how does it end up in Exchange 365? What of the above can I drop when leaving out the outbound email? Thanks, Pieter

Leave a comment:

"All of you have done a TOP NOTCH job for us. We love seeing Max on the rare times that he needs to come in."

Tina Best - The Alberta Library

"The guys have been lifesavers, they answer when I phone, they respond quickly when a crisis develops and they talk to me in layman’s terms."

Nancy Buchko - Barrister & Solicitor