"Complete IT solutions, Unquestionable Trust"

Blog

Filtering Office 365 Email Through a Sophos UTM Guide

September 4th, 2015 (22 Comments)

Sophos and Office 365

Microsoft’s Office 365 comes with its own email protection and anti-spam. However, it is often found to let through too much obvious spam and provides little insight and control for both administrators and end-users.  

Leveraging the Email Protection module not only provides you, as the administrator, greater visibility and control over your anti-spam system, it also provides superior protection and ease of use for user’s self-managed quarantines.
On top of significantly reducing the chance of malicious messages making it to your end-users, you will also be able to leverage additional security features such as Data Leakage Prevention (DLP) and email encryption that is end-user friendly. This can be accomplished simply by having the Sophos UTM processing your outbound messages as well.

Send Mail to Your Sophos UTM

  • Create the a definition for your Office 365 Server
    • Log into the WebAdmin - Definitions & Users > Network Definitions > New Network Definition
    • Name = O365 Your Domain MX (or whatever you like)
    • Type = DNS host
    • Hostname =  Enter your current Office 365 MX record value, usually formatted yourdomain-com.mail.protection.outlook.com
    • Save
      Sophos DNS Host Definition for Office 365 MX record
  • If you plan to use outbound scanning (recommended), you will need to add all potential O365 servers. Note: outbound mail can use any random server (*. outbound.protection.outlook.com)
    • You can add server ranges by adding Network Definitions on the UTM for the subnets found on this list:  https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx (regional network breakdown found at the bottom of the page)
    • To make applying these ranges easier it is recommend to create them directly into a Type: Network group.
      Creating Network Range (Subnet) Definitions in the Sophos UTM

 

Setting up the Email Routing on the UTM

  • Allow the Sophos firewall to receive emails from Office 365
    • Go to WebAdmin - Email Protection > SMTP and Enable
    • Select Simple mode and click Apply.  Use Profile mode if you need different rules for multiple email domains.
    • Select the Routing tab and add (+) your email domains to the Domains list and click Apply
      Adding email domains in the Sophos UTM
    • Click the folder icon in the Host List and drag the network definition for the your Office 365 MX record that you just created into the box and click Apply
  • Setup Relaying on the UTM - this will be used for in and outbound messaging
    • Select the Relaying tab and scroll down to the Host-based Relay section and add (Click the folder icon) the same network definition that you used in the Host List or the network group definition that you may have created in the earlier steps.
      Adding Host-based Relays to the Sophos UTM

Change DNS

  • Change your Office 365 MX record to point to your UTM's public IP address
  • If you are using WAN multilink on UTM, and have multiple ISPs, you may want to add MX records for each ISP. This will provide greater redundancy. DNS related changes may take up to 48 hours to take effect.
  • Add your Sophos UTM’s public IP(s) to your SPF record
    • Add the IP’s directly after the “v=spf1” in the following format ip4:IP_Address1/32 (32 indicates a single IP)
    • Example SPF record that includes the Office 365 Server and your companies public IP’s:  “v=spf1 ip4:1xx.2xx.1xx.2xx/32 ip4:2xx.1xx.2xx.1xx/32 include:spf.protection.outlook.com –all”
    • You can use the following to validate your SPF formatting: http://www.kitterman.com/spf/validate.html

 

Turn off the Office 365 Spam Filter (sort of)

Now that you having Sophos providing your inbound email protection you may or may not desire to have Office 365 filtering as well.  You cannot turn off the Microsoft protection but you can create mail flow rules to bypass it.

  • Log into the Office 365 administration console -  Admin > Exchange > Mail Flow > Rules
    • Click + and select Bypass spam filtering…
    • Name = whatever you like
    • Apply this rule if = [Apply to all messages]
    • Save and move rule to the top priority (if others exist)
      Bypassing Office 365 Spam filters

To process outbound messages, (needed for applying DLP –Data Leakage Prevention and encryption), continue with these steps

Set Office 365 to send outbound email to your Sophos UTM to be processed

  • Log into the Office 365 administration console -  Admin > Exchange > Mail Flow > Connectors
    •  Click the + to create a new connector
    • In the From section, select Office 365, and in the To section, select Partner Organization
      Setting Office 365 outbound connectors
    • Click Next
    • Give the new connector a name, optional description, and decide if the connector should be enabled once it has been saved using the Turn it on checkbox
    • Click Next
    • Leave the default Only when email messages are sent to these domains selected and click the plus icon + to add the recipient/your domains
    • To route all outbound email to your UTM, enter * here and click OK, followed by Next
      Selecting all domains
    • Choose to either:
      • Use the MX record associated with the partner’s domain and enter a MX record that resolved to the external IP(s) of your UTM
        or
        Route email through these smart hosts option, then click the plus icon + and enter the IP address or a DNS name or your UTM’s external IP as the smart host
    • Click Save, followed by Next
    • Leave the default Always use Transport Layer Security (TLS) to secure the connection (recommended) and select Any digital certificate, including self-signed certificate unless you have uploaded a trusted 3rd party certificate to then UTM
      TLS settings to connect Office 365 to the Sophos UTM of email filtering
    • Verify your settings and click Next
    • To validate the settings, add an email address of a recipient from a domain, external to your organization and click Validate
    • Once Office 365 has successfully validated your settings, click Save
  • At this point on all emails should be routed to and from your Sophos UTM. If you choose, you can edit your SPF record to remove the Office 365 portion (include:spf.protection.outlook.com –all).  I prefer to leave it in for flexibility.

Internal I.T. Ltd. is a platinum Sophos partner and specializes in Sophos sales, services and renewals. For more information please Contact Us

 

Reader Comments (22)

Anthony said on September 22, 2015

I came across your blog "Filtering Office 365 Email Through a Sophos UTM Guide" via the Sophos Bulletin Board because I want to setup our users to utilize Outlook Web in O365. Microsoft is saying I need to delete the MX in my DNS settings (registrar) and only use theirs. I just finished setting up our email protection in our UTM and don't want to change it because it works so well. So do I need to delete the MX record? Not sure how to change the Office 365 MX record to point to the UTM's public IP address...in the registrar? Thanks

Brad said on September 23, 2015

Hey Anthony, If you have followed these instructions then you should be good. You are getting this MX record message from Microsoft because it is part of their system to check to make sure that your MX records point to them, thus allowing email to go to their servers. In this case you can ignore the warning since your MX record is pointing to your Sophos UTM which in turns forwards the message on to Microsoft once it is processed. Hope this helps ~Brad

Lukas said on December 8, 2015

Hi Brad, just for me understanding your Setup. You did an on-Premise UTM Mail Protection which forwards inbound to the Cloud Based Exchange and outbound the Cloud Exchange forwards to UTM?

Brad said on December 8, 2015

That is correct Lukas. Of course this same process would work if you were hosting your Sophos UTM on the cloud with a service like Amazon AWS

Mark Stoopman said on February 24, 2016

Great blog Brad thanx. Wish I'd found this one earlier (we have done it from scratch ourselfes :) It seems that O365 has changed something however, I don;t see the option "Set the spam confidence level". If I add the ip-adress of the UTM('s) to the trusted ip-adresse in the conenctionfilter setting, it could also bypas the spamfilter? I'll definately try and get back as soon as I know if this is the actual workaround)

Brad said on February 24, 2016

@Mark I just check and I still have those options (though o365 has been known to change things up). Try selecting "Modify the message proteries" then "set the spam confidence level (SCL)" form the "Do the following" section. I look forward to hearing how your test goes

Andrew said on March 3, 2016

Thanks for the article. really helpful. One thing we have noticed is that now the UTM is scanning for Av and AntiSpam, the sender IP in the email header changes to the public IP of the UTM. Office 365 then 'soft-fails' the SPF check. Is there a way to ensure the original header record is kept intact?

Brad said on March 3, 2016

@Andrew I very glad to hear that you found this guide helpful. Because of this I add the public IP of the UTM to the SPF record (see "Change DNS"). You might be able to achieve your desired method via the "Header Modifications" section of the UTM found under Webamin -> Email Protection -> SMTP -> Advanced. I have not played with that setting so I'd greatly appreciate you updating this tread with what you find.

Mark Stoopman said on March 3, 2016

I want to add a couple of things: You cab add redunancy if you have moren than one UTM, simply by adding two connectors. Also you can use encypted mail-flow between O365 and your UTM's by enabling a send connector to yr UTM's and having them encrypt using TLS and a valid certicate installed on your UTM. Another best practice thing is that you should use the send connector only when you send mail to external domains, otherwise you will not be able to send email internally.Alternative procedure: Make your send connectors dependant on a rule. Rule settings: If sender - domain is: add all your domainnames, Redirect the message to - the following connector: select your send connector. Except if...: teh recipient domain is: add your own domains again. I'm sure this helps to get it even better! :)

Brad said on March 3, 2016

@Mark Greet suggestions especially in regards to TLS, it never hurt to at the extra security were possible, even if it is just the last leg of the race:) As for adding the connector for external domain only, I do not see the need for this step as O365 by its nature will keep internal mail to its servers anyway, thus not sending it externally to begin with. - Please correct me if I'm wrong.

Mark Stoopman said on March 9, 2016

Hi Brad, I found out that sending internal emails were also sent to the send connector thus creating a SMTP loop. That's why I added the exception for internal domains. By the way, a complete other thing, but interesting as well I think: To secure everything on O365 to an airtight secure system, take a look at Bittitan.This product encrypts everything at Microsofts datacenters. Even MS could never access your data. Haven't tested with it yet, but I know a couple other products of Bittitan which work excellent. (No I'm not affiliated with them, it just works great)

Rob Corder said on October 5, 2016

Do you have a similar guide for setting this up with the XG? I am having some difficulty with this and am fairly new to this sort of thing! Thanks Rob

Brad said on October 11, 2016

@Rob, I have yet to create documentation on this process for the XG

Alan Mayer said on February 28, 2017

After configuring this I ran into a lot of SPF fails for incoming emails. Also, outbound email was being bounced back from external servers because I don't have reverse DNS setup on our Public IP address. Our ISP won't create a reverse lookup zone so I'm essentially out of look utilizing the UTM. Just a couple of things to consider when implementing this set up!

Brad said on February 28, 2017

Wow that's very odd for a business class ISP to not create a reverse DNS entry... I'd go higher up their technical food chain.

shahin said on July 7, 2017

@Brad, currently our UTM is configure with WAF to publish our exchange server, my queston is should we leave the WAF as it is or beside your configuration we should setup a DNAT rule to allow connection from outside to our exchange server? @Alan Hi Alan Iam also in process of checking how to use our UTM as the virus and spam detection. any luck with your setup?

Brad said on July 18, 2017

Hey @Shahin, I would not setup the DNAT, that would defeat the purpose of having the WAF and Firewall processing mail. The DNAT would (for lack of a better description) expose exchange server directly on the internet. Both the WAF and Email Protection creates a layer of separation between your server and the outside world.

limkapin said on September 29, 2017

Good write up and we are trying to setup a similar configuration with mailbox with Office 365 but all the mail filter is done our UTM email protection. I have gone through the guide 3 time but i cant figure out how to modify the Office 365 mx records to point to the UTM public IP. Our DNS host creates the records like this, domain "limkapin.com" MX record is like this "@ 3600 MX 0 limkapin.mail.protection.outlook.com". Question according to your guide how do you modify limkapin.mail.protection.outlook.com to point your UTM public interface.

Brad said on October 2, 2017

@limkapin you need to change your MX record to be the public IP of your UTM. Using your example your MX record should read similar to this: "@ 3600 MX 0 1.2.3.4" were 1.2.3.4 equals your public IP. Your UTM would them send the messages to your O365 account after they have been processed.

Simon Outing said on October 9, 2017

Hi Brad: Thanks for the guide, it worked great. My only slight concern is the end part where I had to change my MX record to be the IP address of my UTM. I did that and everything seemed to be fine and mail arrived but some peoples email refused to be sent to us with their email being rejected with the following message, "all relevant MX records point to non-existent hosts or (invalidly) to IP addresses". So the way around this was to create an "A" record which I called O365MAIL.DOMAIN.COM. I then re-edited the MX record to point to 0365MAIL.DOMAIN.COM and after a few hours that error has gone away. Hopefully I have done the correct thing as the multitude of external tests I have done seem to be 100% all okay.

Brad said on October 24, 2017

@Simon it sounds like you need to double check all your settings, there must be a typo or step skipped along the way

Benni said on July 24, 2018

Hey Brad, awesome post (and blog altogether). I actually set up our new environment up like that. Works like a charm :) Semi-related question: is it somehow possible to squeeze SPX in somewhere? I thought the UTM might apply SPX on the "way out", i.e. when my O365 sendconnector uses UTM to send mails outward. That doesnt work, hell, these outgoing mails are not even showing in the SMTP Proxy log... Any thoughts?

Leave a comment:

"After you guys set up our server and workstations everything just works. We hardly ever get to see you guys"

Tyler Wilson - Performance Compression and Sealing

"All of you have done a TOP NOTCH job for us. We love seeing Max on the rare times that he needs to come in."

Tina Best - The Alberta Library