Here is a short article on the configuration of Sophos UTM Email Protection in conjunction with an internal Exchange 2013 / 2016 server. I use these settings privately; most spam is reliably filtered and no viruses have gotten through so far. The question about the configuration of Email Protection came up in the article "Conversion from POP retrieval to MX record", so I will briefly describe the configuration here.
In order for the UTM to recognize valid, existing email addresses and reject mail to invalid recipients directly during the SMTP session, the UTM must know all of the organization's email addresses. Since Exchange 2013, this is only possible reliably by querying Active Directory. The SMTP callout method (called "server request" in the Sophos UI) always returns a positive result with Exchange 2013 or later. The reason is that Exchange checks recipients only in the backend transport, whereas the UTM makes its callout against the frontend transport, which accepts any recipient without verification at that point.
For the recipient check via Active Directory, AD must first be added as an authentication service:
A domain controller is specified as the server (or several domain controllers as a host group). Unfortunately, SSL has not worked reliably in conjunction with Email Protection for several UTM versions. The DistinguishedName of the AD domain is specified as the Base DN:
Email protection can now be activated:
The email domains for which the UTM should accept mail are specified under the "Routing" tab. These must match the accepted domains of the Exchange server. Mail can be delivered to the Exchange servers using a static host list. AD can now be used for recipient verification:
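To make the two checks described above tangible (the domain must be one of the routing domains, and the address must exist in Active Directory), here is an added PowerShell example that is not part of the article and not Sophos code. It reproduces the decision logic offline against a constructed list of AD-like objects; the domain names, user objects, DC hostname and Base DN are assumptions. The LDAP filter builder escapes the recipient address as RFC 4515 requires, which matters because the address comes straight from an untrusted SMTP session.

```powershell
# Added example (not from the article or Sophos): the recipient check the UTM
# performs against AD, reproduced so the decision logic can be read and run
# offline. All domains, DNs and user objects below are constructed.

# Accepted domains: must match the UTM "Routing" tab and Exchange accepted domains.
$AcceptedDomains = @('example.com', 'example.net')

# Constructed stand-in for the objects an AD search returns. proxyAddresses holds
# the primary (SMTP:) and secondary (smtp:) addresses of each mail-enabled object.
$AdEntries = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe'; proxyAddresses = @('SMTP:john.doe@example.com', 'smtp:jdoe@example.com') },
    [pscustomobject]@{ sAMAccountName = 'info'; proxyAddresses = @('SMTP:info@example.net', 'X400:c=DE;a= ;p=Example;o=Exchange;s=info;') }
)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a recipient address taken from an SMTP session cannot
    # change the structure of the filter sent to the domain controller.
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, otherwise the other escape sequences would be re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-RecipientLdapFilter {
    param([Parameter(Mandatory)][string]$Address)
    # proxyAddresses matching is case-insensitive in AD, so 'smtp:' finds both
    # primary (SMTP:) and secondary (smtp:) addresses.
    $escaped = ConvertTo-LdapFilterValue -Value $Address
    "(proxyAddresses=smtp:$escaped)"
}

function Test-RecipientAccepted {
    # Domain check first (foreign domains never trigger an AD query), then the
    # address lookup. Verdicts are illustrative, not the UTM's literal SMTP codes.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][object[]]$Entries,
        [Parameter(Mandatory)][string[]]$Domains
    )
    $parts = $Address.Split('@')
    if ($parts.Count -ne 2 -or [string]::IsNullOrEmpty($parts[0]) -or [string]::IsNullOrEmpty($parts[1])) {
        return [pscustomobject]@{ Address = $Address; Verdict = 'Reject'; Reason = 'malformed address' }
    }
    if ($Domains -notcontains $parts[1]) {
        return [pscustomobject]@{ Address = $Address; Verdict = 'Reject'; Reason = 'domain not in Routing tab (no relay)' }
    }
    $needle = "smtp:$Address"
    $match = $Entries | Where-Object { $_.proxyAddresses | Where-Object { $_ -ieq $needle } }
    if ($match) {
        return [pscustomobject]@{ Address = $Address; Verdict = 'Accept'; Reason = "found in AD ($($match.sAMAccountName))" }
    }
    [pscustomobject]@{ Address = $Address; Verdict = 'Reject'; Reason = 'unknown recipient (no proxyAddresses match)' }
}

# The filter a live lookup would send; the second call shows the escaping at work.
New-RecipientLdapFilter -Address 'john.doe@example.com'
New-RecipientLdapFilter -Address 'x*(y)@example.com'

# Offline checks against the constructed entries.
'john.doe@example.com', 'JDoe@Example.com', 'nobody@example.com', 'jdoe@otherdomain.test' |
    ForEach-Object { Test-RecipientAccepted -Address $_ -Entries $AdEntries -Domains $AcceptedDomains } |
    Format-Table -AutoSize

# Against a real DC the same filter is used (assumed hostname and Base DN; needs
# network access to AD, so it is left commented out here):
# $root = [System.DirectoryServices.DirectoryEntry]::new('LDAP://dc01.example.com/DC=example,DC=com')
# $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, (New-RecipientLdapFilter -Address 'john.doe@example.com'))
# $searcher.FindOne()
```

The order of the checks is the point: an address in a domain the UTM does not route for is rejected before any directory query, so the AD lookup only ever runs for the organization's own domains, and a malformed or hostile recipient string cannot turn into an LDAP filter with different semantics.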
I have configured the other settings in my environment, some of them are already configured by default, so here are just a few screenshots of the configuration:
You need to experiment a little with the data protection settings. For example, I have blocked the sending of account information. However, some rules are too strict and also block valid emails:
So that Exchange can also send outbound mail via the UTM, I have allowed host-based relay for the Exchange server. The "Authenticated Relay" option would also work here:
For mail transport to be encrypted, the UTM must have a valid certificate, and the minimum TLS version can also be set. It currently works quite well for me with "TLS 1.1 or higher". Requiring TLS 1.2 only caused many connections to become unencrypted again (fallback to plain SMTP), so I'd rather have a bit of encryption than none at all:
DKIM is also advisable; I have already described the configuration here:
Finally, the quarantine report can also be activated. Users then receive a summary of all mails that have ended up in the quarantine and can release them if necessary:
However, I have restricted the source networks here so that mails can only be released from internal networks. Which release options are activated depends on the requirements; I would initially only activate "Spam" here:
Exchange can be configured with a corresponding send connector so that all mails are routed centrally via the UTM:
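As an added example (not from the article), the send connector described above created with the Exchange Management Shell on Exchange 2013 / 2016. The server name, the UTM address and the connector name are placeholders; the cmdlets and parameters are the standard Exchange ones.

```powershell
# Added example (not from the article): send connector that routes all outbound
# mail through the UTM. Placeholder values, replace with your own.
$Utm       = '192.0.2.10'        # internal IP of the UTM (assumed)
$Exchange  = 'EX01'              # Exchange server running the transport service (assumed)
$Connector = 'Outbound via UTM'  # arbitrary connector name

# Address space * catches every external domain; the UTM is the smart host and
# DNS routing is off, so Exchange never delivers to MX records on its own.
# SmartHostAuthMechanism None matches the host-based relay allowed on the UTM.
New-SendConnector -Name $Connector -Usage Custom `
    -AddressSpaces '*' -SmartHosts $Utm -DNSRoutingEnabled $false `
    -SourceTransportServers $Exchange -SmartHostAuthMechanism None -Port 25

# The UTM presents a valid certificate, so the internal hop can insist on TLS
# instead of silently falling back to plain SMTP.
Set-SendConnector -Identity $Connector -RequireTLS $true

# Verify the result.
Get-SendConnector -Identity $Connector |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, RequireTLS, SmartHostAuthMechanism, SourceTransportServers
```

With -RequireTLS set, Exchange queues mail rather than sending it in clear text if the UTM's certificate or TLS configuration is broken, so check the queue (Get-Queue) after changing the UTM's TLS settings; if that strictness is not wanted on the internal hop, leave RequireTLS at its default of $false and rely on opportunistic STARTTLS.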