How do we make XG report the public address of IMAP/SMTP/POP connections when in MTA mode?
This week I had to deal with a dictionary attacker probing our mail server for valid accounts, about 20-30 per minute. The logs on the mail server were woefully inadequate while in MTA mode. Since Sophos intercepts email traffic and reverse proxies the traffic to the servers, I only see the Sophos IP doing the IMAP port 587/tcp connections.
To stop the attack I had to activate SSH on the Sophos, run tcpdump 'port 587', and correlate the timestamps between Sophos and the mail server for the dictionary attack.
I was then able to block the public address space on the firewall to cease the attack.
Is there a way to make Sophos not report itself but the original source addresses while in MTA mode?
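Added example, not part of the original post: the timestamp correlation described above, scripted in Python. It assumes the capture was taken with `tcpdump -tttt -n 'port 587'` so each line carries a date; the mail-server log format, all addresses and the function names are constructed for illustration.

```python
import re
from bisect import bisect_left, bisect_right
from collections import Counter
from datetime import datetime, timedelta

# Inbound SYN as printed by `tcpdump -tttt -n 'port 587'`
SYN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
                    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.587: Flags \[S\]")
# Hypothetical mail-server failure line; adapt to the real log format.
FAIL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*auth failed")
FMT = "%Y-%m-%d %H:%M:%S"

def parse(lines, regex):
    """Yield (timestamp, *other captured groups) for each matching line."""
    for line in lines:
        m = regex.match(line)
        if m:
            yield (datetime.strptime(m.group(1), FMT),) + m.groups()[1:]

def rank_sources(capture, maillog, window=2, skew=0, ignore=()):
    """Per source IP, count failures logged within `window` s after its SYN.
    `skew`: seconds to add to mail-server times. `ignore`: the firewall's
    own addresses, whose proxied connections also appear in the capture."""
    syns = sorted(s for s in parse(capture, SYN_RE) if s[1] not in ignore)
    times = [t for t, _ in syns]
    hits = Counter()
    for (t,) in parse(maillog, FAIL_RE):
        t += timedelta(seconds=skew)
        lo = bisect_left(times, t - timedelta(seconds=window))
        hi = bisect_right(times, t)
        for ip in {ip for _, ip in syns[lo:hi]}:  # one hit per IP per failure
            hits[ip] += 1
    return hits.most_common()

# Constructed sample data (documentation and private address ranges).
CAPTURE = [
    "2024-05-01 14:02:10.101000 IP 203.0.113.50.40112 > 192.0.2.10.587: Flags [S], seq 1",
    "2024-05-01 14:02:10.150000 IP 10.0.0.1.51000 > 10.0.0.25.587: Flags [S], seq 5",
    "2024-05-01 14:02:12.300000 IP 198.51.100.7.50200 > 192.0.2.10.587: Flags [S], seq 7",
    "2024-05-01 14:02:13.020000 IP 203.0.113.50.40113 > 192.0.2.10.587: Flags [S], seq 2",
    "2024-05-01 14:02:16.400000 IP 203.0.113.50.40114 > 192.0.2.10.587: Flags [S], seq 3",
]
MAILLOG = [
    "2024-05-01 14:02:11 auth failed user=info rip=10.0.0.1",
    "2024-05-01 14:02:12 login ok user=carol rip=10.0.0.1",
    "2024-05-01 14:02:14 auth failed user=admin rip=10.0.0.1",
    "2024-05-01 14:02:17 auth failed user=sales rip=10.0.0.1",
]
```

A source that lines up with nearly every failure is the candidate for a firewall block; a source with a single hit is more likely a legitimate client that happened to connect in the same window.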