Something weird in outbound MTA setting document

Question

Hi All,
I have always been skeptical about the setting of outbound MTA mode.
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailSPXFinancialData/index.html#add-an-smtp-route-and-scan-policy

In the encrypt outbound setting, the configuration manual instructs us to point the routing to the internal mail server.

But the outbound mails were received from internal mail server, The configuration manual instructs us to route outbound mails back to internal mail server? Wouldn't this cause an infinite loop?

I think the routing method should be modified as MX record for outbound domain.

Shunze Lee · Accepted Answer

I opened a case (ID: 06166848), support team give me a clear explanation finally. Regarding your query, the protected domain should always be your internal domain or the domain you want to protect. The behavior is that the firewall applies this SMTP route and scan policy both inbound and outbound. If the recipient is matched from the configured "protected domain" then it is considered an inbound mail, and inbound scanning/policy will perform. If the sender is matched from configured "protected domain" then it is considered an outbound mail then outbound scanning/policy/encryption will perform. And if both sender and recipient match, then recipient takes precedence, and inbound process/scanning will take place. The route by settings should always be pointing in your internal mail servers. This doesn't mean that all emails traverse/flows (either inbound or outbound) through the firewall will forward mails to the configured MX/ internal mail server/domain. Selecting MX, means that the firewall will perform an MX lookup on the recipient domain . Doing this, the firewall will now identify the mail if its an inbound or outbound mail, And inbound or outbound policy and scanning for the mail will now takes place. So if mails were inbound, since you are the recipient, firewall will perform MX look up and confirm the email route from the your domain/internal domain, and now will perform now inbound scanning/policy. Right after this, it will be send to your internal mail servers/domain. So if mails were outbound,, firewall will again perform MX lookup and confirm the email route to the recipient's/external domain, and now it will perform outbound scanning/policy/encryption. Then it will send the mail externally/ outside the network. 
 Judging from support team's statement, when both the sender and the recipient are protected domains, they will be handled in the inbound way, and cannot be done in the outbound way. I suggest that Sophos handle inbound and outbound with different policies, which will increase the stability of the settings and will not cause trouble for the administrator. 
 Shunze

Something weird in outbound MTA setting document

Top Replies