Scanning E-mail traffic with "Hosted Exchange" ?

Hi,

We will change our e-mail system from POP3/SMTP to "Hosted Exchange" (Exchange cloud mailboxes).

Is it possible to use the E-Mail protection to scan incoming and outgoing e-mail traffic?

Or must we have an internal Exchange/mail server?

Thanks for your help.



  • Hi Gooni,

    Are you asking if you can scan the flow of emails between your client devices and your Cloud email host, presuming it's Office365 or an Azure Exchange Server?

    If so, then that would be a yes and a no. Connection to Exchange is done over HTTPS, so that would fall under HTTPS decrypt and scan settings. And no, the email scanning engine cannot be used to intercept the flow of communications between client and Exchange unless emails were being sent over POP3/SMTP (unlikely unless you have a hybrid setup).

    However, what you can do is set up the XG as a mail transport agent between the internet and your cloud email host which would be as the following:

    • Incoming email: Internet > XG > Send email out to Cloud Email Provider
    • Outgoing email: Cloud Email Provider pushes email as outgoing relay > XG sends email out to the internet as itself > Internet

    This is far better served on v16 where you have the full capability of configuring the XG as a Mail Transport Agent wherein the XG becomes another hop in the chain of the incoming/outgoing mail delivery.

    Is that what you were asking?

    Emile

  • Hey Emile do you have any more information on this process?

     

    [However, what you can do is set up the XG as a mail transport agent between the internet and your cloud email host which would be as the following:

    • Incoming email: Internet > XG > Send email out to Cloud Email Provider
    • Outgoing email: Cloud Email Provider pushes email as outgoing relay > XG sends email out to the internet as itself > Internet

    This is far better served on v16 where you have the full capability of configuring the XG as a Mail Transport Agent wherein the XG becomes another hop in the chain of the incoming/outgoing mail delivery.]

  • BradC,

    make sure to

    • have the latest version v16
    • Go to Email > General Settings and switch to MTA Mode
    • Once it is applied, make sure to refresh the Webadmin page or click on another menu
    • Automatically a Firewall Rule will be created at the top to allow SMTP/S traffic
    • Create an SMTP Policy (adjust the policy as you want and make sure to insert the Domain and the Route by IP of your Cloud Email Server)
    • Go to Tab Relay Setting and add the Cloud email Server inside the "allow relay from"
    • Inside the General Settings TAB, adjust the SMTP Hostname with the Public RDNS you have published for your public MX record
    • If you need to use SMTPS, in the same tab, select the Certificate to be used (TLS certificate drop-down menu). You should buy and upload the certificate using the Certificate Menu

     

    These are the basic settings. Of course inside your Cloud email server you should relay email to XG Public IP and relay from XG Public IP.

  • It's like I can psychically reply to an information request directed at myself without even being awake, thanks Luk!

    Brad, if you need any more information on the setup considerations and pitfalls, feel free to ask but what Luk has roughly outlined is pretty much there:

    -point MX record at XG

    -point XG as route email by Host to the cloud email server

    -allow cloud email server to route emails via XG by entering it into the allowed relay settings

    -set up a PTR record for the mail host FQDN so basic spam checks won't fail

    -configure that hostname as the XG mail hostname under general settings

    -if you can set this in your cloud email provider, set the email provider to only allow incoming emails from the XG

    Hope that helps! :)

    Emile
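
Added example (not part of the original thread and not Sophos code): a small Python model of the relay and DNS checks the two checklists above describe, showing why "allow relay from" must list only the cloud email server and why the PTR record must match the SMTP hostname. All domains, IP ranges and record tables are constructed sample values (example.com, RFC 5737 addresses), and the decision logic is a generic MTA model, assumed rather than taken from the XG.

```python
import ipaddress

# Constructed sample configuration, not values from the thread.
PROTECTED_DOMAINS = {"example.com"}           # domain entered in the SMTP policy
ALLOW_RELAY_FROM = ["198.51.100.0/28"]        # cloud email server's sending range
DNS_MX = {"example.com": "mail.example.com"}  # MX points at the gateway
DNS_A = {"mail.example.com": "203.0.113.10"}  # gateway public IP
DNS_PTR = {"203.0.113.10": "mail.example.com"}


def relay_decision(client_ip, rcpt_domain,
                   protected=PROTECTED_DOMAINS, allow=ALLOW_RELAY_FROM):
    """Model what a gateway MTA should do with one recipient address."""
    rcpt_domain = rcpt_domain.lower().rstrip(".")
    if rcpt_domain in protected:
        # Inbound mail for our own domain: accept from anyone, scan,
        # then hand over to the cloud email server (static route).
        return "route-to-cloud-host"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in allow):
        # Outbound mail pushed by the cloud email server.
        return "relay-to-internet"
    # Foreign recipient from an unknown sender: refusing this is what
    # keeps the gateway from being an open relay.
    return "reject"


def check_dns(domain, smtp_hostname, mx=DNS_MX, a=DNS_A, ptr=DNS_PTR):
    """Return a list of problems with the MX / A / PTR records."""
    problems = []
    if mx.get(domain) != smtp_hostname:
        problems.append("MX does not point at the gateway hostname")
    ip = a.get(smtp_hostname)
    if ip is None:
        problems.append("gateway hostname has no A record")
    elif ptr.get(ip) != smtp_hostname:
        problems.append("PTR for the gateway IP does not match the SMTP hostname")
    return problems


if __name__ == "__main__":
    for src, dom in [("192.0.2.50", "example.com"),
                     ("198.51.100.5", "partner.test"),
                     ("192.0.2.50", "partner.test")]:
        print(src, dom, "->", relay_decision(src, dom))
    print("DNS problems:", check_dns("example.com", "mail.example.com"))
```
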
