Migrate Firewall Email Policies (MTA Mode) to Sophos Email
The rest of the instructions delve into two separate paths depending on what mode of email protection is being used on the Sophos Firewall; MTA or SMTP deployment (transparent) mode. With the intention of providing equivalent features on Sophos Email, to provide a smooth transition.
Migrating MTA Mode SMTP Policies
If you have multiple SMTP policies on the Sophos Firewall with different configurations, repeat these steps for each policy. An individual Email, Data Protection, or Encryption policy can be applied to specific Users, Groups, or Domains.
Spam protection
Sophos Firewall
Custom RBLs cannot currently be configured on Sophos Email. Greylisting is also not supported, however additional mail handling features such as the Sophos Delay Queue is automatically enabled for Sophos Email Advanced customers.
Sophos Email
Configure the spam settings found under Email Security > Policies > Policy Name > Settings > Anti-Spam
According to the equivalent actions listed below in Sophos Email
| Sophos Firewall | Sophos Email |
|---|---|
| None | Deliver |
| Warn | Tag subject line |
| Quarantine | Quarantine |
| Drop | Delete |
DNS Authentication checks such as SPF, DKIM, and DMARC are found under Email Security > Policies > Policy Name > Settings > Authentication with additional available actions such as: Conform to sender policy (where applicable), tag subject line, quarantine, reject, or deliver.
Malware protection
Sophos Firewall
Sophos Email
Malware protection settings can be configured under Email Security > Policies > Policy Name > Settings > Anti-malware
Emails can be either deleted or quarantined with additional advanced filtering such as Enhanced Email or Intelix Threat Analysis (zero-day protection on the Sophos Firewall). Unscannable emails or attachments are given additional actions such as tag subject line, quarantine, or delete.
File and Data protection
Sophos Firewall
Migrate any existing data protection or data control lists from your Sophos Firewall such as financial information or confidential information.
Sophos Email
Data control policy rules can be controlled through either inbound or outbound directions allowing for even greater flexibility. An equivalent file protection rule can be configured under Email Security > Policies > Data control: Policy Name > Settings > Inbound > Add rule
Selecting the Attachment file types (AFT) template.
Complete the rest of the sections and include any exceptions to the file protection rule by specifying specific Message Attributes or email addresses/domains. Select the action(s) to take on this rule and turn the rule “On” then select Save to commit the new rule.
The same steps can be followed for additional rules using the predefined Financial or Confidential information templates.
Encryption (General settings and SPX)
Sophos Email allows for four different methods of encryption; Send via TLS, Push Encryption (PDF encrypted equivalent to the Sophos Firewall SPX encryption), Portal Encryption (web portal Sophos Secure Message), and S/MIME. For more details on each type, please refer to Secure message methods.
Passwords will always be defined and setup by the recipient when using Push or Portal Encryption methods. Emails can be encrypted through Data control, M365 Outlook Plugin, or Secure Message policies.
Sophos Firewall
Sophos Firewall SPX global encryption settings are used under the Sophos Firewall SMTP policy, data protection actions.
Whereas SMTP TLS configurations are configured under Email > General settings.
Sophos Email
Under Email Security > Policies allows you to choose when and how to encrypt emails. This can be done in two policy types, Data control or Secure Message policies, allowing encrypted emails to be sent between specific emails, domains, containing specific subjects, plug-ins and more! For a more detailed look into additional secure message methods, please refer to Secure message methods.
To configure the equivalent Sophos Firewall TLS settings navigate to Email Security > Policies > Secure Message: “Base Policy – Secure Message” (if you have previously configured a Sophos Central trial account, you may see Migrated rules which are applied top down in precedence). From here the Settings allow you to control what method of TLS is preferred, do note, the connection from your mailserver and Sophos Email does require TLS to be supported.
To enforce different TLS settings to various senders or recipients, please create a new Secure Message Policy defining. Select Email Security > Policies > Add Rule > Secure Message. Then add internal and external selections to whom this rule will apply to, BOTH selections must be present to match.
Outbound banner settings (General settings)
Sophos Email allows for greater options and customization for outbound disclaimers.
Sophos Firewall
Sophos Email
Any existing banners from your Sophos Firewall can be migrated to various Sophos Email policies under Email Security > Policies > Email Security > Policy Name > Settings.
Banners can be added to plain-text only emails or HTML/RTF (rich text), which allows for additional customization such as font size, italics, bold, and more.
Blocked senders (General Settings)
Sophos email allows for emails, domains, or IPs to be added to the global blocklist/allowlist or even for an individual user through the Self Service Portal (SSP). The following steps will review over the globally blocked sender steps, additional details can be found here.
Sophos Firewall
Sophos Email
Domains, Emails, or IP addresses can be added to the global block and allow list under Email Security > Settings > Inbound Allow/Block
Matching any blocked emails will be rejected and be deleted.
DKIM (General Settings)
Sophos Firewall
Sophos Email
DKIM verification checks and desired actions are configured under Email Security > Policies > Email Security > Policy Name > Settings > Authentication.
If DKIM signing for outbound email is required, it can be done so under Email Security > Settings > Domain Settings / Status > Domain Name.
Select Add key and follow the on screen instructions. More information on DKIM Outbound Signing. At this time, you cannot migrate any pre-existing DKIM pairs from the Firewall to Sophos Email.
Quarantine settings (Quarantine digest/summary)
Similar to the Sophos Firewall, Sophos Email can notify end users if emails were quarantined as spam through quarantine summaries. Additional details on this feature can be found here.
Sophos Firewall
Sophos Email
The quarantine summary (digest) can be configured for specific days of the week up to 4 times a day. These will only be sent to mailboxes that apply to the configured policy with valid quarantined email (such as spam or bulk). This can be done under Email Security > Policies > Email Security > Policy Name > Settings > Anti-Spam.
Exceptions
Migrating Sophos Firewall exceptions will be done in multiple areas of Sophos Email. This is a good time to review and/or clean up any unneeded exceptions.
Sophos Firewall
To migrate every applicable exception, the following table will represent where each setting is mapped on Sophos Email compared to the Sophos Firewall.
| Sophos Firewall Exception | Scope | Sophos Email Equivalent |
|---|---|---|
| Antispam exception for specific sender and/or recipient | Specific Sender and/or Recipient |
|
| Antispam exception for all users (global) | Global |
|
| SPF & DKIM verification exception for specific sender and/or recipient | Specific Sender and/or Recipient |
|
| Zero-day protection / Intelix | Specific Sender and/or Recipient |
|
| Data and File Protection | Specific Sender and/or Recipient |
|