Filtering Office 365 Email Through a Sophos UTM Guide


Microsoft’s Office 365 comes with its own email protection and anti-spam. However, it is often found to let through too much obvious spam and provides little insight and control for both administrators and end-users.
Leveraging the Email Protection module not only gives you, as the administrator, greater visibility and control over your anti-spam system, it also provides superior protection and an easier experience for users' self-managed quarantines.
On top of significantly reducing the chance of malicious messages reaching your end-users, you will also be able to leverage additional security features such as Data Leakage Prevention (DLP) and end-user-friendly email encryption. This can be accomplished simply by having the Sophos UTM process your outbound messages as well.
Send Mail to Your Sophos UTM
  • Create a definition for your Office 365 server
  • Log into the WebAdmin - Definitions & Users > Network Definitions > New Network Definition
  • Name = O365 Your Domain MX (or whatever you like)
  • Type = DNS host
  • Hostname = Enter your current Office 365 MX record value, usually formatted yourdomain-com.mail.protection.outlook.com
  • Save
Sophos DNS Host Definition for Office 365 MX record
  • If you plan to use outbound scanning (recommended), you will need to add all potential O365 servers. Note: outbound mail can originate from any server under *.outbound.protection.outlook.com
  • To make applying these ranges easier, it is recommended to create them directly in a definition of Type: Network group.
Creating Network Range (Subnet) Definitions in the Sophos UTM
Setting up the Email Routing on the UTM
  • Allow the Sophos firewall to receive emails from Office 365
  • Go to WebAdmin - Email Protection > SMTP and Enable
  • Select Simple mode and click Apply. Use Profile mode if you need different rules for multiple email domains.
  • Select the Routing tab and add (+) your email domains to the Domains list and click Apply
Adding email domains in the Sophos UTM
  • Click the folder icon in the Host List, drag the network definition for your Office 365 MX record that you just created into the box, and click Apply
  • Set up relaying on the UTM; this will be used for both inbound and outbound messaging
  • Select the Relaying tab, scroll down to the Host-based Relay section, and add (click the folder icon) the same network definition that you used in the Host List, or the network group definition that you may have created in the earlier steps.
Adding Host-based Relays to the Sophos UTM
Change DNS
  • Change your Office 365 MX record to point to your UTM's public IP address
  • If you are using WAN multilink on UTM, and have multiple ISPs, you may want to add MX records for each ISP. This will provide greater redundancy. DNS related changes may take up to 48 hours to take effect.
  • Add your Sophos UTM’s public IP(s) to your SPF record
  • Add the IPs directly after “v=spf1” in the following format: ip4:IP_Address1/32 (the /32 indicates a single IP)
  • Example SPF record that includes the Office 365 servers and your company’s public IPs: “v=spf1 ip4:1xx.2xx.1xx.2xx/32 ip4:2xx.1xx.2xx.1xx/32 include:spf.protection.outlook.com -all”
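An added example, not part of the original guide, showing how a receiving mail server evaluates an SPF record of the shape above: the ip4: mechanisms authorise the UTM's public IPs, include: defers to Microsoft's record, and -all rejects everything else. The UTM addresses, the contents assumed for spf.protection.outlook.com and the sender addresses are all constructed placeholders, not real values.

```python
import ipaddress

# Constructed example values; the guide's real addresses are redacted (1xx.2xx...).
UTM_IPS = ["198.51.100.10", "198.51.100.11"]  # hypothetical UTM public IPs
SPF_WITH_O365 = ("v=spf1 " + " ".join(f"ip4:{ip}/32" for ip in UTM_IPS)
                 + " include:spf.protection.outlook.com -all")
SPF_UTM_ONLY = "v=spf1 " + " ".join(f"ip4:{ip}/32" for ip in UTM_IPS) + " -all"

# Constructed stand-in for the DNS TXT lookup an SPF checker performs for include:.
# This is NOT the real content of spf.protection.outlook.com.
TXT_LOOKUP = {"spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, txt_lookup=TXT_LOOKUP, depth=0):
    """Evaluate sender_ip against an SPF record using only the mechanisms the
    guide's record needs: ip4/ip6 CIDR, include, and the trailing all."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            target = txt_lookup.get(arg.lower())
            if target is None:
                return "permerror"
            # include: matches only when the referenced record itself yields pass
            matched = check_spf(target, sender_ip, txt_lookup, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"           # mechanisms not covered by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # RFC 7208: no match and no all -> neutral

if __name__ == "__main__":
    for ip in ["198.51.100.10", "203.0.113.45", "192.0.2.7"]:
        print(ip, check_spf(SPF_WITH_O365, ip), check_spf(SPF_UTM_ONLY, ip))
```

Running it shows why the author leaves the include in: with SPF_UTM_ONLY, mail that Office 365 still sends directly (the constructed 203.0.113.45) hard-fails SPF.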
Turn off the Office 365 Spam Filter (sort of)
Now that you have Sophos providing your inbound email protection, you may or may not want Office 365 filtering as well. You cannot turn off the Microsoft protection, but you can create mail flow rules to bypass it.
  • Log into the Office 365 administration console - Admin > Exchange > Mail Flow > Rules
  • Click + and select Bypass spam filtering…
  • Name = whatever you like
  • Apply this rule if = [Apply to all messages]
  • Save and move rule to the top priority (if others exist)
Bypassing Office 365 Spam filters
To process outbound messages (needed for applying DLP, Data Leakage Prevention, and encryption), continue with these steps.
Set Office 365 to send outbound email to your Sophos UTM to be processed
  • Log into the Office 365 administration console - Admin > Exchange > Mail Flow > Connectors
  • Click the + to create a new connector
  • In the From section, select Office 365, and in the To section, select Partner Organization
Setting Office 365 outbound connectors
  • Click Next
  • Give the new connector a name, optional description, and decide if the connector should be enabled once it has been saved using the Turn it on checkbox
  • Click Next
  • Leave the default Only when email messages are sent to these domains selected and click the plus icon + to add the recipient/your domains
  • To route all outbound email to your UTM, enter * here and click OK, followed by Next
Selecting all domains
  • Choose one of:
      • Use the MX record associated with the partner’s domain, and enter an MX record that resolves to the external IP(s) of your UTM
      • Route email through these smart hosts, then click the plus icon + and enter the IP address or DNS name of your UTM’s external interface as the smart host
  • Click Save, followed by Next
  • Leave the default Always use Transport Layer Security (TLS) to secure the connection (recommended) and select Any digital certificate, including self-signed certificate, unless you have uploaded a trusted 3rd-party certificate to the UTM
TLS settings to connect Office 365 to the Sophos UTM for email filtering
  • Verify your settings and click Next
  • To validate the settings, add an email address of a recipient in a domain external to your organization and click Validate
  • Once Office 365 has successfully validated your settings, click Save
  • At this point, all email should be routed to and from your Sophos UTM. If you choose, you can edit your SPF record to remove the Office 365 portion (include:spf.protection.outlook.com -all). I prefer to leave it in for flexibility.