WatchGuard Support Center
Knowledge Base - Article 000015830

Configure the Firebox SMTP proxy to work with Office 365 and other cloud-based email services

Information
How do I configure my Firebox SMTP-proxy to work with cloud-based email servers such as Office 365 / Exchange Online?
Many organizations are moving their core email infrastructure to cloud-based email services such as Office 365 / Exchange Online. To maintain control and security of your cloud-based email communications, we recommend that you route your email connections through the Firebox SMTP-proxy before they reach the cloud service.

Note: This functionality requires Fireware OS v11.10.2 Update 1 or higher.

Before you begin

For this to function, you must update the MX records for your email domain so that they point to the external IP address of the Firebox. Inbound mail is then delivered to the Firebox, which forwards it to the cloud-based email server.

Configure the SMTP-proxy 

To configure an SMTP-proxy policy on your Firebox to use cloud-based email servers:
  1. Connect to your Firebox and open Policy Manager.
  2. Add an incoming SMTP-proxy policy.
  3. In the From: field of your policy, select Any-External.
  4. In the To: field of your policy, add an SNAT entry.
  5. In the Set source IP field, configure the source IP as the external IP address of your Firebox. The cloud-based email server sends its responses to this address, not to the client that initiated the connection.
  6. In the Internal IP Address text box, type the IP address of your cloud-based email server.
If your cloud-based email server uses multiple IP addresses, you can create an SNAT rule for each address if you have enough external IP addresses available on your Firebox to support this configuration.

If you have only one external IP address, you can apply a server load balancing configuration through SNAT and add the IP addresses of the cloud-based email server.

Note: Mail will not be delivered if your provider changes the IP address of the cloud-based email server.

If you use Multi-WAN capabilities on your Firebox, the Firebox applies Multi-WAN rules to the connection. With failover enabled, the traffic is sent from the primary interface, which is not necessarily the interface on which the Firebox received the connection. This can cause a connection to fail if one of your Internet connections does not allow SMTP traffic.

Figure: Single IP address in an SNAT rule

Figure: Multiple IP addresses in a Server Load Balancing NAT configuration

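This configuration depends on two addresses staying correct: the MX records must keep pointing at the Firebox external IP ("Before you begin"), and the SNAT Internal IP Address entries must keep matching the addresses the cloud provider actually uses (the note above about undelivered mail). The following script is an added example, not WatchGuard code, that checks both from the command line. It assumes you supply the MX hostnames yourself (for example from the output of your DNS tool), a list of the SNAT targets you configured, and the provider's published SMTP hostnames; the hostnames and addresses in the demo table are constructed sample data, and a live DNS lookup via the standard library is used only when you call it with the default resolver.

```python
"""Drift check for the Firebox SMTP-proxy SNAT configuration (added example,
not WatchGuard code). Assumes a resolver callable returning the IPv4 A records
of a hostname; sample hostnames and addresses below are constructed."""
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses with live DNS (stdlib only)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed DNS answers for the offline demo (RFC 5737 documentation ranges).
DEMO_DNS: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.10"],  # MX host -> Firebox external IP
    "smtp.cloudmail.example": ["198.51.100.20", "198.51.100.21"],  # provider hosts now
}


def demo_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by DEMO_DNS."""
    return sorted(DEMO_DNS.get(host, []))


def check_mx_points_at_firebox(mx_hosts: Iterable[str], firebox_external_ip: str,
                               resolve: Resolver = system_resolver) -> Dict[str, bool]:
    """'Before you begin' check: each MX host must resolve to the Firebox external IP."""
    return {host: firebox_external_ip in resolve(host) for host in mx_hosts}


def find_snat_drift(snat_targets: Iterable[str], provider_hosts: Iterable[str],
                    resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Compare the SNAT 'Internal IP Address' entries with what the provider's
    hostnames resolve to now. 'stale' entries forward to addresses the provider
    no longer publishes (mail to them is not delivered); 'missing' entries are
    provider addresses that have no SNAT entry yet."""
    current = set()
    for host in provider_hosts:
        current.update(resolve(host))
    configured = set(snat_targets)
    return {
        "stale": sorted(configured - current),
        "missing": sorted(current - configured),
    }


def report(mx_hosts: Iterable[str], firebox_external_ip: str,
           snat_targets: Iterable[str], provider_hosts: Iterable[str],
           resolve: Resolver = system_resolver) -> bool:
    """Print both checks; return True only when nothing needs attention."""
    mx = check_mx_points_at_firebox(mx_hosts, firebox_external_ip, resolve)
    drift = find_snat_drift(snat_targets, provider_hosts, resolve)
    for host, ok in mx.items():
        state = "points at Firebox" if ok else "does NOT point at Firebox"
        print(f"MX {host}: {state}")
    print(f"stale SNAT targets:   {drift['stale'] or 'none'}")
    print(f"missing SNAT targets: {drift['missing'] or 'none'}")
    return all(mx.values()) and not drift["stale"] and not drift["missing"]


if __name__ == "__main__":
    # Constructed scenario: MX is correct, one SNAT entry is stale, one is missing.
    report(
        mx_hosts=["mail.example.com"],
        firebox_external_ip="203.0.113.10",
        snat_targets=["198.51.100.20", "198.51.100.22"],
        provider_hosts=["smtp.cloudmail.example"],
        resolve=demo_resolver,
    )
```

Run it from a scheduled job with the default resolver and your real hostnames; a non-empty "stale" list is the condition under which the note above says mail stops being delivered, so it is the value worth alerting on before users notice missing mail.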
After you apply this configuration, you can then configure your proxy security settings for email services, including SpamBlocker, Gateway Anti-Virus, and APT Blocker.

To make full use of this configuration, you must enable deep inspection of SMTP traffic because communications will primarily be sent using TLS over SMTP. In some cases, you may have to enable SSLv3 for compatibility with older mail servers.