Follow These 3 Tips to Avoid Your Sophos XG IP Being Blacklisted

* This post may have affiliate links. Please see my disclosure 


Learn some best practices settings to avoid Sophos XG IP Being Blacklisted

The increase of spam campaigns and malicious activities has many security administrators increase their security measures to avoid suspicious IPs traffic. They also block traffic sources from well-known blacklists, which use various criteria to catalog IP addresses of email spammers.

If your IP ends up being marked by well-known blacklist providers, such as Spamhaus, getting your IP removed is very difficult, and your emails will be blocked.

Of course, there are other factors that impact your emails’ deliverability. However, it is imperative always to consider the best practice when configuring your gateway protection to avoid your public IP being blacklisted.

For those who use Sophos XG firewall as the primary gateway protection, I have created a list of best practices that can certainly help you reduce the risk of your public IP being blacklisted.

Configure These 3 Settings in Your XG Firewall:

Although the steps below are performed on the Sophos XG firewall, these best-practice concepts and settings are also applicable to other firewall vendors.

1 – Don’t  Allow Relay for Other IP Address Other Than Your  Email server

Don’t neglect this setting by leaving the option “any” as the allowed host IP or network. In fact, try to restrict this list as much as possible to make sure that only your email server or trustable managed network device relay emails on behalf of your main domain name. Also, check if the relay settings are allowing the entire WAN interface to open to the relay. If so, spammers will be able to relay emails from the domain.


Under Email > Relay settings > Host-based relay on this example below, note that only the exchange server IP is on the list of allowed hosts, while any others are set to block.

Relay- Exchange IP only

The second example below is not recommended since it allows the whole LAN network to relay emails:

Relay the LAN IP

LEARN MORE: More information on how to set up Sophos email protection here with MTA mode here

2 – Restrict or Block Outbound Port 25 on Your Network


Add a firewall rule only to allow outbound traffic connection on port 25 from your mail server. In general, there’s no reason to have another host be allowed to send outbound data on port 25. Keep it restricted only to your email server.


Upon configuration of email settings, XG creates an automatic firewall policy to handle inbound and outbound email traffic that contains all the security profiles for email protection. Make sure to position this policy on the very top of the list of firewall rules. This avoids the possibility of SMTP traffic not being inspected by the scan profiles.

SMTP auto rule sophos XG


3 – Enable Scan Outbound Emails

Under Email> General Settings >Advanced SMTP settings, select the checkbox  “Scan outbound mails”. By doing this, emails from inside of your network will be scanned for the same vulnerabilities as inbound emails.

Scan outgoing emails


Although addressing the three configuration components in your Sophos XG will give you better protection towards the avoidance of your IP be included in a blacklist, that doesn’t mean that your IP is invulnerable to being listed on a blacklist.

Keep in mind, other variables can also lead your IP to be blacklisted, such as email server settings, endpoint settings, DNS settings, etc. These variables will play an essential role in keeping your IP with a good reputation. However, I will not be covering those in this article.

I hope you found this information helpful. Let me know in the comments sections below if you have any other tips to complement this list.


Read more:  Tell-Tale Signs of Phishing Emails 2021

Juana Melo

I'm a self-taught security network engineer and blogger, sharing everything I'm learning along the way.

Leave a Reply

Your email address will not be published. Required fields are marked *