Select which public IP MTA responds to
When running the MTA, it responds on all the public IP addresses available on the XG. To stop the MTA working on those public IPs, you can create a firewall rule that does port forwarding to a non-existent IP address. This stops the MTA working on those public IP addresses.
When you do a port scan on those public IP addresses, port 25 still shows as open.
I think it should be possible to configure which public IP addresses the MTA actually listens on.
Support suggested I should raise this as a feature request.
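The post above distinguishes two things a port scan cannot: whether TCP/25 accepts a connection, and whether an MTA actually answers on it. The following probe, added here as an illustration and not part of the original thread or any Sophos tool, classifies each address as closed, open-but-silent, or answering with an SMTP 220 greeting. The listeners it spins up on 127.0.0.1 are constructed stand-ins for the firewall's public IPs so it runs offline; point `probe_smtp` at your real addresses to verify the DNAT workaround.

```python
import socket
import sys
import threading


def probe_smtp(host, port=25, timeout=3.0):
    """Classify how an address answers on the SMTP port.

    Returns:
      'closed' - TCP connect refused or timed out
      'open'   - TCP connect succeeded but no 220 greeting arrived in time
                 (what a plain port scan reports as "open")
      'smtp'   - a 220 greeting arrived, i.e. a real MTA is answering
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "open"
            return "smtp" if data.startswith(b"220") else "open"
    except OSError:  # ConnectionRefusedError and socket.timeout are OSError subclasses
        return "closed"


def start_listener(banner):
    """Constructed local stand-in for one public IP.

    Binds an ephemeral 127.0.0.1 port. With a banner it behaves like an MTA;
    with banner=None it accepts the connection and stays silent until the
    client gives up, which is how "port open, nothing behind it" looks.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    try:
                        conn.recv(1)  # block until the prober times out and closes
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(timeout=1.0):
    """Run the probe against the three constructed cases and return the verdicts."""
    mta_port = start_listener(b"220 mail.example.com ESMTP ready\r\n")
    silent_port = start_listener(None)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # grab a free port, then release it so nothing listens
    tmp.close()
    return {
        "real_mta": probe_smtp("127.0.0.1", mta_port, timeout),
        "open_no_mta": probe_smtp("127.0.0.1", silent_port, timeout),
        "closed": probe_smtp("127.0.0.1", closed_port, timeout),
    }


if __name__ == "__main__":
    # Usage: python probe.py 203.0.113.10 203.0.113.11 ...  (addresses are hypothetical)
    targets = sys.argv[1:]
    if not targets:
        for name, verdict in demo().items():
            print(f"{name:12s} -> {verdict}")
    else:
        for ip in targets:
            print(f"{ip:16s} tcp/25 -> {probe_smtp(ip)}")
```

Only the `smtp` verdict means mail would actually be accepted on that address; `open` matches the thread's observation that a port scan still reports 25 as open after the dummy DNAT, and the probe assumes an MTA greets with a standard 220 line within the timeout.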
In the configuration of the MTA, you never specify the public IP on which the MX record is published. As per the architecture of XG, once you configure MTA mode, it will start listening on all the public IPs configured (primary + alias).
As of now, you will need to go with the dummy DNAT configuration only, and this requirement to allow selection of the public IP in the MTA configuration needs to be raised as a feature request on https://ideas.sophos.com/
For Sophos, assigning Built-in services to only a single IP is already possible:
How? Under ACL, not all the services are listed.
This can be done with local-in policies in the CLI.