Sophos appliance quarantine functionality

We plan on having all email sent to a 3rd-party sandbox provider who will forward all email not convicted in their sandbox on to our Sophos email gateways.  

We’d like to set up the Sophos boxes to quarantine, on the Sophos appliance, all email with attachments and have the appliance send a notification email to the intended recipient that they have a quarantined email to retrieve. We’d like all email without attachments to flow on through to our Exchange servers – not quarantined.

Is the functionality I mention above supported by the Sophos email appliances?



  • Hi Mike,


    You can do virtually anything you like; however, there will be considerations.

    If you have an upstream relay accepting and processing emails, you will lose IP-based scanning protection such as delay queue. You will also not be able to use the blocker service, so you will need to change your filtering options.

    As for your attachments, just make an additional policy for attachments and change the size to 1. You should also omit picture files like .jpg, .png and .tiff as well (or set a larger file size), otherwise every email with someone's Facebook picture will catch.

    As for quarantine issues, just create another rule to scan headers for whatever X-headers the upstream device is adding.

    You will not need any specific rule to deliver downstream to Exchange. Granted, if you make a delivery immediately rule with all of the above rules, your functionality of the appliance may be quite limited.

    The best way to do what you're trying to do is:

    Deploy a VM in front of your FireEye server. Configure it to use delay queue and filtering options. Change the spam rules to tag subject "spam" and continue (or add an X-header), then make another rule to quarantine a copy of all email and deliver the copy to your FireEye server. Once your FireEye server processes it, have it deliver the message to another virtual SEA that is configured with all of your rule sets but has the FE server and the upstream appliance set as trusted relays. Then apply the rest of your policy and deliver the message downstream. (Don't cluster the two appliances. The limitation is an email can only have 1 action, so deliver, quarantine or delete; make sure the action is last.)

    This would allow you to filter connecting MTAs, clone all email and then do the rest of your processing and have your user quarantine on the other appliance.

    Keep in mind this is a somewhat tricky configuration outside of the "normal" setup, but it is possible.
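
The attachment rule and the upstream X-header check described in the reply above, modelled in Python as an added example; it is not part of the original thread and is not Sophos appliance configuration. The header name `X-Sandbox-Scanned`, the `.jpeg`/`.tif` extensions and the `example.com` addresses are assumptions made for illustration.

```python
import os
from email.message import EmailMessage

# Assumptions, not from the thread: placeholder header name and extension list.
UPSTREAM_HEADER = "X-Sandbox-Scanned"   # hypothetical header added by the upstream sandbox
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".tif", ".tiff"}  # picture files exempt from quarantine


def risky_attachments(msg):
    """Return filenames of attached parts that are not exempt picture files.

    Only the final extension is compared, case-insensitively, so
    'photo.jpg.exe' is not treated as a picture.
    """
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
            names.append(name)
    return names


def decide(msg):
    """Return one final action per message, plus who to notify and why."""
    files = risky_attachments(msg)
    return {
        "action": "quarantine" if files else "deliver",
        "notify": str(msg["To"]) if files else None,        # recipient gets the notice
        "upstream_seen": msg[UPSTREAM_HEADER] is not None,  # did the sandbox stamp it?
        "files": files,
    }


def build(to, files=(), scanned=True):
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", to, "sample"
    if scanned:
        msg[UPSTREAM_HEADER] = "clean"
    msg.set_content("body text")
    for name in files:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for sample in (["report.pdf"], ["PHOTO.JPG"], ["photo.jpg.exe"], []):
        print(sample, decide(build("user@example.com", sample)))
```

A message whose `upstream_seen` value is false did not carry the sandbox header, which is the case the header-scanning rule in the reply is meant to catch.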