Sophos Mailflow: Certificate-Based Connector (Part 2)

16 Feb 2024

This is part 2 of the release notification on the Sophos Mailflow Rule (MFR) Certificate Based Connector.

As mentioned in the last release notification, we have enhanced the onboarding flow for Sophos MFR to align with Microsoft’s latest connector policy. Going forward, new MFR onboarding will create and use certificate-based connectors (instead of IP-based ones). This new configuration involves the addition of a subdomain of 'xgeconnector.com' to the accepted domain list of your M365 tenant. There is no change in the product’s capability or user experience.

Migration Status Of Existing Connectors:

The automatic migration has been completed for the customers for whom Sophos had the necessary M365 permission. Note that Sophos needs the ‘domain read/write’ permission in order to add the subdomain of 'xgeconnector.com' to M365.

However, we couldn’t migrate a few customers because Sophos didn’t have this permission for their accounts. Manual migration is required for these customers.

Checking Connector Status:

If your connectors are not migrated to the new configuration, you will see a banner on the Sophos Central Email Dashboard. If you see this banner, you must initiate the manual migration.

Manual Migration:

There are two options to migrate:

OPTION 1: Disconnect and reconnect the domains in (Settings --> M365 Mailflow Domain Settings/Status). This is an easy method. However, this will bypass the protection for a short duration (during the disconnect and reconnect process). Hence, you should execute this during off-peak hours. No emails will be lost.

Note: If you have multiple domains in a single M365 tenant, make sure you disconnect all domains of the tenant before attempting to reconnect one by one.

OPTION 2: Add the necessary permissions in M365 manually and inform Sophos. Sophos will execute an automated script to migrate these connectors.

For detailed instructions on each of the two options above, please refer to this article.

Urgent Deadline:

This is urgent. As per this blog post from Microsoft, the connectors must be updated by 31-Mar-2024. If the migration is not complete by 31-Mar-2024, the outbound email flow may get disrupted.

Sandeep Rai 1 month ago

Hi, We also disconnected and reconnected. But could only see the IP address in reference and not the certificate. PM'd you with more details.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Santosh Barnwal 2 months ago in reply to JamesGolden

Hi James, that shouldn't happen. Can you send the details to Santosh.barnwal@sophos.com, please?
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
JamesGolden 2 months ago

I just went through and disconnected my domain, cleaned up mail flow rules and reconnected, but the new rules created by sophos still use IP addresses. Aren't they supposed to create rules by certificate now?
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel