Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Strict enforcement of TLS for Encryption


To improve the security, Sophos Email implemented a stricter enforcement of TLS connection in accounts where the encryption or decryption was configured. The improvement worked well for a large majority of customer. However, it caused disruptions in email flow for a handful of customers who had not configured the TLS on their on-premise mail servers. To help those customers cope with this change, we have temporarily rolled back the changes.

Applies to the following Sophos product

Sophos Email


If you had not configured your mail server to accept TLS connection but you had configured Sophos Email to encrypt or decrypt, then you would have encountered "TLS Delivery Failed" error message for encryption emails.

What to do

From 26th October, we plan to resume the strict enforcement of TLS connection, if encryption or decryption is configured in your account.

You should configure encryption or decryption in Sophos Email, only after you have configured your mail server to accept TLS connection. The “Enforced TLS Connections”, “Encryption settings”, and  "S/MIME settings" options will require TLS v1.2 to be enabled on your on-premise mail servers and configured with the appropriate ciphers.

However, if you need more time to configure TLS on your mail server, then please do not configure the encryption or decryption in your Sophos Email account.

We expect on-premise mail servers to be more likely than M365 or G-Suite, to require configuration to accept TLS connection. However, we encourage all customers to check whether their mail servers are properly configured to accept TLS connection, before they configure encryption or decryption in Sophos Email.

Related Information

The relevant Sophos Email documentation page:

A screenshot showing the warning about mail flow disruption that will result, if the TLS connection is not accepted by your mail server.