Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Central Email Gateway TOC Cannot send this item

My client has been using the email gateway for some years now.

About 6 months ago my client reported that emails would not send, they received a message saying Cannot send this item.

After investigating I found it related to long URL's, once an email chain gets so long the links block the reply emails being sent
We use TOC via the email gateway, this is the cause of the issue as it rewrites the URL every time an email is sent even though it rewrote them previously.

MS released a fix for this in April:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-cannot-send-this-item-email-bug/

This didn't resolve the issue my client is having, the fix may have been for 365 TOC.

I have logged cases with support but not got anywhere, has anyone else seen this problem?



Added tags
[edited by: Raphael Alganes at 11:10 AM (GMT -7) on 2 Jun 2023]
Parents
  • It would be great to see a summary of what top level domains are being processed by Sophos TOC.  The current Time of Click Summary report shows a summary of the number of clicks, but no details.

    If we could see that 50% are from a trusted domain, we could add that domain to the URL allow list to help minimize this problem.

    Or Sophos could just fix the problem and shorten the TOC links...  that would stop this thread from getting the extreme amount of views it is getting.

  • Did you find a solution to this yet? What did you end up doing?

  • The issue seems to be way more prevalent on the current Office channel, so we're switching to the semi-annual enterprise channel, and that seems to help a lot, but doesn't completely eliminate the issue. This means we've also had to whitelist *.safelinks.protection.outlook.com in the Sophos Central portal. So we're not actually using Sophos Time of Click for email protection on sites that have gone through Exchange Online, which defeats the purpose of using Sophos ToC in the first place.

    I wish Sophos could just shorten their ToC links, but for some reason they just don't want to do that, and instead prefer that we stop using their product. 

  • Thanks for your suggestion. You said whitelist *.safelinks.protection.outlook.com in the "URL allow list" only?

  • Yes, that's right: Sophos Central -> Email Security -> Settings -> URL Allow List.

    Good luck! 

  • I've disabled Sophos TOC for the time being and haven't investigated again.  Everytime I think about it I wonder why I don't just scrap Sophos Email and use MS 365 Defender...  Will also look into  Øivind Hagenlund's suggestion of whitelisting safelinks.

  • It's stupid I turned off both "URL re-writes" but left "Time of Click URL Protection" turned on and had issues because it still did re-write urls and I do it see from sophos in Email security policys

    URL re-writes
    Re-write URLs in plain text messages. 
    Re-write URLs within securely signed messages. 
  • So I worked with support several months ago and I believe we found a decent work around. The issue is actually not so much the URL re-writes are long but actually because the O365 has its own URL re-write. Both system re-write each other and you end up with something outlook does not like at all. This is how we resolved it, I have not seen it in our environment in months.

    First you need to whitelist the safelinks URL as stated above. You may also want to consider whitelisting Proofpoint. Next you have to disable the URL re-write from the O365 side, this cannot be done via GUI if you have O365 Business basic like us. Those with Defender licenses actually have a toggle switch. I researched this for days and even contacted microsoft support which told me to go pound sand. I found an article not even related to what I was looking for that had the answer. You need to create a new mail flow rule with the following settings:

    Essentially where the problem originates is your O365 re-writes URLs first then Sophos goes in behind it and does the same thing. It's worth noting we're still using gateway mode and not Sophos Mailflow just yet. Mailflow might fix this issue.

Reply
  • So I worked with support several months ago and I believe we found a decent work around. The issue is actually not so much the URL re-writes are long but actually because the O365 has its own URL re-write. Both system re-write each other and you end up with something outlook does not like at all. This is how we resolved it, I have not seen it in our environment in months.

    First you need to whitelist the safelinks URL as stated above. You may also want to consider whitelisting Proofpoint. Next you have to disable the URL re-write from the O365 side, this cannot be done via GUI if you have O365 Business basic like us. Those with Defender licenses actually have a toggle switch. I researched this for days and even contacted microsoft support which told me to go pound sand. I found an article not even related to what I was looking for that had the answer. You need to create a new mail flow rule with the following settings:

    Essentially where the problem originates is your O365 re-writes URLs first then Sophos goes in behind it and does the same thing. It's worth noting we're still using gateway mode and not Sophos Mailflow just yet. Mailflow might fix this issue.

Children