I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:
Sophos Mailflow doesn't currently support the following:
What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?
After switching to the Mailflow method from the Gateway method do I also need to:
1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?
2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?
Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?
With the new Mailflow setup we are giving customers a new way to integrate Sophos Central Email with M365. Without the Mailflow setup mail would typically be routed inbound as follows: Sending Domain -> Central Email Gateway -> M365. Outbound would use the reverse path. With the new Mailflow setup the routing of emails is changed as follows: Sending Domain -> M365 -> Central Email Gateway -> M365 (outbound will again use the reverse path).
Due to the fact that the order of processing has changed (Sending Domain -> M365 -> Central Email Gateway -> M365) we can no longer enforce TLS using Sophos Central Email. This is because M365 is the platform that has the links to the external domains.
Once you start using the new Mailflow setup you should remove the old connector to prevent messages from being scanned twice, you can read more on this in the documentation, see: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/MailflowGatewayDisconnect.html.
And finally, the Sophos Banners will be added (inbound) and removed (outbound) as expected with the new Mailflow setup.
One final comment, you do not have to move to the new Mailflow setup, the Gateway based approach can be used as well :).
Hi Marcel. Thanks for the info. To clarify about TLS, are you saying that the Sophos option for "Email Security - Enforced TLS Connections", for enforcing TLS with particular partners, is no longer available? But that all communications between Sophos and M365 will use TLS as standard?
The other question that was not answered was, do I need to remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules? It sounds like this would not apply under the new Mailflow method.
Will the email therefore be scanned by default M365 spam/AV/etc first and then by Sophos?
Will my users thus start getting quarantine messages from Microsoft and Sophos?
I'm just trying to understand the changes better. I think the new Mailflow method may be preferable as it removes the need to change MX records to reroute email through Sophos. We are a reseller as well as an end user so interested in the fact that Mailflow sounds easier to set up when first creating an account for a customer.
A couple of points.
A. You should not turn off the Bypass EOP in M365. In my personal testing I found tons of FP messages sent to junk folder if EOP was left on.
B. If you don't turn off spam/AV/etc your users will get 2 quarantine messages as you noted.
Understand what is happening is that when M365 receives the message it routes it to us (Central) via a connector, we inspect, protect and route it back to the M365 tenant using the MFR (connector) setup.
As you point out not having to change MX record is often preferable for some.
As Tom already answered the Bypass EOP part I will only focus on the TLS part.
Your assumptions are correct, we will still use TLS between M365 and Central Email but cannot enforce TLS between M365 and certain external domains. This can only be enforced when using Central Email in Gateway mode. Mailflow is definitely easier to set up.
Thanks both. I think it would be worth updating the help to clarify that it means "Email Security - Enforced TLS Connections" is not supported rather than TLS in general.
I will try switching to the Mailflow method one weekend soon. I currently only have Inbound MX configured so am keen to get the Outbound scanning and use Banners more. I think it would be better to move to Mailflow to achieve this.
One area that I have found issues with is that Sophos regularly misses phishing emails of the type where it links to an external website. I often get several "Phish delivered due to an ETR override" alerts from M365 each day. Is there any way to allow M365 to apply Phishing scanning to the emails but not anti-spam, or does the bypass EOP not allow this? I can create this as a new Post if you prefer.
I enabled this recently and had a lot of issues with valid inbound users showing as unverified users due to spf fails because gmail and other common domains don’t designate our custom outlook domain as a valid sender. When Microsoft forwards the email to Sophos, Sophos checks the spf for gmail.com and gmail doesn’t have our outlook domain as a designated sender.
I also noticed issues with emails going to quarantine on the Microsoft side and bypassing Sophos entirely. The way Microsoft handles redirects to aliases bypasses the forwarding to Sophos. I could see in our message traces in exchange that the emails were being routed to the Sophos connector but when you check for the email in Sophos, a log doesn’t exist. Even when I setup the onmicrosoft.com domain in Sophos Mailflow, I experienced the same issue.
I opened a ticket with Sophos on this and was informed by support that they haven’t been trained on Mailflow because it’s still in EAP which makes me wonder why I’m being prompted to set it up in Sophos central; I’m not registered for the Mailflow EAP either. Doesn’t seem fully baked at this point and the issue with spf fails and unverified users needs to be addressed before we can migrate fully to Mailflow. I like the idea though and definitely seems more efficient than redirecting MX. Following this thread to see if others have similar issues.
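The SPF failure described in the post above (the forwarding hop's IP, not the original sender's, is what the SPF check sees) can be reproduced with a small evaluator. This is an added example, not code from the thread or from Sophos; the domains, SPF records and IP ranges are constructed, and `effective_client_ip` mimics the idea of skipping a trusted forwarder's hop before evaluating SPF.

```python
import ipaddress

# Constructed SPF records (not real DNS data); only ip4 and -all/~all are handled.
SPF_RECORDS = {
    "gmail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "contoso.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_spf(mailfrom_domain: str, client_ip: str) -> str:
    """Minimal SPF evaluation of MAIL FROM domain vs. connecting IP.
    Returns 'pass', 'softfail', 'fail', 'neutral' or 'none'."""
    record = SPF_RECORDS.get(mailfrom_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"

# Constructed Received chain as seen by a filtering service that got the message
# from M365: newest hop first, so the forwarder's IP comes before the sender's.
RECEIVED_IPS = ["192.0.2.10", "203.0.113.5"]  # [M365 outbound hop, original sender MTA]
TRUSTED_FORWARDERS = {ipaddress.ip_network("192.0.2.0/24")}  # constructed forwarder range

def effective_client_ip(received_ips, skip=TRUSTED_FORWARDERS) -> str:
    """Skip hops that belong to a trusted forwarder and return the first
    untrusted connecting IP; falls back to the oldest hop if all are trusted."""
    for ip in received_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in skip):
            return ip
    return received_ips[-1]

if __name__ == "__main__":
    # Naive check against the last hop: the forwarder's IP is not in the sender's SPF.
    print("last hop:", check_spf("gmail.example", RECEIVED_IPS[0]))          # softfail
    # Skipping the trusted forwarder hop restores the expected result.
    print("skip forwarder:", check_spf("gmail.example", effective_client_ip(RECEIVED_IPS)))  # pass
```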
Thanks for the info Caleb. It sounds like I should maybe hold off on converting for a while then whilst any early issues are fixed. I might try enabling the outbound Gateway option instead and see if that works ok for me. The Mailflow option would be better for us when onboarding new customers though, as the fact that the MX record does not need to be changed is a big help.
It went GA on Feb 28th so no longer in EAP, which would explain why you are being prompted to configure it. Since with Mailflow configuration SPF and DKIM have to be aligned in M365 or with whoever handles your DNS records, have you changed those to reflect the new configuration since the MX now points to protection.outlook.com? The emails going to quarantine on the Microsoft side likely have to do with still having EOP in the mix. I found that there were plenty of FP when I left EOP turned on; once I turned off / set the M365 SCL to -1 that stopped happening and messages were no longer misclassified by M365 and put in the junk folder. If you send me the ticket number I'll ask someone to dig a bit deeper.
Our SPF and DKIM are aligned with Microsoft with each of our domains. Our MX records for each domain are pointed to the custom domain that Microsoft 365 provides: <domain>-com.mail.protection.outlook.com
We weren't using Sophos Email Gateway before and this was a brand new setup. I will agree that EOP was probably still in the mix yet when Sophos Mailflow configures itself, it creates the spam filter bypass rule which sets everything inbound to -1 and also creates an enhanced filter that smart detects the last IP in the header.
Even the Sophos test email was failing SPF and getting flagged as an unverified user in Outlook:
Authentication-Results: spf=permerror (sender IP is 126.96.36.199) smtp.mailfrom=sophosemail.com; dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=sophosemail.com; compauth=fail reason=001
Received-SPF: PermError (protection.outlook.com: domain of sophosemail.com used an invalid SPF mechanism
Received: from mfid-usw2.prod.hydra.sophos.com (188.8.131.52) by SN1NAM02FT0063.mail.protection.outlook.com (10.97.5.98) with Microsoft SMTP
The case number is 04964707. I was informed by the engineer yesterday that it was still in EAP so forgive me for being misinformed.
I also reached out to our CSP and an Inside Sales Engineer from Sophos said that Mailflow was still in EAP and won't go GA until end of this qtr/start of next qtr and that email was sent to me today.
I replied with information regarding the issues we experienced but it got flagged as spam in here.
Here's the case: 04964707
As of yesterday, the engineer I spoke with told me that Mailflow was still in EAP and they weren't supporting it yet. Another inside sales engineer from Sophos sent me this in an email today:
Thu 3/3/2022 12:02 PM
The new feature message is auto set to display for a certain amount of time, and cannot be removed. It will stop showing after a certain period they set.
As for full GA of mailflow, it is set to be at the end of this qtr/start of next qtr.