
New Mailflow setup

I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:

Sophos Mailflow doesn't currently support the following:

What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?

After switching to the Mailflow method from the Gateway method do I also need to:

1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?

2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?

Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?

Thanks,

Mark.



Edited tags
[edited by: Raphael Alganes at 6:04 AM (GMT -7) on 7 Jun 2023]
  • Hi Mark,

    With the new Mailflow setup we are giving customers a new way to integrate Sophos Central Email with M365. Without the Mailflow setup mail would typically be routed inbound as follows: Sending Domain -> Central Email Gateway --> M365. Outbound would use the reverse path. With the new Mailflow setup the routing on emails is changed as follows: Sending Domain -> --> M365 --> Central Email Gateway --> M365 (outbound will again use the reverse path).

    Due to the fact that the order of processing has changed (Sending Domain -> --> M365 --> Central Email Gateway --> M365) we can no longer enforce TLS using Sophos Central Email. This is because M365 is the platform that has the links to the external domains.

    Once you start using the new Mailflow setup you should remove the old connector to prevent messages from being scanned twice, you can read more on this in the documentation, see: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/MailflowGatewayDisconnect.html.

    And finally, the Sophos Banners will be added (inbound) and removed (outbound) as expected with the new Mailflow setup.

    One final comment, you do not have to move to the new Mailflow setup, the Gateway based approach can be used as well :).

    Marcel


  • Hi Marcel. Thanks for the info. To clarify about TLS, are you saying that the Sophos option for "Email Security - Enforced TLS Connections", for enforcing TLS with particular partners, is no longer available? But that all communications between Sophos and M365 will use TLS as standard?

    The other question that was not answered was, do I need to remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules? It sounds like this would not apply under the new Mailflow method.

    Will the email therefore be scanned by default M365 spam/AV/etc first and then by Sophos?

    Will my users thus start getting quarantine messages from Microsoft and Sophos?

    I'm just trying to understand the changes better. I think the new Mailflow method may be preferable as it removes the need to change MX records to reroute email through Sophos. We are a reseller as well as an end user, so I am interested in the fact that Mailflow sounds easier to set up when first creating an account for a customer.

    Thanks,

    Mark.

  • A couple of points.

    A. You should not turn off the Bypass EOP in M365. In my personal testing I found tons of FP messages sent to the junk folder if EOP was left on.

    B. If you don't turn off spam/AV/etc your users will get 2 quarantine messages as you noted.

    Understand that what is happening is that when M365 receives the message it routes it to us (Central) via a connector; we inspect, protect and route it back to the M365 tenant using the MFR (connector) setup.

    As you point out, not having to change the MX record is often preferable for some.

  • As Tom already answered the Bypass EOP part I will only focus on the TLS part.

    Your assumptions are correct, we will still use TLS between M365 and Central Email but cannot enforce TLS between M365 and certain external domains. This can only be enforced when using the Central Email in Gateway mode.

    Mailflow is definitely easier to set up :)
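The replies above mention three Exchange Online objects an admin has to reason about when moving from the Gateway method to Mailflow: the old connector that should be removed so mail is not scanned twice, the "Bypass Exchange Online Protection" mail flow rule that Tom recommends keeping, and the TLS settings on the hop between M365 and Central Email. The script below is an added example written for this thread; it is not Sophos or Microsoft code and not from the linked documentation. It assumes an Exchange Online PowerShell session already exists (Connect-ExchangeOnline), and the two name patterns are placeholders you replace with whatever your tenant's connectors and rule are actually called. It only reads configuration and reports; it changes nothing.

```powershell
# Added example for this thread (not Sophos/Microsoft code).
# Assumes Connect-ExchangeOnline has already been run with an account that can
# read connectors and transport rules. Name patterns are placeholders.

function Get-MailflowMigrationReport {
    param(
        [string]$ConnectorPattern  = '*Sophos*',                             # placeholder
        [string]$BypassRulePattern = '*Bypass Exchange Online Protection*'   # placeholder
    )

    $report = [System.Collections.Generic.List[object]]::new()

    # Inbound connectors: mail entering M365 from the Sophos side.
    # RequireTls / TlsSenderCertificateName show whether this hop is TLS-restricted.
    Get-InboundConnector | Where-Object { $_.Name -like $ConnectorPattern } | ForEach-Object {
        $report.Add([pscustomobject]@{
            Kind          = 'InboundConnector'
            Name          = $_.Name
            Enabled       = $_.Enabled
            ConnectorType = $_.ConnectorType
            RequireTls    = $_.RequireTls
            TlsSenderCert = $_.TlsSenderCertificateName
            Addresses     = ($_.SenderIPAddresses -join ', ')
            Domains       = ($_.SenderDomains -join ', ')
        })
    }

    # Outbound connectors: mail leaving M365 towards Sophos (smart hosts).
    # An empty TlsSettings value means no TLS requirement is configured.
    Get-OutboundConnector | Where-Object { $_.Name -like $ConnectorPattern } | ForEach-Object {
        $report.Add([pscustomobject]@{
            Kind          = 'OutboundConnector'
            Name          = $_.Name
            Enabled       = $_.Enabled
            ConnectorType = $_.ConnectorType
            TlsSettings   = $_.TlsSettings
            Addresses     = ($_.SmartHosts -join ', ')
            Domains       = ($_.RecipientDomains -join ', ')
        })
    }

    # The "Bypass EOP" transport rule. A rule of this kind normally sets SCL to -1
    # for mail that has already passed through the Sophos scan.
    Get-TransportRule | Where-Object { $_.Name -like $BypassRulePattern } | ForEach-Object {
        $report.Add([pscustomobject]@{
            Kind      = 'TransportRule'
            Name      = $_.Name
            Enabled   = ($_.State -eq 'Enabled')
            Priority  = $_.Priority
            SetSCL    = $_.SetSCL
            Addresses = ($_.SenderIpRanges -join ', ')
        })
    }

    return $report
}

$result = Get-MailflowMigrationReport
$result | Format-Table Kind, Name, Enabled, ConnectorType, RequireTls, TlsSettings, SetSCL, Addresses -AutoSize

# Items to review before (and again after) the cut-over.
$connectors = $result | Where-Object { $_.Kind -like '*Connector' -and $_.Enabled }
Write-Host ("Enabled connectors matching the pattern: {0}" -f @($connectors).Count)
Write-Host "After switching to Mailflow, any connector that still points at the old Gateway should be removed (see the Sophos disconnect documentation)."

# Connectors on the M365 <-> Sophos hop with no TLS requirement configured.
$noTls = $connectors | Where-Object {
    ($_.Kind -eq 'InboundConnector'  -and -not $_.RequireTls) -or
    ($_.Kind -eq 'OutboundConnector' -and -not $_.TlsSettings)
}
foreach ($c in $noTls) { Write-Warning ("Connector '{0}' has no TLS requirement configured." -f $c.Name) }

# The bypass rule Tom recommends keeping: warn if nothing enabled matched.
$bypass = $result | Where-Object { $_.Kind -eq 'TransportRule' -and $_.Enabled }
if (-not $bypass) { Write-Warning "No enabled rule matched the bypass-EOP pattern; check the rule name or create the rule." }
```

Run it once before the change to record the Gateway-era objects, and once after the Mailflow connectors have been created, so the remaining Gateway connector (and any connector lacking a TLS requirement) is visible rather than assumed. The report is deliberately read-only; removal of the old connector is a deliberate step taken from the documentation Marcel linked.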

  • Thanks both. I think it would be worth updating the help to clarify that it means "Email Security - Enforced TLS Connections" is not supported rather than TLS in general.

    I will try switching to the Mailflow method one weekend soon. I currently only have Inbound MX configured so am keen to get the Outbound scanning and use Banners more. I think it would be better to move to Mailflow to achieve this.

    One area that I have found issues with is that Sophos regularly misses phishing emails of the type where it links to an external website. I often get several "Phish delivered due to an ETR override" alerts from M365 each day. Is there any way to allow M365 to apply Phishing scanning to the emails but not anti-spam, or does the bypass EOP not allow this? I can create this as a new Post if you prefer.