

New Mailflow setup

I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:

Sophos Mailflow doesn't currently support the following:

What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?

After switching to the Mailflow method from the Gateway method do I also need to:

1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?

2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?

Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?

Thanks,

Mark.



Edited tags
[edited by: Raphael Alganes at 6:04 AM (GMT -7) on 7 Jun 2023]
  • Hi Mark,

    With the new Mailflow setup we are giving customers a new way to integrate Sophos Central Email with M365. Without the Mailflow setup mail would typically be routed inbound as follows: Sending Domain --> Central Email Gateway --> M365. Outbound would use the reverse path. With the new Mailflow setup the routing of emails is changed as follows: Sending Domain --> M365 --> Central Email Gateway --> M365 (outbound will again use the reverse path).

    Due to the fact that the order of processing has changed (Sending Domain --> M365 --> Central Email Gateway --> M365) we can no longer enforce TLS using Sophos Central Email. This is because M365 is the platform that has the links to the external domains.

    Once you start using the new Mailflow setup you should remove the old connector to prevent messages from being scanned twice, you can read more on this in the documentation, see: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/MailflowGatewayDisconnect.html.

    And finally, the Sophos Banners will be added (inbound) and removed (outbound) as expected with the new Mailflow setup.

    One final comment, you do not have to move to the new Mailflow setup, the Gateway based approach can be used as well :).

    Marcel

  • Hi Marcel. Thanks for the info. To clarify about TLS, are you saying that the Sophos option for "Email Security - Enforced TLS Connections", for enforcing TLS with particular partners, is no longer available? But that all communications between Sophos and M365 will use TLS as standard?

    The other question that was not answered was, do I need to remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules? It sounds like this would not apply under the new Mailflow method.

    Will the email therefore be scanned by default M365 spam/AV/etc first and then by Sophos?

    Will my users thus start getting quarantine messages from Microsoft and Sophos?

    I'm just trying to understand the changes better. I think the new Mailflow method may be preferable as it removes the need to change MX records to reroute email through Sophos. We are a reseller as well as an end user so interested in the fact that Mailflow sounds easier to setup when first creating an account for a customer.

    Thanks,

    Mark.

  • A couple of points.

    A. You should not turn off the Bypass EOP in M365. In my personal testing I found tons of FP messages sent to junk folder if EOP was left on. 

    B. If you don't turn off spam/AV/etc your users will get 2 quarantine messages as you noted.

    Understand what is happening is that when M365 receives the message it routes it to us (Central) via a connector, we inspect, protect and route it back to the M365 tenant using the MFR (connector) setup.

    As you point out not having to change MX record is often preferable for some.

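Marcel's point above is that under the Mailflow setup the external SMTP hop belongs to M365, so Sophos Central can no longer enforce TLS towards partner domains, and the Sophos reply describes the path M365 --> Central --> M365. The script below is an added example (not code from the thread, from Sophos or from Microsoft) that reads the Received headers of a delivered message and reports, hop by hop, whether TLS was used and whether the message did go out to the scanning gateway and back. The sample message and all hostnames (`.invalid` placeholders, and the assumed `GATEWAY_SUFFIX`) are constructed; the header shapes it matches on are the ones Exchange Online (`version=TLS1_2, cipher=...`) and Postfix (`using TLSv1.3 ...`, `with ESMTPS`) actually stamp.

```python
import email
import re

# Constructed sample message, not captured from a real tenant. Hostnames are
# placeholders (.invalid TLD) standing in for the external sender's MTA, the
# M365 tenant's front end, and the scanning gateway that M365 routes through.
# Received headers are prepended, so the newest hop is on top.
SAMPLE_MESSAGE = """Received: from scanner.gateway.example.invalid (198.51.100.7) by
 m365-frontend.example.invalid with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6455.20; Wed, 7 Jun
 2023 12:00:03 +0000
Received: from m365-outbound.example.invalid (m365-outbound.example.invalid
 [2603:10b6::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256
 bits)) by scanner.gateway.example.invalid (Postfix) with ESMTPS id 4QcRsT;
 Wed, 7 Jun 2023 12:00:02 +0000
Received: from mta.sender.example.invalid (203.0.113.5) by
 m365-frontend.example.invalid with Microsoft SMTP Server id 15.20.6455.20;
 Wed, 7 Jun 2023 12:00:01 +0000
From: someone@sender.example.invalid
To: mark@example.invalid
Subject: constructed test message

body
"""

# Assumed: the hostname suffix of your scanning gateway (placeholder here).
GATEWAY_SUFFIX = "gateway.example.invalid"

# Exchange Online stamps "(version=TLS1_2, cipher=...)" on a TLS hop, Postfix
# stamps "(using TLSv1.3 with cipher ...)" and "with ESMTPS". A hop carrying
# none of these markers was received in clear text.
_TLS_PATTERNS = [
    re.compile(r"version=(TLS[\w.]+)"),
    re.compile(r"using (TLSv[\d.]+)"),
    re.compile(r"\bwith ESMTPS\b"),
]


def parse_hops(raw_message: str) -> list[dict]:
    """Return the Received hops in delivery order (oldest first) with TLS info."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = re.sub(r"\s+", " ", str(value)).strip()   # unfold the header
        from_host = re.match(r"from (\S+)", text)
        by_host = re.search(r"\sby (\S+)", text)
        tls = None
        for pat in _TLS_PATTERNS:
            m = pat.search(text)
            if m:
                tls = m.group(1) if m.groups() else "TLS (version not stamped)"
                break
        hops.append({
            "from": from_host.group(1) if from_host else None,
            "by": by_host.group(1) if by_host else None,
            "tls": tls,
        })
    return hops


def audit(raw_message: str, gateway_suffix: str = GATEWAY_SUFFIX) -> dict:
    """Check the M365 -> gateway -> M365 round trip and list clear-text hops."""
    hops = parse_hops(raw_message)
    went_to_gateway = any((h["by"] or "").endswith(gateway_suffix) for h in hops)
    came_back = any((h["from"] or "").endswith(gateway_suffix) for h in hops)
    cleartext = [f"{h['from']} -> {h['by']}" for h in hops if h["tls"] is None]
    return {
        "hops": hops,
        "via_gateway": went_to_gateway and came_back,
        "cleartext_hops": cleartext,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MESSAGE)
    for h in result["hops"]:
        print(f"{h['from']} -> {h['by']}: {h['tls'] or 'NO TLS'}")
    print("routed via gateway:", result["via_gateway"])
    print("clear-text hops:", result["cleartext_hops"])
```

In the constructed sample the two internal hops (M365 to gateway and back) are TLS, while the external hop from the sender's MTA into M365 is clear text: exactly the hop Sophos Central can no longer police under the Mailflow setup, which is why any "enforced TLS" requirement for partner domains has to be expressed on the M365 side instead.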