New Mailflow setup

Question

I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states: 
 Sophos Mailflow doesn't currently support the following: 
 
 Transport Layer Security (TLS) 
 Remote block lists (RBL) 
 Sophos Central Self Service Portal Emergency inbox . See Manage settings for Sophos Central Self Service . 
 S/MIME (coming in Q1 2022)

What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly? 
 
 After switching to the Mailflow method from the Gateway method do I also need to: 
 1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules? 
 2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway? 
 
 Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process? 
 Thanks, 
 Mark.

Tom Foucha · Accepted Answer

A couple of points. 
 A. You should not turn off the Bypass EOP in M365. In my personal testing I found tons of FP messages sent to junk folder if EOP was left on. 
 B. If you don't turn off spam/AV/etc your users will get 2 quarantine messages as you noted. 
 Understand what is happening is that when M365 receives the message it routes it to us (Central) via a connector, we inspect, protect and route it back to the M365 tenant using the MFR (connector) setup. 
 As you point out not having to change MX record is often preferable for some.

Marcel · Answer

Hi Mark, 
 With the new Mailflow setup we are giving customers a new way how to integrate Sophos Central Email with M365. Without the Mailflow setup mail would typically be routed inbound as follows: Sending Domain -> Central Email Gateway --> M365. Outbound would use the revers path. With the new Mailflow setup the routing on emails is changed as follows: Sending Domain -> --> M365 --> Central Email Gateway --> M365 (outbound will again use the reverse path). 
 Due to the fact that the order of processing has changed (Sending Domain -> --> M365 --> Central Email Gateway --> M365) we can no longer enforce TLS using Sophos Central Email. This is because M365 is the platform that has the links to the external domains. 
 Once you start using the new Mailflow setup you should remove the old connector to prevent messages from being scanned twice, you can read more on this in the documentation, see: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/tasks/MailflowGatewayDisconnect.html . 
 And finally, the Sophos Banners will added (inbound) and removed (outbound) as expected with the new Mailflow setup. 
 One final comment, you do not have to move to the new Mailflow setup, the Gateway based approach can be used as well :). 
 Marcel

New Mailflow setup

Top Replies