I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:
Sophos Mailflow doesn't currently support the following:
What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?
After switching to the Mailflow method from the Gateway method do I also need to:
1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?
2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?
Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?
A couple of points.
A. You should not turn off the Bypass EOP in M365. In my personal testing I found tons of FP messages sent to junk folder if EOP was left on.
B. If you don't turn off spam/AV/etc your…
I enabled this recently and had a lot of issues with valid inbound users showing as unverified users due to spf fails because gmail and other common domains don’t designate our custom outlook domain as a valid sender. When Microsoft forwards the email to Sophos, Sophos checks the spf for gmail.com and gmail doesn’t have our outlook domain as a designated sender.
I also noticed issues with emails going to quarantine on the Microsoft side and bypassing Sophos entirely. The way Microsoft handles redirects to aliases bypasses the forwarding to Sophos. I could see in our message traces in exchange that the emails were being routed to the Sophos connector but when you check for the email in Sophos, a log doesn’t exist. Even when I setup the onmicrosoft.com domain in Sophos Mailflow, I experienced the same issue.
I opened a ticket with Sophos on this and was informed by support that they haven’t been trained on Mailflow because it’s still in EAP which makes me wonder why I’m being prompted to set it up in Sophos central; I’m not registered for the Mailflow EAP either. Doesn’t seem fully baked at this point and the issue with spf fails and unverified users needs to be addressed before we can migrate fully to Mailflow. I like the idea though and definitely seems more efficient than redirecting MX. Following this thread to see if others have similar issues.
I have been going back and forth with support for several weeks. this SPF issue persists and they seem unable to escalate the issue and/or address the question head on..
send me an email tom.foucha (at) sophos.com and let's take a look at it. @Caleb Terry you also
Nice meeting and working with you Michael Cassman, to update others monitoring this thread when you are dealing with Banners and click the little (i) icon next to the smart banners for an explanation. The banners are controlled by whether or not DMARC passes or not. There is an order of operation also, in order for DMARC to pass either SPF or DKIM must align, it doesn't require both, but at least one must. Once DMARC passes it doesn't matter if SPF failed or not, because DMARC and DKIM would have passed. or if DMARC passes and SPF passes but DKIM fails, again doesn't matter. The order of precedence is DMARC, SPF, DKIM. If DMARC record exists AND it is in the Allow list it will be considered Trusted and bannered accordingly.