

New Mailflow setup

I see the new Mailflow functionality is appearing in my Cloud Portal as a released feature. In the help it states:

Sophos Mailflow doesn't currently support the following:

What do you mean by it does not support TLS? What elements of the email transmission are not encrypted using TLS connections exactly?

After switching to the Mailflow method from the Gateway method do I also need to:

1. Remove the Bypass Exchange Online Protection in Microsoft 365 rule in O365 Mailflow Rules?

2. Remove the Secure Connector between Microsoft 365 and Sophos Gateway?

Will the new Mailflow method remove the Sophos Banners on my emails when I reply to them as part of the Outbound process?

Thanks,

Mark.



Edited tags
[edited by: Raphael Alganes at 6:04 AM (GMT -7) on 7 Jun 2023]
  • No worries, seems like the support engineer is not up to date. https://news.sophos.com/en-us/2022/03/03/say-goodbye-to-mx-records-with-sophos-email/ :) Since I'm the Sr. Director for Central Email (basically I own the product here at Sophos), I can assure you it is now GA. I will ask someone to dig into the case. Feel free to send me an email if you would like to. Thanks for being a Sophos Email customer. How's that for getting our attention? :)

  • Sounds like the right person is involved now :) Thanks, Tom. I appreciate you for responding so quickly and looking into the issue.

    I'll be happy to give Mailflow another try as I prefer that method over the MX redirection. Huge Sophos fan btw. Chose you guys over Bitdefender and Trend Micro. 

  • I run my personal domain through MFR; I just sent a message from my gmail.com through MFR with no issues. Yes, you will see a softfail, but you will also find an spf=pass in the headers. Example:

    Authentication-Results-Original spf=pass (sender IP is 209.85.128.49) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com; dmarc=pass action=none header.from=gmail.com; compauth=pass reason=100

    Later in the conversation you will see this one, which is M365 saying we aren't permitted to send on behalf of Gmail, as you noted.

    Authentication-Results spf=softfail (sender IP is 104.47.57.177) smtp.mailfrom=gmail.com; dkim=fail (body hash did not verify) header.d=gmail.com;dmarc=fail action=none header.from=gmail.com;compauth=fail reason=001

    One of the reasons why I find it important to turn off EOP is that EOP will trigger on this failure (softfail) and dump the message into the junk folder as an unauthenticated message (based on my testing).

    I looked at the ticket in our system and I hope you give it a shot, but please make sure you update your SPF records. My SPF for my home domain: v=spf1 include:spf.protection.outlook.com -all

  • I have been going back and forth with support for several weeks. This SPF issue persists and they seem unable to escalate the issue and/or address the question head-on.

  • Case 05134281 is the same SPF issue. I don't see a way out of the SPF issue, because domains that do not use O365 and do not use Sophos will always get flagged as 'unverified': the SPF record of the sending domain will never include O365 or Sophos netblocks.

  • Sending domains with a strict SPF record that do not use O365 will not pass the SPF test, resulting in an 'unverified sender' banner.

  • Send me an email at tom.foucha (at) sophos.com and let's take a look at it. @Caleb Terry, you also.

  • Nice meeting and working with you, Michael Cassman. To update others monitoring this thread: when you are dealing with banners, click the little (i) icon next to the smart banners for an explanation. The banners are controlled by whether or not DMARC passes. There is an order of operation as well: in order for DMARC to pass, either SPF or DKIM must align; it doesn't require both, but at least one must. Once DMARC passes it doesn't matter if SPF failed or not, because DMARC and DKIM would have passed. Or if DMARC passes and SPF passes but DKIM fails, again it doesn't matter. The order of precedence is DMARC, SPF, DKIM. If a DMARC record exists AND it is in the Allow list, it will be considered Trusted and bannered accordingly.
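The two Authentication-Results values Tom quoted earlier in the thread, and the banner precedence he describes in this post, modelled as an added example; this is not code from the thread or from the Sophos product, the parsing and verdict rules are a simplification, and the allow-list handling and the preference for the pre-relay header are assumptions:

```python
import re

# Two Authentication-Results values quoted in the thread above. ORIGINAL is the
# pre-relay Authentication-Results-Original header; RELAYED is the M365
# re-evaluation after the message came back through Sophos Mailflow.
ORIGINAL = ("spf=pass (sender IP is 209.85.128.49) smtp.mailfrom=gmail.com; "
            "dkim=pass (signature was verified) header.d=gmail.com; "
            "dmarc=pass action=none header.from=gmail.com; compauth=pass reason=100")
RELAYED = ("spf=softfail (sender IP is 104.47.57.177) smtp.mailfrom=gmail.com; "
           "dkim=fail (body hash did not verify) header.d=gmail.com;"
           "dmarc=fail action=none header.from=gmail.com;compauth=fail reason=001")
# Constructed case for the strict-SPF sender discussed above: SPF fails because the
# relay is not in the sender's "-all" record, but DKIM aligns so DMARC still passes.
STRICT_SPF = ("spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.net; "
              "dkim=pass (signature was verified) header.d=example.net; "
              "dmarc=pass action=none header.from=example.net")


def parse_auth_results(header: str) -> dict:
    """Return {method: result} for each 'method=result' clause, plus header.from."""
    results = {}
    for clause in header.split(";"):
        clause = clause.strip()
        m = re.match(r"(\w+)=(\w+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
        d = re.search(r"header\.from=(\S+)", clause)
        if d:
            results["header.from"] = d.group(1).lower()
    return results


def banner(results: dict, allow_list=()) -> str:
    """Banner verdict using the precedence stated in the thread: DMARC, SPF, DKIM.

    Assumption: the Allow-list check only applies once DMARC has passed."""
    if results.get("dmarc") == "pass":
        # A DMARC pass already means SPF or DKIM aligned; individual failures no longer matter.
        return "trusted" if results.get("header.from") in allow_list else "verified"
    if results.get("spf") == "pass":
        return "verified"
    if results.get("dkim") == "pass":
        return "verified"
    return "unverified sender"


def classify_message(headers: dict, allow_list=()) -> str:
    """Assumed policy: judge the pre-relay Authentication-Results-Original header when
    present, since the post-relay header reflects the relay's IP, not the true sender."""
    raw = headers.get("Authentication-Results-Original") or headers["Authentication-Results"]
    return banner(parse_auth_results(raw), allow_list)
```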

  • I'm just trying to understand the changes better. I think the new Mailflow method may be preferable, as it removes the need to change MX records to reroute email through Sophos. We are a reseller as well as an end user, so I am interested in the fact that Mailflow sounds easier to set up when first creating an account for a customer.

  • The changes are that we automatically set up the Connectors and Rules in M365 to redirect traffic from M365 to Central, and then we inspect and deliver the message back to M365 via a connector. You set up SPF, DKIM and MX to point to M365, so to the outside world Sophos is not visible in the path.