I have created a Support ticket for this but thought I would post here also.
I've been testing M365 Mailflow in Sophos Email and I have the following problems:
Thank you for your inputs and feedback.
I just sent the test email from Gtube through MFR and Sophos quarantined it as spam. Be interested to know what is different in yours vs my configuration?
The way I’m sending gtube means I can’t send the full mime test email available on gtube site but I can simply have the gtube string in the body of the email. Sophos should detect that.
I’ve been doing some other tests with recent (one day old ish) phishtank URLs — interesting here in that M365 was central quarantining the emails as spam — Sophos didn’t get a look in. So this has the same issues as the eicar test.
1. This is not expected and we need to investigate. As you mentioned, you have taken it up with Sophos Support and I believe we will have the resolution soon.
2. This is a known issue and a fix is underway.
3. This is not expected and we need to investigate. As you mentioned, you have taken it up with Sophos Support and I believe we will have the resolution soon.
4. This is expected. Emails containing high confidence malware and phish are stopped at M365 before they make it to Sophos Mailflow. We are looking at options of making such emails easy to manage.
Thanks good answers and faster than Sophos Support 8) - still no response on support ticket ..
Ok I think I have resolved the gtube issue - with fresh eyes,
Still something that Sophos/Customers will need to be aware of potentially.
The domain I brought over to mailflow was a secondary alias domain, not the root domain that my users' mailboxes were listed as.
After I removed the alias and created a specific mailbox/user for the domain that was running mailflow - Gtube spam protection AND the issue with Smart Banners appear to be resolved.
This sounds like a license issue - Sophos email being the only Sophos central product that disables protection on non-licenced users - I have plenty of licenses but possibly how mailflow looks to ensure to apply protection on specifically the domain or a subset of users in a domain and how that interacts with the mailbox level licensing.
This might be a common way that Mailflow may be deployed though. Where a secondary domain is targeted at least initially where the other primary domains are not .. will this cause the same interactions in those cases.
I'll do some more testing but the problems I have appear resolved.
Good to know that IP address is a known issue and a fix is underway - thanks for your answers Santosh Barnwal