
Problems with new M365 Mailflow

I have created a Support ticket for this but thought I would post here also.

I've been testing M365 Mailflow in Sophos Email and I have the following problems:

  1. Sophos in mailflow mode is not detecting GTUBE test spam
    https://spamassassin.apache.org/gtube/
    Is this a known issue? I am sending the string and it is happily delivered to my M365 mailbox, going straight through Sophos.
    How can I test the functionality of M365 Mailflow?

  2. IP address of sender is indicating the M365 IP address

    With M365 Mailflow the delivery "IP Address" indicated in the "Message History" is the M365 IP address, not the IP address of the original sender.
    Even worse, an admin can click on "add to blocklist", which presumably will start blocking that M365 IP address, which could be catastrophic.
    I can see from the headers that Sophos records the original sender in the header:
    X-Sophos-Sender-IP
    This should be displayed as the "IP address" on the main Message History screen.

  3. Smart banners are showing trusted when address is not on allow list

    The Smart banner conditions for showing as trusted are:
    "email sender is in the allowed list and passed DMARC"
    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/EmailSmartBanners.html
    I've tested newly set up accounts from Gmail etc. The addresses are not on the global or any user allow lists in my sub-estate.
    The emails do pass DMARC, but both conditions must be TRUE, unless that has changed?
    I suspect this is because Sophos Email is naturally trusting the M365 IP addresses in the M365 Mailflow mode.

  4. EICAR is sort of working BUT M365 picks it up first

    The EICAR test virus is picked up by M365 first and quarantined there; after releasing it, it is picked up by Sophos Email.
    Makes sense, and not necessarily a problem, but is that explained to customers in a KB anywhere?
    Many viruses under default M365 settings will be centrally quarantined and Sophos Email will be unaware. Having this not communicated to Sophos Email may mean problems troubleshooting email delivery.


[edited by: Raphael Alganes at 2:51 AM (GMT -7) on 7 Jun 2023]
  • The way I’m sending GTUBE means I can’t send the full MIME test email available on the GTUBE site, but I can simply have the GTUBE string in the body of the email. Sophos should detect that.

    I’ve been doing some other tests with recent (one-day-old-ish) PhishTank URLs. Interesting here in that M365 was centrally quarantining the emails as spam; Sophos didn’t get a look in. So this has the same issues as the EICAR test.