
Problems with new M365 Mailflow

I have created a Support ticket for this but thought I would post here also.

I've been testing M365 Mailflow in Sophos Email and I have the following problems:

  1. Sophos in mailflow mode is not detecting GTUBE test spam
    https://spamassassin.apache.org/gtube/
    Is this a known issue? I am sending the string and it is happily delivered to my M365 mailbox, going straight through Sophos.
    How can I test the functionality of M365 Mailflow?

  2. IP address of sender is indicating the M365 IP address

    With M365 mailflow the delivery "IP Address" indicated in the "Message History" is the M365 IP address, not the IP address of the original sender?
    Even worse, an admin can click on "add to blocklist", which presumably will start blocking that M365 IP address, which could be catastrophic?
    I can see from the headers that Sophos records the original sender in the header:
    X-Sophos-Sender-IP
    This should be displayed as the "IP address" on the main Message History screen.

  3. Smart banners are showing trusted when address is not on allow list

    The Smart banner conditions for showing as trusted are:
    "email sender is in the allowed list and passed DMARC"
    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/EmailSmartBanners.html
    I've tested newly set up accounts from Gmail etc.; the addresses are not on the global or any user allow lists in my sub-estate.
    The emails do pass DMARC, but both conditions must be TRUE, unless that has changed?
    I suspect this is because Sophos Email is naturally trusting the M365 IP addresses in the M365 Mailflow mode

  4. EICAR is sort of working BUT M365 picks it up first

    The EICAR test virus is picked up by M365 first and quarantined there; after releasing it, it is picked up by Sophos Email.
    Makes sense, and not necessarily a problem, but is that explained to customers in a KB anywhere?
    Many viruses under default M365 settings will be centrally quarantined and Sophos Email will be unaware -- having this not communicated to Sophos Email may mean problems troubleshooting email delivery.


Added tags
[edited by: Raphael Alganes at 2:51 AM (GMT -7) on 7 Jun 2023]
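As an added illustration of point 2 (example code, not from the original post or from Sophos): a small Python script that parses the Received chain and the X-Sophos-Sender-IP header of a constructed sample message, shows that the newest hop is the M365 connector rather than the real origin, and refuses to nominate a connector address for a blocklist. The connector range and all addresses are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from ipaddress import ip_address, ip_network

# Constructed sample: a message that went sender -> M365 -> Sophos Email, so the
# newest Received hop is the M365 connector and the real origin is only recorded
# in X-Sophos-Sender-IP. All addresses are documentation ranges, not real hosts.
SAMPLE = b"""Received: from m365-outbound.example.net ([203.0.113.10]) by sophos-mailflow.example.com; Wed, 7 Jun 2023 09:00:00 +0000
Received: from mail.sender.example.org ([198.51.100.23]) by m365-inbound.example.net; Wed, 7 Jun 2023 08:59:58 +0000
X-Sophos-Sender-IP: 198.51.100.23
From: someone@sender.example.org
To: alex@example.com
Subject: test

body
"""

# Hypothetical connector range (an assumption for this example; take the real
# list from your own M365 connector configuration).
CONNECTOR_NETS = [ip_network("203.0.113.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hop_ips(raw):
    """IPv4 addresses from the Received: chain, newest hop first."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(str(value))
        if m:
            hops.append(m.group(1))
    return hops


def originating_ip(raw):
    """Prefer X-Sophos-Sender-IP; otherwise fall back to the oldest Received hop."""
    msg = message_from_bytes(raw, policy=policy.default)
    header = msg.get("X-Sophos-Sender-IP")
    if header:
        return str(ip_address(str(header).strip()))
    hops = received_hop_ips(raw)
    return hops[-1] if hops else None


def blocklist_target(raw):
    """The IP an admin should actually block; None if it is a connector address."""
    ip = originating_ip(raw)
    if ip is None or any(ip_address(ip) in net for net in CONNECTOR_NETS):
        return None  # blocking this would cut the M365 -> Sophos delivery path
    return ip
```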
  • Hello Alex,

    Thank you for your inputs and feedback.

    1. This is not expected and we need to investigate. As you mentioned, you have taken it up with Sophos Support and I believe we will have the resolution soon.

    2. This is a known issue and a fix is underway.

    3. This is not expected and we need to investigate. As you mentioned, you have taken it up with Sophos Support and I believe we will have the resolution soon.

    4. This is expected. Emails containing high confidence malware and phish are stopped at M365 before they make it to Sophos Mailflow. We are looking at options of making such emails easy to manage.
