Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 17 subscribers
  • Views 3373 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problems with new M365 Mailflow

AlexBruce

I have created a Support ticket for this but thought I would post here also.

I've been testing M365 Mailflow in Sophos Email and I have the following problems:

  1. Sophos in mailflow mode is not detecting Gtube test spam
    https://spamassassin.apache.org/gtube/
    Is this a known issue? I am sending the string and it is happily sending through to my M365 mailbox. going straight through Sophos..
    How can I test the functionality of M365 Mailflow?

  2. IP address of sender is indicating the M365 IP address

    With M365 mailflow the delivery "IP Address" indicated in the "Message History" is the M365 IP address - not the IP address of the original sender?
    Even worse is an admin can click on "add to blocklist" which presumably will start blocking that M365 IP address which could be catastrophic?
    I can see from the headers that Sophos records the Original sender in the header:
    X-Sophos-Sender-IP
    This should be displayed as the "IP address" on the main Message History screen

  3. Smart banners are showing trusted when address is not on allow list

    The Smart banner conditions for showing as trusted are:
    "email sender is in the allowed list and passed DMARC"
    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/EmailSmartBanners.html
    I've tested newly setup accounts from gmail etc .. the addresses are not on the global or any user allow lists in my sub-estate.
    The emails do pass DMARC but both conditions must be TRUE .. unless that has changed?
    I suspect this is because Sophos Email is naturally trusting the M365 IP addresses in the M365 Mailflow mode

  4. Eicar is sort of working BUT M365 picks up first

    The Eicar test virus is picked up by M365 first and quarantined there - after releasing it is picked up by Sophos Email.
    Makes sense, and not necessarily a problem, but is that explained to customers in a KB anywhere?
    Many viruses under default M365 settings will be centrally quarantined and Sophos Email will be unaware -- having this not communicated to Sophos Email may mean problems troubleshooting email delivery.


Added tags
[edited by: Raphael Alganes at 2:51 AM (GMT -7) on 7 Jun 2023]
Parents
  • 0

    Ok I think I have resolved the gtube issue  - with fresh eyes,

    Still something that Sophos/Customers will need to be aware of potentially.

    The domain I brought over to mailflow was a secondary alias domain not the root domain that my users mailboxes were listed as. 

    After I removed the alias and created a specific mailbox/user for the domain that was running mailflow - Gtube spam protection AND the issue with Smart Banners appear to be resolved.

    This sounds like a license issue - Sophos email being the only Sophos central product that disables protection on non-licenced users - I have plenty of licenses but possibly how mailflow looks to ensure to apply protection on specifically the domain or a subset of users in a domain and how that interacts with the mailbox level licensing.

    This might be a common way that Mailflow may be deployed though. Where a secondary domain is targeted at least initially where the other primary domains are not .. will this cause the same interactions in those cases.

    Ill do some more testing but the problems I have appear resolved.

    Good to know that IP address is a known issue and a fix is underway - thanks for your answers

Reply
  • 0

    Ok I think I have resolved the gtube issue  - with fresh eyes,

    Still something that Sophos/Customers will need to be aware of potentially.

    The domain I brought over to mailflow was a secondary alias domain not the root domain that my users mailboxes were listed as. 

    After I removed the alias and created a specific mailbox/user for the domain that was running mailflow - Gtube spam protection AND the issue with Smart Banners appear to be resolved.

    This sounds like a license issue - Sophos email being the only Sophos central product that disables protection on non-licenced users - I have plenty of licenses but possibly how mailflow looks to ensure to apply protection on specifically the domain or a subset of users in a domain and how that interacts with the mailbox level licensing.

    This might be a common way that Mailflow may be deployed though. Where a secondary domain is targeted at least initially where the other primary domains are not .. will this cause the same interactions in those cases.

    Ill do some more testing but the problems I have appear resolved.

    Good to know that IP address is a known issue and a fix is underway - thanks for your answers

Children
No Data
Unfiltered HTML