Forwarding Email from Exchange 2019 not working

I have outbound emails filtered through Sophos, and in the outbound gateway I have the IP of the firewall. The client can send emails out normally using Outlook. The issue is when we have a mailbox set up to forward mail to a contact through the recipient / mail flow in the Exchange admin center: the email gets rejected by Sophos.

This is not an issue with the Exchange server, as it used to work when filtered through Reflexion. The minute we moved to Sophos Email it started to block any forwarded messages. Any help would be appreciated.

Thanks!

  • Something has changed on Email Gateway. I guess auto-forward is now treated as relay somehow. I don't see it in the post-delivery queue either.

    In the past I used autoforward rules locally in Outlook. Specific external senders were forwarded also externally. No problem. Just worked.

    Yesterday I had to enable an auto-forward on the Exchange server for a certain mailbox and that did not work. I ran into the message that we do not have permission and the recipient is relay-eu-central-1.prod.hydra.sophos.com. I enabled bulk sender on the mailbox in Central, but the volume is not the issue.

    I removed the server-side auto-forward and tried with an Outlook forward, and that now gives the same error message:

    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.

    The following organization rejected your message: relay-eu-central-1.prod.hydra.sophos.com.

    Thanks,

    Fred

  • When the forwarded message is internal, Sophos will allow it through.

    When the forwarded message is external, Sophos will not accept it. The mail log shows no entry of the forwarded e-mail.

  • This is an intended behavior of Central Email.

    The reason is, Exchange somewhat acts ugly in a sense.

    Because if you do an auto-forward on the Exchange, Exchange will forward the email in the name of the original sender. Which means, if somebody is sending you an email from @sophos.com, Exchange will try to send this email with "FROM: @sophos.com", which of course breaks a lot of stuff like SPF etc.

    To prevent this blocking and potential blacklisting of Central IPs, CEMA is blocking the email directly.

    If you press "Forward" in Outlook, the user is sending the email in a "nice manner", which means the original recipient is the new "sender".

    I cannot comment on "why Exchange is doing this". But we tested this several times and cannot find any "admin way" to get this forwarding working.


  • Hi

    Thanks for the update. I guessed that much.

    I have it working now with the Outlook rule. Have to check Exchange server Mailflow rules.

    In Outlook rules you have an option of forwarding to specific users or groups and forwarding the message to specific users or groups. It might look the same, but the first relays the message with the original sender as email sender, and the second forwards the message by adding FWD: and the forwarder's e-mail address (the original recipient) as e-mail sender. The difference for Sophos is obvious. The first is relay and not allowed, and the second is allowed as it is sent from a domain email user.

    I have to check if Exchange server side has this difference also in the actions when creating a Mailflow rule.

    So you can't use the setting in Exchange to auto-forward on the mailbox itself. You would have to check if the action in mail flow rules also has a "forward the message" action. Another option is auto-forwarding it as an attachment.

    Outlook needs to be open (RDS session) for rules to work otherwise it won't autoforward.

    Exchange Mailflow rules are always on.

    Regards,

    Fred
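The forward-versus-redirect distinction Fred describes for Outlook rules also exists for server-side inbox rules, which can be created from the Exchange Management Shell. The block below is an added example, not code from the thread or from Sophos/Microsoft documentation; the mailbox alias `helpdesk`, the external sender `vendor@example.net` and the destination `tickets@partner.example` are placeholders. `-RedirectTo` re-sends the message with the original sender intact (the variant the gateway rejects), `-ForwardTo` re-sends it from the mailbox with a "FW:" subject, and `-ForwardAsAttachmentTo` keeps the original message, headers included, inside an attachment while the outer message is still sent from the mailbox.

```powershell
# Added example: three server-side inbox rules showing the actions discussed above.
# Assumed placeholders (adjust to your environment): mailbox 'helpdesk',
# external sender 'vendor@example.net', destination 'tickets@partner.example'.
# Run from the Exchange Management Shell on the on-premises Exchange server.

$Mailbox     = 'helpdesk'
$Sender      = 'vendor@example.net'
$Destination = 'tickets@partner.example'

# Variant 1: redirect. Exchange re-sends the message with the original sender
# unchanged, so the next hop sees $Sender as the sender, not the mailbox.
# This is the behaviour the thread reports being rejected by the Sophos gateway
# (and that can fail the original sender's SPF/DMARC at the final recipient).
New-InboxRule -Mailbox $Mailbox -Name 'Redirect vendor mail to ticketing' `
    -From $Sender -RedirectTo $Destination

# Variant 2: forward. The mailbox becomes the sender and the subject is prefixed
# with 'FW:'. This is what passes the gateway, at the cost of losing the original
# sender identity (the ticketing problem raised later in the thread).
New-InboxRule -Mailbox $Mailbox -Name 'Forward vendor mail to ticketing' `
    -From $Sender -ForwardTo $Destination

# Variant 3: forward as attachment. The outer message is sent from the mailbox,
# while the original message with its headers travels inside the attachment.
New-InboxRule -Mailbox $Mailbox -Name 'Forward vendor mail as attachment' `
    -From $Sender -ForwardAsAttachmentTo $Destination

# Confirm what was created and which action each rule uses.
Get-InboxRule -Mailbox $Mailbox |
    Select-Object Name, Enabled, From, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-Table -AutoSize
```

Rules created with `New-InboxRule` are server-side rules and are evaluated by Exchange whether or not Outlook is running. All three variants still need automatic forwarding to be permitted for the destination's remote domain (`AutoForwardEnabled` on the matching `Get-RemoteDomain` entry), and the redirect variant is still subject to the gateway behaviour described in this thread.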

  • The Mailflow rule action option has three options:

    1. Forward message for approval… This option allows you to stop the message from leaving your organization until it is accepted by an authorized person.
    2. Redirect the message to… The message is not delivered to the original recipient and is redirected to the one defined in the rule.
    3. Add recipients… As the name suggests, this action allows you to add more recipients to the message in the To, Bcc, or Cc field.

    And I am afraid that all three will not pass Email Gateway for external delivery. Microsoft needs to fix this. We can check at the MS Exchange forums if someone has a workaround without going for third-party solutions such as codetwo.com.

    Let me know if you find a way.

    Regards,

    Fred

  • Thanks all for the replies. I found out the exact same thing through trial and error. Forwarding via an Outlook rule seems to work. Not sure what version of Exchange you're running, but I know you had to have Outlook open in the past; I set this up with Outlook online and it seems to be working without having Outlook open. I also thought they were on at least 2016, but it seems to be 2013 with the latest service packs.

    Also, for anyone running 2013, 2016 or 2019, the ability to allow forwarding to remote domains is disabled by default and you can't change it in the GUI. You have to run the following code to enable it:

    Set-RemoteDomain Default -AutoForwardEnabled $true

    That is of course if your policy is still named default.

    So now I just have to determine which mailboxes have forwarding enabled. Reset the passwords, log in through Outlook web and set up the same rule to forward the message, which then comes from the mailbox and not the original sender.

    Thanks!
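Finding the mailboxes that forward externally, as the post above sets out to do, is a short Exchange Management Shell job. The script below is an added example, not code from the thread; it checks every forwarding path discussed here: the remote-domain `AutoForwardEnabled` switch, mailbox-level forwarding set in the EAC (`ForwardingAddress` / `ForwardingSmtpAddress`), and inbox rules that forward, forward as attachment or redirect, flagging targets outside the organisation's own domains. The domain list `contoso.com` is a placeholder for your accepted domains. Unexpected forwarding rules are also a common sign of a compromised mailbox, so the same listing doubles as a routine check.

```powershell
# Added example: audit of the forwarding paths discussed in this thread.
# Run from the Exchange Management Shell. 'contoso.com' is a placeholder for
# the organisation's accepted domains (assumption, adjust to your environment).

$InternalDomains = @('contoso.com')

function Test-External {
    # Returns $true when a forwarding target's domain is not one of ours.
    # Inbox rule targets look like '"Name" [SMTP:user@domain]'; mailbox
    # ForwardingSmtpAddress looks like 'smtp:user@domain'; both are handled.
    param([string]$Address)
    if (-not $Address) { return $false }
    if ($Address -match '(?i)smtp:([^\]\s"]+)') { $smtp = $Matches[1] }
    else { $smtp = $Address.Trim('"').Trim() }
    $domain = ($smtp -split '@')[-1]
    return ($InternalDomains -notcontains $domain)
}

# 1. Is automatic forwarding to external domains allowed at all?
#    (The post above enables it with Set-RemoteDomain Default -AutoForwardEnabled $true.)
Write-Host '== Remote domain auto-forward settings =='
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 2. Mailbox-level forwarding, i.e. the EAC 'forward to' setting the original post used.
#    These re-send as the original sender and are what the gateway rejects.
Write-Host '== Mailboxes with mailbox-level forwarding =='
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect, one row per target, flagged when external.
#    'Redirect' rows behave like mailbox-level forwarding (original sender kept);
#    'Forward' rows are sent from the mailbox and are the working variant.
Write-Host '== Inbox rules that forward or redirect =='
$ruleRows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        foreach ($t in @($rule.RedirectTo)) {
            if ($t) { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                Enabled = $rule.Enabled; Action = 'Redirect'; Target = "$t"; External = Test-External "$t" } }
        }
        foreach ($t in @($rule.ForwardAsAttachmentTo)) {
            if ($t) { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                Enabled = $rule.Enabled; Action = 'ForwardAsAttachment'; Target = "$t"; External = Test-External "$t" } }
        }
        foreach ($t in @($rule.ForwardTo)) {
            if ($t) { [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                Enabled = $rule.Enabled; Action = 'Forward'; Target = "$t"; External = Test-External "$t" } }
        }
    }
}
$ruleRows | Sort-Object External -Descending | Format-Table -AutoSize
```

Mailboxes that appear in section 2, or with `Redirect` rows marked `External` in section 3, are the ones that will hit the gateway rejection described in this thread; `Forward` rows are the variant the thread found to work.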

  • So now of course the issue is since the email is no longer sent as the original sender when it goes to their ticketing solution it can't open the ticket as the original sender because it is forwarded as the email account that received it on Exchange :/.

  • We are using on premise Exchange. 

    The problem is only with remote domain delivery. You could check if you could set up another email connector to deliver e-mail directly (not via Sophos Email Gateway) for certain autoforwarded email accounts. As LuCar Toni pointed out the receiving remote domain may consider it spam as it can violate SPF and DMARC settings of the original sender.