Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Email To/From Microsoft Distribution Lists failing

My organization uses Microsoft 365 with Sophos Central Email Security as the email filter.  The DLs contain both internal and external email addresses, such as Gmail or Yahoo. When I send email from an internal address to the DL, everything gets delivered.  When an external address sends to the DL, the internal addresses receive but the external addresses fail.

I cannot see any error messages from within Sophos.  The external reject message is

Error:

550 5.7.1 XGEMAIL_0011 Command rejected

Message rejected by:

mx-01-us-west-2.prod.hydra.sophos.com

This is a problem for my organization.  Any tips/help?



This thread was automatically locked due to age.
Parents
  • From the sounds of it you are in gateway mode. In gateway mode Sophos Central does not any list of recipients contained inside the DL so when the message for external users is sent we reject since we aren't a relay. In MFR mode, since the message goes to M365 first, Microsoft will unpack/expand the DL and route individual messages to Sophos for inspection and then if permitted in M365 it will deliver to the external recipients.

Reply
  • From the sounds of it you are in gateway mode. In gateway mode Sophos Central does not any list of recipients contained inside the DL so when the message for external users is sent we reject since we aren't a relay. In MFR mode, since the message goes to M365 first, Microsoft will unpack/expand the DL and route individual messages to Sophos for inspection and then if permitted in M365 it will deliver to the external recipients.

Children
  • Thank you so much - I've been going crazy looking for an answer.  Would you be able to point me to something that would give me the steps to move from Gateway to Mailflow?  The things I see in the Community Discussions are several years old.

  • Follow these instructions: https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/SophosMailflow/index.html

    Once you have mail flowing (you've moved your MX to domain-com.protection.outlook.com then you can delete the domain in Central under the current location.

  •   I’d recommend staying with gateway mode. Once you are in mailflow mode, Microsoft will start quarantining and blocking emails before they even reach Sophos. They call it “high phishing spam”. This will mean you’ll have multiple quarantines and unless you issue your users two quarantine digest each day, one from Microsoft and one from Sophos, you’ll have emails falling in to an abyss.

    Each to their own, but I’d never configure an external DL. We’d setup a shared mailbox instead. If you’re trying to achieve an external person sending email to another external person via your tenant (again, we’d never do this as it makes us a relay), you could setup a rule in O365 to redistribute as appropriate.

  • Steve/Stuart, one of the initiatives we are working on is the ability to show a consolidated quarantine where you can see what Microsoft has put into their quarantine along with the ability to release messages from the Microsoft quarantine. As Microsoft made the Secure by Default hard stance last year, i.e. if your mx points to .protection.outlook.com then you cannot disable Defender Spam scanning. We do have thousands of customers using mailflow mode without issues but you have to decide what works best for your organization.