
Sophos Email: [Domain settings] The Danger of using MX in the Inbound Destination - Can result in a loop.

Hi Everyone!

I have just encountered an issue wherein a customer somehow got a "Delivery Failed" status as soon as they implemented Central Email in their environment. The error they saw in the Message Details is below:

Also, the originating IP address shows that it came from one of Central Email's IP addresses:

This indicates that there is a mail loop: Central Email is receiving back messages that it has itself just delivered.

Checking the Inbound Destination within "Edit Domain", I found that the customer had used the "MX" setting instead of "Mail host" and had pointed it at their own domain, like below:

What is incorrect in this scenario is that the Inbound Destination is the protected domain's own MX record. Central Email looks up that record to find where to deliver the mail, and once the record points at Central Email, the delivery target is Central Email itself, which is what causes the loop.

The correct flow for inbound email is:

Internet ---> MX record ---> Central Email ---> Customer's email server

But because the customer used their own domain's MX record as the Inbound Destination, the email flow looked like this instead:

Internet ---> MX record ---> Central Email ---> MX record (which resolves back to Central Email) ---> ...

So as soon as they changed their MX record to point to the Central Email servers (for example: mx-01-us-west-2.prod.hydra.sophos.com), the Inbound Destination, being resolved from that same MX record, effectively changed to Central Email as well.

Hence, we recommend watching out for this type of scenario: even though you can pick the MX setting, you need to make sure that the record you put in there is not the Central Email protected domain's own MX record.

It is better to set it to "Mail Host", as this points directly to the host that should receive the mail.

The only time you should use the MX setting is when you want to load balance (or set priority) among several of your own mail servers via MX records, and even then the zone you reference must be one whose MX records point at those servers, not at Central Email.

Have a good day!
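As an added example (not part of the original post and not Sophos code), the following script models the three Inbound Destination choices discussed above against a constructed, hypothetical MX table and reports whether an inbound message would be handed straight back to Central Email. The zone names, the mail server host names and the set of Central Email gateway names are assumptions for illustration; a real check would replace the table with live DNS lookups and use the gateway names your Central console gives you for your region.

```python
"""Simulate Central Email inbound routing and detect the MX self-reference loop.

Example added to this post, not Sophos code. DNS data below is constructed.
"""
from dataclasses import dataclass

# Constructed MX table (hypothetical): zone -> list of (preference, host).
MX_TABLE = {
    # The protected domain, after its MX record was cut over to Central Email.
    "example.com": [(10, "mx-01-us-west-2.prod.hydra.sophos.com")],
    # A separate zone the customer controls, whose MX records load-balance
    # (by preference) across their own mail servers. Legitimate "MX" use.
    "mailcluster.example.net": [(10, "mail1.example.net"), (20, "mail2.example.net")],
}

# Hostnames that belong to Central Email (hypothetical set; the real list is
# whatever the Sophos Central console tells you to use for your region).
CENTRAL_EMAIL_HOSTS = {"mx-01-us-west-2.prod.hydra.sophos.com"}


@dataclass(frozen=True)
class InboundDestination:
    kind: str   # "MX" or "Mail host", as on the Edit Domain page
    value: str  # a zone name for "MX", a host name for "Mail host"


def lookup_mx(zone, mx_table):
    """Return the MX hosts for a zone ordered by preference (lowest first)."""
    return [host for _, host in sorted(mx_table.get(zone, []))]


def resolve_destination(dest, mx_table):
    """Hosts that Central Email would deliver to for this Inbound Destination."""
    if dest.kind == "Mail host":
        return [dest.value]
    if dest.kind == "MX":
        return lookup_mx(dest.value, mx_table)
    raise ValueError(f"unknown destination kind: {dest.kind}")


def trace_inbound(domain, dest, mx_table, central_hosts):
    """Follow one inbound message hop by hop and return (path, looped).

    looped is True when the Inbound Destination resolves to a Central Email
    host, i.e. the gateway would deliver the message back to itself.
    """
    path = ["Internet"]
    mx_hosts = lookup_mx(domain, mx_table)
    if not mx_hosts:
        return path + ["(no MX record for domain)"], False
    first_hop = mx_hosts[0]          # sending server picks the preferred MX
    path.append(f"MX {domain} -> {first_hop}")
    if first_hop not in central_hosts:
        # Mail never reaches Central Email, so the gateway cannot loop it.
        return path, False
    path.append("Central Email")
    targets = resolve_destination(dest, mx_table)
    if not targets:
        return path + ["(Inbound Destination resolves to nothing)"], False
    next_hop = targets[0]
    path.append(f"Inbound Destination -> {next_hop}")
    looped = next_hop in central_hosts
    if looped:
        path.append("Central Email again: LOOP")
    return path, looped


def check_domain(domain, dest, mx_table=MX_TABLE, central_hosts=CENTRAL_EMAIL_HOSTS):
    """Convenience wrapper returning the traced path and a loop verdict."""
    path, looped = trace_inbound(domain, dest, mx_table, central_hosts)
    return {"path": path, "looped": looped}


if __name__ == "__main__":
    cases = {
        "MX pointed at the protected domain itself (loop)": InboundDestination("MX", "example.com"),
        "Mail host pointed at the customer's server (ok)": InboundDestination("Mail host", "mail1.example.net"),
        "MX pointed at a separate cluster zone (ok)": InboundDestination("MX", "mailcluster.example.net"),
    }
    for label, dest in cases.items():
        result = check_domain("example.com", dest)
        print(f"{label}: {' ---> '.join(result['path'])}")
```

The first case reproduces the customer's misconfiguration: the Inbound Destination is resolved from the same MX record the Internet uses to reach Central Email, so the next hop is the gateway again. The third case shows the only situation where the MX setting is appropriate, a zone whose MX records list the customer's own servers with preferences.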



Added tags
[edited by: Raphael Alganes at 6:25 AM (GMT -7) on 7 Jun 2023]