How to configure Sophos Email for Office 365

This topic explains how to set up Microsoft Office 365 to route email through Sophos Email.

Add your domain and verify ownership

You need to add your domain.

Note You will need to provide the following information when configuring Sophos Email to process and deliver email for your domain:
  • Your email domain name
  • Your mail delivery destination host as a Fully Qualified Domain Name (FQDN) or IP address
  • The port number used to listen for SMTP traffic on the mail delivery destination host

To find your FQDN for Office 365:

  • Log into the Office portal.
  • Select Domains.
  • Copy the value displayed for the expected MX record.
    Note The format is normally <yourdomain-com>.mail.protection.outlook.com

To add a domain in Sophos Central, do as follows:

  1. Click Email Gateway > Settings.
  2. Click Domain Settings/Status.
  3. Click Add Domain.
  4. Enter your email domain details, the direction of traffic, and delivery destination details.
  5. Next, click Verify Domain Ownership.
  6. Copy the TXT value presented in the Verify Domain Ownership dialog.

    This value is specific to your email domain.

  7. Create a TXT DNS record in the root level of the domain name you entered earlier and paste the TXT value that you copied earlier.You can give it the same TXT name as shown or use @. If you're not sure how to do this, contact the organization that registered your domain name.
  8. Once the new TXT DNS record entry is saved, click Verify.

Once the DNS update with the correct TXT value is propagated, a message is returned indicating that domain verification was successful.

If the DNS update has not yet propagated, or if the value entered is incorrect, a failure message is returned. Confirm that the value entered is correct.

Note The domain verification process may take some time to complete.

Add mailboxes to Email Gateway

You can add mailboxes to Email Gateway.

You can add mailboxes in the following ways:

  1. Automatically using Active Directory Sync. You can choose from the following Active Directory services:
    • AD Sync
    • Azure Sync
  2. Manually using the UI.
  3. Manually using .csv import.

Add users or mailboxes using AD Sync

You can add mailboxes using AD Sync.

Before you can set up synchronization, you need .NET Framework 4.5 or later installed on the computer where you will run the Sophos Central Active Directory Synchronization Utility.

To set up synchronization with Active Directory:

  1. On the Active Directory Sync Status page, click the link to download the Sophos Central Active Directory Synchronization Utility installer, then run it.
  2. In the setup wizard, enter the information required. On the last page, select Launch Sophos Central AD Sync Utility and click Finish.

    Alternatively, go to the Windows Start menu > All Programs > Sophos > Central > AD Sync. If you're running Windows 8 or later, in the Apps list, find the app AD Sync listed under Sophos.

    Follow the instructions in the Sophos Central Active Directory Synchronization Setup assistant.

  3. On the Central Credentials page, enter your Sophos Central account credentials.
  4. On the AD Configuration page, specify your Active Directory LDAP server and credentials for a user account that has read access to the entire Active Directory forest with which you want to synchronize. To stay secure, use an account with the least rights that will give this access.

    We recommend using a secure LDAP connection, encrypted via SSL, and leaving Use LDAP over an SSL connection selected. If your LDAP environment doesn’t support SSL, clear Use LDAP over an SSL connection, and change the port number accordingly. Usually, the port number is 636 for SSL connections and 389 for insecure connections.

  5. If you don’t want to synchronize the entire forest, you can specify which domains to include in the synchronization on the AD Filters page. You can also specify additional search options for each domain, for example search bases and LDAP query filters. You can specify distinct options for users and groups.
    Note AD Sync will only create groups that have members with discovered users, regardless of group filter settings.
    1. Searchbases: You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:
      OU=Finance,DC=myCompany,DC=com
    2. LDAP query filters To filter users, for example, by group membership, you can define a user query filter in this format:

      memberOf=CN=testGroup,DC=myCompany,DC=com

      The above query will limit user discovery to users belonging to “testGroup”. Note that if you don't also specify a group query filter, AD Sync will discover all groups to which these discovered users belong. If you wish group discovery to also be limited to “testGroup”, you could define the following group query filter:

      CN=testGroup

      Note If you include base distinguished names in your search options or change your filter settings, some of the existing Sophos Central users and groups created during previous synchronizations may fall outside the search scope. They may be deleted from Sophos Central.
  6. On the Sync Schedule page, define the times at which the synchronization will be performed automatically.
    Note A background service performs a scheduled synchronization. The AD Sync utility does not need to be running for the scheduled synchronizations to occur.

    If you want to synchronize manually by running the AD Sync utility and don't want the synchronization to run automatically on a regular basis, select Never. Only sync when manually initiated.

  7. To synchronize immediately, click Preview and Sync. Review the changes that will be made during the synchronization. If you are happy with the changes, click Approve Changes and Continue.

    The Active Directory users and groups are imported from the Active Directory to the Sophos Central Admin console.

    1. To stop the synchronization in progress, click Stop.

Add a mailbox manually

Sophos Email allows you to add single mailboxes manually via the user interface.

To add a mailbox manually:

  1. Click Mailboxes.
  2. On the Mailboxes screen, click Add.
  3. Select Add Mailbox.

    There are three types of mailbox:

    • User Email: a mailbox for a person. Example: firstname.lastname@companyname.com.
      Tip For a User Email mailbox you can click on the mailbox name to view the user's details.
    • Distribution List: a mailbox for a group of people. Example: support@companyname.com.
    • Public Folder: a mailbox for collecting information such as surveys or feedback. Example: survey@companyname.com.
  4. Select a mailbox type.
  5. Enter a name for the mailbox.
  6. Enter the SMTP address for the mailbox.
  7. Click Save to create a single mailbox and exit, or Save and Add Another to create additional mailboxes.

Import Mailboxes

Sophos Email allows you to import mailboxes in bulk.

To import mailboxes:

  1. Create your import .csv file using the following format:

    Name

    Email Address

    Type

    Robert Alamar

    robert.alamar@test.com

    User

    Support DL

    support@test.com

    DL

    Vacation Calendar

    vacation@test.com

    PF
  2. Click Add Mailbox and select Import Mailboxes.
  3. Click Browse and navigate to your import file.
  4. Click Add to start the import process.

    Import will run and display results after it completes.

To verify mailbox creation, you can search for new users in the People section or browse the list of mailboxes under the Mailboxes section for Distribution Lists and Public Folders.

Bypass Exchange Online Protection in Office 365

If you are using Sophos Email for your spam filtering and clean email is delivered to Office 365, you need to bypass Exchange Online Protection (EOP) to ensure smooth delivery of your mail.

To bypass Exchange Online Protection:

  1. Log in to the office portal.
  2. Under Admin Centers, choose Exchange.
  3. Under Mailflow, select Rules.
  4. Click the + to add a new rule and choose Bypass Spam Filtering from the menu.
  5. Set the following values:
    OptionDescription

    Name

    Sophos Central EOP Bypass

    Apply this rule if

    Apply to all messages

    Do the following

    Set the spam confidence level (SCL) to...

    Audit this rule with severity level

    Low

    Choose a mode for this rule

    Enforce
  6. Click Save to add the rule.

Restrict delivery to Sophos IP addresses

You can configure the connection to your mail host to be restricted to our delivery IPs.

Restricting delivery IPs adds additional security to the integration between Sophos Email and your mail host.

Note Before you proceed, we strongly recommend testing mail flow and domain configuration in a non-production or test environment, before making any changes to your company's mail flow.

The specific delivery IP you need to use depends on the region where your Sophos Central account is hosted. When your Sophos Central account was created, you would have chosen to store your data in the United States, Germany, or Ireland.

Warning You must also add the Sophos IPs to the IP allow list for your mail server. If you don't, your users won't receive their emails.

Region

IPs

US (West)

52.41.236.76

50.112.39.248

US (East)

18.220.12.142

18.216.7.10

Germany

52.58.166.242

52.29.100.147

Ireland

52.208.126.243

52.31.106.198
Note Using an IP other than the one specified for your region will prevent mail from flowing correctly.

Configure a Secure Connector between Office 365 and Sophos Email

You need to configure a secure connector to Sophos Email.

To configure the secure connector:

  1. Log in to your Office 365 Admin Portal.
  2. Click Exchange then go to Exchange Admin Center.
  3. Click mail flow then click connectors.
  4. Click the + to add a new connector.
  5. Select Partner Organization in the From field.
  6. Select Office 365 in the To field.
  7. Click Next.
  8. Enter a name for the connector. Sophos Email Connector is recommended.
  9. Enter a description (optional).
  10. If you want to turn the connector on immediately after saving, leave the box labeled, Turn it on checked. Otherwise, uncheck the box to turn it on later.
  11. Click Next.
  12. Select Use the sender's domain.
  13. Click the + to add a sender domain.
  14. Enter * to apply the settings to all sender domains.
  15. Click Next.
  16. Select Reject email messages if they aren't sent over TLS and Reject email messages if they aren’t sent from within this IP address range.
  17. Click the + to add sender IP addresses.
  18. Enter the Sophos Email Delivery IP address for your region here.

    To find out which IP address to use, see Restrict delivery to Sophos IP addresses.

  19. Click Next.
  20. Verify the new connector settings and click Save.
When you configure a connector this way, only mail coming from Sophos Central IPs will be accepted by Office 365.

Modify MX records to point to Sophos Email

Modifying your domain's MX records to point to Sophos Email is crucial to the successful deployment of the solution and ensures all email is filtered and delivered.

If you can't make these changes yourself, contact your IT department, hosting provider, ISP or Domain Name Service provider and arrange for the MX records for your domain(s) to be modified.

When you created your Sophos Central account, you selected a region in which you wanted to store your data. Your MX records are dependent on this region.

Modify your MX records to include the record names associated to the region that you chose to store your data in.

Region

MX Records

United States (West)

10, mx-01-us-west-2.prod.hydra.sophos.com

20, mx-02-us-west-2.prod.hydra.sophos.com

United States (East)

10, mx-01-us-east-2.prod.hydra.sophos.com

20, mx-02-us-east-2.prod.hydra.sophos.com

Germany

10, mx-01-eu-central-1.prod.hydra.sophos.com

20, mx-02-eu-central-1.prod.hydra.sophos.com

Ireland

10, mx-01-eu-west-1.prod.hydra.sophos.com

20, mx-02-eu-west-1.prod.hydra.sophos.com

Notes

Please take care with all options to ensure that the spelling and numbers are correct.

Using MX record names other than those provided will prevent mail from flowing properly.

It is always recommended when changing DNS entries like MX records to lower the TTL (to 600 ms or less) on the records well in advance of updating the entries. This will allow the change to propagate in minimum time and provides a quick way to revert the change should there be any issues encountered during testing.

Test and confirm mail flow

Once you have updated your MX records, send a test message to any of your mailboxes protected by Sophos Email. For a true test, you should send your test message from an address outside of your email domain.

To confirm that the message flowed through Sophos Email, you can view the Message History Report.

To access the report:

  1. In Sophos Central, click Logs and Reports.
  2. Click Message History.

    If messages are flowing through the system, you will see entries in this report.

If mail is not flowing, meaning you are not receiving email to your test inbox, take the following steps:

  1. Verify that your MX records are correct for your region.
  2. Verify that you set up the Sophos Delivery IPs correctly in your gateway, firewall or connector.
  3. Verify that the mailbox that you are sending to exists in Sophos Email.

If you have taken all these steps and mail is still not flowing for your domain, you should contact Sophos Email Support.