Sophos Email Appliance Policy Message Workflow
Each email that the appliance receives from external mail relays (1) is processed to determine how it will be handled. Messages are processed in the following order:
(2) Perimeter Protection: Denial of Service (DoS) and Directory Harvest Attack (DHA) protection and rate control occur at the Mail Transfer Agent (MTA) layer. You can configure this in Filtering options.
Recipient verification is also performed at the MTA level. This is done either by synchronizing a list of valid recipients from a Directory Server, or verifying recipient addresses at the relevant downstream mail server. A message sent to an invalid recipient will be rejected during the SMTP connection, so that the message is never accepted or stored on the Sophos Email Appliance.
(3) Sender Genotype: Sender Genotype filtering uses data from SophosLabs to block email from known bad senders. When enabled, this improves overall performance by reducing the number of spam messages processed. Sophos Sender Genotype filtering is responsible for blocking and rejecting anywhere from 70-85% of unwanted email before it even reaches the Sophos Spam Engine.
(4) Threat Protection: The Threat Protection feature tests both the content and the reputation of a message. If a virus, an encrypted attachment, an unscannable attachment, or a SophosLabs suspected attachment is found, the message is discarded or quarantined by default. Threat Protection also performs DMARC, SPF and DKIM checks to validate the authenticity of a message, as well as Sandstorm analysis and Time-of-Click scanning.
(5) Data Control: Next, messages are checked against your Data Control policies to prevent data leakage.
- Mail sent to or received from specific users or groups.
- Offensive language.
- Specific keywords.
- Specific attachments or file types.
- Specific hostnames or IP addresses.
- Add banners to messages.
- Enforce appropriate use policies.
Messages are processed in the following order:
- Allowed hosts/senders (Global)
- Blocked hosts/senders (Global)
- Allowed senders (per-user)
- Blocked senders (per-user)
This ensures that Global settings always take precedence over end-user settings.
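The precedence described above, as an added example that is not part of the Sophos documentation: a first-match evaluator over the four lists in the documented order, so a globally blocked sender stays blocked even if an end user has allowed it. The list shapes, the `*@domain` sender pattern and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    relay_host: str   # IP of the connecting relay (constructed sample values below)
    sender: str       # envelope sender address
    recipient: str    # envelope recipient, i.e. the end user whose per-user lists apply

@dataclass
class Lists:
    # Assumed layout: global lists hold relay hosts and sender patterns,
    # per-user lists hold sender patterns keyed by recipient address.
    global_allowed_hosts: set = field(default_factory=set)
    global_allowed_senders: set = field(default_factory=set)
    global_blocked_hosts: set = field(default_factory=set)
    global_blocked_senders: set = field(default_factory=set)
    user_allowed: dict = field(default_factory=dict)
    user_blocked: dict = field(default_factory=dict)

def sender_matches(sender, patterns):
    """Exact address match, or an assumed '*@domain' pattern matching the sender's domain."""
    s = sender.lower()
    domain = s.rsplit("@", 1)[-1]
    return any(p.lower() in (s, f"*@{domain}") for p in patterns)

def evaluate(msg, lists):
    """Return (decision, reason). Stages run in the documented order and the first
    matching list decides, which is why global entries always win over per-user ones."""
    if msg.relay_host in lists.global_allowed_hosts or sender_matches(msg.sender, lists.global_allowed_senders):
        return "allow", "global allow list"
    if msg.relay_host in lists.global_blocked_hosts or sender_matches(msg.sender, lists.global_blocked_senders):
        return "block", "global block list"
    user = msg.recipient.lower()
    if sender_matches(msg.sender, lists.user_allowed.get(user, set())):
        return "allow", "per-user allow list"
    if sender_matches(msg.sender, lists.user_blocked.get(user, set())):
        return "block", "per-user block list"
    return "continue", "no list match; continue to Anti-Spam Policy"

# Constructed sample configuration: alice has tried to allow a globally blocked
# sender and to block a globally allowed domain; neither per-user entry can win.
LISTS = Lists(
    global_allowed_senders={"*@partner.example"},
    global_blocked_hosts={"203.0.113.9"},
    global_blocked_senders={"spammer@bad.example"},
    user_allowed={"alice@corp.example": {"spammer@bad.example"},
                  "bob@corp.example": {"friend@other.example"}},
    user_blocked={"alice@corp.example": {"news@partner.example"}},
)
```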
(8) Anti-Spam Policy: Finally, a cumulative spam score is assigned to each scanned message based on the results of the anti-spam tests. This score expresses the relative likelihood that a message is spam and classifies messages in one of three ways: not spam, medium probability of being spam, or high probability of being spam.
Within each Policy section, individual rules are processed in the order in which they are listed. Depending on how each policy rule is configured, a message may be placed in the quarantine (9), delivered to the appropriate recipient(s), or it may be discarded.