This article walks through creating a connector and rules in Office 365 (O365) that will ensure all external mail is filtered and allowed by Email Threat Protection (ETP). If you subscribe to O365 services with Zix, you can request this setup by contacting our Support Team. This setup requires that the domain's MX records are pointed to ETP. If the domain's MX records are pointed away from ETP in the future, the rules in O365 must be disabled or a mail loop will occur.
To limit inbound mail:
- Navigate to https://portal.office.com then log in with Global Admin credentials.
- Open https://outlook.office365.com/ecp in a new tab and then select Mail Flow > Connectors.
- Select the + symbol to create a new connector. In the New Connector window set the From: drop-down to Office 365 and the To: drop-down to Partner Organization then select Next.
- Enter the Name and Description as listed below then check the Turn it on check box. Select Next.
- Name: Limit Inbound Mail to ETP
- Description: This connector redirects external email to the MX record if the message was not delivered by ETP. This will ensure that all messages are filtered by ETP as long as the domain's MX record points to ETP.
- Select Only when I have a transport rule set up that redirects messages to this connector and then select Next.
- Select the button for Use the MX record associated with the partner's domain and then select Next.
- Select both Always use Transport Layer Security (TLS) and Issued by a trusted certificate authority (CA) and then select Next.
- Verify your settings and then select Next.
- On the "Validate this connector" page select the + symbol.
- Enter an external email address in the add email window and then select OK.
- Select Validate.
- Select Close on the Validation Result pop up.
- Select Save to save the Limit Inbound Mail to ETP connector. If you receive an additional prompt stating the connector was not validated select Yes.
- Select Mail Flow > Rules in the Exchange Admin Center.
- Select the + symbol then select Create a new rule.
- Select More options... to show all rule options then enter "Limit Inbound Mail to ETP" as the name of the rule.
- Under "Apply this rule if..." select The Sender > Is External/Internal > Outside the Organization then select OK.
- Under "Do the following..." select Redirect the Message To > The Following Connector > Limit Inbound Mail to ETP connector then select OK.
- Under "Except if..." select Add Exception then select The sender... > IP Address is in any of these ranges or exactly matches. Add the following IP ranges then select the + symbol after each one. Once all IP ranges are listed, select OK.
- IP address ranges: (You must click the plus sign after each entry)
- 5.152.184.128/25
- 5.152.185.128/26
- 8.19.118.0/24
- 8.31.233.0/24
- 69.20.58.224/28
- 5.152.188.0/24
- 199.187.164.0/24
- 199.187.165.0/24
- 199.187.166.0/24
- 199.187.167.0/24
- 69.25.26.128/26
- 204.232.250.0/24
- At the bottom of the new rule window add the comment listed below. Reference the remaining settings in the screenshot as well to make sure your rule is set up correctly. Once all settings are confirmed select Save.
- Comments: This rule will redirect external email to the domain's MX record if the message was not delivered by ETP. This rule should only be active for ETP customers and it must be disabled if ETP is no longer being used.
- Next you need to create another rule that will allow mail from ETP to bypass O365 filtering. Select the + sign on the rules page in the EAC then choose Bypass Spam Filtering from the drop down menu.
- Enter the data listed below in the new rule fields then select Save.
- Name: Allow Inbound Mail from AES
- Apply this rule if: The sender... > IP address is in any of these ranges or exactly matches
- Specify IP address ranges: (You must click the plus sign after each entry)
- 5.152.184.128/25
- 5.152.185.128/26
- 8.19.118.0/24
- 8.31.233.0/24
- 69.20.58.224/28
- 5.152.188.0/24
- 199.187.164.0/24
- 199.187.165.0/24
- 199.187.166.0/24
- 199.187.167.0/24
- 69.25.26.128/26
- 204.232.250.0/24
- Do the following: Should already be set to "Set the spam confidence level (SCL) to..." > Bypass spam filtering (If the value isn't already set for some reason select Modify the message properties > set the spam confidence level (SCL) > select Bypass Spam Filtering > click OK)
- Choose a mode for this rule: Enforce
- Comments: This rule must remain in place to allow AES traffic to bypass Office 365 filtering.
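The same connector and two rules can be created from Exchange Online PowerShell, which also makes it easy to confirm that both rules carry the same IP ranges. This is an added example, not part of the original article or Zix's own tooling; it assumes the ExchangeOnlineManagement module is installed and that you sign in with an account allowed to manage mail flow.

```powershell
# Added example: scripted equivalent of the EAC steps in this article.
Connect-ExchangeOnline

# ETP source ranges, copied from the lists in this article.
$EtpRanges = @(
    '5.152.184.128/25', '5.152.185.128/26', '8.19.118.0/24',    '8.31.233.0/24',
    '69.20.58.224/28',  '5.152.188.0/24',   '199.187.164.0/24', '199.187.165.0/24',
    '199.187.166.0/24', '199.187.167.0/24', '69.25.26.128/26',  '204.232.250.0/24'
)
$Connector = 'Limit Inbound Mail to ETP'
$LimitRule = 'Limit Inbound Mail to ETP'
$AllowRule = 'Allow Inbound Mail from AES'

# Connector: Office 365 -> Partner, used only when a transport rule redirects to it,
# routed by MX record, TLS required with a certificate issued by a trusted CA.
New-OutboundConnector -Name $Connector `
    -Comment 'Redirects external email to the MX record if the message was not delivered by ETP.' `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Rule 1: external senders are redirected to the connector unless the
# connecting IP is inside one of the ETP ranges.
New-TransportRule -Name $LimitRule `
    -FromScope NotInOrganization `
    -RouteMessageOutboundConnector $Connector `
    -ExceptIfSenderIpRanges $EtpRanges `
    -Comments 'Must be disabled if ETP is no longer being used.'

# Rule 2: mail arriving from the ETP ranges bypasses Office 365 spam filtering (SCL -1).
New-TransportRule -Name $AllowRule `
    -SenderIpRanges $EtpRanges `
    -SetSCL -1 `
    -Mode Enforce `
    -Comments 'Must remain in place to allow AES traffic to bypass Office 365 filtering.'

# Check: both rules must list identical ranges. Any output here is drift between them.
$limit = Get-TransportRule -Identity $LimitRule
$allow = Get-TransportRule -Identity $AllowRule
Compare-Object -ReferenceObject $limit.ExceptIfSenderIpRanges -DifferenceObject $allow.SenderIpRanges

# Rollback, to run BEFORE the domain's MX records are pointed away from ETP
# (otherwise the redirect rule causes a mail loop):
# Disable-TransportRule -Identity $LimitRule -Confirm:$false
```

An empty result from `Compare-Object` means the exception list and the bypass list match.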
This setup will ensure all external mail is filtered and allowed by ETP. This setup requires that the domain's MX records are pointed to ETP. If the domain's MX records are pointed away from ETP in the future, the Limit Inbound Mail to ETP rule must be disabled or a mail loop will occur.
Carlos Rios