Forum Widgets
Latest Discussions
Security Considerations for SMTP Add-on Service Receiving Emails from Exchange Online
Hello everyone, I'm developing an email processing service for Microsoft 365 / Exchange Online customers. This service acts as an SMTP endpoint that receives all outbound emails from our customers' Exchange Online tenants via Outbound Connectors, processes them, and then relays the messages back to Exchange Online for final delivery. I found the Scenario: Integrate Exchange Online with an email add-on service page with suggestions. We're currently evaluating security risks and would like to clarify how much trust can be placed in messages coming from Exchange Online. Scenario Summary Our customers configure an Exchange Online Outbound Connector to route outbound emails to our service. We process these emails and then reinject them to Exchange Online, possibly via a smart host or authenticated SMTP relay. All emails received by our service originate from Exchange Online IP ranges, and our SMTP service is restricted to accept connections only from those IPs. Questions Can messages from Exchange Online IPs be spoofed? Given that all customers share Exchange Online's IP ranges, can an attacker: Forge the MAIL FROM envelope address? Spoof the From: header field? Impersonate another customer (tenant) using the shared infrastructure? What level of trust can we place in the envelope sender (MAIL FROM) and header From address? What security signals or headers should we rely on? Are there Exchange Online-specific SMTP headers or identifiers we can use to validate the authenticity and origin of the message? For example: Is the tenant ID or authenticated user available in the headers? Can we reliably identify the sending customer? What authentication or validation mechanisms are recommended? What are Microsoft's best practices for: Validating tenant identity for messages received via connector? Preventing cross-tenant spoofing, especially when IPs are shared? Verifying message integrity (e.g., should we re-verify DKIM, SPF?) Any other Microsoft-recommended protections? Thanks in advance to anyone from the Microsoft team or the community who can provide insights or suggestions!
Both The Owner & I Have Requested Assistance Regarding A Domain Transfer But Have Had No Updates.
Both the owner & I have requested assistance in regards to a domain transfer. There is a phantom account holding our already verified domain.... We have lost a full month of service for over 150 users due to the errors on Microsoft's side. Please answer one of our cases so that we can finish up the migration. We were not anticipating such a difficult experience. One of the cases is registered to the associated email. Thanks. Microsoft 365 Migrations Microsoft Entra
Arbitration Mailboxes not available
I have an environment with an Exchange 2013 (15.00.1497.048) and an Exchange 2019 CU14 server installed. The new 2019 server appears to be fully operational with the exception of the system mailboxes, which means I cannot migrate the mailboxes off the 2013 server. What I have tried to resolve this issue: Re-run /PrepareAD - This did create the AD accounts; however, the system mailboxes were not created and when attempting to enable them getting the following error: "The user's Active Directory account must be logon-disabled for linked, shared, or resource mailbox." Checked for disabled or soft-deleted mailboxes - none that match the GUIDs for the system mailboxes Deleted the system accounts from Active Directory and re-ran /PrepareAD. It ran successfully and created the AD accounts; however, still getting the same error when attempting to enable the mailboxes. Looking for any insight into how to resolve this issue.
Fully Migrating Exchange Server 2019 to O365
We currently have a Hybrid Exchange environment with Exchange Server 2019 on-premises and Office 365 (Exchange Online). All user mailboxes have already been migrated to Exchange Online, but we are still using the on-prem Exchange 2019 server for SMTP relay services. We are now planning to fully transition to Office 365 and decommission the on-prem Exchange server. Could someone please provide a detailed list of steps, considerations, and any dependencies we should be aware of to complete this migration successfully?Blotched Exchange 2019 CU15 64 update.
Dear Microsoft The current update to Exchange 2019 CU15 64 installs .Net ver 4.0.0.0 32 bit as 64 bit. This broke most of the .Net programs on my Server. All .Net programs now run in 32 bit *x86) mode INCLUDING all the Exchange services !!!! Several other programs like Malware byte Firewall helper failed instantly running in x86 modes. See screenshots below. You need to withdraw the CU 15 update immediately. Provide a fix to sort this mess or instruct admins to restore backups. Regards JohanHow to Delete a Composing Email Attachment via Outlook Add-in?
Context: Server: Exchange Server 2019 on premise Client: OWA Category: Outlook Add-in Office JS API Set: Supported up to 1.5 only Problem Details: Delete an attachment added manually or through EWS API to an email item. Limitations: 1. Limitation of makeEWSRequestAsync() Office JS method: The makeEWSRequestAsync method in Office.js does not support the DeleteAttachment SOAP operation, which is required from outlook add in. -> Attempted Workaround - Using fetch with EWS SOAP Request: I tried invoking the DeleteAttachment operation via a fetch call to the EWS endpoint. However, EWS response states "requested web method is not allowed for this application". 2. OWA Limitation: As OWA in this environment only supports Office.js up to version 1.5, the modern attachment Office JS APIs and Graph APIs are not an option. Question: In an Exchange On-Premises scenario, how can I programmatically delete attachments via my add-in? Specifically, is there a recommended approach to obtain a valid token for EWS requests, or any supported alternative to perform DeleteAttachment? Any way to convert EWS attachment ID to Office JS attachment UUID? Additional Notes: I am aware that Exchange Online supports more modern APIs (Graph/REST), but my current deployment is strictly Exchange On-Premises. The add-in works well for reading attachments and other operations, except for deletion. Any guidance or recommendations would be highly appreciated! Thank you in advance.High Volume Email accounts and sign-in logs
When looking at the Entra ID sign-in logs for a High Volume Email account I noticed that it seems that after the first succesful login from a certain public IP subsequent logins are no longer logged that day (or at least a number of hours after). This makes it cumbersome to test how Conditional Access affect the login via the sign-in logs. Has anyone else experienced this?I'm receiving emails not addressed to me
Its been 2 months now since i noticed this and raised it with Microsoft support. I'm an office 365 admin and i noticed that some of us that belong to a certain group receive emails that weren't addressed to us. We're not in the TO, CC or BCC field. I've run several traces and sent to support but still no luck. I've collected sample emails from the senders mailbox for investigation. I've checked the rules on the admin center but nothing is configured to forward emails to any group account. Like i said its 2 months of back and forth, phone calls, remote sessions, email exchange and I'm frustrated. so far I've had to deal with 4 separate support agents. Has anyone experienced this? If not, is there a way to escalate to a senior support person who might be an subject matter expert? Thank youSPAM + Quarantine
Hi all, need help with Quarantined emails. Issue: sender "A" forwards emails to recipient "B". B never receives these emails because they end up in Quarantine marked as PHISH. Sender "A" email address & domain are both white-listed. Recipient B has no rules in the mailbox that would block these messages. Message trace has "Quarantine: no additional info provided". In "Message Analyzer" I've found AntiSPAM-Report - SFV:SPM which means "The message was marked as spam by the content filter." I can't find the responsible "filter" that is causing this issue. I've tried to search by "domain" in rules, but nothing comes up. Any ideas?
