Forum Discussion

Mirel Popa
Copper Contributor
Apr 18, 2018

Exchange Hybrid centralized email flow bypass issue

We have deployed the Exchange hybrid scenario where all emails received from the Internet get filtered through an on-premises spam appliance. MX records are pointing to the on-premises spam appliance, so the email flow is as follows: Email from Internet -> on-premises Spam Appliance -> on-premises Exchange Server -> on-premises Hybrid Server -> Exchange Online mailbox. Exchange Online has an Inbound connector to verify incoming emails from Exchange Hybrid by checking the SSL certificate.


All runs well as long as the sender uses the MX records to send through on-premises Spam appliance, but how about the scenario where the sender (let's call him/her "Spammer") connects directly to EOP service port 25 and starts sending messages to Exchange Online users?


It looks like EOP is "happy" to accept those messages from the Internet and sends them to the on-premises Exchange Hybrid server, which just relays them back to Exchange Online. The new email flow is Email from Internet -> Exchange Online EOP -> on-premises Hybrid Server -> Exchange Online mailbox.


The question is: how do we block EOP from accepting these messages in the first place? As far as I can see in Exchange Online, we can't define an "Internet" connector.


Also, what is the point of doing an SSL cert check on the Hybrid connector if EOP is relaying Internet messages through Exchange Hybrid, therefore with no security or validation?


The scenario described can be easily validated by doing a telnet to an EOP server (e.g. mail-to1can010042.inbound.protection.outlook.com) on port 25 and sending a message manually.

  • Robert Roberts
    Copper Contributor

    We created a transport rule which intercepted messages with "onmicrosoft.com" in the "To" header and rejected them with the status code 5.7.1, except if the sender IP address belonged to our on-premises SMTP gateways or if the sender was in our organization's SMTP domain. This stops unknown senders from sending 'directly' to our EOL mailboxes.
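The rule Robert describes, written out as an Exchange Online PowerShell example. This is an added illustration, not the rule from his tenant: the gateway IP addresses, the accepted domain and the rule name are assumed placeholder values, and the session must already be connected with Connect-ExchangeOnline.

```powershell
# Added example (not the poster's actual rule): reject mail addressed to the tenant's
# onmicrosoft.com addresses unless it came from the on-premises SMTP gateways or from
# the organization's own SMTP domain.
# Assumed values (replace with your own): gateway IPs, accepted domain, rule name.
$GatewayIPs = @('203.0.113.10', '203.0.113.11')   # constructed example addresses
$OrgDomain  = 'contoso.com'                        # assumed accepted domain
$RuleName   = 'Block direct EOP delivery that bypasses the on-premises gateway'

# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
New-TransportRule -Name $RuleName `
    -HeaderContainsMessageHeader 'To' `
    -HeaderContainsWords 'onmicrosoft.com' `
    -ExceptIfSenderIpRanges $GatewayIPs `
    -ExceptIfSenderDomainIs $OrgDomain `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Direct delivery to Exchange Online is not permitted; send via the MX host.' `
    -Mode Enforce `
    -Comments 'Centralized mail flow: all Internet mail must enter through the on-premises gateway.'

# Review the conditions, exceptions and action before relying on the rule.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords,
                ExceptIfSenderIpRanges, ExceptIfSenderDomainIs, RejectMessageEnhancedStatusCode
```

The IP exception must list the hosts that actually open the SMTP connection to EOP, because that is the address the rule evaluates; in the topology from the original post that is the hybrid server, not the spam appliance in front of it. A message that a spammer hands to EOP directly arrives from the spammer's address and is rejected on that first pass, so it never reaches the hybrid relay.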

  • Mitch King
    Iron Contributor

    The inbound connector should be locked down depending on what you entered into the hybrid wizard. Can you post the output of get-inboundconnector | fl?
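The properties Mitch is asking about, gathered into one review function. This is an added example and not code from the thread; it assumes an Exchange Online PowerShell session and reads only the standard Get-InboundConnector properties.

```powershell
# Added example (not from the thread): summarise the settings on the on-premises
# inbound connector(s) that control how EOP authenticates mail from the hybrid servers.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
function Get-HybridInboundConnectorReview {
    Get-InboundConnector |
        Where-Object { $_.ConnectorType -eq 'OnPremises' } |
        ForEach-Object {
            [pscustomobject]@{
                Name                         = $_.Name
                Enabled                      = $_.Enabled
                RequireTls                   = $_.RequireTls
                RestrictDomainsToCertificate = $_.RestrictDomainsToCertificate
                TlsSenderCertificateName     = $_.TlsSenderCertificateName
                RestrictDomainsToIPAddresses = $_.RestrictDomainsToIPAddresses
                SenderIPAddresses            = ($_.SenderIPAddresses -join ', ')
                SenderDomains                = ($_.SenderDomains -join ', ')
                # True when on-premises mail is only accepted over TLS and is tied to
                # either the hybrid certificate subject or an explicit IP list.
                LockedDown = [bool]$_.RequireTls -and
                             ([bool]$_.RestrictDomainsToCertificate -or [bool]$_.RestrictDomainsToIPAddresses)
            }
        }
}

Get-HybridInboundConnectorReview | Format-List
```

A connector that reports LockedDown = True only decides which messages EOP attributes to the on-premises organization; as the original post observes, EOP still accepts Internet mail for the tenant's accepted domains without any connector. The transport-rule approach earlier in the thread is what addresses that direct-delivery path.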

    • Mirel Popa
      Copper Contributor

      We still have users on-premises, so we do not want to do spam scanning for internal emails between Office 365 users and Exchange on-premises users.
