cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Hybrid centralized email flow bypass issue

Mirel Popa
Copper Contributor

‎Apr 18 2018 09:45 AM

‎Apr 18 2018 09:45 AM

Exchange Hybrid centralized email flow bypass issue

We have deployed the Exchange hybrid scenario where all emails received from Internet get filtered through an on-premises Spam appliance.  MX records are pointing to on-premises Spam appliance so the email flow is as follows: Email from Internet -> on-premises Spam Appliance -> on-premises Exchange Server - > on-premises  Hybrid Server -> Exchange Online mailbox.  Exchange Online has an Inbound connector to verify incoming emails from Exchange Hybrid by checking the SSL certificate.

 

All runs well as long as the sender uses the MX records to send through on-premises Spam appliance, but how about the scenario where the sender (let's call him/her "Spammer") connects directly to EOP service port 25 and starts sending messages to Exchange Online users?

 

It looks like EOP is "happy" to accept those messages from Internet and sends them to on-premises Exchange Hybrid server that just relays them back to Exchange Online. The new email flow is Email from Internet -> Exchange Online EOP-> on-premises  Hybrid Server -> Exchange Online mailbox.

 

The question is how to block EOP from accepting these messages in the first place? As far as I can see in Exchange Online, we can't define an "Internet" connector.

 

Also, what is the point of doing a SSL cert check on Hybrid connector if EOP is relaying Internet messages through Exchange Hybrid therefore with no security or validation. 

 

Scenario described can be easily validated by doing a telnet to a EOP server (e.g. mail-to1can010042.inbound.protection.outlook.com ) on port 25 and sending a message manually.

5,180 Views
0 Likes
9 Replies
Reply
9 Replies
Vasil Michev

‎Apr 18 2018 10:46 AM

‎Apr 18 2018 10:46 AM

Re: Exchange Hybrid centralized email flow bypass issue

So point the connector to your Spam appliance? Or am I missing something here?

0 Likes
Reply
Mitch King

‎Apr 23 2018 03:13 AM

‎Apr 23 2018 03:13 AM

Re: Exchange Hybrid centralized email flow bypass issue

The inbound connector should be locked down depending on what you entered into the hybrid wizard, can you post the output of get-inboundconnector | fl

0 Likes
Reply
Mirel Popa

‎Apr 23 2018 04:22 AM

‎Apr 23 2018 04:22 AM

Re: Exchange Hybrid centralized email flow bypass issue

Please see command output. Note that I have a domain set under "TlsSenderCertificateName" but I now see that "RestrictDomainstoCertificate" is set to "False", is this the option to change to only accept emails from Hybrid Exchange?

Preview file
175 KB
0 Likes
Reply
Mirel Popa

‎Apr 23 2018 04:30 AM

‎Apr 23 2018 04:30 AM

Re: Exchange Hybrid centralized email flow bypass issue

We still have users on-premises so we do not want to do Spam scanning for Internal emails between Office365 users and Exchange on-premises users. 

0 Likes
Reply
Mitch King

‎Apr 23 2018 04:50 AM

‎Apr 23 2018 04:50 AM

Re: Exchange Hybrid centralized email flow bypass issue

I believe this needs to be set to true else this is just accepting any email as long as its TLS, you will need to test as much as possible because im not sure how this will handle the wildcard. See the value settings below.

 

https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/new-inboundconnector?view=exch...

0 Likes
Reply
Mitch King

‎Apr 25 2018 03:01 AM

‎Apr 25 2018 03:01 AM

Re: Exchange Hybrid centralized email flow bypass issue

Did this resolve your issue?

0 Likes
Reply
Mirel Popa

‎Apr 25 2018 06:04 AM

‎Apr 25 2018 06:04 AM

Re: Exchange Hybrid centralized email flow bypass issue

I did not get a chance to test the change but please take a look at this link that provides a different solution for exactly the same scenario https://o365info.com/configure-exchange-online-inbound-mail-flow-to-accept-smtp-connection-only-from...

 

0 Likes
Reply
Mitch King

‎Apr 26 2018 01:40 AM

‎Apr 26 2018 01:40 AM

Re: Exchange Hybrid centralized email flow bypass issue

Ok but remember connectors are cumulative, all you are doing here is adding additional ways to receive and not restricting anything as per your original question.

You need to do something with the original connector that is accepting internet mail.

0 Likes
Reply
Robert Roberts

‎Jun 25 2018 06:19 AM

‎Jun 25 2018 06:19 AM

Re: Exchange Hybrid centralized email flow bypass issue

We created a transport rule which intercepted messages with "onmicrosoft.com" in the "to" header and rejected them with the status code 5.7.1 except if the sender IP address belonged to our on-premises SMTP gateways or if the sender was in our organization's smtp domain. This stops unknown senders sending in 'directly' to our EOL mailboxes.

0 Likes
Reply