Sep 27 2016 03:36 AM
Hello,
I'm looking for some help. I'm facing the customer's security department. We plan to configure hybrid configuration in our current Exchange 2010 deployment to ensure a smooth migration to Office 365. Everything is pretty clear except for one thing. That is the inbound mail flow from EO to on-prem.
We've set up hybrid using the HCW. After that I was forced to demonstrate to the security department how the whole solution is secured from the outside. Please keep in mind that the EO is still considered outside. Now I get the point. There is a standard receive connector set up by the HCW which handles the inbound mail flow. I was asked how the connector is secured from receiving emails from the other tenants. Inbound emails except the hybrid have to be handled on the Cisco IronPort boxes. So the question is, how to ensure that the inbound emails can be sent only from a specific tenant or domain.
Thanks for any tips!
D.
Sep 27 2016 04:00 AM
Not sure what you mean here, the outbound connector will be used to redirect *any* messages received for mailboxes still hosted on-prem. This includes both internal mail, sent from O365 mailboxes in the same tenant, and external mail, sent from other O365 tenants or internet users.
Where is your MX pointing at?
Sep 27 2016 04:26 AM
I'm talking about the red line which shows the SMTP between EO and on-prem. Basically, we need to set up the receive connector on the Edge servers to not accept emails from any other tenant except ours. Is that clear?
Sep 27 2016 05:15 AM
If your MX is pointing to on-prem, internet senders and O365 users outside of your tenant will not be hitting the connector. Generally speaking, you can restrict the connector to only a specific domain, or even scope it based on a transport rule (for example with the "sender is internal" condition), but it should not be needed in your scenario.
Sep 27 2016 06:02 AM
I wish I could agree with you :) We've set up a custom outbound connector in another tenant which points to the Edge server. In this case emails are delivered. Is it possible to filter inbound messages only from a specific domain?
Sep 27 2016 10:45 AM
Sep 30 2016 02:25 AM
Thanks for the replies, but that's not what I'm trying to achieve. It's about the sender's domain, not the recipient's. I've had to use Exchange Edge as an SMTP gateway in the perimeter network, because putting a non-Exchange SMTP server between Exchange on-premises and Exchange Online is not supported. It's against the company policy to allow the Ex Edge in the perimeter to accept from "non-authorized" organizations, which is only the company's tenant and not the others. If I create a custom Outbound connector in another tenant and point it to the Edge server then emails are received :( I found a header X-MS-Exchange-CrossTenant-id which could help. Do you know anything about this?
Thanks in advance.
D.
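The following is an added example, not code from any poster in this thread. It shows one way to act on the X-MS-Exchange-CrossTenant-id header mentioned above from the Exchange Management Shell on an Exchange 2010 Edge Transport server: inspect the receive connector the HCW created, then add an Edge transport rule that rejects any message carrying the header with a value other than your own tenant id. It assumes that the header value is the sending tenant's directory (tenant) GUID; the tenant id, rule name and comments are placeholders. The check relies on the connector being reachable only from Exchange Online Protection (its RemoteIPRanges) and on internet mail going through the IronPort boxes, because the header is plain text and any sender that can reach the connector directly could write it.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2010 Edge Transport server that hosts the HCW receive connector.
# Values in angle brackets are placeholders; replace them with your own.

# 1. Inspect the connector the HCW created: the remote IP ranges it accepts from
#    and the TLS certificate name it trusts. Every Office 365 tenant sends from the
#    same EOP IP ranges with the same certificate, so these settings alone do not
#    distinguish your tenant from any other tenant.
Get-ReceiveConnector |
    Format-List Name, Bindings, RemoteIPRanges, TlsDomainCapabilities, PermissionGroups, AuthMechanism

# 2. Your own tenant id. Assumption: the X-MS-Exchange-CrossTenant-Id header that EOP
#    stamps on mail leaving a tenant carries that tenant's GUID. Placeholder value.
$OurTenantId = "<your-tenant-guid>"

# 3. Edge transport rule (hypothetical name): a message that carries the cross-tenant
#    header with any value is rejected, unless the value contains our tenant id.
#    Messages without the header are untouched, so the rule only scopes EOP traffic.
New-TransportRule -Name "Reject mail from other Office 365 tenants" `
    -Comments "Hybrid inbound: only our own tenant may relay through this Edge server" `
    -HeaderMatchesMessageHeader "X-MS-Exchange-CrossTenant-Id" `
    -HeaderMatchesPatterns "." `
    -ExceptIfHeaderContainsMessageHeader "X-MS-Exchange-CrossTenant-Id" `
    -ExceptIfHeaderContainsWords $OurTenantId `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Relay from this tenant is not permitted" `
    -Enabled $true

# 4. Verify the rule, then send a test message from your own tenant and one from a
#    foreign tenant and review the Edge message tracking log for the last hour.
Get-TransportRule "Reject mail from other Office 365 tenants" |
    Format-List Name, State, Conditions, Exceptions, Actions

Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -ResultSize 100 |
    Select-Object Timestamp, EventId, Source, Sender, Recipients, RecipientStatus |
    Format-Table -AutoSize
```

Header names are matched case-insensitively, so the spelling X-MS-Exchange-CrossTenant-id used in the thread and X-MS-Exchange-CrossTenant-Id refer to the same header. Because the rule runs on the Edge server itself, it does not need Edge synchronization and takes effect as soon as the transport service picks it up.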
Oct 07 2016 12:58 PM