Securing mailflow in the hybrid configuration

Dušan Řezníček
Occasional Contributor

Hello,

I'm looking for some help. I'm facing the customer's security department. We plan to configure hybrid configuration in our current Exchange 2010 deployment to ensure a smooth migration to Office 365. Everything is pretty clear except for one thing. That is the inbound mail flow from EO to on-prem.

We've set up hybrid using the HCW. After that I was forced to demonstrate to the security department how the whole solution is secured from the outside. Please keep in mind that the EO is still considered as outside. Now I get the point. There is a standard receive connector set up by the HCW which handles the inbound mail flow. I was asked how the connector is secured from receiving emails from the other tenants. Inbound emails except the hybrid have to be handled on the Cisco IronPort boxes. So the question is, how to ensure that the inbound emails can be sent only from a specific tenant or domain.

Thanks for any tips!

D.

8 Replies

Not sure what you mean here, the outbound connector will be used to redirect *any* messages received for mailboxes still hosted on-prem. This includes both internal mail, sent from O365 mailboxes in the same tenant, and external mail, sent from other O365 tenants or internet users.

Where is your MX pointing at?

Here's the picture. [image: flow.png]

I'm talking about the red line which shows the SMTP between EO and on-prem. Basically we need to set up the receive connector on the Edge servers to not accept emails from any other tenant except ours. Is that clear?

If your MX is pointing to on-prem, internet senders and O365 users outside of your tenant will not be hitting the connector. Generally speaking, you can restrict the connector to only a specific domain, or even scope it based on a transport rule (for example with the "sender is internal" condition), but it should not be needed in your scenario.

I wish I could agree with you :) We've set up a custom outbound connector in another tenant which points to the Edge server. In this case emails are delivered. Is it possible to filter inbound messages only from a specific domain?

Receive connectors can't filter by domain. You're also already filtering by domain by way of "Accepted Domains".

If someone tries to send you an email to a domain that's not on that list, Exchange is going to reject it regardless of where it's coming from.

Thanks for the replies, but that's not what I'm trying to achieve. It's about the sender's, not the recipient's, domain. I've had to use Exchange Edge as an SMTP gateway in the perimeter network, because putting a non-Exchange SMTP server between Exchange on-premise and Exchange Online is not supported. It's against the company policy to allow the Ex Edge in the perimeter to accept from a "non-authorized" organization, which is only the company's tenant and not the others. If I create a custom Outbound connector in another tenant and point it to the Edge server, then emails are received :( I found a header X-MS-Exchange-CrossTenant-id which could help. Do you know anything about this?

Thanks in advance.

D.

I think what you're trying to do is impossible because of the shared nature of Office365. You would have to create a Receive connector with only the IPs you want to accept connections from, but since those IPs are shared it won't help you in this case.

I looked at that CrossTenant-ID and it seems to be the Tenant ID of the person receiving the email, not the sender, so I don't think it's going to help in this case.