Use EOP in Hybrid for incoming and outgoing mailflow

%3CLINGO-SUB%20id%3D%22lingo-sub-56743%22%20slang%3D%22en-US%22%3EUse%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56743%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3Ewe%20are%20in%20the%20middle%20of%20a%20hybrid%20setup%20between%20local%20Exchange%202013%20and%20Office%20365.%20All%20mail%20from%20local%20exchange%20mailboxes%20is%20routet%20to%20the%20Internet%20via%203rd%20party%20antispam%2Fantivirus%20appliance.%20We%20have%20configured%20centralized%20mail%20transport%20for%20hybrid%20so%20all%20mail%20from%20Office%20365%20mailboxes%20flows%20through%20the%20on%20premises%20exchange%20organization%20and%20then%20through%20the%203rd%20party%20antispam%2Fantivirus%20appliance%20to%20the%20internet.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EOnly%201%2F3%20of%20mailboxes%20are%20migrated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20now%20need%20to%20get%20rid%20of%20the%203rd%20party%20antispam%2Fantivirus%20appliance%20and%20want%20to%20use%20EOP%20completely%20for%20incoming%20(change%20mx)%20and%20outgoing%20mailflow%20from%20either%20local%20exchange%20mailboxes%20or%20Office%20365%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20good%20documentations%20about%20using%20EOP%20for%20incoming%20mailflow%20in%20hybrid%2C%20would%20work%20without%20a%20problem.%20But%20how%20can%20we%20ensure%20that%20all%20outgoing%20mailflow%20uses%20EOP%20in%20this%20hybrid%20situation%3F%20Is%20this%20supported%2C%20what%20do%20we%20have%20to%20do%20to%20make%20it%20work%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-56743%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194831%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194831%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20created%20a%20new%20Send%20Connector%20from%20on-prem%20to%20M365.%3C%2FP%3E%3CP%3EAdded%20a%20few%20domains%20to%20%22pilot%22.%3C%2FP%3E%3CP%3ESeems%20to%20be%20working%20OK.%3C%2FP%3E%3CP%3E%3D%3D%3D%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192046%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192046%22%20slang%3D%22en-US%22%3E%3CP%3ESeems%20like%20it%20would%20OK%20to%20use%20the%20connector%20that%20already%20exists%20from%20the%20HCW.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20we%20use%20the%20on-premises%20Exchange%202013%20ECP%20%26gt%3B%20mail%20flow%26nbsp%3B%20%26gt%3B%26nbsp%3B%20send%20connectors%20%26gt%3B%20Outbound%20to%20Office%20365%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20...%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20step-1%26nbsp%3B%26nbsp%3B%26nbsp%3B%20add%20one%20low-impact%20domain%20to%20verify%20this%20works.%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20step-2%26nbsp%3B%26nbsp%3B%26nbsp%3B%20later%20on%2C%26nbsp%3B%20add%26nbsp%3B%26nbsp%3B%20*%26nbsp%3B%26nbsp%3B%26nbsp%3B%20(%22all%20other%20domains%22)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3CP%3E%3D%3D%3D%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-57707%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-57707%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBelow%20are%20the%20highlevel%20steps-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20First%20if%20you%20have%20centralized%20email%20flow%20configured%20in%20Hybrid%20Setup%2C%20change%20it%20to%20decentralized%20email%20flow.%20In%20this%20options%2C%20all%20your%20emails%20excpet%20your%20accpted%20domain%20will%20be%20delivered%20directly%20from%20Office%20365%20for%20the%20users%20whos%20mailbox's%20are%20moved.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20Add%20new%20internet%20connector%20which%20will%20be%20sending%20email%20to%20Internet%20and%20disable%20existing%20internet%20sending%20connector%2C%20add%20smart%20host%20entry%20pointing%20to%20%3CSPAN%3EMX%20record%20of%20your%20O365%20Domain%20or%26nbsp%3B%3C%2FSPAN%3Echange%20your%20on-premise%20send%20connector%20which%20is%20being%20used%20for%20sending%20email%20to%20Internet%20and%20add%20smart%20host%20entry%20point%20to%20MX%20record%20of%20your%20O365%20Domain.%20You%20don't%20need%20connector%20for%20sending%20email%20out%20from%20Office%20365%20to%20Internet%20and%20verify%20the%20functionality%20for%20mail%20flow.%20You%20can%20use%20Exchange%20test%20connectivity%20analyzer%20to%20verify%20the%20header%20of%20incoming%20and%20outgoing%20emails.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20Move%20your%20MX%20record%20to%20Office%20365%20to%20receive%20emails.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-57451%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-57451%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Mark%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20change%20your%20send%20connector%20to%20Internet%20*%20pointing%20to%20Office%20365%20(MX)%20record%20to%20route%20all%20email%20to%20Internet%20using%20Office%20365%20EOP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20best%20approach%20to%20test%20you%20can%20create%20new%20Send%20Connector%2C%20put%20only%20one%20domain%20that%20you%20could%20test%20and%20after%20test%20with%20success%20change%20the%20send%20connector%20to%20all.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-56829%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56829%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20of%20all%2C%20big%20thanks%20for%20replying%20on%20this%20topic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EO.K.%2C%20so%20looking%20at%20the%20link%20Paul%20provided%20this%20seems%20to%20be%20a%20supported%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELast%20question%20would%20be%20how%20to%20modify%20local%20exchange%20to%20route%20all%20outbound%20mail%20through%20EOP%20and%20get%20rid%20of%20the%203rd%20party%20antispam-appliance.%20Hybrid%20wizard%20created%20send%20connector%20with%20scope%20(tenant.mail.onmicrosoft.com).%20Other%20send%20connector%20with%20scope%20*%20points%20to%203rd%20party%20antispam-appliance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20do%20we%20have%20to%20modify%20the%20hybrid%20send%20connector%20with%20scope%20*%20then%20to%20route%20all%20outbound%20mail%20through%20O365%3F%20What%20would%20be%20the%20value%20for%20the%20smarthost%20were%20sending%20to%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-56824%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56824%22%20slang%3D%22en-US%22%3E%3CP%3ESounds%20like%20you're%20aiming%20for%20this%20scenario%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fe1da5f2f-c732-4010-85c9-878b2cef3fb3(v%3Dexchg.150)%23scenario1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fe1da5f2f-c732-4010-85c9-878b2cef3fb3(v%3Dexchg.150)%23scenario1%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20your%20description%20it%20sounds%20like%20you'll%20need%20to%20re-run%20the%20HCW%20to%20turn%20off%20centralised%20transport%2C%20and%20remove%20your%20send%20connectors%20from%20on-prem%20(just%20the%20ones%20that%20route%20to%20your%20third%20party%20service%2C%20leave%20the%20O365%20ones%20alone).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-56822%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56822%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20you%20can%20use%20that%2C%20see%20the%20article%20below.%20But%20you%20need%20to%20have%20EOP%20licences%20to%20mail%20routing%20your%20email.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMail%20Flow%20-%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj659055(v%3Dexchg.150).aspx%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj659055(v%3Dexchg.150).aspx%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-56781%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56781%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20an%20official%20statement%20from%20MS%20that%20you%20cannot%20use%20EOP%20in%20hybrid%20mode%20%3CSPAN%3Eto%20send%20mails%20from%20your%20on-premises%20organization%3C%2FSPAN%3E%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20pointing%20MX%20to%20O365%20in%20hybrid%20running%20centralized%20mailflow%20should%20be%20fine%20or%20am%20i%20wrong%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThink%20i%20read%20that%20this%20will%20work%26nbsp%3Bhere%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fpractical365.com%2Fexchange-server%2Fswitching-hybrid-mail-flow-use-exchange-online-protection-inbound-email%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fpractical365.com%2Fexchange-server%2Fswitching-hybrid-mail-flow-use-exchange-online-protection-inbound-email%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-56760%22%20slang%3D%22en-US%22%3ERe%3A%20Use%20EOP%20in%20Hybrid%20for%20incoming%20and%20outgoing%20mailflow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-56760%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Mark%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20archive%20the%20mail%20flow%20that%20you%20want%20you%20need%20to%20do%20the%20following%20in%20this%20order%3A%3C%2FP%3E%3CUL%3E%3CLI%3EChange%20TTL%20of%20MX%20record%20to%20300%20sec%20or%205%20min%3B%3C%2FLI%3E%3CLI%3EReview%20your%20SPF%20record%20to%20have%20your%20ip's%20addresses%20and%20Office%20365%20protection.outlook.com%3B%3C%2FLI%3E%3CLI%3ERe-run%20Hybrid%20Configuration%20Wizzard%20to%20change%20the%20mail%20flow%20from%20centralized%20transport%20to%20users%20on%20Office%20365%20send%20directly%20from%20Office%20365%3B%3C%2FLI%3E%3CLI%3ETest%20Mail%20Flow%3B%3C%2FLI%3E%3CLI%3EChange%20your%20Send%20Connector%20on%20Your%20Exchange%20Server%20to%20send%20directly%20to%20Internet%3B%3C%2FLI%3E%3CLI%3ETest%20Mail%20Flow%3B%3C%2FLI%3E%3CLI%3EChange%20MX%20record%20to%20Office%20365%3B%3C%2FLI%3E%3CLI%3ETest%20Mail%20Flow%3B%3C%2FLI%3E%3CLI%3EChange%20the%20TTL%20of%20MX%20record%20to%2060%20min%20or%203600%20sec%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20You%20cannot%20use%20the%20EOP%20to%20send%20mails%20from%20your%20on-premises%20organization%20is%20not%20supported.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello,

we are in the middle of a hybrid setup between local Exchange 2013 and Office 365. All mail from local exchange mailboxes is routet to the Internet via 3rd party antispam/antivirus appliance. We have configured centralized mail transport for hybrid so all mail from Office 365 mailboxes flows through the on premises exchange organization and then through the 3rd party antispam/antivirus appliance to the internet.


Only 1/3 of mailboxes are migrated.

 

We now need to get rid of the 3rd party antispam/antivirus appliance and want to use EOP completely for incoming (change mx) and outgoing mailflow from either local exchange mailboxes or Office 365 mailboxes.

 

There are good documentations about using EOP for incoming mailflow in hybrid, would work without a problem. But how can we ensure that all outgoing mailflow uses EOP in this hybrid situation? Is this supported, what do we have to do to make it work?

9 Replies
Highlighted

Hi Mark,

 

To archive the mail flow that you want you need to do the following in this order:

  • Change TTL of MX record to 300 sec or 5 min;
  • Review your SPF record to have your ip's addresses and Office 365 protection.outlook.com;
  • Re-run Hybrid Configuration Wizzard to change the mail flow from centralized transport to users on Office 365 send directly from Office 365;
  • Test Mail Flow;
  • Change your Send Connector on Your Exchange Server to send directly to Internet;
  • Test Mail Flow;
  • Change MX record to Office 365;
  • Test Mail Flow;
  • Change the TTL of MX record to 60 min or 3600 sec

 

Note: You cannot use the EOP to send mails from your on-premises organization is not supported. 

Highlighted

Is there an official statement from MS that you cannot use EOP in hybrid mode to send mails from your on-premises organization?

 

When pointing MX to O365 in hybrid running centralized mailflow should be fine or am i wrong?

 

Think i read that this will work here:

https://practical365.com/exchange-server/switching-hybrid-mail-flow-use-exchange-online-protection-i...

Highlighted

Yes you can use that, see the article below. But you need to have EOP licences to mail routing your email.

 

Mail Flow - https://technet.microsoft.com/en-us/library/jj659055(v=exchg.150).aspx 

Highlighted

Sounds like you're aiming for this scenario:

 

https://technet.microsoft.com/en-us/library/e1da5f2f-c732-4010-85c9-878b2cef3fb3(v=exchg.150)#scenar...

 

From your description it sounds like you'll need to re-run the HCW to turn off centralised transport, and remove your send connectors from on-prem (just the ones that route to your third party service, leave the O365 ones alone).

Highlighted

First of all, big thanks for replying on this topic.

 

O.K., so looking at the link Paul provided this seems to be a supported scenario.

 

Last question would be how to modify local exchange to route all outbound mail through EOP and get rid of the 3rd party antispam-appliance. Hybrid wizard created send connector with scope (tenant.mail.onmicrosoft.com). Other send connector with scope * points to 3rd party antispam-appliance.

 

So do we have to modify the hybrid send connector with scope * then to route all outbound mail through O365? What would be the value for the smarthost were sending to?

Highlighted

Hi Mark,

 

You can change your send connector to Internet * pointing to Office 365 (MX) record to route all email to Internet using Office 365 EOP.

 

The best approach to test you can create new Send Connector, put only one domain that you could test and after test with success change the send connector to all. 

 

Highlighted

Hi,

 

Below are the highlevel steps-

 

1. First if you have centralized email flow configured in Hybrid Setup, change it to decentralized email flow. In this options, all your emails excpet your accpted domain will be delivered directly from Office 365 for the users whos mailbox's are moved.

 

2. Add new internet connector which will be sending email to Internet and disable existing internet sending connector, add smart host entry pointing to MX record of your O365 Domain or change your on-premise send connector which is being used for sending email to Internet and add smart host entry point to MX record of your O365 Domain. You don't need connector for sending email out from Office 365 to Internet and verify the functionality for mail flow. You can use Exchange test connectivity analyzer to verify the header of incoming and outgoing emails.

 

3. Move your MX record to Office 365 to receive emails.

Highlighted

Seems like it would OK to use the connector that already exists from the HCW.

 

Can we use the on-premises Exchange 2013 ECP > mail flow  >  send connectors > Outbound to Office 365     ...

    step-1    add one low-impact domain to verify this works.

    step-2    later on,  add   *    ("all other domains")

 

Thanks.

===

Highlighted

We created a new Send Connector from on-prem to M365.

Added a few domains to "pilot".

Seems to be working OK.

===