cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Enhanced Filtering for Connectors not working

Jeremy Bradshaw
Regular Contributor

‎Oct 04 2021 05:23 AM - edited ‎Oct 18 2021 11:26 AM

‎Oct 04 2021 05:23 AM - edited ‎Oct 18 2021 11:26 AM

Enhanced Filtering for Connectors not working

Our mail flow is like this:

  1. MX: on-premises Barracuda
  2. Barracuda sends into Exchange on-premises.
  3. Exchange on-premises sends to EXO via HCW-created "Outbound to Office 365" Send Connector.

We have listed our Barracuda IP (Skip-IP-#1), and our Exchange on-premises servers' outbound/external IP (Skip-IP-#2) into our Enhanced Filtering for Connectors "skip list".  However, we still get tons of incoming emails quarantined, CAT=PHISH, and when I check them in the quarantine (i.e., review their headers), I can see the SPF test is being done against our Exchange on-premises IP (Skip-IP-#2).  There are no signs of the two headers being added - X-MS-Exchange-ExternalOriginalInternetSender and X-MS-Exchange-SkipListedInternetSender - which I understand should be getting added if Enhanced Filtering is working (per this).

 

<removed no-longer-relevant text>

2,185 Views
0 Likes
4 Replies
Reply
4 Replies
Jeremy Bradshaw

‎Oct 07 2021 10:16 AM - edited ‎Oct 18 2021 11:27 AM

‎Oct 07 2021 10:16 AM - edited ‎Oct 18 2021 11:27 AM

Re: Enhanced Filtering for Connectors not working

This issue ended up being that Enhanced Filtering for Connectors was enabled via the Defender for Office 365 90-day Evaluation Mode, which puts it into Test Mode only. This can be seen by looking at the Inbound Connector itself in EXO PowerShell:

 

Get-InboundConnector <Connector of Choice> | fl Name, EF*

# Output:

Name              : # Removed for privacy.
EFTestMode        : False #<--: Right here.
EFSkipLastIP      : False
EFSkipIPs         : {1.2.3.4, 5.6.7.8}
EFSkipMailGateway : {}
EFUsers           : {}

 

0 Likes
Reply
Jeremy Bradshaw

‎Oct 18 2021 11:28 AM

‎Oct 18 2021 11:28 AM

Re: Enhanced Filtering for Connectors not working

PS, even with Test Mode disabled, and for over a week, Enhanced Filtering for Connectors still intermittently doesn't skip our IP's. Still investigating with MS Support.
0 Likes
Reply
Scott Landry

‎Oct 18 2021 02:41 PM

‎Oct 18 2021 02:41 PM

Re: Enhanced Filtering for Connectors not working

@Jeremy Bradshaw  Can you send me your support ticket id so I can have a look?  Thanks!

0 Likes
Reply
best response confirmed by Jeremy Bradshaw (Regular Contributor)
Jeremy Bradshaw

‎Nov 25 2021 06:45 AM

‎Nov 25 2021 06:45 AM

Solution

Re: Enhanced Filtering for Connectors not working

FYI in case this helps anyone else, the reason our Enhanced Filtering wasn't working / wasn't "skipping" our EFSkipIP's, is that our Inbound Connector's TlsSenderCertificateName was set to a fully-typed FQDN (derived from the last page ("Organization FQDN") in the HCW), meanwhile our Exchange servers' certificate didn't explicitly include that FQDN, as it was a wildcard cert.

 

We had two options to fix this:

 

1.  Change the TlsSenderCertificateName to be *.<domain>.<tld>

or

2. Replace our Exchange servers' certificate with one that explicitly includes the FQDN from the Inbound Connector's TlsSenderCertificateName.

 

We were able to spot the issue using the "Inbound Message Report" from the new EXO Admin Center, where we could see that our messages were coming in via "From the internet without a connector", rather than "Inbound via connector <our Inbound Connector's name>".  @Scott Landry deserves the credit as he essentially gave me the answer which I just had to go and confirm.

1 Like
Reply