3rd Party Gateway, Exchange hybrid and message header

Hi team,

I would like to know and clarify a scenario. Imagine there is a hybrid in place. In the Exchange Online to on-premise mail routing path, let's say there is a 3rd party spam gateway in the middle. This is a hard requirement from the client.
1) I would like to know if this is considered a supported scenario. From some articles I read dated 2016, https://docs.microsoft.com/en-us/exchange/transport-options , it says not supported. I want to clarify if this is still valid to this date and what Microsoft's recommendation is if we can't bypass the gateway.

2) The issue is that when mails are routed from cloud to on-prem, the “X-MS-Exchange-Organization-AuthAs:” is shown as “Anonymous”. Although as per my understanding this should be “Internal” as this is from the same organization.

3) Can this be due to the spam gateway? If so, how can we identify that the spam gateway is changing the headers?

Any help is appreciated.

Thank you.
Jude.
1 Reply

That's right, this is not a supported scenario. One of the consequences, as you rightly identified, is the stripping of certain X-headers which causes the 'X-MS-Exchange-Organization-AuthAs' header to get stamped as 'Anonymous'.

 

This can be overcome by creating a transport rule in your on-premise Exchange to stamp "X-MS-Exchange-Organization-AuthAs: Internal" (for mails matching a pattern that proves it's originating from O365). However that's not the only issue you'll notice, which is why this setup is not supported in the first place. I'd recommend by-passing the spam filter for all mail traffic between on-premise hybrid servers and O365.
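
Added example (not part of the original thread, and not Microsoft's tooling): one way to check whether the gateway is altering the `X-MS-Exchange-Organization-*` headers is to compare the raw headers of the same test message captured before the gateway and as delivered on-premises. The sample headers, host names, and the `AuthSource`/`AuthMechanism` values below are constructed for illustration.

```python
from email import message_from_string

PREFIX = "x-ms-exchange-organization-"

def _norm(value):
    # Collapse folding whitespace so re-wrapped headers compare equal.
    return " ".join(value.split())

def org_headers(raw):
    """Map each X-MS-Exchange-Organization-* header name to its values."""
    out = {}
    for name, value in message_from_string(raw).items():
        if name.lower().startswith(PREFIX):
            out.setdefault(name.lower(), []).append(_norm(value))
    return out

def diff_org_headers(before_raw, after_raw):
    """Report organization headers removed, added or changed in transit."""
    before, after = org_headers(before_raw), org_headers(after_raw)
    common = sorted(set(before) & set(after))
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "changed": {n: (before[n], after[n]) for n in common
                    if before[n] != after[n]},
    }

def new_hops(before_raw, after_raw):
    """Received lines only in the later copy: hops between the two captures."""
    seen = {_norm(h) for h in message_from_string(before_raw).get_all("Received", [])}
    later = message_from_string(after_raw).get_all("Received", [])
    return [_norm(h) for h in later if _norm(h) not in seen]

# Constructed sample: headers as the message left Exchange Online.
BEFORE = (
    "Received: from mbx.cloud.example by out.cloud.example; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "X-MS-Exchange-Organization-AuthSource: mbx.cloud.example\n"
    "X-MS-Exchange-Organization-AuthMechanism: 04\n"
    "Subject: header test\n\nbody\n"
)
# Constructed sample: the same message as delivered on-premises via the gateway.
AFTER = (
    "Received: from spamgw.example.com by exch01.corp.example; Mon, 1 Jan 2024 10:00:05 +0000\n"
    "Received: from out.cloud.example by spamgw.example.com; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from mbx.cloud.example by out.cloud.example; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "Subject: header test\n\nbody\n"
)

if __name__ == "__main__":
    print(diff_org_headers(BEFORE, AFTER))
    print(new_hops(BEFORE, AFTER))
```

Headers listed under `removed` or `changed`, together with the gateway appearing in the new `Received` hops, point at the segment where the values were lost.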