Block internet inbound mails via EOP in Exchange hybrid-mode with centralized mail transport

HaileSelassie 21 Reputation points
2020-07-31T12:17:23.373+00:00

I have set up Exchange hybrid mode with the option centralized mail transport, so all internet inbound and outbound mail is routed via the on-premises 3rd party Antispam/SMTP appliances.

In order to ensure no mail from the Internet can bypass the on-premises 3rd party Antispam/SMTP appliances, I would like to configure a restriction, so that no e-mail from the Internet can be delivered via the EOP/Exchange Online infrastructure.

I am thinking of the following approach: Create a new inbound connector with the following configuration:

From: Partner Organization
To: Office365
Identify Partner Organisation: Use the sender's IP address
SenderIPAddresses : {Exchange On-premises external IPs, other company IPs required}
SenderDomains : {smtp:wildcard;1}
RestrictDomainsToIPAddresses : True

Now the question I have is: Is this the correct approach, or does this new inbound connector with "ConnectorType : Partner" interfere with the inbound connector created by the hybrid configuration ("ConnectorType : OnPremises") and used to receive mails from on-premises Exchange?

Thanks for your feedback in advance. Cheers
HaileSelassie
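The connector described in the question, written out as an Exchange Online PowerShell script (an added example, not code from the original post or from Microsoft). It assumes the ExchangeOnlineManagement module is installed and the signed-in account may manage connectors; the IP addresses and the connector name are constructed placeholders.

```powershell
# Added example: create the Partner inbound connector the question proposes and verify that the
# hybrid OnPremises connector still exists beside it.
# Assumptions: ExchangeOnlineManagement module installed; account can manage connectors.
# The IP addresses below are placeholders from TEST-NET ranges; replace them with the external
# IPs of the on-premises anti-spam/SMTP appliances (and Exchange servers, if they relay directly).

Connect-ExchangeOnline

$allowedSenderIps = @('203.0.113.10', '203.0.113.11', '198.51.100.0/24')   # placeholders

# With SenderDomains '*' and RestrictDomainsToIPAddresses $true, EOP accepts inbound mail from
# every sender domain only when it arrives from one of $allowedSenderIps; any other source is
# rejected, so Internet mail can no longer bypass the on-premises appliances.
# RequireTls is an extra hardening step; it assumes the appliances deliver over TLS.
New-InboundConnector -Name 'Lock inbound to on-premises relays' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $allowedSenderIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# Check: the hybrid connector (ConnectorType OnPremises) must still be listed next to the new
# Partner connector; the restriction parameters only take effect on the Partner one.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Before enabling this in production, confirm that every legitimate inbound path (all appliance IPs, any third-party services that deliver directly to EOP) is in the list, because mail from an unlisted IP is rejected regardless of sender domain.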


2 answers

  1. Andy David - MVP 142.6K Reputation points MVP
    2020-08-02T11:51:00.15+00:00

    You can do that, and it won't affect the other inbound connector because its Connector Type is "OnPremises".

    See:
    https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud

    If you already have an OnPremises inbound connector for the same certificate or sender IP addresses, you still need to create the Partner inbound connector (the RestrictDomainsToCertificate and RestrictDomainsToIPAddresses parameters are only applied to Partner connectors). The two connectors can coexist without problems.


  2. Lydia Zhou - MSFT 2,371 Reputation points Microsoft Employee
    2020-08-03T07:42:46.52+00:00

    In general, since centralized mail transport is enabled, EOP routes inbound messages to the on-premises Exchange server. There is no need to create additional connectors in Exchange Online.

    If you want to lock down your Exchange Online organization to only accept mail from on-premises, you only have to set the on-premises or the application IPs for SenderIPAddresses. Why do you want to add other company IPs?