HaileSelassie asked:

Block internet inbound mails via EOP in Exchange hybrid-mode with centralized mail transport

I have set up Exchange hybrid mode with the centralized mail transport option, so all internet inbound and outbound mail is routed via the on-premises 3rd party Antispam/SMTP appliances.

In order to ensure no mail from the Internet can bypass the on-premises 3rd party Antispam/SMTP appliances, I would like to configure a restriction, so that no e-mail from internet can be delivered via the EOP/Exchange online infrastructure.

I am thinking of the following approach: Create a new inbound connector with the following configuration:

From: Partner Organization
To: Office365
Identify Partner Organization: Use the sender's IP address
SenderIPAddresses : {Exchange On-premises external IPs, other company IPs required}
SenderDomains : {smtp:wildcard;1}
RestrictDomainsToIPAddresses : True

Now the question I have is: Is this the correct approach, or does this new inbound connector with "ConnectorType : Partner" interfere with the inbound connector created by the hybrid configuration ("ConnectorType : OnPremises") and used to receive mail from on-premises Exchange?

Thanks for your feedback in advance. Cheers
HaileSelassie

Tags: office-exchange-online-itpro, office-exchange-server-mailflow, office-exchange-hybrid-itpro

AndyDavid answered:

You can do that, and it won't affect the other inbound connector because its Connector Type is "OnPremises".

See:
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud

If you already have an OnPremises inbound connector for the same certificate or sender IP addresses, you still need to create the Partner inbound connector (the RestrictDomainsToCertificate and RestrictDomainsToIPAddresses parameters are only applied to Partner connectors). The two connectors can coexist without problems.
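The connector described in the question and in this answer, written out as Exchange Online PowerShell. This is an added example, not code posted by either participant; the appliance IPs 203.0.113.10/203.0.113.11 and the connector name are placeholders, and it assumes the Exchange Online PowerShell module is installed. The `RequireTls` setting is an extra hardening choice that is not in the thread; drop it if the appliances cannot deliver over TLS.

```powershell
# Added example (not from the original thread): lock Exchange Online inbound
# internet mail to the on-premises anti-spam appliances with a Partner
# inbound connector, next to the hybrid OnPremises connector.
# Assumptions (placeholders, not real values): appliance public IPs are
# 203.0.113.10 and 203.0.113.11; the Exchange Online PowerShell module is installed.

Connect-ExchangeOnline

$applianceIPs = @('203.0.113.10', '203.0.113.11')   # constructed example IPs

# 1. Confirm the hybrid OnPremises connector exists. It is identified by the
#    on-premises TLS certificate or IPs and is not changed by anything below.
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Format-List Name, ConnectorType, TlsSenderCertificateName, SenderIPAddresses

# 2. Create the Partner connector: matches every sender domain (*) and, with
#    RestrictDomainsToIPAddresses, makes EOP reject mail for those domains that
#    does not arrive from the listed IPs. Restriction parameters only apply to
#    ConnectorType Partner, which is why the hybrid connector is not enough.
New-InboundConnector -Name 'Internet mail only via on-prem anti-spam' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $applianceIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# 3. Verify both connectors coexist: one OnPremises, one Partner.
Get-InboundConnector |
    Format-Table Name, ConnectorType, Enabled, SenderIPAddresses, RestrictDomainsToIPAddresses -AutoSize

# 4. After the change, watch for internet senders that tried to bypass the
#    appliances; they show up as failed deliveries in the message trace.
Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Status Failed |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status |
    Format-Table -AutoSize
```

Before enabling the connector, make sure the IP list really covers every path that legitimately delivers into Exchange Online (the appliances and any other company relays), since messages from unlisted IPs are rejected for all sender domains once `RestrictDomainsToIPAddresses` is set on a `*` connector. Rejected attempts can be examined with `Get-MessageTraceDetail` on the failed messages from step 4.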


LydiaZhou-MSFT answered:

In general, since centralized mail transport is enabled, EOP routes inbound messages to the on-premises Exchange server. There is no need to create additional connectors in Exchange Online.

If you want to lock down your Exchange Online organization to only accept mail from on-premises, you only have to set the on-premises or the appliance IPs for SenderIPAddresses. Why do you want to add other company IPs?


It's to ensure the messages only come from the anti-spam solution.


@HaileSelassie Did you create the connector successfully? Does everything work well in your organization?


Any updates so far? Please let us know if you get useful information from replies above. If there is anything else we can do for you, please feel free to post in the forum.
