Set up connectors for secure mail flow with a partner organization

You can create connectors to apply security restrictions to mail exchanges with a partner organization or service provider. A partner can be an organization you do business with, such as a bank. It can also be a third-party cloud service that provides services such as archiving, anti-spam, and filtering.

You can create a connector to enforce encryption via Transport Layer Security (TLS). You can also apply other security restrictions, such as specifying the domain names or IP address ranges that your partner organization sends mail from.

Note

Setting up a connector to exchange mail with a partner organization is optional; mail flows to and from your partner organization without connectors.

If you use a third-party cloud service for email filtering and need instructions for making this work with Microsoft 365 or Office 365, see Mail flow best practices for Exchange Online and Microsoft 365 or Office 365 (overview).

Using connectors to exchange email with a partner organization

By default, Microsoft 365 or Office 365 sends mail using TLS encryption, provided that the destination server also supports TLS. If your partner organization supports TLS, you only need to create a connector if you want to enforce specific security restrictions, for example, you always want TLS applied, or you require certificate verification whenever mail is sent from your partner to your organization.

Note

For information about TLS, see How Exchange Online uses TLS to secure email connections. For detailed technical information about how Exchange Online uses TLS with cipher suite ordering, see Enhancing mail flow security for Exchange Online.

When you set up a connector, email messages are checked to make sure they meet the security restrictions that you specify. If email messages don't meet those restrictions, the connector rejects them, and they are not delivered. This makes it possible to set up a secure communication channel with a partner organization.

You can set up one or both of the following, depending on your requirements:

Also in this article:

Review this section to help you determine the specific settings you need for your business.

Set up a connector to apply security restrictions to mail sent from Microsoft 365 or Office 365 to your partner organization

To create a connector in Microsoft 365 or Office 365, select Admin, and then select Exchange to go to the Exchange admin center. Next, select mail flow, and then connectors. If any connectors already exist for your organization, you can see them listed here.

Screenshot: Microsoft 365 and Office 365 connectors, partner organization example

Before you set up a new connector, check any connectors that are already listed here for your organization. For example, if you already have a connector set up for a partner organization, you'll see it listed. Make sure you don't create duplicate connectors for a single partner organization; when this happens, it can cause errors, and your mail might not be delivered.

To start the wizard, click the plus symbol +. On the first screen, choose the options that are depicted in the following screenshot:

Screenshot: Microsoft 365 and Office 365 to partner organization connector options

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. The wizard will guide you through setup. At the end, make sure your connector validates. If the connector does not validate, see Validate connectors for help resolving issues.

If you want to create a secure channel with your partner organization in both directions, also set up a connector that restricts mail flow from your partner organization to Microsoft 365 or Office 365.
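The same outbound connector can be created from Exchange Online PowerShell instead of the wizard. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that contosobank.com is the partner domain, and that the connector name and the postmaster address are placeholders. It also performs the duplicate-connector check the article asks for before creating anything.

```powershell
# Added example (not from the original article): create the outbound partner
# connector with Exchange Online PowerShell. contosobank.com, the connector
# name and the test recipient are placeholder values.
Connect-ExchangeOnline

$PartnerDomain = 'contosobank.com'
$ConnectorName = 'Outbound to ContosoBank (TLS required)'

# Guard against the duplicate-connector problem described above: stop if an
# outbound connector already scopes this recipient domain.
$existing = Get-OutboundConnector |
    Where-Object { $_.RecipientDomains -contains $PartnerDomain }
if ($existing) {
    Write-Warning "An outbound connector already covers $PartnerDomain : $($existing.Name -join ', ')"
    return
}

# TlsSettings controls how strict the TLS requirement is:
#   EncryptionOnly        - any TLS session is accepted (opportunistic becomes mandatory)
#   CertificateValidation - the partner's certificate must be CA-signed and unexpired
#   DomainValidation      - as above, and the certificate must also match TlsDomain
New-OutboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerDomain `
    -Enabled $true

# Confirm the settings that were saved.
Get-OutboundConnector -Identity $ConnectorName |
    Format-List Name, RecipientDomains, TlsSettings, TlsDomain, Enabled

# Run the built-in validation against a mailbox at the partner, which is the
# PowerShell equivalent of the wizard's "validate" step.
Validate-OutboundConnector -Identity $ConnectorName -Recipients 'postmaster@contosobank.com'
```

DomainValidation is the strictest option and is the one to use when the goal is to make sure mail for contosobank.com can only be handed to a server presenting a certificate for that name; if the partner's certificate is issued for a different host name, the connector validation fails and mail to the partner is not delivered until the name is corrected.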

Set up a connector to apply security restrictions to mail sent from your partner organization to Microsoft 365 or Office 365

You can set up a connector to apply security restrictions to email that your partner organization sends to you. To start the wizard, click the plus symbol +. On the first screen, choose the following options:

Screenshot: Connector from partner organization to Microsoft 365 or Office 365

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. The wizard will guide you through setup. At the end, save your connector.

Ask your partner organization to send a test email. Make sure the email your partner organization sends will cause the connector to be applied. For example, if you specified security restrictions for mail sent from a specific partner domain, make sure they send the test mail from that domain. Check that the test email is delivered to confirm that the connector works correctly.

Change a connector that Microsoft 365 or Office 365 is using for mail flow

To change settings for a connector, select the connector you want to edit, and then select the edit icon as shown in the following screenshot.

Screenshot showing the selected connector with the edit (pencil) icon highlighted.

The connector wizard opens, and you can make changes to the existing connector settings. While you change the connector settings, Microsoft 365 or Office 365 continues to use the existing settings for mail flow. When you save your changes, Microsoft 365 or Office 365 starts using the new settings.
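Changing a connector from Exchange Online PowerShell follows the same pattern: read the current restrictions, change them, and confirm the result. The following is an added example, not code from the original article or from Microsoft; the connector name and the 192.0.2.0/24 range are placeholders.

```powershell
# Added example (not from the original article): review and change an existing
# inbound partner connector. The connector name and IP range are placeholders.
Connect-ExchangeOnline

$ConnectorName = 'Inbound from ContosoBank'

# Look before you change: capture the restrictions currently in force.
$before = Get-InboundConnector -Identity $ConnectorName
$before | Format-List Name, SenderDomains, SenderIPAddresses, RequireTls,
    TlsSenderCertificateName, RestrictDomainsToIPAddresses,
    RestrictDomainsToCertificate, Enabled

# Exchange multivalued parameters accept the @{Add=...; Remove=...} form, so a
# new range is appended without retyping (and possibly dropping) the existing
# ones. Passing a plain list instead would replace the whole set.
Set-InboundConnector -Identity $ConnectorName -SenderIPAddresses @{Add = '192.0.2.0/24'}

# The new settings apply as soon as the change is saved; show exactly what changed.
$after = Get-InboundConnector -Identity $ConnectorName
Compare-Object -ReferenceObject @($before.SenderIPAddresses) `
               -DifferenceObject @($after.SenderIPAddresses)
```

Keeping the "before" object is worth the extra line: if a change unexpectedly causes partner mail to be rejected, the captured values are what you need to restore the previous state.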

Example security restrictions you can apply to email sent from a partner organization

Review these connector examples to help you decide whether you want to apply security restrictions to email sent by a partner organization, and to understand which settings will meet your business needs:

Create a partner organization connector

To create a connector in Microsoft 365 or Office 365, select Admin, and then select Exchange to go to the Exchange admin center. Next, select mail flow, and then connectors. If any connectors already exist for your organization, you can see them listed here.

To start the wizard, click the plus symbol +. To create a connector for email you receive from a partner organization, use the options depicted in the following screenshot:

Screenshot: Connector from partner organization to Microsoft 365 or Office 365

Once you choose this mail flow scenario, you can set up a connector that applies security restrictions to email that your partner organization sends to you. For some security restrictions, you might need to contact your partner organization to obtain the information needed to complete the settings. Look for the examples that best meet your needs to help you set up your partner connector.

Note

Any email sent from your partner organization that does not meet the security restrictions you specify will not be delivered.

Example 1: Require that email sent from your partner organization domain contosobank.com is encrypted using Transport Layer Security (TLS)

To do this, specify your partner organization's domain name to identify mail from that partner, and then choose Transport Layer Security (TLS) encryption when you create your partner-to-Microsoft 365 or Office 365 connector. Use these options during setup:

Screenshot: Choose to use the sender's domain name

Use this screen to enter your partner organization's domain name(s) so the connector can identify mail sent by your partner:

Screenshot: Add the partner organization's domain name

Choose this setting to require TLS encryption for all email from ContosoBank.com:

Screenshot: Choose TLS to encrypt email from the partner organization

When you choose these settings, all email from your partner organization's domain, ContosoBank.com, must be encrypted using TLS. Any mail that is not encrypted is rejected.

Example 2: Require that email sent from your partner organization domain ContosoBank.com is encrypted and uses their domain certificate

To do this, use all the settings shown in Example 1. In addition, add the certificate domain name that your partner organization uses to connect to Microsoft 365 or Office 365. Use this option during setup:

Screenshot: Enter the partner organization's certificate name

When you set these restrictions, all mail from your partner organization's domain must be encrypted using TLS and sent from a server whose certificate carries the name you specify. Any email that does not meet these conditions is rejected.

Example 3: Require that all email is sent from a specific IP address range

This email could be from a partner organization, such as ContosoBank.com, or from your on-premises environment. For instance, the MX record for your domain, contoso.com, points to on-premises, and you want all email sent to contoso.com to come only from your on-premises IP addresses. This helps prevent spoofing and makes sure your compliance policies can be enforced for all messages.

To do this, specify your partner organization's domain name to identify mail from that partner, and then restrict the IP addresses that you accept mail from. Using an IP address makes the connector more specific, because it identifies the single address or the address range that your partner organization sends mail from. Enter your partner domain as described in Example 1, and then use this option during setup:

Screenshot: Enter the partner organization's IP address range

When you set these restrictions, all email sent from your partner organization's domain, ContosoBank.com, or from your on-premises environment must be sent from the IP address or address range you specify. Any mail that does not meet these conditions is rejected.

Example 4: Require that all email sent to your organization from the internet is sent from a specific IP address (third-party email service scenario)

Mail flow from a third-party email service to Microsoft 365 or Office 365 works without a connector. However, in this scenario you can optionally use a connector to restrict all mail delivery to your organization. If you use the settings described in this example, they apply to all email sent to your organization. When all email sent to your organization comes from a single third-party email service, you can optionally use a connector to restrict all mail delivery so that only mail sent from a single IP address or address range is delivered.

Note

Make sure you identify the full range of IP addresses that your third-party email service sends mail from. If you miss an IP address, or if one gets added without your knowledge, some mail will not be delivered to your organization.

To restrict all mail sent to your organization to a specific IP address or address range, use these options during setup:

Screenshot: Choose to use the sender's domain name

Screenshot: Enter '*' to apply the settings to all sender domains

Screenshot: Enter the partner organization's IP address range

When you set these restrictions, all mail sent to your organization must be sent from the specified IP address range. Any internet email that does not originate from this IP address range is rejected.

Example 5: Require that all mail sent from your partner organization's IP address or address range is encrypted using TLS

To identify your partner organization by IP address, use these options during setup:

Screenshot: Choose IP address to identify your partner organization

Screenshot: Enter the partner organization's IP address

Add the requirement for TLS encryption by using this setting:

Screenshot: Choose TLS to encrypt email from the partner organization

When you set these restrictions, all mail from your partner organization that is sent from the IP address or address range you specify must be sent using TLS. Any mail that does not meet this restriction is rejected.
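Examples 1 through 5 map onto a handful of New-InboundConnector parameters, and seeing them side by side makes the differences between the scenarios explicit. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, uses contosobank.com as the partner domain, and uses the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 as placeholder partner and filtering-service addresses. In practice you would create one connector per partner, not all five.

```powershell
# Added example (not from the original article): the five inbound scenarios
# above expressed with Exchange Online PowerShell. Connector names, the domain
# and both IP ranges are placeholders.
Connect-ExchangeOnline

$PartnerDomain = 'contosobank.com'
$PartnerRange  = '192.0.2.0/24'      # obtain the real range from the partner
$FilterRange   = '198.51.100.0/24'   # the filtering service's full egress range

# Example 1: identify the partner by domain and require TLS on the session.
New-InboundConnector -Name 'ContosoBank - domain + TLS' -ConnectorType Partner `
    -SenderDomains $PartnerDomain -RequireTls $true

# Example 2: as Example 1, and the sending server's certificate must carry the
# partner's name. RestrictDomainsToCertificate makes mail for the domain that
# arrives without that certificate be rejected rather than merely unmatched.
New-InboundConnector -Name 'ContosoBank - domain + TLS + cert' -ConnectorType Partner `
    -SenderDomains $PartnerDomain -RequireTls $true `
    -TlsSenderCertificateName $PartnerDomain -RestrictDomainsToCertificate $true

# Example 3: mail claiming the partner domain must come from the partner's range;
# the same shape covers an on-premises MX with the on-premises range instead.
New-InboundConnector -Name 'ContosoBank - domain + IP' -ConnectorType Partner `
    -SenderDomains $PartnerDomain -SenderIPAddresses $PartnerRange `
    -RestrictDomainsToIPAddresses $true

# Example 4: every internet message for the tenant must come from the filtering
# service. '*' means all sender domains, so an IP missing from $FilterRange
# blocks mail for everyone, which is the note above about the full range.
New-InboundConnector -Name 'Inbound via filtering service only' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $FilterRange -RestrictDomainsToIPAddresses $true

# Example 5: identify the partner by IP range only (domain '*') and require TLS.
New-InboundConnector -Name 'ContosoBank - IP + TLS' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $PartnerRange -RequireTls $true

# Review the partner connectors now in force; a message that matches one of
# them and fails its checks is rejected at SMTP time and is not delivered.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' } |
    Format-Table Name, SenderDomains, SenderIPAddresses, RequireTls,
        TlsSenderCertificateName, RestrictDomainsToIPAddresses,
        RestrictDomainsToCertificate -AutoSize
```

The two Restrict parameters are what turn an identification rule into an enforcement rule: without them, mail for the partner domain from an unexpected address or certificate simply does not match the connector and is handled as ordinary internet mail, which is not the behaviour the examples above describe. After creating a connector, ask the partner for a test message from the domain or range the connector keys on, as the article recommends, and confirm delivery before relying on it.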

See also

Configure mail flow using connectors in Microsoft 365 or Office 365

Mail flow best practices for Exchange Online, Microsoft 365, and Office 365 (overview)

Validate connectors

What happens when I have multiple connectors for the same scenario?