在中国使用独立 EOP 保护本地邮箱Protect on-premises mailboxes in China with standalone EOP


改进的 Microsoft 365 安全中心现在可用。The improved Microsoft 365 security center is now available. 此新体验将 Defender for Endpoint、Defender for Office、365 Microsoft 365 Defender 等引入了 Microsoft 365 安全中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 了解新增功能Learn what's new.


本文仅适用于由世纪银行在中国运营的 Office 365。This article applies only to Office 365 operated by 21Vianet in China.

即使您计划在本地托管部分或所有邮箱,您仍可以使用 Exchange Online Protection (EOP) 。Even if you plan to host some or all of your mailboxes on-premises, you can still protect the mailboxes with Exchange Online Protection (EOP). 若要配置连接器,您的帐户必须是全局管理员或组织管理角色组 (Exchange 公司) 。To configure connectors, your account must be a global admin, or an Exchange Company Administrator (the Organization Management role group). 有关 Office 365 权限与 Exchange 权限之间如何关联的信息,请参阅在由世纪银行运营的 Office 365中分配管理员角色。For information about how Office 365 permissions relate to Exchange permissions, see Assigning admin roles in Office 365 operated by 21Vianet. 如果所有 Exchange 邮箱都位于本地,请按照以下步骤设置 EOP 服务。If all of your Exchange mailboxes are on-premise, follow these steps to set up your EOP service.

步骤 1:使用 Microsoft 365 管理中心添加和验证域Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. 在 Microsoft 365 管理中心中,导航到"设置"以将域添加到服务。In the Microsoft 365 admin center, navigate to Setup to add your domain to the service.

  2. 按照门户中的步骤将适用的 DNS 记录添加到 DNS 托管提供商,以验证域所有权。Follow the steps in the portal to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.


将域和用户添加到由世纪通运营的Office 365和在管理 DNS 记录时为Office 365创建 DNS 记录是向服务添加域和配置 DNS 时参考的有用资源。Add your domain and users to Office 365 operated by 21Vianet and Create DNS records for Office 365 when you manage your DNS records are helpful resources to reference as you add your domain to the service and configure DNS.

步骤 2:添加收件人并配置域类型Step 2: Add recipients and configure the domain type

在配置您的邮件,使其流动到 EOP 服务和从 EOP 服务流出之前,我们建议将您的收件人添加到服务。Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. 执行此操作有几种方法,如在 EOP 中管理邮件用户中所述。There are several ways in which you can do this, as documented in Manage mail users in EOP. 此外,如果您希望启用基于目录的边缘阻止 (DBEB),以便在添加收件人之后强制实施服务内的收件人验证,您需要将域类型设置为"权威"。Also, if you want to enable Directory Based Edge Blocking (DBEB) in order to enforce recipient verification within the service after adding your recipients, you need to set your domain type to Authoritative. 有关 DBEB 详细信息,请参阅使用 基于目录的边缘阻止拒绝发送给无效收件人的邮件For more information about DBEB, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.

步骤 3:使用 EAC 设置邮件流Step 3: Use the EAC to set up mail flow

在能使邮件在 EOP 和你的内部部署邮件服务器间流动的 Set up connectors to route mail between Office 365 and your own email servers (EAC) 中创建连接器。Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. 有关详细说明,请参阅在 Office 365 中配置使用连接器的邮件流For detailed instructions, see Configure mail flow using connectors in Office 365.

如何判断此任务生效?How do you know this task worked?

请参阅 通过验证 Office 365 连接器测试邮件流See Test mail flow by validating your Office 365 connectors.

步骤 4:允许入站端口 25 SMTP 访问Step 4: Allow inbound port 25 SMTP access

配置连接器后,请等待 72 小时,允许准备 DNS 记录更新。After you configured connectors, wait 72 hours to allow propagation of your DNS-record updates. 然后,将防火墙或邮件服务器的入站端口 25 SMTP 流量限制为仅接受来自 EOP 数据中心的邮件,特别是来自 OFFICE 365的 URL 和 IP 地址范围中列出的 IP 地址的邮件。Following this, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at URLs and IP address ranges for Office 365. 此操作将通过限制可以接收的入站邮件范围,保护内部部署环境。This protects your on-premises environment by limiting the scope of inbound messages you can receive. 此外,如果邮件服务器上的设置控制了允许为邮件中继连接的 IP 地址,也要更新这些设置。Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.


将 SMTP 服务器上的设置配置 60 秒的连接时间。此设置在大多数情况下都可接受,例如,在发送带有很大附件的邮件时允许有些延迟。Configure settings on the SMTP server with a connection time out of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for instance.

步骤 5:确保垃圾邮件已路由到每个用户的"垃圾邮件"文件夹Step 5: Ensure that spam is routed to each user's Junk Email folder

为确保垃圾邮件 (垃圾邮件) 正确路由到每个用户的"垃圾邮件"文件夹,必须执行几个配置步骤。To ensure that spam (junk) email is routed correctly to each user's Junk Email folder, you must perform a couple of configuration steps. 配置独立 EOP 以将垃圾邮件发送到混合环境中垃圾邮件文件夹中 提供了这些步骤The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments. 如果您不想将邮件移动到每个用户的"垃圾邮件"文件夹,您可以选择其他操作,通过编辑反垃圾邮件策略 (也称为内容筛选器策略) 。If you don't want to move messages to each user's Junk Email folder, you may choose another action by editing your anti-spam policies (also known as content filter policies). 有关详细信息,请参阅在 Office 365 中配置反垃圾邮件策略For more information, see Configure anti-spam policies in Office 365.

步骤 6:使用 Microsoft 365 管理中心将 MX 记录指向 EOPStep 6: Use the Microsoft 365 admin center to point your MX record to EOP

按照 Office 365 域配置步骤更新你的域的 MX 记录,以便于你的入站电子邮件能够通过 EOP。Follow the Office 365 domain configuration steps to update your MX record for your domain, so that your inbound email flows through EOP. 有关详细信息,可以在管理 DNS 记录时再次引用 为 Office 365 创建 DNS 记录For more information, you can again reference Create DNS records for Office 365 when you manage your DNS records.

如何判断此任务生效?How do you know this task worked?

请参阅 通过验证 Office 365 连接器测试邮件流See Test mail flow by validating your Office 365 connectors.

此时,您已验证经过适当配置的出站内部部署连接器的服务传递,而且已验证 MX 记录是否指向 EOP。现在,您可以选择运行以下其他测试来验证该服务是否会将电子邮件成功传递到内部部署环境:At this point, you've verified service delivery for a properly configured Outbound on-premises connector, and you've verified that your MX record is pointing to EOP. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • In the Remote Connectivity Analyzer, click the Office 365 tab, and then run the Inbound SMTP Email test located under Internet Email Tests.In the Remote Connectivity Analyzer, click the Office 365 tab, and then run the Inbound SMTP Email test located under Internet Email Tests.

  • 将来自基于 Web 的任何电子邮件帐户的电子邮件发送到组织中的邮件收件人,组织的域与您添加到服务上的域相匹配。使用 Microsoft Outlook 或另一个电子邮件客户端确认邮件是否已传递到内部部署邮箱。Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.

  • 如果您想进行出站电子邮件测试,可以发送组织中一个用户的电子邮件到基于 Web 的电子邮件帐户并确认是否收到邮件。If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received.

不太常见:具有本地邮箱和云中的邮箱的混合设置Less common: A hybrid setup with mailboxes on-premises and in the cloud

如果您在 Exchange Online 中拥有本地 Exchange 邮箱和云中的一个或多个邮箱,则具有 混合 设置。If you have Exchange mailboxes on-premises and one or more mailboxes in the cloud in Exchange Online, you have a hybrid setup. 在混合设置中,忙/闲日历共享和邮件路由等功能在本地和云环境中协同工作。In a hybrid setup, features such as free/busy calendar sharing and mail routing work together in your on-premises and cloud environments. 在将邮箱转换到 Exchange Online 时,您可能已设置好混合设置。You might have a hybrid setup in place while you transition mailboxes to Exchange Online. 混合环境的设置方式与 EOP 独立保护不同。A hybrid environment is set up differently than EOP standalone protection.

你可以选择混合方案来利用大多数员工的基于云的电子邮件。You might choose a hybrid scenario to take advantage of cloud-based email for most of your employees. 您可以在本地托管一些邮箱时进行此操作;例如,对于法律部门。You can do this while also hosting some mailboxes on-premises; for example, for your legal department.

混合设置可能很复杂,但有很多好处。A hybrid setup can be complex, but it has many benefits. 若要详细了解如何设置 Exchange 混合方案,请参阅Exchange Server 部署To learn more about setting up hybrid scenarios with Exchange, see Exchange Server hybrid deployments.