Protect on-premises mailboxes in China with standalone EOP


The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.


This article applies only to Office 365 operated by 21Vianet in China.

Even if you plan to host some or all of your mailboxes on-premises, you can still protect the mailboxes with Exchange Online Protection (EOP). To configure connectors, your account must be a global admin or an Exchange Company Administrator (the Organization Management role group). For information about how Office 365 permissions relate to Exchange permissions, see Assigning admin roles in Office 365 operated by 21Vianet. If all of your Exchange mailboxes are on-premises, follow these steps to set up your EOP service.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center, navigate to Setup to add your domain to the service.

  2. Follow the steps in the portal to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.


Add your domain and users to Office 365 operated by 21Vianet and Create DNS records for Office 365 when you manage your DNS records are helpful resources to reference as you add your domain to the service and configure DNS.

Step 2: Add recipients and configure the domain type

Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. There are several ways to do this, as documented in Manage mail users in EOP. Also, if you want to enable Directory Based Edge Blocking (DBEB) in order to enforce recipient verification within the service after adding your recipients, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Configure mail flow using connectors in Office 365.

How do you know this task worked?

See Test mail flow by validating your Office 365 connectors.

Step 4: Allow inbound port 25 SMTP access

After you configure connectors, wait 72 hours to allow propagation of your DNS-record updates. Following this, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at URLs and IP address ranges for Office 365. This protects your on-premises environment by limiting the scope of inbound messages you can receive. Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.


Configure settings on the SMTP server with a connection timeout of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for instance.
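Once the firewall and receive-connector restrictions from Step 4 are in place, a defender wants evidence that they actually hold: any port-25 connection the on-premises server accepted from an address outside the EOP datacenter ranges is mail that bypassed filtering. The following script is an added example (not part of the Microsoft article) that runs that check over SMTP connection log lines. The CIDR ranges and the log format are constructed placeholders; replace the ranges with the ones published at URLs and IP address ranges for Office 365 and adapt the regular expression to your server's log format.

```python
"""Audit SMTP connection log lines against an EOP-only allowlist.

Added example, not from the Microsoft article. Flags accepted inbound
connections whose source address is outside the allowed EOP ranges.

ASSUMPTIONS: EOP_ALLOWLIST holds constructed placeholder networks, not the
real EOP ranges; SAMPLE_LOG is a constructed, simplified log format:
"<timestamp> SMTP-IN <src_ip>:<src_port> <verdict>".
"""
import ipaddress
import re

# Placeholder allowlist (constructed). Substitute the published EOP ranges.
EOP_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample log lines. 192.0.2.200 is outside every listed range and
# 198.51.100.200 lies outside the /25, so both should be reported.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z SMTP-IN 203.0.113.17:51002 ACCEPTED
2021-03-01T08:00:09Z SMTP-IN 198.51.100.44:42310 ACCEPTED
2021-03-01T08:01:22Z SMTP-IN 192.0.2.200:60001 ACCEPTED
2021-03-01T08:02:05Z SMTP-IN 198.51.100.200:33400 ACCEPTED
2021-03-01T08:02:30Z SMTP-IN 192.0.2.77:44100 REJECTED
2021-03-01T08:02:44Z malformed line without an address
"""

LINE_RE = re.compile(r"^(\S+) SMTP-IN (\S+):(\d+) (\w+)$")


def is_eop_source(ip_text, allowlist=EOP_ALLOWLIST):
    """True when ip_text is a valid address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the address field is never trusted
    return any(addr in net for net in allowlist)


def find_bypass_connections(log_text, allowlist=EOP_ALLOWLIST):
    """Return (timestamp, source_ip) for ACCEPTED connections outside the allowlist.

    Rejected connections are not reported: the point is to find mail that
    reached the server without passing through EOP, not blocked attempts.
    """
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not match the expected format
        timestamp, source_ip, _port, verdict = match.groups()
        if verdict == "ACCEPTED" and not is_eop_source(source_ip, allowlist):
            findings.append((timestamp, source_ip))
    return findings


if __name__ == "__main__":
    for timestamp, source_ip in find_bypass_connections(SAMPLE_LOG):
        print(f"{timestamp} accepted SMTP from {source_ip}, outside the EOP allowlist")
```

Run it periodically against the real connection log; a non-empty result means the port-25 restriction has a gap (for example a firewall rule that was left open during the 72-hour DNS propagation window and never tightened).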

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder, you must perform a couple of configuration steps. The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments. If you don't want to move messages to each user's Junk Email folder, you may choose another action by editing your anti-spam policies (also known as content filter policies). For more information, see Configure anti-spam policies in Office 365.

Step 6: Use the Microsoft 365 admin center to point your MX record to EOP

Follow the Office 365 domain configuration steps to update the MX record for your domain, so that your inbound email flows through EOP. For more information, you can again reference Create DNS records for Office 365 when you manage your DNS records.

How do you know this task worked?

See Test mail flow by validating your Office 365 connectors.

At this point, you've verified service delivery for a properly configured Outbound on-premises connector, and you've verified that your MX record is pointing to EOP. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • In the Remote Connectivity Analyzer, click the Office 365 tab, and then run the Inbound SMTP Email test located under Internet Email Tests.

  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.

  • If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received.
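Confirming that the test message arrived in the on-premises mailbox shows delivery worked, but not that it was filtered: a message delivered straight from the internet to the on-premises server (possible until the MX change propagates and port 25 is locked down) lands in the same mailbox. The Received headers tell the two cases apart. The script below is an added example, not part of the Microsoft article, that parses the Received chain of a test message and reports whether the final hop into the on-premises server came from an EOP host and whether EOP recorded handling the message. The hostname suffix in EOP_HOP_PATTERN is an assumption about the 21Vianet EOP hop names; confirm it against the headers of a known-good message before relying on it. Both raw messages are constructed samples.

```python
"""Verify from Received headers that a test message traversed EOP.

Added example, not from the Microsoft article.

ASSUMPTIONS: EOP_HOP_PATTERN is an assumed suffix for EOP hop hostnames in the
21Vianet service; adjust it to what a known-good message actually shows. The
two raw messages below are constructed samples, not captured mail.
"""
import email
import re

# Assumed hostname suffix for EOP datacenter hops (verify against real headers).
EOP_HOP_PATTERN = re.compile(r"\.protection\.partner\.outlook\.cn$", re.IGNORECASE)

# Pull "from <host> ... by <host>" out of one Received header value; the value
# may span folded continuation lines, hence DOTALL and \s+.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL | re.IGNORECASE)

# Constructed: internet sender -> EOP -> on-premises server (expected path).
GOOD_MESSAGE = """\
Received: from CN01.mail.protection.partner.outlook.cn (203.0.113.17)
 by mail.contoso-onprem.example (192.0.2.10) with ESMTP;
 Mon, 1 Mar 2021 08:00:02 +0000
Received: from mail.webmail.example (198.51.100.9)
 by CN01.mail.protection.partner.outlook.cn (203.0.113.17) with ESMTP;
 Mon, 1 Mar 2021 08:00:01 +0000
From: tester@webmail.example
To: user@contoso.example
Subject: EOP inbound test

test body
"""

# Constructed: internet sender delivered directly to the on-premises server,
# i.e. the message never passed through EOP.
DIRECT_MESSAGE = """\
Received: from mail.webmail.example (198.51.100.9)
 by mail.contoso-onprem.example (192.0.2.10) with ESMTP;
 Mon, 1 Mar 2021 08:05:00 +0000
From: tester@webmail.example
To: user@contoso.example
Subject: direct delivery test

test body
"""


def received_chain(raw_message):
    """Return [(from_host, by_host), ...] from the Received headers, newest hop first.

    Each server prepends its own Received header, so index 0 is the hop that
    handed the message to the final (on-premises) server.
    """
    msg = email.message_from_string(raw_message)
    chain = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match:
            chain.append((match.group(1), match.group(2)))
    return chain


def delivered_via_eop(raw_message, hop_pattern=EOP_HOP_PATTERN):
    """True when the last hop into the on-premises server came from an EOP host
    and some hop in the chain was recorded *by* an EOP host (EOP handled it)."""
    chain = received_chain(raw_message)
    if not chain:
        return False
    last_from_host, _ = chain[0]
    handled_by_eop = any(hop_pattern.search(by_host) for _, by_host in chain)
    return bool(hop_pattern.search(last_from_host)) and handled_by_eop


if __name__ == "__main__":
    for label, raw in (("expected path", GOOD_MESSAGE), ("direct delivery", DIRECT_MESSAGE)):
        print(f"{label}: via EOP = {delivered_via_eop(raw)}; hops = {received_chain(raw)}")
```

Paste the full headers of the test message from Outlook (File > Properties > Internet headers) in place of the constructed sample. A result of False on a message that did arrive means the MX change has not taken effect yet, or the on-premises server is still accepting port-25 connections from sources other than EOP.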

Less common: A hybrid setup with mailboxes on-premises and in the cloud

If you have Exchange mailboxes on-premises and one or more mailboxes in the cloud in Exchange Online, you have a hybrid setup. In a hybrid setup, features such as free/busy calendar sharing and mail routing work together across your on-premises and cloud environments. You might have a hybrid setup in place while you transition mailboxes to Exchange Online. A hybrid environment is set up differently than EOP standalone protection.

You might choose a hybrid scenario to take advantage of cloud-based email for most of your employees. You can do this while also hosting some mailboxes on-premises; for example, for your legal department.

A hybrid setup can be complex, but it has many benefits. To learn more about setting up hybrid scenarios with Exchange, see Exchange Server hybrid deployments.