New Post has been published on http://o365info.com/block-smtp-access-of-external-mail-servers-to-exchange-online-except-specific-ip-address/
Block SMTP access of external mail servers to Exchange Online except specific IP address
In this article, we review how to change the default Exchange Online incoming mail policy, which allows any host to address Exchange Online over SMTP.
Another way of describing this scenario is: block SMTP access of external mail servers to Exchange Online.
In our scenario, we want to implement an Exchange Online incoming mail policy in which Exchange Online will "agree" to accept an incoming SMTP connection only from approved "entities."
Our incoming mail flow scenario
Our scenario includes the following mail infrastructure:
We use an Exchange Hybrid configuration, in which our mail infrastructure is "distributed" between Exchange on-Premises and Exchange Online.
The MX record of our organization's domain name (o365info.com) points to the IP address of the Mail security gateway.
Our organization needs to fulfill a regulatory requirement: every E-mail sent to one of our recipients must reach the Mail security gateway.
The Mail security gateway implements several security checks.
After the security checks are completed, the Mail security gateway forwards the E-mails to the Exchange on-Premises server or to the Exchange Online mail server.
Our organization's mail infrastructure is published by an MX record that "points" to the on-Premises Mail security gateway, represented by the IP address 93.157.83.110.
An additional requirement is to prevent external mail servers from addressing "directly" the Exchange Online mail server that represents our domain name.
Notice the important observation: although the MX record of our domain name points to the IP address of the Mail security gateway, external hosts that know the IP address of the Exchange Online mail server, or know the "Office 365 MX record" that represents our hosted domain name, can "bypass" our Mail security gateway by creating an SMTP session with Exchange Online directly. Any E-mail delivered this way has skipped the gateway's security checks entirely.
In other words, we need to implement a mail flow configuration in which only the Exchange on-Premises Hybrid server and the Mail security gateway are allowed to create an SMTP session with the Exchange Online mail server that represents our domain name.
Another requirement is that the communication channel between the Exchange on-Premises Hybrid infrastructure and Exchange Online must not be interrupted by the configuration settings that we create for restricting SMTP access to "our Exchange Online mail server".
We will review this issue in a following section.
How to provide the required solution
The solution for this business requirement is implemented by creating a new Exchange Online mail connector that defines the Exchange Online "incoming mail policy."
As mentioned, by default Exchange Online accepts SMTP connections from any external host.
In our scenario, we want to "harden" this default behavior so that the Exchange Online mail server that represents our domain name accepts incoming SMTP connections only from the following "approved" hosts:
The Exchange on-Premises Exchange Hybrid server
The Mail security gateway
To create this "incoming mail flow policy," we will rely on two incoming Exchange Online mail connectors.
Exchange Online and the communication channel with Exchange on-Premises Hybrid server
In our example, the organization's mail environment is an Exchange Hybrid environment.
When the Exchange Hybrid environment was created, the Exchange Hybrid wizard automatically created inbound and outbound (receive and send) connectors.
By default, the incoming Exchange Online mail connector is configured to accept SMTP connections from the Exchange on-Premises Hybrid server only if the Exchange on-Premises server can identify itself (prove its identity).
The Exchange on-Premises server "presents" its identity by providing a server certificate.
The point is that Exchange Online already has a "relationship" with the Exchange on-Premises environment. For this reason, we do not need to create a dedicated Exchange Online incoming mail connector for the Exchange Hybrid environment.
Exchange Online and the communication channel with Mail security gateway
To change the default Exchange Online incoming mail policy regarding incoming SMTP connections, we will create a new incoming mail connector (receive connector) that allows incoming connections only from a specific IP address: the IP address of the Mail security gateway.
Creating a new Exchange Online incoming mail connector
In the following section, we demonstrate how to harden the Exchange Online incoming mail policy by creating a custom Exchange Online incoming mail connector.
The Exchange Online incoming mail connector will be configured to accept SMTP connections only from a specific IP address, specified in the incoming mail connector settings.
Log in to the Exchange Online admin center
On the left menu bar, select mail flow
On the left menu bar, select connectors
In the following screenshot, we can see the "structure" of the incoming mail connector.
The first configuration setting defines the two involved parties: the "source" entity (A) and the "destination" entity (B).
The "source" is the mail server that will be "allowed" to connect to the Exchange Online server that represents our hosted domain.
The "destination" is the Exchange Online server.
In the "From" section, select the option Partner organization.
In the "To" section, select the option Office 365. The term "Office 365" represents the Exchange Online server that hosts our domain.
In the *Name section, provide a descriptive name for the Exchange Online connector.
Notice that, by default, the new Exchange Online mail connector is set to be activated at the end of the process. If you prefer to test the mail connector settings at a later time, uncheck the option "Turn it on".
Select the option Use the sender's domain
Add the "*" character. The meaning of this character is "every domain". In other words, this incoming mail connector's settings will be "applied" for every domain that the "source host" uses. Technically speaking, we could create an incoming Exchange Online mail connector that is "activated" only when the sender presents itself using a specific domain name.
Uncheck the option Reject E-mail messages if they aren't sent over TLS
By default, Exchange Online treats "partner organization" connectors as connectors that define TLS-based communication between two endpoints (Exchange Online and the "other" mail server).
In our scenario, we do not want to configure a TLS relationship. For this reason, we uncheck the "TLS" option.
Select the option Reject email messages if they aren't sent from within this IP address range
In our example, Exchange Online identifies the "external Mail security gateway" by its public IP address.
Add the IP address of the "external host" that will be allowed to send E-mail to Exchange Online.
In the following screenshot, we can see that the new incoming mail connector was successfully created.
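The same connector can be created from Exchange Online PowerShell, which is also the easiest way to record exactly what was configured. The following is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can manage connectors. The connector name is a placeholder, and the gateway IP address is the one given earlier in the post (93.157.83.110).

```powershell
# Added example (not from the original post): build the same partner connector
# that the EAC wizard above creates, using Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account
# can manage connectors; the connector name below is a placeholder.
Connect-ExchangeOnline          # interactive sign-in to the tenant

$gatewayIp     = '93.157.83.110'                      # Mail security gateway IP from the post
$connectorName = 'Inbound from Mail security gateway' # placeholder name

$params = @{
    Name                         = $connectorName
    ConnectorType                = 'Partner'  # "From: Partner organization", "To: Office 365"
    SenderDomains                = '*'        # "Use the sender's domain" with *: applies to every sender domain
    SenderIPAddresses            = $gatewayIp # one or more IP addresses or CIDR ranges
    RestrictDomainsToIPAddresses = $true      # "Reject email messages if they aren't sent from within this IP address range"
    RequireTls                   = $false     # "Reject ... if they aren't sent over TLS" left unchecked, as in the post
    Enabled                      = $true      # use $false to create it switched off ("Turn it on" unchecked)
}
New-InboundConnector @params

# Read the result back. RestrictDomainsToIPAddresses and RestrictDomainsToCertificate
# are the two properties named in the 550 5.7.51 rejection shown later in the post.
$props = 'Name', 'ConnectorType', 'SenderDomains', 'SenderIPAddresses',
         'RestrictDomainsToIPAddresses', 'RestrictDomainsToCertificate', 'RequireTls', 'Enabled'
Get-InboundConnector -Identity $connectorName | Format-List $props
```

Creating the connector with Enabled set to $false and switching it on later with Set-InboundConnector mirrors the "Turn it on" checkbox in the wizard, and leaves a window in which the gateway address can be double-checked before any host is rejected.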
Testing incoming mail flow | Exchange Online
To verify that we managed to implement the required Exchange Online "incoming mail policy," we ran two different tests, in which we check that the Exchange Online mail server that represents our domain name (o365info.com in our scenario) accepts SMTP connection requests only from an "approved entity."
We use an SMTP mail client that addresses the MX record of the Exchange Online mail server that represents the domain name o365info.com.
In our example, the Exchange Online server that hosts my domain name is represented by the host name o365info-com.mail.protection.outlook.com
The mail client that I use for the incoming SMTP communication tests is a nice and useful mail client utility named Basic SMTP Telnet Client.
Test 1 of 2: Try to create an SMTP session using an "approved" host.
In this test, we address the MX record of the Exchange Online mail server that represents our domain name from a host whose IP address was configured in the Exchange Online incoming mail connector.
The expected result is that Exchange Online accepts the request for an SMTP connection.
Test 2 of 2: Try to create an SMTP session using a "non-approved" host.
In this test, we verify whether an "unapproved" host can create an SMTP session with the Exchange Online server that hosts our domain.
The expected result is that Exchange Online refuses the request for an SMTP session from a host whose IP address was not added to the incoming Exchange Online mail connector.
Testing an SMTP session using an "approved" host.
In the following screenshot, we can see the configuration of the SMTP mail client that was installed on an "approved" host.
Destination mail server: in the section named Receive Connector IP, we add the host name or the IP address of the destination mail server (number 1).
The TCP port that we use is the standard SMTP port, port 25 (number 1).
The destination recipient E-mail address that we use is [email protected] (number 4).
Note: if you need more information about how to locate the Exchange Online MX record for a specific domain, you can read the article What is the hostname of my Office 365 MX records?
We select the Telnet tab, which lets us start the SMTP session with the destination mail server and, in addition, view the communication "chat" between our mail client and the mail server.
In our example, the communication between the mail client and the Exchange Online mail server completed successfully.
Exchange Online responds with the following message:
250 2.6.0 <5f229770-5b32-4cc0-a54d-4a3456d89918@AM1FFO11FD041.protection.gbl> [InternalId=115027814122736, Hostname=DB3PR05MB091.eurprd05.prod.outlook.com] 7155 bytes in 0.160, 43.503 KB/sec Queued mail for delivery
The meaning is that the Exchange Online mail server is willing to accept the E-mail and informs the mail client that the E-mail is in the queue, waiting for delivery.
Testing an SMTP session using a "non-approved" host.
In the following screenshot, we can see the configuration of the SMTP mail client that was installed on a "non-approved" host.
The main difference from the former scenario is that this time the SMTP client is installed on a host whose IP address is not considered an "approved" IP address by the Exchange Online mail server.
We select the Telnet tab, which lets us start the SMTP session with the destination mail server.
The SMTP communication with the Exchange Online mail server results in failure.
The Exchange Online mail server responds with the following message:
550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set
This is a "good result", or rather the expected result. In our scenario, we don't want the Exchange Online mail server that represents our domain to accept SMTP communication requests from non-approved hosts.
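The two tests above can be scripted so that they are repeatable after every connector change. The following PowerShell function is an added example, not code from the original post or from the Basic SMTP Telnet Client; it opens a raw SMTP session to the MX host named above, walks through EHLO, MAIL FROM and RCPT TO, and stops before DATA so no message is ever submitted. The recipient address, HELO name and envelope sender are constructed placeholders; the MX host name is the one from the post. Run it once from the approved host and once from any other host and compare the reply codes with the 250 and 550 5.7.51 replies shown above (it is assumed here that the 5.7.51 rejection is returned at the RCPT TO stage).

```powershell
# Added example (not from the original post): a minimal SMTP handshake probe
# that repeats the two tests above without sending a message.
# Assumptions: outbound TCP 25 is allowed from the host you run it on; the
# recipient is a mailbox in the hosted domain (placeholder below).
function Read-SmtpResponse {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies may span several lines: continuation lines use "ddd-" and
    # the final line uses "ddd " (RFC 5321 section 4.2.1).
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }       # connection closed by the server
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    $code = if ($lines.Count -gt 0) { [int]$lines[-1].Substring(0, 3) } else { 0 }
    return [PSCustomObject]@{ Code = $code; Lines = $lines }
}

function Test-SmtpInboundPolicy {
    param(
        [Parameter(Mandatory)] [string]$MxHost,      # Exchange Online MX host from the post
        [Parameter(Mandatory)] [string]$Recipient,   # placeholder mailbox in the hosted domain
        [string]$HeloName = 'probe.example.invalid', # constructed client name
        [string]$Sender   = 'probe@example.invalid', # constructed envelope sender
        [int]$Port = 25,
        [int]$TimeoutMs = 15000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($MxHost, $Port)
    $stream = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    $transcript = @()
    try {
        $banner = Read-SmtpResponse $reader
        $transcript += [PSCustomObject]@{ Stage = 'BANNER'; Code = $banner.Code; Text = ($banner.Lines -join ' ') }
        foreach ($cmd in @("EHLO $HeloName", "MAIL FROM:<$Sender>", "RCPT TO:<$Recipient>")) {
            $writer.WriteLine($cmd)
            $resp = Read-SmtpResponse $reader
            $transcript += [PSCustomObject]@{ Stage = $cmd.Split(' ')[0]; Code = $resp.Code; Text = ($resp.Lines -join ' ') }
            if ($resp.Code -ge 400) { break }   # a connector rejection such as 550 5.7.51 lands here
        }
        # Stop before DATA: the envelope test is enough, and nothing is queued.
        $writer.WriteLine('QUIT')
        [void](Read-SmtpResponse $reader)
    } finally {
        $reader.Dispose(); $writer.Dispose(); $client.Dispose()
    }
    $last = $transcript[$transcript.Count - 1]
    return [PSCustomObject]@{
        MxHost     = $MxHost
        Accepted   = ($last.Stage -eq 'RCPT' -and $last.Code -lt 300)   # envelope accepted by Exchange Online
        Transcript = $transcript
    }
}

# Same call from the approved host (expect Accepted = True) and from any other
# host (expect Accepted = False and a 5.7.51 reply on RCPT TO).
$result = Test-SmtpInboundPolicy -MxHost 'o365info-com.mail.protection.outlook.com' -Recipient 'recipient@o365info.com'
$result.Transcript | Format-Table Stage, Code, Text -AutoSize
"Envelope accepted by Exchange Online: $($result.Accepted)"
```

Because the probe never reaches DATA, it can be run from the non-approved host as often as needed without leaving queued test messages; the transcript it returns is the same "chat" the Telnet tab of the client shows in the screenshots.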
Verifying the communication channel between Exchange on-Premises Hybrid server and Exchange Online
In this section, I would like to briefly review the configuration of the communication channel between Exchange Online and the Exchange on-Premises Hybrid server.
As mentioned, in our scenario there are two "entities" that are "allowed" to communicate with the Exchange Online mail server:
The Mail security gateway
The Exchange on-Premises Hybrid server
In the former sections, we reviewed the settings of the Exchange Online incoming mail connector that defines the "relationship" with the Mail security gateway.
The question we can ask now is: how can we know that the restriction we defined on the Exchange Online incoming mail connector will not interfere with the communication channel with the Exchange on-Premises Hybrid server?
The incoming mail connector that was created defines the "allowed" hosts that can communicate with the Exchange Online mail server, and it includes only the IP address of the Mail security gateway! (It does not relate to the Exchange on-Premises Hybrid server.)
The answer is that when the Exchange Hybrid environment was created, the Exchange Hybrid wizard automatically created an Exchange Online incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server.
The Exchange Online mail server identifies the Exchange on-Premises Hybrid server by looking for a specific text string that must be included in the certificate that the Exchange on-Premises Hybrid server provides.
The outcome is that in our specific scenario, Exchange Online includes two incoming mail connectors:
The incoming mail connector that defines the relationship with the Mail security gateway (recognizes the sender by IP address).
The incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server (recognizes the sender by a public certificate).
In other words, the Exchange Online mail server can have "multiple relationships" with multiple "source senders" that do not interfere with each other.
Checking the incoming mail connector for the Exchange Hybrid environment
To view the incoming mail connector, we implement the following steps:
Log in to the Exchange Online admin center
On the left menu bar, select mail flow
On the left menu bar, select connectors
In the following screenshot, we can see an example of the Exchange Online incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server:
The mail connector is an "incoming mail connector" that is "active" each time the Exchange on-Premises Hybrid server addresses the Exchange Online mail server.
In the following screenshot, we can see that the Exchange Online incoming mail connector includes the following setting:
By verifying that the subject name of the certificate that the sending server uses to authenticate with Office 365 matches this domain name (recommended). This option requires all email messages from your email server to be sent over Transport Layer Security (TLS), a secure channel. Your email server secures this channel by authenticating with Office 365 using a digital certificate. Office 365 then verifies that the subject name in the digital certificate matches the domain name specified here. The domain name can contain wildcard characters.
In simple words, Exchange Online verifies SMTP communication coming from the Exchange on-Premises Hybrid server by checking the following:
That the Exchange on-Premises Hybrid server can provide a certificate.
That the certificate is valid.
That the certificate includes a specific text string.
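Rather than opening each connector in the admin center, both relationships can be confirmed side by side from PowerShell. The following is an added example, not code from the original post; it assumes an Exchange Online PowerShell session is already connected and reads the same connector properties the two screenshots above display (the IP restriction of the gateway connector and the certificate subject string of the Hybrid connector). The "IdentifiedBy" classification is this example's own summary of those properties.

```powershell
# Added example (not from the original post): list every inbound connector in
# the tenant and show how Exchange Online identifies the sender on each one, so
# the IP-based gateway connector and the certificate-based Hybrid connector can
# be checked together. Assumes Connect-ExchangeOnline has already run.
function Get-InboundConnectorPolicy {
    Get-InboundConnector | ForEach-Object {
        $byIp   = $_.RestrictDomainsToIPAddresses -and ($_.SenderIPAddresses.Count -gt 0)
        $byCert = $_.RestrictDomainsToCertificate -or
                  (-not [string]::IsNullOrEmpty($_.TlsSenderCertificateName))

        if ($byIp -and $byCert) { $identifiedBy = 'IP address + certificate' }
        elseif ($byIp)          { $identifiedBy = 'IP address' }
        elseif ($byCert)        { $identifiedBy = 'Certificate subject' }
        else                    { $identifiedBy = 'NONE' }

        [PSCustomObject]@{
            Name         = $_.Name
            Type         = $_.ConnectorType      # Partner (gateway) or OnPremises (Hybrid wizard)
            Enabled      = $_.Enabled
            IdentifiedBy = $identifiedBy
            SenderIPs    = ($_.SenderIPAddresses -join ', ')
            CertName     = $_.TlsSenderCertificateName   # text string the Hybrid server's certificate must match
            RequireTls   = $_.RequireTls
        }
    }
}

$policy = Get-InboundConnectorPolicy
$policy | Format-Table -AutoSize

# An enabled connector restricted neither by IP nor by certificate does not limit
# which hosts may use it for its sender domains, so flag it for review.
$policy | Where-Object { $_.Enabled -and $_.IdentifiedBy -eq 'NONE' } |
    ForEach-Object { Write-Warning "Connector '$($_.Name)' has no sender restriction." }
```

In the scenario described on this page the table should show exactly two enabled connectors: the Partner connector identified by the gateway's IP address and the OnPremises connector identified by the certificate subject, which is the concrete form of the "multiple relationships" statement above.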