Attention: The required "connectors" and "rules" in "Exchange Online" must be created via "PowerShell Core" (download from https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2#msstore, installation notes under https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2), because the graphical interface of "Exchange Online" does not offer all necessary options.
SEPPmail provides appropriate modules for the guided generation of the required connectors and rules via the "PowerShell Gallery" www.powershellgallery.com/packages/SEPPMail365/. Further information can be found in the chapter SEPPmail365 Powershell Module.
Furthermore, a correct ARC configuration is required, see ARC Sealing and subchapters. For multi-tenant capable SEPPmail Secure E-Mail Gateways, the chapter Exchange Online Configuration must also be observed.
Furthermore, the following configurations within Microsoft 365 should be observed:
Ignore the last sending IP address in the connector "[SEPPmail] Appliance -> ExchangeOnline"
This can be checked as follows:
GUI:
https://security.microsoft.com/skiplisting
Policies & rules > Threat policies > Enhanced Filtering for Connectors > Policies & rules > Enhanced Filtering for Connectors
Connector Name: [SEPPmail] Appliance -> ExchangeOnline
Setting: Automatically detect and skip the last IP address
PowerShell:
Get-InboundConnector '[SEPPmai*' | fl EFSkipLastIP,EFSkipIPs
EFSkipLastIP : True
EFSkipIPs : {}
"Connection filter policy" must not be active
This can be checked as follows:
GUI:
https://security.microsoft.com/antispam
Name: Connection filter Policy
Policies & rules > Threat policies > Anti-spam policies > Connection filter policy
PowerShell:
# IPAllowList/AllowedSenders should not contain SEPPmail IPs
Get-HostedContentFilterPolicy Default | fl AllowedSenders
AllowedSenders : {}
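The two checks above combined into one audit function, as an added example (not SEPPmail's or Microsoft's own code). Test-SeppmailExoSettings and the sample objects are constructed for illustration; in a live Exchange Online session, pass the output of Get-InboundConnector and Get-HostedContentFilterPolicy Default instead.

```powershell
# Hypothetical helper: evaluates the settings this page asks for and returns
# one result object per check (Check, Compliant, Detail).
function Test-SeppmailExoSettings {
    param(
        [object[]] $InboundConnector = @(),
        [Parameter(Mandatory)] [object] $ContentFilterPolicy
    )
    # Count real entries; $null and empty collections both count as 0.
    $count = { param($v) @($v | Where-Object { $_ }).Count }

    # Only connectors whose name starts with the literal prefix "[SEPPmail]".
    $sepp = @($InboundConnector | Where-Object { "$($_.Name)".StartsWith('[SEPPmail]') })
    if ($sepp.Count -eq 0) {
        [pscustomobject]@{
            Check     = 'Inbound connector'
            Compliant = $false
            Detail    = 'no connector with the prefix [SEPPmail] found'
        }
    }
    foreach ($c in $sepp) {
        # Expected per the page: EFSkipLastIP : True and EFSkipIPs : {}
        $skipIps = & $count $c.EFSkipIPs
        [pscustomobject]@{
            Check     = "Enhanced Filtering on '$($c.Name)'"
            Compliant = ($c.EFSkipLastIP -eq $true) -and ($skipIps -eq 0)
            Detail    = "EFSkipLastIP=$($c.EFSkipLastIP); EFSkipIPs entries=$skipIps"
        }
    }
    # Expected per the page: AllowedSenders : {}
    $senders = & $count $ContentFilterPolicy.AllowedSenders
    [pscustomobject]@{
        Check     = 'Anti-spam AllowedSenders'
        Compliant = ($senders -eq 0)
        Detail    = "AllowedSenders entries=$senders"
    }
}

# Constructed sample objects shaped like the cmdlet output shown above.
$connectors = @(
    [pscustomobject]@{
        Name = '[SEPPmail] Appliance -> ExchangeOnline'; EFSkipLastIP = $true; EFSkipIPs = @()
    }
)
# Constructed non-compliant policy: one allowed sender is present.
$policy = [pscustomobject]@{ Name = 'Default'; AllowedSenders = @('partner@example.com') }

Test-SeppmailExoSettings -InboundConnector $connectors -ContentFilterPolicy $policy |
    Format-Table -AutoSize
```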
If the "Exchange Online" is implemented in this way, no additional configuration steps are required in the Mail Processing.
For further information, please also refer to https://www.seppmail.de/produkte/seppmail365/.
Attention: Since the SEPPmail Secure E-Mail Gateway is operated without spam protection in this configuration, it is essential to ensure that port 25 can only be reached by an Exchange Online server. The corresponding IP addresses of these servers are listed under Mail System > Exchange Online Relaying > Currently registered MTAs.
Since the SEPPmail Secure E-Mail Gateway is usually operated in MS Azure in this configuration, the following must be entered under "Rules for incoming ports" in "Virtual Computer | Network" for the virtual machine on which the SEPPmail Secure E-Mail Gateway runs: