Configuring Office 365 for Spambrella
Configuring Microsoft 365 for Spambrella
Summary –See below for information on:
- Pre-requisite information to begin
- What to do with your Spambrella account before setting up
- How to setup in Microsoft 365, including:
- Setting up inbound mail flow
- Bypass spam filtering in Microsoft 365
- Creating an inbound connector
- Setting up outbound mail flow
- Cutting over mailflow
- Enable and test domains
This article explains how to configure Microsoft 365 to use Spambrella as your email gateway.
Note: Office 365 / O365 has been rebranded as Microsoft 365.
What Is Microsoft Office 365?
Office 365 is a cloud-based solution from Microsoft which offers email, messaging, security, archiving and other capabilities delivered from Microsoft’s worldwide network of cloud data centers. For more information please see: https://products.office.com/en-us/business/office
Before You Start…
Before continuing with the provisioning and configuration of the Spambrella service, it is recommended that you have the information listed below.
INFORMATION NEEDED FOR CONFIGURING SPAMBRELLA
- MX record(s) for domain(s) you are configuring
INFORMATION NEEDED FOR CONFIGURING OFFICE 365
- Spambrella IPs, Smart Host, and SPF
- Office 365 administrator account
Microsoft 365 Tenant
The instructions on this KB presume that you are setting up all your domains in your tenant with Spambrella. If you are splitting your mail routing, you may need to consult Microsoft on creating the necessary custom rules based on our documentation.
SPAMBRELLA SIDE
Prior to the below set-up for Office 365, please ensure to do this with the Spambrella side.
- Set the domain verification
- Customize Spam settings (before adding in users)
- Customize Digest settings (before adding in users)
- Modify Notifications (if warranted)
- Add in users (preferable with Azure: Azure Active Directory Sync Guide – New API Version)
- Create filter policies and/or approve/block sender list items
DNS TTLs
For ease of DNS changes, turning down your TTLs on the DNS, specifically, MX and TXT records will help in the above domain verification, and later MX cut-over.
Microsoft 365 Tenant SIDE
Setup Inbound Mail Flow
Spambrella is deployed between the customer’s Office 365 environment and the Internet. Inbound mail is routed to Spambrella by changing the customer’s MX records. After the email is processed by Spambrella it is routed to Office 365.
Locate your MX record for the domain in Office 365…
- Sign-In to the Office 365 Admin center.
- Click on Settings > Domains
- Click on the domain you wish to manage.
- Under Exchange Online, locate the MX row in the table from the Points to address or value column (i.e.,mybusiness.com.mail.protection.outlook.com)
These values will be necessary when you add your domains to Spambrella |
---|
Adding domain(s) to Spambrella…
- Sign-in to the Spambrella user interface.
- Navigate to the ‘Administration‘ section and click Account Management > Domains
- Click on New Domain.
- Enter the domain name you wish to configure.
- Ensure “Relay” is selected for domain purposes.
- Enter the delivery and failover destinations’ values.
- Choose the method you wish to use for domain verification.
- Click Verify Now if you wish to verify your domain at this stage or Verify Later.
Each Domain must be verified before it can be enabled. |
---|
- Repeat if you are adding more than 1 domain.
The delivery and failover destinations refer to the “points to” values captured in the previous section. |
---|
CONFIGURE OFFICE 365…
Microsoft Office 365 limitation
Please note that Microsoft has a limitation of their allow list. It does not allow you to enter a large IP range. The maximum size of a range is a /24; it will not recognize larger ranges. Unfortunately, you have to enter in the IP ranges twice in this set-up documentation: Connection Details
Bypass Spam Filtering in Microsoft 365…
- Sign-In to the Office 365 Admin portal.
- Click on Admin > Exchange
This will launch the Exchange Admin Center
- Navigate to mail flow > rules.
- Click + icon to access the pull-down menu.
- Select By-pass spam filtering.
- In the new rule window, complete the required fields:
- Enter a value for Name (e.g. By-pass Spam filtering for Spambrella)
- For Apply this rule if… select The sender…IP address is in any of these ranges or exactly matches.
- Add IP address to the IP address list.
- Type in the address followed by the + icon.
- Repeat for each IP address.
- Ensure Set the spam confidence level (SCL) to is selected in the Do the following… menu
- Do the following > Modify the message proprieties > set the spam confidence level > bypass spam filtering
- Click Next
- Select Enforce
- Click Next
- Review the info then click Finish
Optional steps if you need to disable Microsft 365’s Advanced Email Threat protection (Safelink rewrites)
Before clicking Save in the above step 6 do the following:
- Click Add Action.
- Select Modify the message properties..set a message header.
- Set the message header: X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
- Click Save.
SCL Bypass
Due to major complaints, Proofpoint has opted to change to the format of ensuring Spambrella mail is not scored via the O365 system. This rule will allow external email to come in still but will follow O365 scoring. This is to ensure no mail is lost.
Select the IP addresses that correspond to the stack you are hosted on. You can determine this by looking at the URL in your browser. For example, if your URL is https://spambrella.cloud-protect.net than you are on stack “EU1”. Therefore look for that stack in the list of IP values. If you are unsure, please email support for clarification. |
---|
CREATE INBOUND CONNECTOR
An inbound connector is used to manage mail traffic between Office 365 and Spambrella.
- While accessing the Exchange Admin Center, click mail flow then connectors.
- Click + to launch control.
- For From select Partner Organization.
- For To select Office 365.
- Click Next.
- Enter a value for Name (e.g. Spambrella Inbound Connector).
- (Optional) Enter a value for Description (e.g. Inbound connector for Spambrella).
- Uncheck the turn it on setting. You will turn this inbound connector on once you are ready to cutover mailflow.
- Click Next.
- Select Use the sender’s IP address.
- Click Next.
- Click +.
- Add IP address to the IP address list.
- Click +.
- Type in the address followed by OK.
- Repeat for each IP address.
- Click Next.
- Ensure Reject email messages if they aren’t over TLS is checked.
- Click Next.
- Click Save.
If your mail server has not been locked down to only accept mail from our IP’s. It is possible for senders to route directly to your mail system instead of following normal MX lookups to route through Proofpoint.
SETUP OUTBOUND MAIL FLOW
Spambrella is deployed between the customer’s Office 365 environment and the Internet. Outbound mail is routed to Spambrella by configuring an outbound mail gateway.
Outbound instructions set-up for all mail-in tenant
Please note that these instructions are for all mail within in the tenant. If you custom routing, or extra outbound mail flow, other outbound routing and/or rules will be required to set-up.
CONFIGURE SPAMBRELLA
Enable Outbound Relaying
- Sign-in to the Spambrella user interface.
- Navigate to ‘Administration‘ and click Account Management > Features
- Check Enable Outbound Relaying.
- Click Save.
Add Service IP addresses to your Inbound Gateway
- While logged into the Spambrella user interface, navigate to ‘Administration‘ and click Account Management > Domains
- Click Managed Hosted Services.
- Choose Office 365.
- Click Save.
CONFIGURE OFFICE 365
Create Outbound Connector
- Sign-In to the O365 365 Admin portal.
- Navigate to Admin > Exchange.
This will launch Exchange Admin Center
- Click Mail Flow > Connectors.
- Click + to access menu.
- For From select Office 365.
- For To select Partner Organization.
- Click Next.
- Enter a value for Name (e.g. Spambrella).
- Enter a value for Description (e.g. Outbound connector for Spambrella).
- Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mailflow.
- Click Next.
- For When do you want to use this connector? select Only when email messages are sent to these domains.
- Click +.
- Enter * to specify all domains.
- Click OK.
- Click Next.
- For How do you want to route email messages? select Route email through these smart hosts.
- Click + and enter your Spambrella smart host value (i.e., outbound-us1.ppe-hosted.com).
- Click Save.
- Click Next.
- For How should Office 365 connect to your partner organization’s email server? choose your preferred approach.
- If you choose Always use Transport Layer Security (TLS) to secure the connection, please choose Any digital certificate, including self-signed certificates.
- Click Next.
- Click Next.
- Click + icon and enter an email address for validation.
- Click OK.
- Click Validate.
- Click Save.
If you are using Spambrella Professional service package and the Email Archive, you will need to create an additional outbound connector. Please refer to Configuring Journaling for Office 365 for additional steps.
If you are using another archiving service, you will need to create an additional outbound connector to ensure journal emailed is not sent to Spambrella. If it is sent to Spambrella it will be subject to outbound rate-limiting policies. Please contact your archiving service provider for instructions.
External Recipients of distro-groups/Auto-forwarding
Please note that Spambrella does not explicitly support some types of auto-forwarding.
- User-level forwarding – O365 support this for messages sent directly to the user
- Distribution Groups with external Recipients – Spambrella does not support this outbound behavior. A custom rule will be required to allow these messages out by by-passing the Spambrella smarthost.
- Distribution Groups with a user-level forward – Similar to external recipient, a by-pass rule will be required
Sending To Distribution Groups With External Domain Recipients
Sending to Distribution Groups with external domain recipients contains step-by-step instructions how to set it up. For auto-forwarding, same connector can be used and a rule will need to be created to match the auto-forward.
CUTTING OVER MAILFLOW
ENABLE & TEST DOMAIN(S)
- Sign-in to the Spambrella user interface.
- Navigate to ‘Administration‘ and click Account Management > Domains
- Click the relay control to enable the domain for relay.
Once the domain is turned on, you will need to wait for Spambrella MTAs to be updated. This occurs every half-hour. You should not proceed to the next step until you’ve waited for this change to be applied.
- Click the test domain (clipboard) icon to verify Spambrella can deliver to the specified SMTP destination
UPDATE YOUR MX RECORDS
You will need to add Spambrella MX records to your DNS record.
You may want to add the MX records with a low priority ahead of your cutover. Once ready, you can then increase the priority of the Spambrella MX records while decreasing the priority of your existing MX record.
Update Sender Policy Framework (SPF)
When sending outbound email through the Spambrella gateway, recipients receive mail sent from Spambrella rather than Office 365 mail servers. If the recipient’s mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain.
To enable this, you need to add the Spambrella MX records to your domain.
ENABLE INBOUND CONNECTOR
- Sign-In to the O365 Admin portal.
- Navigate to Admin > Exchange.
- Click Mail Flow > Connectors.
- Select the Inbound Connector and click edit (pencil icon).
- Check the turn it on checkbox.
- Click Next and move through the next 3 screens.
- Click Save.
ENABLE OUTBOUND CONNECTOR
- Sign-In to the O365 Admin portal.
- Navigate to Admin > Exchange.
- Click Mail Flow > Connectors.
- Select the outbound connector and click edit (pencil icon).
- Check the turn it on checkbox and click next through the remaining screens.
- Click Validate.
- Click Save.
ENABLE BY-PASS SPAM FILTERING RULE
- While accessing the Exchange Admin Center, click mail flow > rules.
- Check the checkbox next to the mail flow rule you created previously.
VERIFY INBOUND MAILFLOW
- While logged into the Spambrella user interface, click the Logs tab.
- Select Any from the Status drop-down and click Search.
- Look for new entries to be listed in the search results.
VERIFY OUTBOUND MAILFLOW
- Send a test message from an Office 365 mailbox to an external SMTP address.
- While logged into the Spambrella user interface, click the Logs tab.
- Select Outbound mail from the type drop-down.
- Select Any from the status drop-down and click Search.
- Look for the test message that was sent.