Configure Exchange Online inbound mail flow to accept SMTP connection only from a specific mail security gateway IP address

In this article, we will review how to change the default Exchange Online incoming mail policy, which allows any host to address Exchange Online using SMTP.
Another way to describe this scenario is: block SMTP access from external mail servers to Exchange Online.
In our scenario, we want to implement an Exchange Online incoming mail policy in which Exchange Online will “agree” to accept incoming SMTP connections only from approved “entities.”

Our incoming mail flow scenario

Our scenario includes the following mail infrastructure:

We use an Exchange Hybrid configuration, in which our mail infrastructure is “distributed” between Exchange on-Premises and Exchange Online.

The MX record of our organization domain name (o365info.com) points to the IP address of the Mail security gateway.

Our organization needs to fulfill a regulatory requirement: every E-mail that is sent to one of our organization recipients must pass through the Mail security gateway.

The Mail security gateway implements several security checks.
After the security checks are completed, the Mail security gateway forwards the E-mails to the Exchange on-Premises server or to the Exchange Online mail server.

Our organization mail infrastructure is published by using an MX record that “points” to the on-Premises Mail security gateway, represented by the IP address 93.157.83.110.

The scenario characters – MX record is pointing to Mail security gateway-

An additional requirement that we need to fulfill is to prevent external mail servers from addressing the Exchange Online mail server that represents our domain name “directly.”

Notice the important observation: although the MX record of our domain name points to the IP address of the Mail security gateway, external hosts who know the IP address of the Exchange Online mail server, or who know the “Office 365 MX record” that represents our hosted domain name, can “bypass” our Mail security gateway by creating an SMTP session with Exchange Online directly.

In other words, we need to implement a mail flow configuration in which only the Exchange on-Premises Hybrid server and the Mail security gateway are allowed to create an SMTP session with the Exchange Online mail server that represents our domain name.

Block access of external mail servers to Exchange Online except specific IP address-

Another requirement that we need to fulfill is that the communication channel between the Exchange on-Premises Hybrid infrastructure and Exchange Online must not be interrupted by the configuration settings that we create for restricting SMTP access to “our Exchange Online mail server.”

We will review this issue in a later section.

How to provide the required solution

The solution for this business requirement is implemented by creating a new Exchange Online mail connector that defines the Exchange Online “incoming mail policy.”

As mentioned, by default Exchange Online is willing to accept SMTP connections from any external host.

In our scenario, we want to “harden” this default behavior so that the Exchange Online mail server that represents our domain name will accept incoming SMTP connections only from the following “approved” hosts:

  1. The Exchange on-Premises Exchange Hybrid server
  2. The Mail security gateway

To create this “incoming mail flow policy,” we will rely on two incoming Exchange Online mail connectors.

Exchange Online and the communication channel with Exchange on-Premises Hybrid server

In our example, the organization mail environment is an Exchange Hybrid environment.
When the Exchange Hybrid environment was created, the Exchange Hybrid wizard automatically created inbound and outbound (send and receive) connectors.

By default, the incoming Exchange Online mail connector is configured to accept SMTP connections from the Exchange on-Premises Hybrid server only when the Exchange on-Premises server can identify itself (prove its identity).

The Exchange on-Premises server “presents” its identity by providing a server certificate.

The point is that Exchange Online already has a “relationship” with the Exchange on-Premises environment. For this reason, we will not need to create a dedicated Exchange Online incoming mail connector for the Exchange Hybrid environment.

Exchange Online and the communication channel with Mail security gateway

To change the default Exchange Online incoming mail policy regarding incoming SMTP connections, we will create a new incoming mail connector (receive connector) that allows incoming connections only from a specific IP address: the IP address of the Mail security gateway.

Approving the required mail entities which can communicate with Exchange Online using SMTP

Creating new Exchange Online incoming mail connector

In the following section, we will demonstrate how to harden the Exchange Online incoming mail policy by creating a custom Exchange Online incoming mail connector.

The Exchange Online incoming mail connector will be configured to accept SMTP connections only from a specific IP address that is specified in the incoming mail connector settings.

Create a new Exchange Online partner incoming mail connector -01

In the following screenshot, we can see the “structure” of the incoming mail connector.

The first configuration setting defines the two involved parties – the “source” entity (A) and the “destination” entity (B).

Create a new Exchange Online partner incoming mail connector -02

In our scenario,

  • The “source” is the mail server that will be “allowed” to connect to the Exchange Online server that represents our hosted domain.
  • The “destination” is the Exchange Online server.

Create a new Exchange Online partner incoming mail connector -03

  • In the section “From,” select the option – Partner organization.

Create a new Exchange Online partner incoming mail connector -04

  • In the section “To,” select the option – Office 365. The term “Office 365” represents the Exchange Online server that hosts our domain.

Create a new Exchange Online partner incoming mail connector -05

  • In the Name section, provide a descriptive name for the Exchange Online connector.
  • Notice that by default the new Exchange Online mail connector is set to be turned on at the end of the process. If you prefer to test the mail connector settings at a later time, uncheck the “Turn it on” option.
  • Click Next

Create a new Exchange Online partner incoming mail connector -06

  • Select the option – Use the sender’s domain
  • Click Next

Create a new Exchange Online partner incoming mail connector -07

  • Click on the plus icon

Create a new Exchange Online partner incoming mail connector -08

  • Add the “*” character. This character means “every domain.” In other words, this incoming mail connector’s settings will be “applied” for every domain that the “source host” uses. Technically speaking, we could instead create an incoming Exchange Online mail connector that is “activated” only when the sender presents itself using a specific domain name.
  • Click OK

Create a new Exchange Online partner incoming mail connector -09

  • Click Next

Create a new Exchange Online partner incoming mail connector -10

  • Uncheck the option – Reject E-mail messages if they aren’t sent over TLS

By default, Exchange Online treats a “partner organization” connector as a connector that defines TLS-based communication between two endpoints (Exchange Online and the “other” mail server).

In our scenario, we do not want to configure a TLS relationship. For this reason, we uncheck the “TLS” option.

Create a new Exchange Online partner incoming mail connector -11

  • Select the option – Reject email messages if they aren’t sent from within this IP address range
  • Click on the plus icon

In our example, Exchange Online identifies the “external Mail security gateway” by its public IP address.

Create a new Exchange Online partner incoming mail connector -12

  • Add the IP address of the “external host” that will be allowed to send E-mail to Exchange Online.
  • Click OK

Create a new Exchange Online partner incoming mail connector -13

  • Click Next

Create a new Exchange Online partner incoming mail connector -14

  • Click Save

Create a new Exchange Online partner incoming mail connector -15

In the following screenshot, we can see that a new incoming mail connector was successfully created.

Create a new Exchange Online partner incoming mail connector -16
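The same connector can be created from Exchange Online PowerShell instead of the Exchange admin center. The following block is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, and the connector name is an assumed value. The IP address is the gateway address used throughout this article. Because the TLS requirement is switched off here, the only thing that identifies the gateway is its source IP address, so the SenderIPAddresses list must be kept exact (a NAT change or a new gateway node means an update to this connector).

```powershell
# Added example (not from the original article): create the "partner" inbound connector
# described above with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module is installed; the connector name is an assumed value.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange Online admin account

$gatewayIp     = '93.157.83.110'                               # public IP of the Mail security gateway (from the article)
$connectorName = 'Inbound - Mail security gateway only'        # assumed name

# ConnectorType Partner + SenderDomains '*'  : the connector matches mail for every sender domain.
# RestrictDomainsToIPAddresses $true        : hosts outside SenderIPAddresses get the
#                                             "550 5.7.51 TenantInboundAttribution" rejection shown later in the article.
# RequireTls $false                         : mirrors the unchecked "Reject email messages if they aren't sent over TLS" option.
$params = @{
    Name                         = $connectorName
    ConnectorType                = 'Partner'
    SenderDomains                = '*'
    SenderIPAddresses            = $gatewayIp
    RestrictDomainsToIPAddresses = $true
    RequireTls                   = $false
    Enabled                      = $true    # set to $false to stage the connector and turn it on after testing
}
New-InboundConnector @params

# Read the connector back and confirm the two settings that do the restricting.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, ConnectorType, Enabled, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
```

If the gateway has more than one outbound address, pass them as a list (or a CIDR range) in SenderIPAddresses; every address the gateway can use to reach Exchange Online must be listed, otherwise legitimate mail is rejected with the same 550 5.7.51 response.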

Testing incoming mail flow | Exchange Online

To verify that we managed to implement the required Exchange Online “incoming mail policy,” we performed two different tests, in which we check that the Exchange Online mail server that represents our domain name (o365info.com in our scenario) is willing to accept SMTP connection requests only from an “approved entity.”

We will use an SMTP mail client that addresses the MX record of the Exchange Online mail server that represents the domain name o365info.com.

In our example, the Exchange Online server that hosts my domain name is represented by the host name o365info-com.mail.protection.outlook.com.

The mail client that I use for performing the required incoming SMTP communication tests is a nice and useful utility named Basic SMTP Telnet Client.

Test 1 of 2 – Try to create an SMTP session from an “approved” host.
In this test, we address the MX record of the Exchange Online mail server that represents our domain name from a host whose IP address was configured in the Exchange Online incoming mail connector.

The expected result is that Exchange Online will accept the request for an SMTP connection.

Test 2 of 2 – Try to create an SMTP session from a “non-approved” host.
In this test, we verify whether an “unapproved” host can create an SMTP session with the Exchange Online server that hosts our domain.

The expected result is that Exchange Online will refuse the request for an SMTP session from a host whose IP address was not added to the incoming Exchange Online mail connector.

Testing the incoming Exchange Online mail connector settings

Testing SMTP session using “Approved” host.

In the following screenshot, we can see the configuration of the SMTP mail client that was installed on an “approved” host.

  • Destination mail server – in the section named Receive Connector IP, we add the host name or the IP address of the destination mail server (number 1).
  • The TCP port that we use is the standard SMTP port – port 25 (number 2).
  • The sender E-mail address that we use is Bobm@o365info.com (number 3).
  • The destination recipient E-mail address that we use is also Bobm@o365info.com (number 4).

Note – if you need more information about how to locate the Exchange Online MX record for a specific domain, you can read the article – What is the hostname of my Office 365 MX records?

Testing SMTP connection to Exchange Online mail server – approved IP address -01

We select the Telnet tab, which enables us to start the SMTP session with the destination mail server and, in addition, to view the communication “chat” between our mail client and the mail server.

In our example, the communication between the mail client and the Exchange Online mail server completed successfully.

The Exchange Online responds with the following message:

transmitting body 250 2.6.0 <5f229770-5b32-4cc0-a54d-4a3456d89918@AM1FFO11FD041.protection.gbl> [InternalId=115027814122736, Hostname=DB3PR05MB091.eurprd05.prod.outlook.com] 7155 bytes in 0.160, 43.503 KB/sec Queued mail for delivery

This means that the Exchange Online mail server is willing to accept the E-mail and informs the mail client that the E-mail is in the queue, waiting for delivery.

Testing SMTP connection to Exchange Online mail server – approved IP address -02

Testing SMTP session using “Non-Approved” host.

In the following screenshot, we can see the configuration of the SMTP mail client that was installed on a “non-approved” host.

The main difference from the former scenario is that this time the SMTP client is installed on a host whose IP address is not considered an “approved” IP address by the Exchange Online mail server.

Testing SMTP connection to Exchange Online – NON approved IP address -01

We select the Telnet tab, which enables us to start the SMTP session with the destination mail server.

The SMTP communication with the Exchange Online mail server results in failure.

The Exchange Online mail server responds with the following message:

rcpt to: Bobm@o365info.com

550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message’s recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set

This is a “good result,” or the expected result. In our scenario, we do not want the Exchange Online mail server that represents our domain to agree to accept SMTP communication requests from non-approved hosts.

Testing SMTP connection to Exchange Online – NON approved IP address -02
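The two tests above can also be run from PowerShell without a third-party SMTP client. The following block is an added example and is not part of the original article. It walks the SMTP dialogue only as far as RCPT TO and then sends QUIT, so no message is delivered: Exchange Online returns its verdict at the RCPT TO step, a 250 reply from an approved host and the 550 5.7.51 TenantInboundAttribution reply shown above from any other host. The default host and addresses are the ones used in this article; the EHLO name is an assumed placeholder.

```powershell
# Added example (not from the original article): probe whether the host this script runs on
# is allowed to address Exchange Online directly. Defaults are the article's MX host and
# addresses; the EHLO name is an assumed placeholder.

function Test-ExoInboundRestriction {
    param(
        [string]$SmtpHost = 'o365info-com.mail.protection.outlook.com',  # MX host from the article
        [int]$Port        = 25,
        [string]$MailFrom = 'Bobm@o365info.com',
        [string]$RcptTo   = 'Bobm@o365info.com',
        [string]$HeloName = 'probe.example.invalid',   # assumed placeholder; use the sending host's real FQDN
        [int]$TimeoutMs   = 15000
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($SmtpHost, $Port)
    $stream = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply; continuation lines look like "250-...", the final line like "250 ...".
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line -match '^\d{3}-')
        return $lines
    }

    try {
        $banner = @(Read-Reply)
        $writer.WriteLine("EHLO $HeloName");        $null = Read-Reply
        $writer.WriteLine("MAIL FROM:<$MailFrom>"); $mail = @(Read-Reply)
        $writer.WriteLine("RCPT TO:<$RcptTo>");     $rcpt = @(Read-Reply)
        $writer.WriteLine('QUIT');                  $null = Read-Reply   # stop here: nothing is delivered
    }
    finally {
        $client.Close()
    }

    $verdictLine = if ($rcpt.Count -gt 0) { $rcpt[-1] } else { '(no reply; connection closed)' }
    $verdict = switch -Regex ($verdictLine) {
        '^250 '         { 'ACCEPTED: this source IP may address Exchange Online directly (expected only from the gateway / approved host)' }
        '^550 5\.7\.51' { 'REJECTED by TenantInboundAttribution: source IP is not in the connector IP list (expected from non-approved hosts)' }
        default         { "OTHER: MAIL FROM reply was '$($mail[-1])'; inspect the full response" }
    }

    [pscustomobject]@{
        SmtpHost     = $SmtpHost
        Banner       = $banner[-1]
        RcptResponse = $verdictLine
        Verdict      = $verdict
    }
}

# Run once from the approved host and once from a non-approved host, then compare the Verdict.
Test-ExoInboundRestriction | Format-List
```

Run it from a host whose address is in the connector and from one that is not; the two Verdict values should differ exactly as the two tests above do. Many consumer networks block outbound TCP port 25, so a connection timeout from the “non-approved” host is a network result, not the 550 5.7.51 rejection the connector produces.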

Verifying the communication channel between Exchange on-Premises Hybrid server and Exchange Online

In this section, I would like to briefly review the configuration of the communication channel between – Exchange Online and the Exchange on-Premises Hybrid server.

As mentioned, in our scenario, there are two “entities” that are “allowed” to communicate with the Exchange Online mail server:

  • The Mail security gateway
  • The Exchange on-Premises Hybrid server

In the former sections, we reviewed the settings of the Exchange Online incoming mail connector that defines the “relationship” with the Mail security gateway.

The question that we can ask now is: how can we know that the restriction we defined on the Exchange Online incoming mail connector will not interfere with the communication channel with the Exchange on-Premises Hybrid server?

The incoming mail connector that was created defines the “allowed” hosts that can communicate with the Exchange Online mail server, and it includes only the IP address of the Mail security gateway! (It does not relate to the Exchange on-Premises Hybrid server.)

The answer is that when the Exchange Hybrid environment was created, the Exchange Hybrid wizard automatically created an Exchange Online incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server.

The Exchange Online mail server identifies (recognizes) the Exchange on-Premises Hybrid server by looking for a specific text string that must be included in the certificate that the Exchange on-Premises Hybrid server provides.

Exchange Online approves SMTP session – Exchange on-Premises Hybrid server certificate

The outcome is that in our specific scenario, Exchange Online will include two incoming mail connectors:

  1. The incoming mail connector that defines the relationship with the Mail security gateway (recognizes the sender by IP address).
  2. The incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server (recognizes the sender by a public certificate).

In other words, the Exchange Online mail server can have “multiple relationships” with multiple “source senders” that do not interfere with each other.

Checking the incoming mail connector for the Exchange Hybrid environment

To view the incoming mail connector, we implement the following steps:

In the following screenshot, we can see an example of the Exchange Online incoming mail connector that defines the relationship with the Exchange on-Premises Hybrid server:

Verifying the information about incoming mail flow Exchange on-Premises Hybrid environment -01

The mail connector is an “incoming mail connector” that is “active” each time the Exchange on-Premises Hybrid server addresses the Exchange Online mail server.

Verifying the information about incoming mail flow Exchange on-Premises Hybrid environment -02

In the following screenshot, we can see that the Exchange Online incoming mail connector includes the following setting:

By verifying that the subject name of the certificate that the sending server uses to authenticate with Office 365 matches this domain name (recommended). This option requires all email messages from your email server to be sent over Transport Layer Security (TLS), a secure channel. Your email server secures this channel by authenticating with Office 365 using a digital certificate. Office 365 then verifies that the subject name in the digital certificate matches the domain name specified here. The domain name can contain wildcard characters.

In simple words, Exchange Online verifies SMTP communication coming from the Exchange on-Premises Hybrid server by checking the following:

  • That the Exchange on-Premises Hybrid server can provide a certificate.
  • That the certificate is valid.
  • That the certificate includes a specific text string.

Verifying the information about incoming mail flow Exchange on-Premises Hybrid environment -03
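The same check can be done from Exchange Online PowerShell, and it is a useful way to see both connectors side by side: which one identifies its sender by IP address and which one by certificate subject. The following block is an added example, not code from the original article; it assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and reads only existing connector properties.

```powershell
# Added example (not from the original article): summarize every Exchange Online inbound
# connector and show what each one uses to identify the sending host. Assumes an open
# Exchange Online PowerShell session (Connect-ExchangeOnline).

function Get-InboundConnectorIdentitySummary {
    Get-InboundConnector | ForEach-Object {
        # A connector can identify its sender by a source IP list, by the TLS certificate
        # subject (TlsSenderCertificateName), or by both.
        $byIp   = if ($_.SenderIPAddresses)        { 'IP: ' + ($_.SenderIPAddresses -join ', ') }
        $byCert = if ($_.TlsSenderCertificateName) { 'Cert subject: ' + $_.TlsSenderCertificateName }
        $identifiedBy = @($byIp, $byCert) | Where-Object { $_ }
        $identifiedByText = if ($identifiedBy) { $identifiedBy -join ' | ' } else { 'NONE' }

        [pscustomobject]@{
            Name                         = $_.Name
            ConnectorType                = $_.ConnectorType      # OnPremises (hybrid) or Partner
            Enabled                      = $_.Enabled
            SenderDomains                = ($_.SenderDomains -join ', ')
            RequireTls                   = $_.RequireTls
            RestrictDomainsToIPAddresses = $_.RestrictDomainsToIPAddresses
            RestrictDomainsToCertificate = $_.RestrictDomainsToCertificate
            IdentifiedBy                 = $identifiedByText
        }
    }
}

# In the scenario of this article two rows are expected: the hybrid connector (OnPremises,
# identified by a certificate subject) and the partner connector (Partner, identified by the
# gateway IP with RestrictDomainsToIPAddresses = True).
Get-InboundConnectorIdentitySummary | Format-Table -AutoSize
```

The IdentifiedBy column makes the point of this section visible: the hybrid connector row should show the certificate subject string and RequireTls True, while the gateway row shows only the gateway IP address, so the two connectors match different senders and do not interfere with each other.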

