
Skillful use of Exchange Online Protection in Office365 (1)

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

As we all know, the anti-spam capability of a self-hosted enterprise Exchange Server is relatively weak, so we usually need to buy a separate anti-spam gateway to work alongside Exchange Server for spam and virus filtering. Hardware anti-spam gateways mostly come from vendors such as Barracuda and Symantec; they are more powerful, but also more expensive. For an enterprise with one or two thousand users, a set of anti-spam gateways costs hundreds of thousands. So, as the title says: how can Office365 be used cleverly to solve this problem?

Office365 has a feature called Exchange Online Protection (EOP). As long as the Office365 plan you buy includes the Exchange Online service, it has this feature. You may wonder: this provides online anti-virus and anti-spam for Exchange Online, so what does it have to do with my local Exchange? Let me tell you, it matters a great deal: it can save hundreds of thousands in hardware anti-spam gateway fees every year (even if you only buy a subscription to an Office365 account). For EOP's outbound and inbound email limits, see Microsoft's website: https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#receiving-and-sending-limits. EOP does not have the fancy reporting features of a hardware anti-spam gateway; it only provides state-of-the-art anti-spam and antivirus services in real time.

Here is how to use EOP as the anti-spam gateway for a local Exchange Server.

First, add the enterprise's domain name to the purchased Office365. Do not select the Exchange service when setting up DNS; wait until all the configuration is complete before creating the DNS records.

Log in to the Exchange Online admin center, select the accepted domain under mail flow, and click Edit.

Then set the accepted domain to Internal relay and click Save.

Then select Mail flow > Connectors and click New.

Because EOP provides the outer layer of protection for messages, the direction of message routing here is from Office365 to the local Exchange Server.

Next, name and describe the connector.

Next, choose to use this connector only for email sent to the receiving domain.

The key here is filling in the smart host. Because the resources of my test environment are limited, I directly filled in the externally mapped address of the local Exchange server. Generally, it is recommended to take a separate public IP, open port 25 on it, map it to the Exchange Server, and fill in that public IP here as the smart host.

The smart host is now created.

The next step is also key: whether to use TLS. I checked TLS encryption here, and normally that is how it should be done. But later we will see that connector validation reports an error, because my Exchange Server uses a certificate issued by my own CA instead of a public SSL certificate.

Here, still choose to use TLS and continue creating the connector.

Then validate the connector with TLS enabled: click + and enter the address of a recipient on the local Exchange Server.

Then click through the remaining steps in turn.

See, it failed as expected: TLS authentication failed because the Exchange Server certificate could not be verified. As I said earlier, my Exchange Server certificate was issued by a private CA, so naturally Office365 cannot verify it. It is therefore strongly recommended that Exchange use a public SSL certificate; otherwise, as in my configuration below, the route from Office365 to the local Exchange Server runs naked, without TLS encryption. The blame for an e-mail leak is not an easy one to carry.

Then turn off TLS encryption.

Tested again, and this time the mail test succeeded.

Finally, we need to make the switch: change the MX record to point to Office365, and add the EOP information from Office365 to the SPF record.

Then I used QQ Mail to send a test email to test01@ucssi.cn.

Copy the headers of this message and analyze them to see the route the whole message took.

Run the mail routing analysis on the following website:

https://testconnectivity.microsoft.com/

You can see that QQ Mail sent the email and resolved the MX record to Office365's EOP; EOP filtered the email and routed it to the local Exchange Server through the connector created earlier; finally, Exchange Server delivered the email to the user's mailbox.
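The same route check can be scripted against the copied headers. This is an added example, not part of the original article: it walks the Received chain, flags mail that reached the on-premises server from an address outside EOP, and flags an EOP hop that shows no TLS (the state the connector is in after TLS is turned off above). The host names, addresses, function names and the `203.0.113.0/24` range are constructed placeholders; `eop_networks` is assumed to be filled from Microsoft's published EOP address list, and the TLS match is a heuristic based on how Exchange writes Received lines.

```python
import email
import ipaddress
import re

# Constructed sample headers (not from the article); hosts and IPs are placeholders.
SAMPLE = """\
Received: from mail.corp.example (10.0.0.5) by mbx01.corp.example (10.0.0.6)
 with Microsoft SMTP Server (TLS) id 15.0.1; Mon, 3 Jun 2019 10:00:05 +0800
Received: from apc01.outbound.protection.outlook.com (203.0.113.10) by
 mail.corp.example (10.0.0.5) with Microsoft SMTP Server id 15.0.1;
 Mon, 3 Jun 2019 10:00:04 +0800
Received: from smtp.sender.example (198.51.100.7) by
 host1.mail.protection.outlook.com (10.1.1.1) with Microsoft SMTP Server
 (version=TLS1_2) id 15.20.1; Mon, 3 Jun 2019 02:00:03 +0000
From: sender@sender.example
To: test01@corp.example
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\).*?\bby\s+(\S+)", re.S | re.I)
TLS = re.compile(r"\(TLS\)|version=TLS|\bESMTPS\b", re.I)

def hops(raw):
    """Received hops, oldest first: (helo_name, peer_ip, by_host, tls_seen)."""
    out = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2).strip("[] "))
        except ValueError:
            ip = None  # unparsable peer address: audit() treats it as untrusted
        out.append((m.group(1).lower(), ip, m.group(3).lower(), bool(TLS.search(value))))
    return out

def audit(raw, onprem_edge, eop_networks):
    """Findings for the hop stamped by the on-premises edge host (hypothetical helper)."""
    nets = [ipaddress.ip_network(n) for n in eop_networks]
    findings = []
    for helo, ip, by, tls in hops(raw):
        if by != onprem_edge:
            continue
        # Match on the peer IP: the HELO name is chosen by the sending client.
        if ip is None or not any(ip in n for n in nets):
            findings.append(f"bypass: {ip} ({helo}) reached {by} without EOP")
        elif not tls:
            findings.append(f"cleartext: EOP hop {ip} -> {by} shows no TLS")
    return findings
```

A bypass finding means port 25 on the Exchange Server's public IP accepts mail from sources other than EOP, so that mail was never filtered.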

In this way, the desired effect has been achieved.

So, how is it? Pretty cool, right?

If you have an environment, give it a try.
