
Skillful use of Exchange Online Protection in Office365 (2)

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

The previous article, "Skillful use of Exchange Online Protection in Office365 (1)", showed how to use Office365's EOP as the anti-spam gateway for an on-premises Exchange Server. But how do you use EOP to filter outbound mail as well, so that the public IP of the on-premises Exchange Server does not end up on blacklists?

With the limited permissions and resources I had at the time, I tried the following after writing the previous post:

1. Create a new connector in Office365 with the mail flow direction fixed as on-premises Exchange Server to Office365

2. Create a new send connector on the on-premises Exchange Server and delete all the previous send connectors

Neither of these worked. I was out meeting customers during the day, and things only changed tonight, once I could remotely access the Exchange Server virtual machine and had obtained a public SSL certificate (which is the real reason this second part took two days to write).

Here is the whole process:

First, without changing anything, I sent an email to my QQ Mail account. QQ Mail received it. Let's pull out the email header and analyze it.

Running the header through the Microsoft Remote Connectivity Analyzer's message header analyzer showed that the email went directly from Exchange Server to QQ Mail without passing through Office365's Exchange Online Protection.

Then I logged in to the Exchange Online admin center, created a new connector, and set the mail flow direction to "from the on-premises Exchange Server to Office365".

Give the connector a name

Then I chose to identify the on-premises Exchange Server by its public IP address, although Microsoft recommends identifying it by a public SSL certificate instead.

Click next to finish

You can see that the connector on the Office365 is created.

Next, create a send connector on the on-premises Exchange Server. Since I could not access the server remotely at the time, it could only be created in the web admin center (which has many pitfalls: advanced settings cannot be configured there).

Enter a name for the send connector and select Custom

Add a smart host here. The smart host name is the host in the MX record that Office365 gives for your domain (the one ending in mail.protection.outlook.com).

Leave smart host authentication at its default of none

Add the address space * (all domains)

For the source server, select the existing Exchange Server

Creation is then complete, and the original send connector is disabled

Then test outbound mail: delivery fails because Office365 Exchange Online Protection rejected the message, which is clearly a problem with how the server identifies itself to the service. Not being able to access the mail server remotely made this painful.

Note that the mail server was still using a certificate issued by the internal CA.

Everything improved tonight: I obtained a wildcard certificate and installed it directly on Exchange Server. By default the new certificate has no SMTP or IIS services assigned, so assign them manually.

I could now also reach Exchange Server remotely, and naively ran Set-SendConnector to enable cloud services (CloudServicesMailEnabled) and configure the FQDN used in the HELO/EHLO response. Reality slapped me in the face: modifying the existing connector's parameters with Set-SendConnector succeeded, but mail still could not be sent.

Sending an email again produced another rejection.

I repeatedly adjusted all the parameters on this connector for about two hours without success.

Then I reached for the big hammer: delete the send connector outright and create a new one with PowerShell.

Microsoft's official documentation is also unreliable on this part: it told me to create a new send connector on Exchange Online. There is no such thing as a send connector on Office365, only connectors. To whoever wrote that document: do better; I would not make such a basic mistake.

The new command is as follows (another complaint about the Exchange product group: tab completion does not work for the final CertificateValidation value, so I had to type it out letter by letter). The parameters are written here with their proper spacing and names; DNSRoutingEnabled has to be $false when a smart host is specified:

New-SendConnector -Name "Exchange Server to Office365" -AddressSpaces "*" -DNSRoutingEnabled $false -SmartHosts ucssi-cn.mail.protection.outlook.com -CloudServicesMailEnabled $true -Fqdn mail.ucssi.cn -RequireTLS $true -TlsAuthLevel CertificateValidation

Created successfully. Let's go to the admin center and see what it looks like.

Looking at the details, it is no different from the previous one, yet this kind of send connector is still best created with PowerShell.
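The on-premises side of the procedure above (binding the new public certificate to SMTP and IIS, creating the send connector to EOP, and disabling the old one), written out as an Exchange Management Shell script. This is an added example, not the post's own script: the domain and smart host names are the ones from the post, while the connector name, the certificate domain match and the use of the local computer name as the source server are assumptions for this demo.

```powershell
# Added example, not the post's own script: on-premises steps in the Exchange Management Shell.
# Domain and smart host names follow the post; the connector name, certificate domain match and
# the local computer name as source server are assumptions for this demo.

$connectorName = 'Exchange Server to Office365'

# 1. Bind the public wildcard certificate to SMTP and IIS. A freshly imported certificate has no
#    services assigned, and EOP identifies this server by the certificate it presents on SMTP,
#    so without this step the internal-CA certificate is still the one offered.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains '*.ucssi.cn' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid certificate for *.ucssi.cn is installed on this server' }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IIS -Force

# 2. Create the send connector that hands all outbound mail to EOP. DNSRoutingEnabled must be
#    $false when a smart host is given; RequireTLS plus TlsAuthLevel CertificateValidation makes
#    this server verify the smart host's certificate; Fqdn is the HELO/EHLO name and must be
#    covered by the certificate enabled above.
New-SendConnector -Name $connectorName `
    -AddressSpaces '*' `
    -SmartHosts 'ucssi-cn.mail.protection.outlook.com' `
    -DNSRoutingEnabled $false `
    -CloudServicesMailEnabled $true `
    -Fqdn 'mail.ucssi.cn' `
    -RequireTLS $true `
    -TlsAuthLevel CertificateValidation `
    -SourceTransportServers $env:COMPUTERNAME

# 3. Disable (rather than delete) every other send connector, so EOP is the only way out and
#    the old route can be re-enabled quickly if the cloud path breaks.
Get-SendConnector | Where-Object { $_.Name -ne $connectorName } | Set-SendConnector -Enabled $false

# 4. Show the settings that matter for the EOP hand-off, so a mistake is visible at a glance.
Get-SendConnector |
    Format-Table Name, Enabled, SmartHosts, DNSRoutingEnabled, RequireTLS, TlsAuthLevel, CloudServicesMailEnabled, Fqdn -AutoSize
```

The old connector is disabled rather than deleted so that it can be re-enabled in seconds if outbound mail stops; the final listing is what you compare against the parameters in the post when a delivery is rejected.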

By the time this series of steps was done it was early morning, and I hurried to send a test email to QQ Mail

QQ Mail received the email from test01.

Opening this email's header, you can see that it was delivered via Exchange Online Protection.

To see the whole path more clearly, I again ran the full header through the Microsoft Remote Connectivity Analyzer. It shows test01 sending the message outbound: Exchange Server first matched the newly created send connector and routed the message to Office365; Office365 then filtered it through EOP, confirmed the email was clean, and delivered it to QQ Mail.
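The check the post does by hand in the header analyzer, as an added PowerShell example that is not part of the original post: it unfolds a message's Received: headers and reports whether any hop was received by an Exchange Online Protection host (*.mail.protection.outlook.com), which is what distinguishes the EOP route from a message that left the on-premises server directly. The sample header is constructed for this demo; the EOP host name and the recipient's MX host are assumptions.

```powershell
# Added example, not from the post: verify from the Received: chain that a message left via EOP.
# The header below is constructed for this demo; the EOP host name and the external MX are
# assumptions, the sender domain is the post's.

$sampleHeader = @'
Received: from ABC01.mail.protection.outlook.com (203.0.113.10) by mx.example.net
 with ESMTPS id 4Kx; Mon, 2 Jun 2025 01:10:00 +0000
Received: from mail.ucssi.cn (198.51.100.25) by
 ABC01.mail.protection.outlook.com with Microsoft SMTP Server (TLS) id 15.20.0;
 Mon, 2 Jun 2025 01:09:58 +0000
From: test01@ucssi.cn
Subject: outbound test
'@

function Get-ReceivedHops {
    param([string]$RawHeader)
    # RFC 5322 folding: a line that starts with whitespace continues the previous header field.
    $unfolded = $RawHeader -replace '(\r?\n)[ \t]+', ' '
    $hops = @(foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^Received:\s+from\s+(\S+).*?\bby\s+(\S+)') {
            [pscustomobject]@{ From = $Matches[1]; By = $Matches[2] }
        }
    })
    # Each hop prepends its own Received: line, so the bottom one is the origin; reverse the
    # list to get the path in the order the message actually travelled.
    [array]::Reverse($hops)
    return $hops
}

function Test-RoutedThroughEop {
    param([string]$RawHeader)
    $hops = Get-ReceivedHops -RawHeader $RawHeader
    # The hand-off we want to see: some hop was received BY an EOP host.
    $eopHop = $hops | Where-Object { $_.By -like '*.mail.protection.outlook.com' }
    return [bool]$eopHop
}

Get-ReceivedHops -RawHeader $sampleHeader | Format-Table From, By -AutoSize
if (Test-RoutedThroughEop -RawHeader $sampleHeader) {
    'Message was handed to Exchange Online Protection before external delivery'
} else {
    'Message left directly from the on-premises server; EOP was bypassed'
}
```

To check a real message, paste its full header into the here-string or read it with Get-Content -Raw; the hop table shows the same path the post reads off the analyzer screenshot, with the on-premises FQDN in the From column of the first hop.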

The whole process is over.

To sum up:

1. It is strongly recommended that Exchange Server use a public SSL certificate.

2. When creating the connector on Office365, identify the on-premises Exchange Server by certificate. Some enterprises have many Exchange Server public IP addresses, and adding them one by one is tedious.

3. Don't put too much faith in Microsoft's official documentation. Check what it says against your own experience.

4. For a special send connector like this, just use PowerShell. Otherwise you are likely to end up as I did, spending hours and then digging through Microsoft's documentation, only to find a small error in the document itself.

5. Both the China version and the international version of Office365 provide this function (my test environment was the international version).

Finally, original writing is not easy; rewards are welcome ~
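The Office365 side of the setup, following the recommendation in point 2 above, as an added example that is not part of the original post. It is run from Exchange Online PowerShell (the ExchangeOnlineManagement module); in Exchange Online's terms, mail flowing from the on-premises server into Office365 is an Inbound connector. The domain and certificate names follow the post's environment; the connector name and the admin account are assumptions for this demo.

```powershell
# Added example, not from the post: the Office365 side in Exchange Online PowerShell.
# Domain and certificate names follow the post; the connector name and admin account are
# assumptions for this demo.
Connect-ExchangeOnline -UserPrincipalName admin@ucssi.cn

$params = @{
    Name          = 'On-premises Exchange to Office365'
    ConnectorType = 'OnPremises'
    SenderDomains = '*'
    # Identify the on-premises server by the subject of its public certificate (the post's
    # recommendation) rather than by public IP address: a fleet of servers or a changed
    # address does not require editing the connector, and the peer has to prove possession
    # of the certificate's private key over TLS instead of merely sending from an address.
    RequireTls                   = $true
    TlsSenderCertificateName     = '*.ucssi.cn'
    RestrictDomainsToCertificate = $true
    CloudServicesMailEnabled     = $true
}
# The IP-based alternative the wizard offers would use
#   SenderIPAddresses = '<public IP of each server>'  and  RestrictDomainsToIPAddresses = $true
# instead of the three certificate settings, and must be updated for every server and every
# address change, which is the pain point the post describes.
New-InboundConnector @params

# Confirm how the connector authenticates the on-premises side before sending test mail.
Get-InboundConnector -Identity $params.Name |
    Format-List Name, ConnectorType, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate, SenderIPAddresses, CloudServicesMailEnabled
```

The certificate name given here must match a name on the certificate that the on-premises server presents on SMTP, which is why the post's first step is binding the public wildcard certificate to the SMTP service.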
