Limiting Inbound Mail to AES in Office 365
This article walks through creating a connector and rules in Office 365 that will ensure all external mail is filtered and allowed by AppRiver Email Security (AES). If you have O365 services with AppRiver you can request this setup by contacting our Phenomenal Support Team.
NOTE: THIS SETUP REQUIRES THAT THE DOMAIN'S MX RECORDS ARE POINTED TO AES. IF THE DOMAIN'S MX RECORDS ARE POINTED AWAY FROM AES IN THE FUTURE THE RULES IN O365 MUST BE DISABLED OR A MAIL LOOP WILL OCCUR.
1. Navigate to https://portal.office.com then log in with Global Admin credentials.
2. Once you're logged in open a new tab in your browser then navigate to https://outlook.office365.com/ecp. Once the Exchange Admin Center (EAC) appears click Mail Flow then click Connectors.
3. Click the + symbol to create a new connector then in the New Connector window set the From: drop-down to Office 365 and the To: drop-down to Partner Organization then click Next.
4. Enter the Name and Description as listed below then make sure the "Turn it on" check box is checked and click Next.
Name: Limit Inbound Mail to AES
Description: This connector redirects external email to the MX record if the message was not delivered by AES. This will ensure that all messages are filtered by AES as long as the domain's MX record points to AES.
5. Select the "Only when I have a transport rule set up that redirects messages to this connector" button then click Next.
6. Select the button for "Use the MX record associated with the partner's domain" then click Next.
7. Make sure the check-box for "Always use Transport Layer Security (TLS)" is checked. Next, make sure the button for "Issued by a trusted certificate authority (CA)" is selected then click Next.
8. Verify your settings on the "Confirm your settings" page then click Next.
9. On the "Validate this connector" page click the + symbol.
10. Enter an external email address in the "add email" window then click OK.
11. Click Validate on the "Validate this connector" window.
12. Click Close on the "Validation Result" pop up.
13. Click Save to save the Limit Inbound Mail to AES connector. If you receive an additional prompt stating the connector was not validated click Yes.
14. Click Mail Flow then click Rules in the Exchange Admin Center.
15. Click the + symbol then select "Create a new rule".
16. Click the "More options..." link to show all rule options then enter "Limit Inbound Mail to AES" as the name of the rule.
17. Under "Apply this rule if..." select The Sender > Is External/Internal > in the pop up window select Outside the Organization then click OK.
18. Under "Do the following..." select Redirect the Message To > The Following Connector > choose the Limit Inbound Mail to AES connector then click OK.
19. Under "Except if..." click Add Exception then select The sender... > IP Address is in any of these ranges or exactly matches > here you will need to add the following IP ranges then click the + symbol after each one > once all IP ranges are listed click OK.
IP address ranges: (You must click the plus sign after each entry) 18.104.22.168/26 + 22.214.171.124/25 + 126.96.36.199/26 + 188.8.131.52/24 + 184.108.40.206/24 + 220.127.116.11/24 + 18.104.22.168/24 + 22.214.171.124/24 + 126.96.36.199/28 + 188.8.131.52/29 + 184.108.40.206/24 + 220.127.116.11/24 + 18.104.22.168/24 + 22.214.171.124/24 + 126.96.36.199/26 + 188.8.131.52/24
20. At the bottom of the new rule window add the comment listed below. Please reference the remaining settings in the screen-shot as well to make sure your rule is set up correctly. Once all settings are confirmed click Save.
Comments: This rule will redirect external email to the domain's MX record if the message was not delivered by AES. This rule should only be active for AES customers and it must be disabled if AES is no longer being used.
21. Next you need to create another rule that will allow mail from AES to bypass O365 filtering. To do this click the + sign on the rules page in the EAC then choose Bypass Spam Filtering from the drop down menu.
22. Enter the data listed below in the new rule fields then click Save. After clicking Save you should see the screen-shot below.
Name: Allow Inbound Mail from AES
Apply this rule if: The sender… > IP address is in any of these ranges or exactly matches
Specify IP address ranges: (You must click the plus sign after each entry) 184.108.40.206/26 + 220.127.116.11/25 + 18.104.22.168/26 + 22.214.171.124/24 + 126.96.36.199/24 + 188.8.131.52/24 + 184.108.40.206/24 + 220.127.116.11/24 + 18.104.22.168/28 + 22.214.171.124/29 + 126.96.36.199/24 + 188.8.131.52/24 + 184.108.40.206/24 + 220.127.116.11/24 + 18.104.22.168/26 + 22.214.171.124/24
Do the following: (Should already be set) Modify the message properties > set the spam confidence level (SCL) to -1
Choose a mode for this rule: Enforce
Comments: This rule must remain in place to allow AES traffic to bypass Office 365 filtering.
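The connector and both rules from steps 3-22 can also be created from Exchange Online PowerShell. The script below is an added example, not AppRiver's own tooling; it also checks the MX records first, since the note above warns that the redirect rule loops mail when MX does not point to AES. It assumes the ExchangeOnlineManagement module on a Windows host, and `$Domain`, `$AesMxSuffix` and `$AesRanges` are placeholders you must fill in (the ranges come from step 19).

```powershell
# Added example: scripted equivalent of steps 3-22 (not AppRiver's own script).
$Domain      = 'example.com'  # placeholder: your accepted domain
$AesMxSuffix = ''             # placeholder: host suffix shared by your AES MX records
$AesRanges   = @()            # placeholder: the IP ranges listed in step 19

if (-not $AesRanges -or -not $AesMxSuffix) {
    throw 'Fill in $AesRanges and $AesMxSuffix before running.'
}

# Mail-loop guard: refuse to continue unless every MX host belongs to AES.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' }
$foreign = $mx | Where-Object { $_.NameExchange -notlike "*$AesMxSuffix" }
if (-not $mx -or $foreign) {
    throw "MX for $Domain does not point only to AES; the redirect rule would loop mail."
}

Connect-ExchangeOnline
$name = 'Limit Inbound Mail to AES'

# Steps 3-13: partner connector, used only by a transport rule, MX routing,
# TLS with a certificate issued by a trusted CA.
$connector = @{
    Name                  = $name
    ConnectorType         = 'Partner'
    IsTransportRuleScoped = $true
    UseMXRecord           = $true
    TlsSettings           = 'CertificateValidation'
    Enabled               = $true
    Comment               = 'Redirects external email to the MX record if the message was not delivered by AES.'
}
New-OutboundConnector @connector

# Steps 14-20: redirect external senders to the connector, except AES source IPs.
New-TransportRule -Name $name -FromScope NotInOrganization `
    -RouteMessageOutboundConnector $name -ExceptIfSenderIpRanges $AesRanges `
    -Mode Enforce -Comments 'Must be disabled if AES is no longer being used.'

# Steps 21-22: mail arriving from AES bypasses Office 365 spam filtering (SCL -1).
New-TransportRule -Name 'Allow Inbound Mail from AES' -SenderIpRanges $AesRanges `
    -SetSCL -1 -Mode Enforce `
    -Comments 'Must remain in place to allow AES traffic to bypass Office 365 filtering.'
```

Both rules must carry the same range list: a range present in the bypass rule but missing from the redirect exception sends AES-filtered mail back to the MX record.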