Connector- Based Customer Delivery Pool Mailbox (On-premises) Mailbox or Application (On-premises) Higher Risk High Risk Delivery Pool Resolve host name to EOP DC (contoso- com.mail.protection.outlook. com) Resolve host name to EOP DC (contoso- com.mail.protection.outlook. com) Virus Scanning AV Engine 1 AV Engine 2 AV Engine 3 Edge Blocks & Tenant Attribution IP-based block lists Directory-based (Recipient) Blocks Internet mail is routed based on MX record resolution Outbound Pool Normal Score Internet mail is routed based on MX record resolution Mailbox (O365) Transport Rules / Policy Enforcement Custom Rules Encryption Quarantine Allows/Rejects SPAM Protection Content scanning and Heuristics Content Filter Advanced Options Outlook Safe Sender/Recipient Bulk Mail Filtering
Deployment: Basic Mail Flow
Filtering only…or with Exchange Online, including Hybrid:
is the correct URL to use when connecting to EOP SA
liveid/ Is the correct URL to use when connecting to Exchange Online Migration planning is key
Routing between Exchange on-premises & Exchange Online MUST NOT pass through any 3 rd party Use CBR connectors or centralized mail transport if you must for non-Hybrid mail flow If you keep MX record pointed to on-premises: EOP scanning will have reduced effectiveness On-premises IP reputation & ability to keep the bad stuff out is critical to maintaining mail flow
Domain Validation
Domain Validation – Wizard completion
Once verified, domain will appear in EOP/EXO as an “AcceptedDomain” For EOP, will default to “internal relay” For EXO, will default to “authoritative”
Test & enable mail flow Test Simply VALIDATE your new connector in the Office 365 Admin Center Or telnet to assigned host record (contoso-com.mail.protection.outlook.com) and attempt to send a test message to on-premises mailbox DNS changes MX record (domain-suffix.mail.protection.outlook.com) SPF record (v=spf1 ip4: include:spf.protection.outlook.com –all) Do not change Autodiscover CNAME DNS entries for filtering-only customers On-premises changes Create smart host from on-premises environment to EOP Restrict on premises firewall to only accept port 25 traffic from EOPEOP
When you are done: HINT: Keep your on-premises IP addresses in here too!
Recommend: Enable Directory Synchronization Automated user/group management Ease of administration for rules based on addresses Synchronize Outlook safe/block sender lists Enable directory-based edge (recipient) blocking On-premisesExchange Online Protection Office 365 Directory Sync
Protection: Anti-Spam & Anti-Malware
Setting expectations May see a change in patterns Every product needs to be tuned to your environment Features may function differently Porting configuration Good opportunity to trim old safe/block lists Spam filtering rules may not be needed Review filtering policies (transport rules)
Spam and Policy customization
EOP and the Junk Mail folder Standalone only (should not be required for proper Hybrid deployment): Set-OrganizationConfig –SCLJunkThreshold 4 At least two rules need to be added to the on premises environment: At least two rules New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" - HeaderContainsWords "SFV:SPM" -SetSCL 6 New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" - HeaderContainsWords "SFV:SKS" -SetSCL 6 Make sure Outlook updates are always applied to prevent false negatives (SCL -1 is not recognized without update and will take the spam action) It is EASY to educate end users to use the Junk Mail folder in Outlook!
EOP and the quarantine Messages are kept in EOP datacenters away from the user’s view. Administrator can grant access to the quarantine for end-user self- management. Administrator can also configure end-user spam notifications (ESNs)
Publish an SPF record (Sender Policy Framework) Include EOP IPs and on-premises public IPs Use the Microsoft Configuration WizardMicrosoft Configuration Wizard Avoid safe-listing own domains - this by-passes the SPF check and negates the check’s effectiveness Publish a DMARC policy (Domain-based Message Authentication, Reporting and Conformance) If you can’t publish p=reject or p=quarantine, you can still publish p=none and collect feedback.
Publish a DKIM signature (DomainKeys Identified Mail) Recommend reporting Spam to Microsoft Get the Junk reporting toolJunk reporting tool Attach to a new , copy headers into body of new and send to Recommend reporting False Positives to Microsoft Attach to a new , copy headers into body of new and send to
Protection against unknown malware and viruses Through a feature called Safe Attachments Real time, time-of-click protection against malicious URLs Through a feature called Safe Links Rich reporting and URL trace capabilities A new filtering service coming this summer
Microsoft has begun to get more aggressive against bulk New anti-spam header X-Microsoft-AntiSpam Improvements to bulk filtering: Bulk Complain Levels (BCL) – use it today
Have application send via EOP Find a 3 rd party in the business of sending Use same on-premises IPs as core business s Use a separate domain or subdomain for mass s Make sure SPF record(s) include all apps & 3 rd parties X ✓ X ✓ ✓
Make adjustments to rules or settings as needed Evaluate effectiveness of spam settings Did you report that to the Microsoft Anti-spam team? Reports (Office 365 Portal or Mail Protection Reports for Office 365) – Updates Coming! Monitor and fine tune
Transport Layer Security (TLS) Great for securing between Office 365 and on-premises or with specific partner/external servers All Office 365 SMTP is defaulted to opportunistic; TLS secure ciphers Office 365 Message Encryption Allows recipient to be external and on any device; if recipient’s mailbox can be accessed, then the message can be decrypted Information Rights Management (Azure AD) Keys held on RMS server; organization can set usage rights and custom templates; requires organizational authentication; does not get in the way of e-Discovery S/MIME Secure from client-to-client, as long as the private keys remain secure
Who can fix it? Indicates error details Who generated the NDR?
Remote Connectivity Analyzer ( Message Header Analyzer
Can be added to OWA & Outlook as an app
Find out everything about a message that Office 365 handled Search up to 90 days Get routing details Message Trace
N e w! “Basic” Message Trace “Extended” Message Trace (Historical Search) Data SetBetween approx. 15 minutes & 7 daysBetween approx. 8 hours & 90 days View ResultsIn UIDownload ResultsIn seconds In minutes/hours (can configure notification address) Routing DetailsBasic detail onlyFull detail optional Maximum Size5005,000 (3,000 for detail) Max Queries / DayReasonable limits15 per tenant
Finding Message Trace Go to Exchange Admin Center Click mail flow Click message trace
Using the UI Two features share the same UI for simplicity
Using Historical Search After selecting a period outside of 7 days, new options appear “Include message events and routing details with report” Enter Notification address
Completed Historical Search Click to see running & completed reports Reports available for 10 days Results of 5000 (or 3000 for detailed) should not be trusted to be complete (truncated warning message) Scroll to bottom to download the results
Reviewing Historical Search Results Recommend using Excel DATA -> Filter Sort by date_time More information about the fields & value meanings: oft.com/en- us/library/bb124375( v=exchg.150).aspx oft.com/en- us/library/bb124375( v=exchg.150).aspx
Basic: Get-MessageTrace, Get-MessageTraceDetail Extended: Start-HistoricalSearch, Stop-HistoricalSearch, Get-HistoricalSearch Pull results inside of (and shorter than) 7 days (but still >8 hours) Search on advanced criteria such as find all messages that hit a particular DLP rule PowerShell Start-HistoricalSearch [[-Organization] ] -ReportType {MessageTrace | MessageTraceDetail | DLP | TransportRule | SPAM | Malware} -ReportTitle -StartDate -EndDate [-NotifyAddress ] [-DeliveryStatus ] [-SenderAddress ] [-RecipientAddress ] [-OriginalClientIP ] [-MessageID ] [-DLPPolicy ] [-TransportRule ] [-Locale ] [-Direction {All | Sent | Received}]
Check to see if there is any record of the message (if no record, then you’ll need to check with the sender) Check hygiene results Look for hints about where it may have gone (forwards, rules, etc.) Scenario: Inbound
Make sure the message was received from Outlook client (if not, troubleshoot Outlook) Look for SMTP SEND Event Scenario: Outbound
Connector- Based Customer Delivery Pool Mailbox (On-premises) Mailbox or Application (On-premises) Higher Risk High Risk Delivery Pool Resolve host name to EOP DC (contoso- com.mail.protection.outlook. com) Resolve host name to EOP DC (contoso- com.mail.protection.outlook. com) Virus Scanning AV Engine 1 AV Engine 2 AV Engine 3 Edge Blocks & Tenant Attribution IP-based block lists Directory-based (Recipient) Blocks Internet mail is routed based on MX record resolution Outbound Pool Normal Score Internet mail is routed based on MX record resolution Mailbox (O365) Transport Rules / Policy Enforcement Custom Rules Encryption Quarantine Allows/Rejects SPAM Protection Content scanning and Heuristics Content Filter Advanced Options Outlook Safe Sender/Recipient Bulk Mail Filtering SMTP Client Submission (EXO only) Mailbox (O365)
Failover configuration Using a second MX record to accomplish failover Contoso.com has 3 on-premises IPs: Site A & , Site B , Site C Contoso.com wants mail to route to Site A but if it is down wants mail to go to Site B, and Site C as last resort. Specify onprem.contoso.com in the outbound connector smart host field & create the following DNS records: contoso.com MX preference = 10 contoso-com.mail.protection.outlook.com (routes all mail for contoso.com) onprem.contoso.com MX preference = 10 mail-a.contoso.com onprem.contoso.com MX preference = 20 mail-b.contoso.com onprem.contoso.com MX preference = 30 mail-c.contoso.com mail-a.contoso.comA , mail-b.contoso.comA mail-c.contoso.comA
You do/type thisServer responds with this Telnet tenantDomainMxRecordHere HELO your_sending_server_fqdn 250 (followed by human readable message) MAIL FROM: Sender OK RCPT TO: Recipient OK DATA (followed by the enter key)Tells you to send data and how to end. SUBJECT: Test (hit enter twice)Hitting enter twice conforms to the standard. Enter the body message. To end put a single period on a line by itself and press enter. You should see something about message accepted or message queued. QUIT