Configuring an inbound connector in the Office 365 (O365) tenant domain is required to restrict message delivery to mail coming from Mailprotector's servers and to prevent spammers from connecting directly to the O365 host address, bypassing Mailprotector scanning.
IMPORTANT: The inbound connector will reject mail flow that does not come from Mailprotector after it is turned on.
If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Configuration steps for an outbound connector are in the Office 365 - Outbound Connector article.
Inbound Connector Configuration
- Open the Office 365 Admin Center and navigate to the Exchange Admin center, as shown in Figure 1. This link will open a new tab in your browser with the Exchange Admin Center.
- Find and click the 'connectors' link under the mail flow options, as shown in Figure 2. The link takes you to the connectors for the domain.
- You may have other connectors already listed. Click on the 'plus icon' to add a new connector. A new window will open to select your mail flow scenario. Select 'Partner organization' for 'From:' and 'Office 365' for 'To:' as shown in Figure 3. Then click the 'Next' button to continue.
NOTE: A message displays that indicates this connector is optional for the mail flow scenario. However, the configuration steps below will enhance the security of the connector by applying specific restrictions.
- Enter a name for the connector, for example, 'Inbound from Mailprotector Only', and add a description if you would like. As shown in Figure 4, uncheck the box to the left of 'Turn it on' to prevent an interruption of mail flow if the domain's MX record is not pointing at Mailprotector yet. Then click the 'Next' button to continue.
- The 'Identify the partner organization' option makes it possible to require that mail from any domain come through Mailprotector first. Select 'Use the sender's domain' to identify the partner organization, as shown in Figure 5, and click the 'Next' button to continue.
NOTE: For more detailed information on the configuration of this connector option, please read Microsoft's Example 4, described in 'Example security restrictions you can apply to email sent from a partner organization'.
- Specify that the connector applies to all sender domains. Click the 'plus icon' to add a domain. Enter a '*' on the next screen and click the 'Ok' button. The dialog should look similar to Figure 6. Then click the 'Next' button to continue.
- The next step applies the restrictions to ensure the connector only accepts mail from Mailprotector's servers. By default, the 'Reject email messages if they aren't sent over TLS' option is checked. The sub-option to require a certificate should remain unchecked.
Check the box for 'Reject email messages if they aren't sent from within this IP range' and click the 'plus icon' to add the addresses as shown in Figure 7. Add each address individually.
Click the 'Next' button after adding the IP addresses.
- The final screen summarizes the steps taken above and should look similar to Figure 8. You may need to scroll your summary window to see all of the settings. Click the 'Save' button to finish creating the inbound connector.
- You will return to the connectors for the domain. The inbound connector you just created will be turned off if you followed the directions in this article. You can confirm whether the connector is turned on or off by looking at its status, as shown in Figure 9.
NOTE: If the MX records for your domain already point to Mailprotector, it is safe to turn on the inbound connector. If the MX record still points directly to Office 365 or another host, do not turn this connector on until Mailprotector is scanning email. The connector will not accept messages from the Internet when turned on.
Enable the Inbound Connector After Changing the MX Record to Point to Mailprotector
If the MX record for your domain has been changed to yourdomain.tld.us.emailservice.io, you are ready to turn on the inbound connector created above. Remember! The inbound connector will reject mail flow that does not come from Mailprotector after it is turned on.
- Return to the connectors in the Exchange Admin Center, select the inbound connector you created above, and click the 'pencil icon' to edit the connector. The 'pencil icon' is to the right of the 'plus icon' as shown in Figure 10.
- A new window opens. Click the checkbox to the left of 'Turn it on' as shown in Figure 11 and click the 'Next' button to continue.
- You will step through the rest of the inbound connector configuration but will not change anything. Just click the 'Next' button three times and the 'Save' button at the summary screen. The inbound connector is now turned on and will only accept messages scanned through Mailprotector.
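The same connector can be created and enabled from Exchange Online PowerShell. The script below is an added example, not part of the original article or Mailprotector's own tooling. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, and a Windows host for Resolve-DnsName. The domain and IP addresses are placeholders to replace with your domain and the addresses from Figure 7. It creates the connector turned off and only turns it on when every MX record matches the Mailprotector host pattern given in this article.

```powershell
# Added example. Run after Connect-ExchangeOnline as an Exchange administrator.
$ConnectorName = 'Inbound from Mailprotector Only'
$Domain        = 'yourdomain.tld'                   # placeholder: your accepted domain
$ExpectedMx    = "${Domain}.us.emailservice.io"     # MX host pattern from this article

# Placeholders (RFC 5737 documentation addresses), NOT real Mailprotector
# addresses. Replace with the addresses listed in Figure 7.
$MailprotectorIPs = @('192.0.2.10', '192.0.2.11')

# Create the connector turned off, with the same restrictions as the steps above:
# partner connector, all sender domains ('*'), TLS required, no certificate
# requirement, and mail accepted only from the listed IP addresses.
if (-not (Get-InboundConnector | Where-Object Name -eq $ConnectorName)) {
    New-InboundConnector -Name $ConnectorName `
        -Comment 'Accept inbound mail only from Mailprotector' `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -RequireTls $true `
        -RestrictDomainsToIPAddresses $true `
        -SenderIPAddresses $MailprotectorIPs `
        -Enabled $false
}

# Pre-flight check: look up the domain's MX records and collect any that do
# not point at the expected Mailprotector host.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' })
$unexpected = @($mx | Where-Object { $_.NameExchange.TrimEnd('.') -ne $ExpectedMx })

if ($mx.Count -eq 0 -or $unexpected.Count -gt 0) {
    # Turning the connector on now would reject mail that is still delivered
    # directly to Office 365 or another host, so leave it off.
    Write-Warning "MX for $Domain is not pointing only at $ExpectedMx; connector left off."
    $unexpected | Select-Object NameExchange, Preference
}
else {
    Set-InboundConnector -Identity $ConnectorName -Enabled $true
}

# Show the resulting state (equivalent to the status column in Figure 9).
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, Enabled, ConnectorType, SenderDomains, RequireTls,
                RestrictDomainsToIPAddresses, SenderIPAddresses
```

DNS changes can take time to propagate, so a resolver may still return the old MX record shortly after the change. In that case the script leaves the connector off and can simply be run again later.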