Mailprotector recommends configuring inbound and outbound connectors to improve the security of mail flow with Office 365 tenant domains. Instructions for implementing the connectors can be found in other articles using the Office 365 Admin Center, however, some partners may prefer to use PowerShell commands. This article provides the commands necessary to configure the connectors.
Office 365 (O365), PowerShell
Connect to Office 365 Management Console
From a PowerShell Command Line, you must connect to the Office 365 tenant domain you are configuring. When prompted for a username and password, please use an Office 365 admin credential for the domain.
Set-ExecutionPolicy RemoteSigned -Force
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Add the Inbound Connector
The Inbound Connector is disabled on creation. You must enable the connector after changing the MX record for the domain. Otherwise, the connector will reject emails that do not pass through Mailprotector.
New-InboundConnector -Name “Inbound from Mailprotector” -Comment “Only accept email from Mailprotector transport addresses” -Enabled $false -SenderDomains * -RestrictDomainsToIPAddresses $true -RequireTls $true -SenderIPAddresses 22.214.171.124,126.96.36.199,188.8.131.52
Add the Outbound Connector (if using Mailprotector as a smarthost)
The Outbound Connector is enabled on creation. It will immediately begin using the Mailprotector smarthost so be sure you have the domain and users configured in the Mailprotector Console before running this command.
Please change the smarthost address to the appropriate host for the domain you are configuring.
New-OutboundConnector -Name “Outbound to Mailprotector” -Comment “Send all external outbound email through Mailprotector SmartHost” -Enabled $true -RecipientDomains * -SmartHosts mp-office365.com.outbound.emailservice.io -TlsSettings EncryptionOnly
Add an Allow List to the Default Connection Filter (Optional)
Typically, the inbound and outbound connectors work as expected and emails are also evaluated by Exchange Online Protection. There is nothing wrong with this mail flow scenario. However, in rare circumstances, email delivered from Mailprotector can end up in the Junk E-mail folder too often. In that event, please contact Mailprotector Support for additional guidance and whether adding this Allow List to the Default Connection Filter would be appropriate.
Set-HostedConnectionFilterPolicy “Default” -IPAllowList 184.108.40.206,220.127.116.11,18.104.22.168