Configure Microsoft 365 with SpamExperts Local Cloud
The details on this page relate to SpamExperts Local Cloud only. For information on configuring for SpamExperts Hosted Cloud, see:
- Configure Incoming Filtering with Exchange Online (Microsoft 365)
- Configure Outgoing Filtering with Exchange Online (Microsoft 365)
- Configure Journaling in SpamExperts/Exchange
As the majority of this is documented by Microsoft for their system, please see the Microsoft documentation for setting up a third-party spam filter
Incoming filtering
Basic steps to protect your domain:
- Add a domain via the SpamExperts web interface, ensure the destination route is set to the MX record hostname provided by Microsoft 365
- Follow the Microsoft documentation for setting up a third-party spam filter
- For Step #3: IP Addresses to Skip in the "Use the Microsoft 365 Defender portal to configure Enhanced Filtering for Connectors on an inbound connector" section of the above Microsoft documentation, ensure you add the IP address ranges of your cluster
- Change the MX records of the domain in the DNS to point to the MX records used for the incoming filter
Outgoing filtering per domain configuration
Step 1: Create Outgoing User/Authentication Method in SpamExperts
- Log in to the SpamExperts control panel as an admin
- Select General > Domains Overview then click on the relevant domain to open the Domain Level Control Panel
- Select Outgoing > Manage Users
- Select the Authenticating Domain tab and ensure that the domain you are using with Exchange Online is shown
- Enter a secure password and click Add and configure
- Configure the Authentication method as required, ensuring that Re-authentication permitted is enabled
- Click Save
The secure password is only required to complete the configuration process. Once set, it is no longer needed.
For full details on Authentication methods, see Outgoing Users/Authentication Methods
Step 2: Set up a Transport Rule in Exchange Online
For full details on configuring this in either the Classic EAC or the New EAC, see the Microsoft documentation to set up connectors for secure mail flow.
When enabling Route messages through these smart hosts, ensure you provide hostname for the IP address configured for outbound filtering on port:25 e.g.
smtpout25.yourdomain.invalid
Cluster Configuration for Outbound filtering for Microsoft 365
You must have outbound filtering configured on a dedicated IP to listen for connections on port:25. Using existing IPs will cause traffic to be treated as Inbound. If you do not have this configured, Please contact our support team by through N-AbleMe.
For this to work successfully the following is needed:
- A minimum of 2 public IPs on a node
This is required as Microsoft 365 (Exchange Online) needs to be able to contact the local filter notes on an additional public interface listening for outbound connections on port 25.
- The secondary public IP configured to use port 25 for outgoing usage. Please contact SpamExperts support to have this enabled on a secondary IP
- Microsoft 365 IP's (from Microsoft's current published list) added to a controlled authenticating domain as authenticating users (IP addresses) - 1 user per IP address range from Microsoft
- Make sure that you add these IP Addresses with the option to Re-authenticate as sending domain enabled
We recommend setting this on a domain specifically for this purpose. All mail which does not successfully re-authenticate will be logged against the domain with the IP outbound users listed.
As Microsoft 365 can sometimes change their IPs without notice, its advised to periodically check and update the existing IPs added
Email archiving
Basic steps to archive your domain's email:
- Ensure that archiving is enabled on the domain in SpamExperts("Status" page in the "Archive" section)
- Any incoming/outgoing email passing the domain will automatically be archived by default
- Set up a filter rule to also archive the Microsoft 365 internal message using a mail rule, or for archive-only, set a rule to archive all email
- Go to the domain dashboard, enable the archiving service on the "Status" page in the "Archive" section
- Optionally restrict which recipients should be archived on the "Archived recipients" page
- Login to the Microsoft 365 "Exchange admin center"
- In the dashboard, go to journal rules in the compliance management section
- First choose "select address" for "Send undeliverable journal reports to:". This should be a valid recipient to be informed in case of journal failures
- Next add a journal rule:
- Send journal reports to: You can find the Global journal address which is unique for your domain on the Archiving > Status page in SpamExperts
E.g. "47034d58-47e0-451a-bf64-25327148361d-demo-domain.invalid@MX-record-hostname" where you must replace "MX-record-hostname" with the primary MX record for your inbound filter
- Name: SpamExperts journal archive rule
- If the message is sent to or received from: [Apply to all messages]
- Journal the following messages: Internal messages only (in case you use protection), all messages (this would cause duplicate archiving if you also archive via the protection service)
- Send journal reports to: You can find the Global journal address which is unique for your domain on the Archiving > Status page in SpamExperts
By default, all incoming/outgoing email processed by the filtering servers for the domain will now be archived