This article will show you how to lock down Office 365 to only accept from the MPmail service.
- Office 365 customer setup on MPmail
- Office 365 admin account
- MPmail with 126.96.36.199 in the Outbound Relay, must have been done at least 60 minutes prior
- MPmail Outbound Smarthost address
- Log into the Exchange section of your Office 365
- Click on ‘Mail Flow’
- Click on ‘Rules’
- Click on ‘+’ to create a new rule
- Give the rule a Name
- Immediately click on 'More options'
- 'Name' = MPmail Inbound Rule
- 'Apply this rule if ' = [Apply to all messages]
- 'Do the following' = 'Reject the message with explanation (then define an explanation, ours is 'Email bypassed MX records')
Add Exception to the rule. 'Except if' = Senders IP is in the range (and enter our IP ranges):
188.8.131.52/20 184.108.40.206/22 220.127.116.11/24 18.104.22.168/24 22.214.171.124/24 126.96.36.199 188.8.131.52 184.108.40.206
- Add an additional exception which will allow mail from your internal mailboxes outbound in the same transport rule
- The sender is located 'External/Internal'
- Select Inside the organisation. This will cover all sending mailboxes within your Office 365 account
- Add another Exception with 'The message type is -> Calendaring'
- Tick 'Enforce'
- Click 'OK'
- Click 'Save'
- Go to your customer account in the https://converge.mp and input the unique office 365 generated MX records under your customers IP/Hostname within the MPmail area
- Activate outbound relay by inputting a Dummy IP and save. IP 220.127.116.11 which is a virtual container, which encompasses all of Office 365 IP ranges
We also recommend setting up another rule to bypass Microsoft 365 spam filtering as other products are taking care of this.
Not doing this can result in messages getting quarantined by Microsoft. Note that the priority for this rule should be set so that it kicks in AFTER the rule created in previous steps.
- Create a new Rule called 'Bypass Spam Filtering'
- Set 'Apply this rule if' to 'The recipient is located inside the organization'
- Set 'Do the following' to 'Set the spam confidence level (SCL) to' and choose 'Bypass spam filtering'
- Make sure 'Enforce' is checked and Save
Teams Voicemail Messages
To allow teams voice voicemail messages to be delivered to email, we will also need to create an additional rule that is higher in priority that the previous two rules so it happens before them.
Name the rule 'Teams Voicemail' or something similar. Choose 'is message type Voicemail' for Apply this rule if, Prepend the subject with 'Teams Voicemail' for Do the following (the rule has to do something, so we make it something harmless like this), select Enforce for mode and check the 'Stop processing more rules' option. Click Save.
To send all emails outbound through Manage Protect Smarthost:
- Go to 'Mail flow'
- Click '+'
- Add connector, select scenario.
- From: Office 365
- To: Partner Organisation
- Apply a useful Name to the connector and click 'Next'
- Choose 'Only when email messages are sent to these domains' and add you Domains or for the purposes of this example, Add *
- Then press next and choose the option: 'Route email through these smarthosts'. Click the '+' option and add yourdomain.outbound.anz.mpmailmx.com.
- Click Save
- The next option is not mandatory, but if you would like to ensure that all messages sent outbound through the smarthost are sent via TLS please leave this window as the default option as below
- Click 'Next' and you will then be presented with a summary of the scenario
- Click 'Next' to apply and you will be presented with a validate connector window
- You should enter an external email address and Office 365 will validate the connector and attempt to send a test message though the smarthost
- You should see the following results when validation is complete.