04-24-2025 12:54 PM
We have a customer that is migrating to Office365.
Emails are received as Relay from O365, since there are users on both the old and new system and emails need to flow back and forth. However, emails from other domains to the customer domain also come in through the relay. I've had O365 set up a special header for emails sourced from the customer domain. But I'm not seeing how I can move emails to the inbound process when the sending domain is not the customer's.
Any suggestions would be appreciated...
04-24-2025 01:16 PM
04-24-2025 01:31 PM
These are on-prem ESA's.
04-24-2025 01:44 PM
04-24-2025 02:21 PM
In our case the ESA is used both for inbound and outbound security.
So far we have traffic being delivered correctly for the customer's domain both ways.
I'm just concerned with external traffic coming from O365 destined to the customer, that is not correctly filtered, since it's not handled as incoming traffic.
Also, I still have a concern with outbound O365 traffic that is not coming from the customer domain. So far I have not seen it, and we have a block in place, but I am still concerned about things falling over within O365, as it's beyond our control.
04-24-2025 02:48 PM
04-24-2025 03:52 PM
Yes, we only have one listener interface, though I don't see that making a difference for receiving emails from O365.
The "fall over" reference is in regards to when configuration changes are done on O365 and unintended traffic flow is activated. We never know when changes are made.
Our customer uses an "onmicrosoft.com" subdomain; not sure why you need that blocked specifically, as I also see private domains coming from O365...
04-24-2025 08:09 PM
04-25-2025 11:55 AM
First of all, there is no Exchange server in play here. (The legacy server is a Domino server and will be retired.)
Secondly, the ESA remains in use for O365 outbound verification.
Regardless of the number of listeners, O365 can only be detected by the sender FQDN "protection.outlook.com". The complication is that this is independent of the sender domain. We have no way to know at HAT level (sender group selection) if the O365 traffic is outbound or inbound. That's why my original question was whether it is possible to redirect the process flow from outbound to inbound mail processing.
Hope this helps clear up my conundrum.
Thank you, Chris Klomp
647-837-4158
Shift: 11:00 - 19:00 EST
04-25-2025 12:35 PM
Yes...that helps to clear the confusion.
How mail is treated is based on the listener type, which got set at creation.
You can create new ones with the required types, but this is how the ESA decides how to deal with mail...
There's also the Mail Flow Policy that is applied to a Sender Group; that policy might be set to Relay, and if your traffic hits that, it's treated as "outbound"...
What I'm missing is why your internal traffic from O365 is being treated differently from MY traffic to you from my O365... generally it would all be "inbound". Then on that listener, there'd be a Sender Group with a Mail Flow Policy that's set for Relay, and the IPs of your internal mail servers would be the only thing in it... Everything else should hit a Sender Group for "inbound" mail.
04-25-2025 12:43 PM - edited 04-25-2025 12:43 PM
So if I am reading it right, you are expecting only email from the domain to come in via this relay, but in case they mess up and more comes through to your domain, you want it processed as an incoming flow.
Depending on how you want to do it, you could make a new listener, or you may be able to break the flow off to the current incoming listener.
1: Make an outbound mail policy saying basically "recipient is @mydomain.com". This will break it into a new flow in case they send to multiple recipients.
2: From this, make a content filter that sends to an alternate host and apply it to this flow. Set the alternate host to your inbound IP, assuming it is standard port 25.
Another option is to use a separate listener.
1: Create a new public listener on another port, i.e. 2525 or something.
2: Do the 2 steps above, but set the alt server as a DNS name, i.e. redirect.mydomain.com.
3: Under Network -> SMTP Routes, set the receiving domain redirect.mydomain.com to destination host <IP>:<Port> of the new listener.
With this you have a different flow of content filters etc. you can use. Hope that makes sense.
04-25-2025 12:43 PM
The problem with O365 is that the Sender Group for O365 is the same for traffic from different sender domains.
Traffic from my customer's sender domain should be treated as Relay and the rest should be treated as Inbound. However, multiple sender domains are coming in through the same Sender Group.
04-25-2025 01:14 PM
So Office is sending multiple domains through the interface?
Then take what I said, but instead of the recipient being @mydomain.com, set it to "sender does not end with @mydomain.com". That will break off any email not from the specified domain into another flow, and then you can redirect them.
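Added example, not from the thread or from Cisco: a small Python model of the decision path discussed above (HAT sender group chosen from the connecting host only, then an outgoing mail policy keyed on the sender address that redirects non-customer mail to the inbound listener, and a block for foreign-domain relaying). The domain, the O365 host suffix and the listener address are constructed.

```python
# Model of the ESA flow described in the thread (illustrative, not ESA config syntax).
CUSTOMER_DOMAIN = "customer.example"          # assumed customer domain
O365_HOST_SUFFIX = "protection.outlook.com"   # hostname O365 presents, per the thread
INBOUND_LISTENER = "192.0.2.25:25"            # constructed address of the inbound listener


def sender_group(connecting_host: str) -> str:
    """HAT step: the sender group is picked from the connecting host alone,
    so every O365 connection lands in the same (Relay) group regardless of
    which domain the message is actually from."""
    if connecting_host.lower().endswith(O365_HOST_SUFFIX):
        return "O365_RELAY"      # mail flow policy RELAY -> treated as outbound
    return "UNKNOWNLIST"         # default inbound sender group


def route(connecting_host: str, mail_from: str, rcpt_to: str) -> str:
    """Return where the message ends up after the HAT and the outgoing policies."""
    if sender_group(connecting_host) != "O365_RELAY":
        return "inbound"                      # normal inbound scanning path
    sender_is_customer = mail_from.lower().endswith("@" + CUSTOMER_DOMAIN)
    rcpt_is_customer = rcpt_to.lower().endswith("@" + CUSTOMER_DOMAIN)
    if not sender_is_customer:
        # Outgoing mail policy: "sender does not end with @customer domain",
        # with a content filter that sends matches to the inbound listener.
        if rcpt_is_customer:
            return "redirect:" + INBOUND_LISTENER
        # Foreign sender to foreign recipient: O365 would be using us as an
        # open relay for someone else's domain, so the existing block applies.
        return "blocked"
    return "relay"                            # customer's own outbound mail


# Constructed sample envelopes: (connecting host, MAIL FROM, RCPT TO)
SAMPLES = [
    ("mail-ab1.protection.outlook.com", "alice@customer.example", "bob@other.example"),
    ("mail-ab1.protection.outlook.com", "ext@other.example", "bob@customer.example"),
    ("mail-ab1.protection.outlook.com", "ext@other.example", "bob@third.example"),
    ("mx.third.example", "x@third.example", "bob@customer.example"),
]


def classify_samples() -> list:
    return [route(*env) for env in SAMPLES]


if __name__ == "__main__":
    for env, result in zip(SAMPLES, classify_samples()):
        print(f"{env[0]:36} {env[1]:24} -> {env[2]:24} {result}")
```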