Move message from outbound to inbound

chrishklomp
Level 1

We have a customer that is migrating to Office365.

Emails are received as Relay from O365, since there are users on both the old and new system and emails need to flow back and forth. However, emails from other domains to the customer domain also come in through the relay. I've had O365 set up a special header for emails sourced from the customer domain. But I'm not seeing how I can move emails to the inbound process when the sending domain is not the customer.

Any suggestions would be appreciated...

7 Replies

Are the ESAs on-prem, or are you using CES?

chrishklomp
Level 1

These are on-prem ESAs.

Step 1 is to get flow between O365 and on-prem to NOT be going through the ESAs. (we tried it... had all sorts of weirdness)
You want an inbound connector on an Exchange box that's NAT'd to the outside, with appropriate rules on the firewall (open to JUST the MS IPs), and an outbound connector on O365 that's pointed at it.
And you want an inbound connector on O365 for mail coming off of your Exchange server, and an outbound connector on the Exchange server pointed at your O365 deployment.
If I remember correctly the Hybrid wizard sets that all up, you just need to tweak it so the ESAs are out of the way...
Then you need to use the Hybrid wizard to enable "Centralized Mail Transport". Basically that forces all mail on-prem and Exchange figures out where it goes...
MX records point at your ESAs, ESAs point inbound at Exchange, Exchange has an outbound connector to the Internet.

chrishklomp
Level 1

In our case the ESA is used both for inbound and outbound security.

So far we have traffic being delivered correctly for the customer's domain both ways.
I'm just concerned with external traffic coming from O365 destined to the customer, that is not correctly filtered, since it's not handled as incoming traffic.

Also I still have a concern with outbound O365 traffic, that is not coming from the customer domain. So far, I have not seen it, and we have a block in place, but am still concerned for things falling over within O365, as it's beyond our control.

Inbound mail won't just "fall over" from one tenant to another in O365 as long as you have mail to "onmicrosoft.com" domains blocked.
Do you have just 1 listener on the ESAs, and it's handling both inbound and outbound mail?

chrishklomp
Level 1

Yes, we only have one listener interface. Though I don't see that making a difference for receiving emails from O365.

The "fall over" reference is in regards to when configuration changes are done on O365 and unintended traffic flow is activated. We never know when changes are made.

Our customer uses an "onmicrosoft.com" subdomain, not sure why you need that blocked specifically, as I see also private domains coming from O365...

When you use an email security gateway product like ESAs, you want to block external delivery to their onmicrosoft.com address because it doesn't get scanned by the ESAs. Microsoft controls the MX records.

You started with the underlying question of keeping Inbound and outbound mail flows straight....

With 2 listeners it's far simpler... your outbound listener gets just a "relay" sender group, and only the IPs of your internal Exchange boxes can talk to it.

The inbound listener has the other sender groups.

You set the Hybrid wizard to Centralized Delivery, and that makes O365 deliver all outbound mail to Exchange and from there out through the ESAs.

What I'm guessing you have right now is O365 IPs got added to your Relay sender group, so the ESA processes that mail through the outbound policy... except sometimes that mail is inbound mail...
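To make that last point concrete, here is a small Python model of the single-listener sender-group decision described in this thread; it is an added illustration, not code from the thread or from Cisco. Every IP range, domain and transaction in it is a constructed placeholder (RFC 5737 documentation space stands in for the on-prem Exchange hosts and for the Microsoft ranges), and it shows which transactions are left without inbound filtering once O365 IPs sit in the RELAY sender group versus a RELAY group holding only the internal Exchange boxes.

```python
import ipaddress

# All values below are constructed placeholders: RFC 5737 documentation
# ranges stand in for the on-prem Exchange hosts and for Microsoft's IPs.
CUSTOMER_DOMAIN = "customer.example"
EXCHANGE_NET = ipaddress.ip_network("192.0.2.0/24")    # on-prem Exchange
O365_NET = ipaddress.ip_network("203.0.113.0/24")      # stand-in for MS IPs


def relay_group(o365_in_relay):
    """RELAY sender group: internal Exchange only, or Exchange plus O365."""
    return [EXCHANGE_NET, O365_NET] if o365_in_relay else [EXCHANGE_NET]


def classify(src_ip, rcpt_to, o365_in_relay):
    """Return (flow, inbound_filtered) for one SMTP transaction on a single
    listener. Mail to the tenant's onmicrosoft.com address is rejected
    outright because its MX belongs to Microsoft, so the ESA never sees it."""
    if rcpt_to.rsplit("@", 1)[1].endswith(".onmicrosoft.com"):
        return "reject", False
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in relay_group(o365_in_relay)):
        return "outbound", False   # RELAY group: outbound policy, no inbound scan
    return "inbound", True


def unfiltered_external(transactions, o365_in_relay):
    """Transactions from a non-customer sender to the customer domain that
    skip inbound filtering: the gap the original poster is worried about."""
    gaps = []
    for src, mail_from, rcpt_to in transactions:
        flow, filtered = classify(src, rcpt_to, o365_in_relay)
        external = not mail_from.endswith("@" + CUSTOMER_DOMAIN)
        to_customer = rcpt_to.endswith("@" + CUSTOMER_DOMAIN)
        if external and to_customer and flow == "outbound" and not filtered:
            gaps.append((src, mail_from, rcpt_to))
    return gaps


# Constructed sample transactions: (connecting IP, MAIL FROM, RCPT TO)
SAMPLE = [
    ("192.0.2.10", "alice@customer.example", "bob@partner.example"),      # true outbound
    ("203.0.113.9", "alice@customer.example", "carol@customer.example"),  # O365 user -> on-prem
    ("203.0.113.9", "mallory@outside.example", "carol@customer.example"), # external via O365
    ("198.51.100.4", "dave@elsewhere.example", "carol@customer.onmicrosoft.com"),
]

if __name__ == "__main__":
    print("O365 IPs in RELAY:", unfiltered_external(SAMPLE, True))
    print("Exchange-only RELAY:", unfiltered_external(SAMPLE, False))
```

With O365 in the RELAY group only the external-sender transaction comes back as a gap; with the Exchange-only group it is classified inbound and the list is empty.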