Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19242
Views
30
Helpful
17
Replies

Office 365 Email Routing Using ESA

victor.bassey
Level 1
Level 1

‎03-27-2017 12:36 PM

Dear support,

we are looking to migrate to office  365, however i would like to keep email routing via on-premise iron-port appliance. 

I need to ensure the following:

1. Email sent from Office 365 to external (internet) routes through on-prem ESA and normal content filter,outbound mail policy and DLP policy applies

2. Email sent between two users in office 365 does not need to route via onprem.

3. Outbound email from on-prem, continues to route email as normal with content filter,outbound mail policy and DLP policy applied.

4. Email sent from on-prem user to cloud user (i.e. our private O365 tenant) goes back out via ESA en-route to office 365,however without any filtering, or DLP policy

please has anyone implemented this scenario. I need some guidance as i am not great with ESA appliance

3 people had this problem
Labels:
0 Helpful
17 Replies 17

Libin Varghese
Cisco Employee
Cisco Employee

‎03-27-2017 12:51 PM

Hi Victor,

1. Email sent from Office 365 to external (internet) routes through on-prem ESA and normal content filter,outbound mail policy and DLP policy applies.

In order to allow emails from the Office 365 to be sent outbound you would need to add the office 365 IP to the HAT RELAYLIST under Mail Policies -> HAT Overview.

Adding this would then treat those emails as outbound and would process as per the outgoing mail policies including content filters and DLP.

If the office 365 servers are dynamic then you would need to add the required subnets along with the below message filter to prevent other domains from relaying emails through the ESA.

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@example\\.com;) OR (rcpt-to != 'example\\.com;)){
drop();
}

Message filters are added through the command line access of the appliance using command "filters".

2. Email sent between two users in office 365 does not need to route via onprem.

This would need to be configured on the office 365 server, any email injected to the ESA would be processed by the ESA so the office 365 server would need to be configured to prevent emails between users in office 365 from being sent to the ESA.

3. Outbound email from on-prem, continues to route email as normal with content filter,outbound mail policy and DLP policy applied.

As internal exchange server would be part of the HAT RELAYLIST already they would continue to be processed via the outbound mail policy.

4. Email sent from on-prem user to cloud user (i.e. our private O365 tenant) goes back out via ESA en-route to office 365,however without any filtering, or DLP policy

This would require configuration of a new outgoing mail flow policy for the recipient domain/email address on office 365 under Mail Policies -> Outgoing Mail Policies with the scanning engines disabled for just that outgoing mail policy.

Thank You!

Libin Varghese

victor.bassey
Level 1
Level 1
In response to Libin Varghese

‎03-27-2017 01:16 PM

Thanks Libin for the prompt response, greatly appreciated. I read that it may be better to create a new listener for this purpose. Would this be the best option,and will all the steps you already mentioned remain the same?

sorry if i sound a bit bump, can you describe the drop rule in plain english, just to help me better understand whats the rule is doing:

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@example\\.com;) OR (rcpt-to != 'example\\.com;)){
drop();

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to victor.bassey

‎03-27-2017 01:30 PM

Creating a second listener would allow you to maintain the traffic from office 365 servers separate from the rest of the traffic. The remaining steps would remain the same.

Only difference would be that the configuration under Mail Policies -> HAT Overview (including RELAYLIST) would be configured specific for that listener. You could also just create a new sendergroup for Office 365 server within the existing listener.

For the message filter, it checks the traffic originating from the IP's mentioned in the RELAYLIST and drops emails that are not from and not to your internal domain.

This would be required if the office 365 server is shared between multiple organizations.

For example, office 365 IP 10.10.10.10 is added to your HAT RELAYLIST.
The same server is used by abc.com which is owned by you and also by pqr.com which is owned by another organization.

So in order for the ESA to only allow emails from abc.com we would have a filter in place which would drop emails from pqr.com.

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) OR (rcpt-to != '@abc\\.com;)){
drop();
}

So email from abc.com to gmail.com - Accepted

Email from abc.com to pqr.com - Accepted

Email from pqr.com to abc.com - Accepted

Email from pqr.com to gmail.com - Dropped

However, if you have a dedicated office 365 server then simply adding that to the HAT RELAYLIST would be enough. The message filter would not be required in that scenario.

- Libin V

exMSW4319
Level 3
Level 3
In response to Libin Varghese

‎03-28-2017 02:15 AM

Would it be more efficient to nest the If rather than use an And operator?

Possibly I'm not following the scenario fully, but shouldn't the Or operator be an And? It sounds as if the OP is running hybrid for a while, so CC and BCC will also be a consideration.

I'm thinking:

DropRelayedMail:

if (sendergroup == 'O365LIST') {

    if ((mail-from != '@abc\\.com') AND (rcpt-to != '@abc\\.com')) {

        quarantine('Testing Quarantine');

    }

}

I'm suggesting a new sender group because the inflow from O365 may be unique enough to have its own mail flow policy. Not sure what should go in that. Whether O365LIST should go above or below BLACKLIST in the HAT is of course a matter of faith.

0 Helpful

victor.bassey
Level 1
Level 1
In response to exMSW4319

‎05-17-2017 04:21 AM

Hi Libin,

Just to say a big thanks to you. I was able to implement necessary office 365 email routing for our environment following your guidance.

Thanks.

Vic

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to victor.bassey

‎05-17-2017 05:08 AM

Awesome. Glad to help.

- Libin V

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to Libin Varghese

‎03-28-2017 04:47 AM

Correcting the filter.

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) AND (rcpt-to != '@abc\\.com;)){
drop();
}

- Libin V

David Vigil
Level 4
Level 4
In response to Libin Varghese

‎01-16-2018 12:07 PM

@Libin Varghese
I continue to get an illegal character error on the ' for the rcpt-to line.

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to David Vigil

‎01-16-2018 05:10 PM

Sorry about that. (The email address was within '' and did not need a ;)

 

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com') AND (rcpt-to != '@abc\\.com')){
drop();
}

Daniel Pleiman
Level 1
Level 1
In response to Libin Varghese

‎09-27-2018 07:52 AM - edited ‎09-27-2018 10:36 AM

 
0 Helpful

yohannugera
Level 1
Level 1
In response to Libin Varghese

‎09-20-2019 01:59 AM

Hi Libin,

 

I have the same issue. Some of the emails from "outlook.com" getting matched to "RELAYLIST". If I configure this message filter, such emails (like outlook mails) to internal will be dropped right?

@Libin Varghese wrote:

Correcting the filter.

 

DropRelayedMail:
if (sendergroup == 'RELAYLIST') AND
((mail-from != '@abc\\.com;) AND (rcpt-to != '@abc\\.com;)){
drop();
}

 

- Libin V

 

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to yohannugera

‎09-24-2019 06:09 PM

Emails from outlook matching relaylist would mean the sender host generating those emails is added to the HAT Relaylist.

 

So you may need to confirm your setup to see if you use O365.

 

For implementing relay from O365, you may want to consider implementing a private listener specific for O365 emails.

 

Regards,

Libin

michael sharp
Level 1
Level 1
In response to Libin Varghese

‎08-21-2020 08:28 AM

Would love to see a step by step document for supporting on prem ESA and office 365,  I found one for the cloud ESA. 

 

I'm having issue with office having issue with phishing email, Office 365 is failing the spf record check since emails are relaying from our on prem ESA servers. 

0 Helpful

marc.luescherFRE
Spotlight
Spotlight
In response to michael sharp

‎08-21-2020 09:31 AM

putting it on my list to blog about soon. First will be how to add an external warning to incoming emails.

 

Cisco Champion for Email blog : http://www.emailsecurityblog.info/

 

Give me 1-2 weeks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents