03-27-2017 12:36 PM
Dear support,
We are looking to migrate to Office 365; however, I would like to keep email routing via the on-premise IronPort appliance.
I need to ensure the following:
1. Email sent from Office 365 to external (internet) routes through the on-prem ESA, and the normal content filter, outbound mail policy and DLP policy apply.
2. Email sent between two users in Office 365 does not need to route via on-prem.
3. Outbound email from on-prem continues to route as normal, with content filter, outbound mail policy and DLP policy applied.
4. Email sent from an on-prem user to a cloud user (i.e. our private O365 tenant) goes back out via the ESA en route to Office 365, however without any filtering or DLP policy.
Please, has anyone implemented this scenario? I need some guidance as I am not great with the ESA appliance.
03-23-2021 06:05 AM
I am trying to configure our system according to the following instructions.
(Outbound from EXO -> On-Premises ESA -> External Domains.)
www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html
www.youtube.com/watch?v=n7U_h5c3TFs
If .protection.outlook.com has been configured as RELAY, doesn't that mean that mails from foreign external EXO domains to us are also sent via this relay config? So there is no filtering either?
04-28-2022 04:36 AM
I am trying to set up the same as you described, and have the same question about protection.outlook.com. I have read that you can apply a message content filter, but would that drop the message from other external 365 domains that are sending mail to users? What do you need to apply to have messages from your company 365 be relayed through CES and allow external 365 users' email to not use the sender relay list and be seen as inbound email?
04-28-2022 05:01 PM
@rschwendeman Use a different "private" listener for outbound emails from your O365 tenant to external domains. Configure the O365 connector configuration to send outgoing emails via the private listener. Set up the RELAYLIST under this new listener with the sender as .protection.outlook.com.
As highlighted in the guide, set up the message filter with a condition matching your private listener name. This way it's matched only for connections landing on the outbound/private listener, and other connections on the incoming listener are ignored.
office365_outbound: if sendergroup == "RELAY_O365" {
    if header("X-OUTBOUND-AUTH") == "^mysecretkey$" {
        strip-header("X-OUTBOUND-AUTH");
    } else {
        drop();
    }
}
In retrospect, all external O365 tenants rely on MX records, which will be pointed to the incoming listener IP address (ensure there's no RELAYLIST configured for protection.outlook.com).
Your own O365 tenant uses the connector configuration to relay outbound emails to private listener.
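The decision flow described in the reply above, modelled as an added example that is not part of the original post and is not AsyncOS code. It assumes your tenant stamps X-OUTBOUND-AUTH on outbound mail; the listener names, function names and sample host name are hypothetical.

```python
# Model of the listener / sender-group / header-secret flow; not AsyncOS code.
# Listener names and the sample host name are constructed for illustration.
import re

PRIVATE_LISTENER = "PrivateO365"    # hypothetical name of the outbound listener
INCOMING_LISTENER = "IncomingMail"  # hypothetical name of the MX-facing listener
# Sender groups per listener: only the private listener relays for EXO hosts.
SENDER_GROUPS = {
    PRIVATE_LISTENER: [("RELAY_O365", ".protection.outlook.com")],
    INCOMING_LISTENER: [],  # no relay entry for protection.outlook.com here
}
AUTH_HEADER = "X-OUTBOUND-AUTH"
AUTH_PATTERN = re.compile(r"^mysecretkey$")  # value used in the filter above


def sender_group(listener, host):
    """Return the sender group a connecting host falls into on a listener."""
    for group, suffix in SENDER_GROUPS.get(listener, []):
        if host.endswith(suffix):
            return group
    return "DEFAULT"  # handled as ordinary inbound mail


def handle(listener, host, headers):
    """Return (action, headers_after) for one message."""
    if sender_group(listener, host) != "RELAY_O365":
        return "inbound-policy", dict(headers)
    # Same logic as the office365_outbound filter: check the secret, strip it.
    if AUTH_PATTERN.search(headers.get(AUTH_HEADER, "")):
        kept = {k: v for k, v in headers.items() if k != AUTH_HEADER}
        return "relay-outbound", kept
    return "drop", dict(headers)


if __name__ == "__main__":
    exo = "mail-example.outbound.protection.outlook.com"  # constructed host
    cases = [
        ("own tenant via connector", PRIVATE_LISTENER, {AUTH_HEADER: "mysecretkey"}),
        ("other tenant on private listener", PRIVATE_LISTENER, {}),
        ("other tenant via MX", INCOMING_LISTENER, {}),
    ]
    for label, listener, headers in cases:
        print(f"{label:34} -> {handle(listener, exo, headers)[0]}")
```

The second case is the one the questions above worry about: a host under protection.outlook.com that reaches the private listener without the secret header is dropped rather than relayed.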