Inbound Rule 


When using EveryCloud email filtering with Office 365 Exchange Online, you need to ensure that Office 365 Exchange Online accepts connections only from EveryCloud's service ranges. Otherwise spammers will still be able to send email directly to your Office 365 mail environment, bypassing your MX records. Here's how to lock down Office 365 Exchange Online.


You cannot define an inbound receive connector that allows only connections from EveryCloud's IP ranges: EveryCloud has a /20 range within its delivery ranges, and Office 365 receive connectors have a limitation in that they only allow connections from /24 ranges to /32 ranges. You must therefore create a transport rule instead. This will be a reverse-logic rule.


Tasks


1. Deny all email

2. Create an exception to the deny rule and allow only from EveryCloud Technologies IP ranges

3. Create an exception to allow mail sent from your Office 365 mailboxes (Inside the organization)



Method:


1. Click on ‘Mail Flow’

2. Click on ‘Rules’

3. Click on ‘+’ to create a new rule

4. Give the rule a Name

5. Immediately click on 'More options'






1. 'Name' = This is up to you


2. 'Apply this rule if ' = [Apply to all messages]


3. 'Do the following' = 'Reject the message with explanation' (then define an explanation; ours is 'Email bypassed MX records')

 

Reverse logic 


Add Exception to the rule:

 

'Except if' = 'Sender's IP is in the range' (and enter our IP ranges)




    Subnet IP       Subnet Mask      Net Mask   IP Range
    83.246.65.0     255.255.255.0    /24        83.246.65.0 - 83.246.65.255
    94.100.128.0    255.255.240.0    /20        94.100.128.0 - 94.100.143.255








Additional exception


Then add an additional exception, in the same transport rule, which will allow outbound mail from your internal mailboxes.


1. 'The sender is located' = External/Internal = 'Inside the organization'


2. This will cover all sending mailboxes within your Office 365 account





Tick 'Enforce'

Click 'OK'

Click 'Save'



Rule overview:


EveryCloud Allow Only


If the message...

Apply to all messages


         

Do the following...

reject the message and include the explanation 'Email Bypassed MX records' with the status code: '5.7.1'


        

Except if...

sender ip addresses belong to one of these ranges: '94.100.128.0/20' or '217.64.175.0/24' or '83.246.65.0/20' or Is received from 'Inside the organization'


       

Rule comments

EveryCloud Allow Only

      

Rule mode

Enforce
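
The same rule can also be created from Exchange Online PowerShell. This is an added example, not EveryCloud's own script: it assumes an administrator session already opened with `Connect-ExchangeOnline`, and it uses the two ranges from the table above.

```powershell
# Added example: the 'EveryCloud Allow Only' reverse-logic rule as PowerShell.
# Assumes Connect-ExchangeOnline has already been run by an Exchange administrator.

$ruleName = 'EveryCloud Allow Only'

# Ranges copied from the table in this article. A transport rule accepts the /20
# that an inbound connector would refuse.
$everyCloudRanges = @(
    '83.246.65.0/24',
    '94.100.128.0/20'
)

# Do not create a second rule with the same name.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    throw "Transport rule '$ruleName' already exists; change it with Set-TransportRule."
}

$ruleParams = @{
    Name                            = $ruleName
    Comments                        = $ruleName
    # No condition is given, so the rule applies to all messages...
    RejectMessageReasonText         = 'Email bypassed MX records'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # ...except mail relayed from EveryCloud's ranges...
    ExceptIfSenderIpRanges          = $everyCloudRanges
    # ...or mail sent from inside the organization (either exception is enough).
    ExceptIfFromScope               = 'InOrganization'
    Mode                            = 'Enforce'
}
New-TransportRule @ruleParams

# Read the rule back and confirm that both exceptions were stored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, RejectMessageReasonText,
                RejectMessageEnhancedStatusCode, ExceptIfSenderIpRanges, ExceptIfFromScope
```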


Now go to your customer account in EveryCloud's control panel https://control.everycloudtech.com/ and input the unique Office 365-generated MX records under your customer's IP/Host-name within the 'Management' tab.



Important

Activate outbound relay by inputting a Dummy IP of 1.1.1.1 and save. IP 1.1.1.1 is simply a place holder which activates the ability to send outbound through your account. 


We maintain a full list of Office 365 sending addresses in our backend database: Office 365's active sending ranges are available to view here



 

You will now need to go back to your DNS control panel and make sure that the Office 365 MX records are set to at least a priority 50, so that email for your domain will route to EveryCloud Technologies' MX records first, at priority 10, 20, 30 and 40.


Priority 10: mx101.everycloudtech.com

Priority 20: mx102.everycloudtech.com

Priority 30: mx103.everycloudtech.com

Priority 40: mx104.everycloudtech.com

Priority 50: your Office 365 MX



You will also need to add an additional include statement within your new Office 365 TXT record

e.g.: "v=spf1 include:spf.everycloudtech.com include:spf.protection.outlook.com -all"
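
To confirm that the published records match this layout, the MX order and SPF includes can be checked from a Windows workstation. This is an added example, not part of EveryCloud's instructions; the function name `Test-EveryCloudDns` is hypothetical and `example.com` is a placeholder for your domain.

```powershell
# Added example: check MX priorities and SPF includes for one domain.
# Resolve-DnsName is part of the Windows DnsClient module.
function Test-EveryCloudDns {
    param([Parameter(Mandatory)][string]$Domain)

    # MX answers carry NameExchange/Preference; skip any other record in the reply.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
            Where-Object { $_.NameExchange } | Sort-Object Preference)

    $everyCloudMx = @($mx | Where-Object { $_.NameExchange -like '*.everycloudtech.com' })
    $otherMx      = @($mx | Where-Object { $_.NameExchange -notlike '*.everycloudtech.com' })

    # A long TXT record comes back as several strings; join them before matching.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
             Where-Object { $_.Strings } |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=spf1*' })

    [pscustomobject]@{
        Domain                = $Domain
        MxRecords             = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; '
        # EveryCloud hosts must be preferred (priority below 50)...
        EveryCloudMxFirst     = ($everyCloudMx.Count -gt 0) -and
                                (@($everyCloudMx | Where-Object { $_.Preference -ge 50 }).Count -eq 0)
        # ...and every other host (the Office 365 MX) must sit at 50 or higher.
        OtherMxAtLeast50      = @($otherMx | Where-Object { $_.Preference -lt 50 }).Count -eq 0
        # More than one v=spf1 record makes SPF evaluation fail.
        SingleSpfRecord       = $spf.Count -eq 1
        SpfIncludesEveryCloud = [bool]($spf -match 'include:spf\.everycloudtech\.com')
        SpfIncludesOffice365  = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
        SpfHardFail           = [bool]($spf -match '\s-all\s*$')
    }
}

Test-EveryCloudDns -Domain 'example.com'
```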


Outbound Rule/Connector


Firstly
Important

Activate outbound relay by inputting a Dummy IP of 1.1.1.1 and save. IP 1.1.1.1 is simply a place holder which activates the ability to send outbound through your account. 


We maintain a full list of Office 365 sending addresses in our backend database: Office 365's active sending ranges are available to view here



Now to Office 365


Go to 'Mail flow'

'Connectors'

Press '+'

Add connector, select scenario.


From: Office 365

To: Partner Organisation





Give the connector a useful name and press 'Next'





Choose 'Only when email messages are sent to these domains' and add your domains or, for the purposes of this example, add * = all















Then press 'Next' and choose the option 'Route email through these smart-hosts'. Press the '+' option, add EveryCloud Technologies' smart-host outbound.everycloudtech.com and then press 'Save'





The next option is not mandatory, but if you would like to ensure that all messages sent outbound through EveryCloud Technologies' smarthost are sent via TLS, please leave this window as the default option as below




Press 'Next' and you will then be presented with a summary of the scenario




Click 'Next' to apply and you will be presented with a validate connector window




You should enter an external email address; Office 365 will validate the connector and attempt to send a test message through the EveryCloud Technologies smarthost 'outbound.everycloudtech.com'


Validating




When validation is complete you will see the below window







Save the configuration and view the result in the outbound logs in EveryCloud Technologies' control panel.
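
The connector wizard steps above have a PowerShell equivalent. This is an added example, not EveryCloud's own script: the connector name and test recipient are placeholders, a `Connect-ExchangeOnline` session is assumed, and the `TlsSettings` value is an assumption about which TLS option the wizard selects by default.

```powershell
# Added example: outbound partner connector through the EveryCloud smart host.
# Assumes Connect-ExchangeOnline has already been run by an Exchange administrator.

$connectorName = 'Outbound via EveryCloud'   # hypothetical name, choose your own
$testRecipient = 'someone@example.net'       # placeholder external address

$connectorParams = @{
    Name             = $connectorName
    ConnectorType    = 'Partner'             # From: Office 365, To: Partner organisation
    RecipientDomains = '*'                   # all domains, as in the walkthrough
    UseMXRecord      = $false                # use the smart host, not the recipient's MX
    SmartHosts       = 'outbound.everycloudtech.com'
    # Assumption: corresponds to the wizard default (always use TLS, certificate
    # issued by a trusted CA). Remove this line for opportunistic TLS.
    TlsSettings      = 'CertificateValidation'
    Enabled          = $true
}
New-OutboundConnector @connectorParams

# The same check the wizard performs: send a test message through the smart host.
Validate-OutboundConnector -Identity $connectorName -Recipients $testRecipient

# Read the connector back.
Get-OutboundConnector -Identity $connectorName |
    Format-List Name, Enabled, ConnectorType, RecipientDomains,
                SmartHosts, UseMXRecord, TlsSettings
```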





Bypassing Office 365 Spam Filtering


There is no reason to allow Microsoft Exchange Online to continue using its own inbuilt spam filtering heuristics if EveryCloud is already filtering your inbound email.


If you would like to turn off Office 365 Exchange Online's filtering for connections originating from our IP ranges, please follow these instructions.



Go to Exchange -> mail flow -> rules -> create a new rule.



  • Give the rule a name: 'Bypass Office 365 Filtering'
  • *Apply this rule if: Sender's IP address is in the range
  • Add EveryCloud's ranges
  • *Do the following: Set the spam confidence level (SCL) : Bypass spam filtering
  • Save the rule and you are done





Overall you should have two inbound mailflow rules:





And one outbound connector to pass email outbound through EveryCloud's smarthost.
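
The bypass rule and a check of the finished state (two inbound rules, one outbound connector) can be scripted as follows. This is an added example, not EveryCloud's own script; it assumes a `Connect-ExchangeOnline` session and reuses the two ranges from the table in the inbound section.

```powershell
# Added example: SCL bypass rule plus a check of the finished configuration.
# Assumes Connect-ExchangeOnline has already been run by an Exchange administrator.

$everyCloudRanges = @('83.246.65.0/24', '94.100.128.0/20')   # from the table earlier
$bypassName       = 'Bypass Office 365 Filtering'

# Create the bypass rule only if it is not there yet. SCL -1 = bypass spam filtering.
if (-not (Get-TransportRule -Identity $bypassName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $bypassName -SenderIpRanges $everyCloudRanges -SetSCL -1
}

# The two inbound rules this article ends up with.
$expected = 'EveryCloud Allow Only', $bypassName
$rules    = @(Get-TransportRule | Where-Object { $_.Name -in $expected })
$rules | Format-Table Name, State, Mode, Priority -AutoSize

$missing = $expected | Where-Object { $_ -notin $rules.Name }
if ($missing) {
    Write-Warning "Missing transport rule(s): $($missing -join ', ')"
}

# A rule left disabled or in an audit mode does not reject anything.
$rules | Where-Object { $_.State -ne 'Enabled' -or $_.Mode -ne 'Enforce' } |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' is $($_.State) / $($_.Mode)" }

# The outbound connector that routes through EveryCloud's smart host.
Get-OutboundConnector |
    Where-Object { "$($_.SmartHosts)" -like '*outbound.everycloudtech.com*' } |
    Format-Table Name, Enabled, RecipientDomains, SmartHosts, TlsSettings -AutoSize
```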