Office 365 Configuration

The following article covers the configuration required for Office 365, which is also known as Exchange Online.

Office 365

There are four steps to this.  The receiving connector, connection filter and the outbound connector configuration are mandatory and the journaling configuration is required if you wish to archive internal communications also.

Exchange Administration Steps

Enter the Admin menu from the Office 365 portal welcome screen.

Navigate to the Exchange admin screen

Select 'Exchange' under the Admin menu option and a new browser tab will open containing all of the Exchange Online administration options.

Access the Mailflow - Connectors management screen

To access the desired administration screen select:

  1. 'Mail Flow' followed by
  2. 'Connectors'

Inbound Connector Setup

For the inbound connector please select 'Partner Organisation' in the From and 'Office365' in To. Then select 'Next'.

Inbound Connector Configuration

Specify the connector name as "Mailsphere Inbound" and ensure the connector is turned on once saved.

Inbound Connector Identification

Identify the traffic from this connector using the sender's IP address.

Inbound Connector IP Addresses

Use the + button to add the following IP addresses. You will need to add these individually.

54.229.40.39
54.229.54.94

Inbound Connector Security

To ensure that TLS is used, enable the option to 'Reject email messages if they aren't sent over TLS'.

Inbound Connector Review

Once you click Next you will be supplied with a summary of the configuration. Double check this to ensure it is correct and then click Save to complete the configuration.

Connection Filter

Microsoft Security does not recognise the receive connector configuration and acts independently. Therefore it is necessary to add the Mailsphere IP addresses into the connection filter to ensure that these are processed correctly.

Connection filter policy

Edit the default connection filter policy and select connection filtering.

Connection filter - add the Mailsphere IP addresses

Using the + button, add each of the Mailsphere IP addresses:

54.229.54.94
54.229.40.39

Then click Save.

Outbound Connector Setup

For the Outbound connector use the + button to add a new connector and select 'Office365' for the From entry and 'Partner Organisation' for To.

Outbound Connector Configuration

Set the outbound connector name as "Mailsphere Outbound" and ensure that the connector is set to turn on once saved.

Outbound Connector Rules

Ensuring the rule is for messages sent to the configured domains, use the + button to add a rule and use * to include all external domains.

Outbound Connector Delivery

Change the outbound delivery to "Route mail through smart hosts" and then add the following as the available SMART HOST:

eu1.mailsphere.mx
eu2.mailsphere.mx

Outbound Connector Security

Set the connection security as "Trusted certification authority (CA)" so that TLS is always used. Mailsphere uses 256-bit certificates to ensure optimum security is available.

Outbound Connector Review

Once you have clicked Next on the connector security configuration you will be presented with a summary of the configuration. Review the details to ensure they are correct and then, if you're satisfied, press Next to continue.

Outbound Connector Validation (REQUIRED)

It's important that the connector is successfully validated.  There are some idiosyncrasies with this function in Office 365.  

  • If the connector is not validated, then it will not be used - even if you activate it.  
  • If the connector is not activated then it will not be validated.  
  • The UI for this function does not warn you about either of these but they can trip you up if you are not aware.

It is necessary to add a temporary email address into the Mailsphere account. This follows the format below:

O365ConnectorValidation@DEFAULTDOMAIN.COM

Ensure that you replace DEFAULTDOMAIN.COM with the default domain in your Office 365 account configuration.

Follow this link to add the temporary email address: https://portal.mailsphere.co.uk/users

Once you have added the temporary email address, add an external email address in the Office 365 UI to validate against. With an active connector, the validation test will succeed.

Journal NDR Recipient

Microsoft requires a recipient for Journal Non Delivery Reports to be configured.  This cannot be a normal email account in the organisation as it disables journaling from taking place for that account.  So that Mailsphere customers are not affected by the cost of an additional Office 365 license we have provided a dedicated account for this setup:

undeliverable@mailsphere.co.uk

This will need to be added as an external contact and then it can be set up as the recipient of Journal NDRs.

Go to:

  1. Recipients
  2. Contacts

Click the + to add a new external contact. Complete the required fields and save.  You can now return to the Journal editor to complete the Journal NDR setup.

Journal Internal Email

To access the relevant administration screen select:

  1. Compliance Management
  2. Journal Rules

Before you create the rule you will need to add a Journal NDR Recipient using the link highlighted by (3).

Journal Rule

Add a new journal rule using the + sign.

Send journal reports to:

journal@mailsphere.mx

Set the rule name to:

Mailsphere Internal

  1. Select "Apply to all messages" from the first drop down list.
  2. Select "Internal messages only" from the second drop down list.

You may now save the new journal rule and all internal email will be archived in Mailsphere.

You may be warned that no NDR recipient is set up. If you wish to set up an NDR recipient, please follow the Microsoft guidelines.
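
The settings above can be read back from Exchange Online PowerShell to confirm what was actually saved, in particular the TLS requirements, the IP restriction and the validation state of the outbound connector. This is an added example, not part of the original Mailsphere article; it assumes the ExchangeOnlineManagement module with a session already opened by Connect-ExchangeOnline, `CertificateValidation` is the PowerShell name of the "Trusted certification authority (CA)" option, and `Test-SameSet`, `$smartHosts` and `$findings` are names made up for the example.

```powershell
# Added example: read-back audit of the settings this article configures.
# Assumes an open session (Connect-ExchangeOnline, ExchangeOnlineManagement module).
$ips        = '54.229.40.39', '54.229.54.94'            # Mailsphere IPs from the article
$smartHosts = 'eu1.mailsphere.mx', 'eu2.mailsphere.mx'  # smart hosts from the article
$findings   = [System.Collections.Generic.List[string]]::new()

function Test-SameSet($Actual, $Expected) {
    # Hypothetical helper: order- and case-insensitive comparison of two lists.
    $a = (@($Actual)   | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique) -join ','
    $e = (@($Expected) | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique) -join ','
    $a -eq $e
}

$in = Get-InboundConnector -Identity 'Mailsphere Inbound' -ErrorAction SilentlyContinue
if (-not $in) { $findings.Add('Inbound connector not found') }
else {
    if (-not $in.Enabled)    { $findings.Add('Inbound connector is turned off') }
    if (-not $in.RequireTls) { $findings.Add('Inbound connector accepts mail sent without TLS') }
    if (-not (Test-SameSet $in.SenderIPAddresses $ips)) {
        $findings.Add("Inbound sender IPs are: $($in.SenderIPAddresses -join ', ')")
    }
}

$allow = @((Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList | ForEach-Object { "$_" })
$ips | Where-Object { $_ -notin $allow } |
    ForEach-Object { $findings.Add("Connection filter allow list is missing $_") }

$out = Get-OutboundConnector -Identity 'Mailsphere Outbound' -ErrorAction SilentlyContinue
if (-not $out) { $findings.Add('Outbound connector not found') }
else {
    if (-not $out.Enabled)     { $findings.Add('Outbound connector is turned off') }
    if (-not $out.IsValidated) { $findings.Add('Outbound connector has not been validated') }
    if ($out.UseMXRecord -or -not (Test-SameSet $out.SmartHosts $smartHosts)) {
        $findings.Add('Outbound delivery is not via the Mailsphere smart hosts')
    }
    if ("$($out.TlsSettings)" -ne 'CertificateValidation') {
        $findings.Add("Outbound TLS setting is '$($out.TlsSettings)', expected CertificateValidation")
    }
}

$rule = Get-JournalRule -Identity 'Mailsphere Internal' -ErrorAction SilentlyContinue
if (-not $rule -or -not $rule.Enabled -or "$($rule.Scope)" -ne 'Internal' -or
    "$($rule.JournalEmailAddress)" -ne 'journal@mailsphere.mx') {
    $findings.Add('Journal rule "Mailsphere Internal" is missing, disabled or mis-scoped')
}
if ("$((Get-TransportConfig).JournalingReportNdrTo)" -ne 'undeliverable@mailsphere.co.uk') {
    $findings.Add('Journal NDR recipient is not undeliverable@mailsphere.co.uk')
}

if ($findings.Count) { $findings } else { 'All Mailsphere mail-flow settings match the article.' }
```

The two journal findings can be ignored if you chose not to archive internal communications.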