
Spark the future.

May 4 – 8, 2015, Chicago, IL

Using Connectors & Mail Routing in O365
Khushru Irani
Program Manager, Transport Team, O365

BRK3159

Session Objectives And Takeaways

How mailflow works in Office 365
So why do I need connectors?
Dispel myths about connectors
New Connector UI demo

Customer Type and Mailflow

Exchange Online (EXO)
Hosted – all mailboxes are in Office 365
Hybrid – some mailboxes are in Office 365, some are on-premises

Exchange Online Protection (EOP)
All mailboxes are hosted on-premises; EOP is used for protection only

Customer type determines configuration and how mail flows through Office 365

Mail flow participants


Office 365: Your cloud email subscription (EXO and EOP), hosts your cloud mailboxes. It also acts as a hub for all mailflow of Office 365 customers

Your organization email server (a.k.a. on-premises server): This is an email server that you manage. It could be MS Exchange, or any other email server such as Lotus Notes. Cloud-only organizations won't have one.

Partner Organization: A partner can be an organization you do business with, such as a bank.

Email Service Provider: A cloud email service provider that provides services such as archiving, anti-spam, etc.

Internet: Email sent from the Internet that doesn't originate from your organization email servers or from the rest of the participants.

Scenario: Fully Hosted

Contoso.com

Add domain contoso.com in O365 and verify you own the domain by adding a TXT record (at DNS provider)

Contoso.com is registered as an accepted domain

Add users

MX Record

Change the MX record for contoso.com to point to O365 (at DNS provider):

contoso.com MX preference = 10, mail exchanger = contoso-com.mail.protection.outlook.com

contoso-com.mail.protection.outlook.com internet address = 207.46.163.170
contoso-com.mail.protection.outlook.com internet address = 207.46.163.215
contoso-com.mail.protection.outlook.com internet address = 207.46.163.247

(Region based IPs)

Do we need a connector for this scenario?

NO

SPF Record

Register an SPF record (TXT) for contoso.com (at DNS provider):

"v=spf1 include:spf.protection.outlook.com -all"

SPF effectively tells the world that contoso.com can send mail using O365 IPs, thereby reducing the chances of your mail being considered as spam

Contoso.com is registered as an accepted domain
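An added check (not from the session) that verifies the two DNS steps of the fully hosted scenario from outside: the MX must point at the O365 host and the SPF TXT record must include spf.protection.outlook.com and end in -all. It uses the Windows DnsClient cmdlet Resolve-DnsName; contoso.com is a placeholder for your own domain.

```powershell
# Added example, not part of the session deck. Requires the DnsClient module (Windows).
function Test-O365MailDns {
    param([Parameter(Mandatory)][string]$Domain)

    $report = [ordered]@{ Domain = $Domain }

    # MX answer section only: Resolve-DnsName also returns the A records of the
    # mail exchangers (the region based IPs) in the additional section, so filter on type.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
            Where-Object { $_.Type -eq 'MX' })
    $report.MxHosts = $mx.NameExchange
    # Every exchanger must be the O365 host (e.g. contoso-com.mail.protection.outlook.com);
    # a leftover on-premises or third-party MX means some mail bypasses O365.
    $report.MxPointsToO365 = ($mx.Count -gt 0) -and
        (@($mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' }).Count -eq 0)

    # SPF: exactly one v=spf1 TXT record (two or more is a permanent error for receivers),
    # including O365's senders and hard-failing everything else with -all.
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
             Where-Object { $_.Type -eq 'TXT' })
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } |
                    Where-Object { $_ -match '^v=spf1(\s|$)' })
    $report.SpfRecords      = $spf
    $report.SpfIsSingle     = ($spf.Count -eq 1)
    $report.SpfIncludesO365 = ($spf.Count -eq 1) -and
        ($spf[0] -match '\sinclude:spf\.protection\.outlook\.com(\s|$)')
    $report.SpfHardFail     = ($spf.Count -eq 1) -and ($spf[0] -match '\s-all$')

    [pscustomobject]$report
}

# Placeholder domain; replace with the accepted domain you registered in O365.
Test-O365MailDns -Domain 'contoso.com' | Format-List
```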

Fully Hosted + Scanner/Printer

Contoso.com

Can it talk SMTP using TLS 1.0 & higher? Yes
Can your scanner authenticate using a username+password? Yes

Do we need a connector for this scenario?

NO

smtp.office365.com (Username + Password)

Use SMTP Client submission to authenticate to O365 and send mail [connect to smtp.office365.com]

If you have multiple devices you can share the username/password

You can even send mail outside O365

Can it talk SMTP using TLS 1.0 & higher? Not sure
Can your scanner authenticate using a username+password? No

Do we need a connector for this scenario?

NO

You will have to use “direct send”, especially if you don’t have a dedicated IP to send from (mail highly prone to be marked as spam)

Contoso.com is registered as an accepted domain

Fully Hosted + Email marketing

Contoso.com

EmailMarketing.com (sends the marketing mail; replies go to the Reply to address)

Do we need a connector for this scenario?

NO

This mail should NOT pass through O365 at all

Contoso.com is registered as an accepted domain

Fully Hosted + Hosted Website/App

Contoso.com

www.contoso.com

Do we need a connector for this scenario?

NO

Authenticate using EWS

Create a user account in O365 (it could be shared)
Use the EWS API to authenticate & log in
Send mail from that user account (subject to sender & recipient limits)

Contoso.com is registered as an accepted domain

Scenario: Hybrid (customers that have their own organization email servers)

Hybrid – Before the move to O365

Contoso.com

MX Record

contoso.com      MX preference = 20, mail exchanger = mail.contoso.com
contoso.com      MX preference = 10, mail exchanger = mailbackup.contoso.com
mail.contoso.com          internet address = 78.35.15.8
mailbackup.contoso.com    internet address = 78.35.15.9

Hybrid

Contoso.com

Contoso.com is registered as an accepted domain

MX Record

contoso.com MX preference = 10, mail exchanger = contoso-com.mail.protection.outlook.com

contoso-com.mail.protection.outlook.com internet address = 207.46.163.170
contoso-com.mail.protection.outlook.com internet address = 207.46.163.215
contoso-com.mail.protection.outlook.com internet address = 207.46.163.247

Move MX to point to O365 (preferred method, since it avoids many issues with SPF, DKIM, DMARC, etc.)

Add domain contoso.com in O365 and verify you own the domain by adding a TXT record (at DNS provider)

Add users you want to host in O365

Hybrid – Primary reason for having connectors

Contoso.com

You want one happy family organization: Cloud + On-premises appear as one organization (Exchange headers are retained between the two)

MX Record

Contoso.com is registered as an accepted domain

Hybrid – Connector From O365 To Your Org

Contoso.com

MX Record

Contoso.com is registered as an accepted domain

Connector (Direction of mail flow)
From: O365
To: Your organization servers
(PSH: Outbound On-premise Connector)
For all Accepted domains
Point to your organization’s smarthost

Receive Connector (Firewall to accept mails from mail.protection.microsoft.com IPs)

Hybrid – Mail queued to your org smart host
You will see a Message Center post + an email notification to your admin

Connector: From O365 To Your Organization Servers
Demo

Hybrid – Authoritative Domain

Contoso.com

MX Record

Contoso.com is registered as an accepted domain of type = Authoritative

Contoso.com domain is of type = Authoritative [This gives you Directory Based Edge Blocking*]

Users+Groups in your organization need to be synced to O365

For every user with a mailbox in your on-premises org, have a mail user with an External Email Address*

* As long as you don’t have Public Folders or Dynamic Distribution Groups

Hybrid – Internal Relay Domain

Contoso.com

MX Record

Contoso.com is registered as an accepted domain of type = Internal Relay

If you don’t want to sync users+groups in your organization to O365, then mark your domain as Internal Relay

You will not get DBEB (Directory Based Edge Blocking)

Hybrid – Connector From Your Org To O365

Contoso.com

Contoso.com is registered as an accepted domain

Send Connector (All mail goes via smarthost contoso-com.mail.protection.outlook.com)

Connector (Direction of mail flow)
From: Your organization servers
To: O365
(PSH: Inbound On-premise Connector)
Prove identity using certificate or IP
[Sender domain must match Accepted domain]

SPF Record

"v=spf1 include:spf.protection.outlook.com -all"

Connector: From Your Organization Servers To O365
Demo

Hybrid – In Summary

Contoso.com

SPF Record

MX Record

Contoso.com is registered as an accepted domain

You create 2 connectors because – You want one happy family organization: Cloud + On-premises appear as one organization (Exchange headers are retained between the two)

Keep in mind – You MUST have dedicated IPs (those IPs MUST belong to your organization)

A more secure way of proving mail comes from on-premises is TLS using a certificate (issued by a well-known CA) vs. IPs

Sender domain MUST match accepted domain

Between O365 and your on-premises there MUST be no other service provider
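The two hybrid connectors from this summary, written out in Exchange Online PowerShell as an added example (not the session's own demo): identity is proven by certificate rather than by IP, and the outbound side is scoped to your accepted domains. The connector names, smart host and certificate subject are placeholders for contoso.com.

```powershell
# Added example, not part of the session deck. Run in an Exchange Online PowerShell session.
$OrgSmartHost   = 'mail.contoso.com'   # placeholder: your organization's smart host (dedicated IPs you own)
$OrgCertSubject = 'mail.contoso.com'   # placeholder: subject of its TLS certificate from a well-known CA

# From O365 To Your Organization Servers (PSH: Outbound On-premise Connector):
# applies to all accepted domains, delivers to your smart host over TLS and
# validates the certificate it presents; no other service provider sits in between.
New-OutboundConnector -Name 'Outbound to contoso.com on-premises' `
    -ConnectorType OnPremises `
    -AllAcceptedDomains $true `
    -SmartHosts $OrgSmartHost `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation `
    -CloudServicesMailEnabled $true

# From Your Organization Servers To O365 (PSH: Inbound On-premise Connector):
# the on-premises side proves who it is with the certificate named here, so the
# connector is not tied to a sender IP list. O365 still requires the sender
# domain of mail arriving over it to be one of your accepted domains.
New-InboundConnector -Name 'Inbound from contoso.com on-premises' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName $OrgCertSubject `
    -CloudServicesMailEnabled $true

# Review what was created: RequireTls and the certificate name must both be set,
# otherwise anyone can claim to be your on-premises servers.
Get-InboundConnector -Identity 'Inbound from contoso.com on-premises' |
    Format-List Name, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
```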

Hybrid – Retain Exchange Internal Headers
For Mail flow between O365 and your org Exchange Servers

Exchange internal headers are used by some Exchange components (such as DL permission management, calendar). Note: Transport rules no longer require this.

All Exchange internal headers (X-MS-Exchange-Organization-xxxx) are stripped off by O365 before coming into or leaving from O365

To retain these headers between the two environments:

Mailflow: On-premises -> O365
  In On-premises (Your organization email servers):
    Ex 2013: Send connector (CloudServicesMailEnabled)
    Ex 2010: RemoteDomain (TrustedMailOutboundEnabled)
  In O365:
    UI: “Retain Exchange internal headers”
    Cmdlet: Inbound connector (CloudServicesMailEnabled)

Mailflow: O365 -> On-premises
  In On-premises (Your organization email servers):
    Ex 2013: Default Frontend ReceiveConnector:
      1. TlsCertificateName <Subjectname>
      2. TlsDomainCapabilities: mail.protection.outlook.com:AcceptCloudServicesMail
    Ex 2010: RemoteDomain (TrustedMailInboundEnabled)
  In O365:
    Outbound connector (CloudServicesMailEnabled)
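The settings from the table above as an added example (not the session's own code), for both mail flow directions and both sides. Server, connector, remote domain and thumbprint values are placeholders; the on-premises cmdlets run in the Exchange Management Shell, the last two in Exchange Online PowerShell.

```powershell
# Added example, not part of the session deck. Placeholders are marked as such.

# --- On-premises Exchange 2013, mail flow On-premises -> O365 ---
Set-SendConnector -Identity 'Outbound to Office 365' -CloudServicesMailEnabled $true   # placeholder name

# --- On-premises Exchange 2013, mail flow O365 -> On-premises ---
# TlsCertificateName takes the "<I>issuer<S>subject" form of the certificate your
# server presents to O365; the thumbprint below is a placeholder.
$cert    = Get-ExchangeCertificate -Thumbprint '<thumbprint of the mail.contoso.com certificate>'
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector -Identity 'EX2013\Default Frontend EX2013' `
    -TlsCertificateName $tlsName `
    -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail'
# Only sessions authenticated with a mail.protection.outlook.com certificate may
# hand over X-MS-Exchange-Organization-* headers; anyone else still gets them stripped.

# --- On-premises Exchange 2010: remote domain entry for your O365 tenant (placeholder name) ---
Set-RemoteDomain -Identity 'Office 365 tenant' -TrustedMailOutboundEnabled $true   # On-premises -> O365
Set-RemoteDomain -Identity 'Office 365 tenant' -TrustedMailInboundEnabled $true    # O365 -> On-premises

# --- Exchange Online, both directions (same as the "Retain Exchange internal headers" UI box) ---
Set-InboundConnector  -Identity 'Inbound from contoso.com on-premises' -CloudServicesMailEnabled $true
Set-OutboundConnector -Identity 'Outbound to contoso.com on-premises'  -CloudServicesMailEnabled $true

# Check: only your on-premises connectors should have the flag on; a partner
# connector with CloudServicesMailEnabled would let that partner inject internal headers.
Get-InboundConnector  | Format-Table Name, ConnectorType, CloudServicesMailEnabled
Get-OutboundConnector | Format-Table Name, ConnectorType, CloudServicesMailEnabled
```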

Hybrid + Scanner/Printer or In-house App

Contoso.com

SPF Record

MX Record

Contoso.com is registered as an accepted domain

You can use existing connectors to send mail from the scanner or app

Hybrid – Force TLS with certain partners

Contoso.com

SPF Record

MX Record

Contoso.com is registered as an accepted domain

Partner – bank.com

Bank.com sends mail to Contoso.com like any other org on the Internet

O365 will apply TLS for mail from bank.com to O365, if bank.com chooses to apply TLS

O365 will apply TLS for mail from O365 to bank.com, if bank.com supports TLS

Do we need a connector for this scenario?

NO, but…

...If you want to force TLS with certain partners

Connector (Direction of mail flow)
From: Your partner organization
To: O365
(PSH: Inbound partner connector)

Connector (Direction of mail flow)
From: O365
To: Your partner organization
(PSH: Outbound partner connector)

From Partner Organization to O365: Force TLS; if TLS isn’t used, then reject the incoming connection

From O365 to Partner Organization: Force TLS; if TLS isn’t supported by the partner, then do not send mail to the partner

Connector: From O365 To Partner Organization and From Partner Organization to O365
Demo

Hybrid – Instead of MX pointing on-premises

Contoso.com

MX Record

contoso.com      MX preference = 20, mail exchanger = mail.contoso.com
contoso.com      MX preference = 10, mail exchanger = mailbackup.contoso.com
mail.contoso.com          internet address = 78.35.15.8
mailbackup.contoso.com    internet address = 78.35.15.9

Hybrid – MX points to a (shared) service

Contoso.com

MX Record

contoso.com MX preference = 10, mail exchanger = cluster9.us.messagelabs.com

cluster9.us.messagelabs.com internet address = 216.82.241.83
cluster9.us.messagelabs.com internet address = 216.82.242.19
cluster9.us.messagelabs.com internet address = 216.82.249.35

Do we need a connector for this scenario?

NO, but…

...If you want to force TLS + route all outbound mail

Contoso.com is registered as an accepted domain

Connector (Direction of mail flow)
From: Your partner organization
To: O365
(PSH: Inbound partner connector)

Connector (Direction of mail flow)
From: O365
To: Your partner organization
(PSH: Outbound partner connector)
Recipient domain = *

From Partner Organization to O365: Force TLS; if TLS isn’t used, then reject the incoming connection (identify the partner via these IPs)

From O365 to Partner Organization: Force TLS; if TLS isn’t supported by the partner, then do not send mail to the partner (because recipient domain = *, we route mail outside using the connector)
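The partner connector pairs from the two force-TLS scenarios above, as an added example in Exchange Online PowerShell (not the session's demo): one pair pins a named partner (bank.com) to its IPs and certificate, and a second outbound connector with recipient domain = * routes all outbound mail through a shared service. The partner IP addresses (documentation range) and connector names are placeholders; bank.com and cluster9.us.messagelabs.com are the names used on the slides.

```powershell
# Added example, not part of the session deck. Run in an Exchange Online PowerShell session.

# From Partner Organization To O365 (PSH: Inbound partner connector): the partner is
# identified by its sending IPs, mail from bank.com arriving from anywhere else is
# rejected, and a session from those IPs that does not use TLS is rejected too.
$PartnerIPs = @('203.0.113.10', '203.0.113.11')   # placeholder addresses, not bank.com's
New-InboundConnector -Name 'Inbound from bank.com' `
    -ConnectorType Partner `
    -SenderDomains 'bank.com' `
    -SenderIPAddresses $PartnerIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# From O365 To Partner Organization (PSH: Outbound partner connector): TLS is forced
# and the partner's certificate must match its domain; if the partner does not offer
# TLS, the mail is not delivered rather than sent in clear.
New-OutboundConnector -Name 'Outbound to bank.com' `
    -ConnectorType Partner `
    -RecipientDomains 'bank.com' `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain 'bank.com'

# Shared-service variant: recipient domain = * sends ALL outbound mail to the service's
# smart host over validated TLS. The on-premises connector scoped to your accepted
# domains still wins for contoso.com recipients, because the closer match wins.
New-OutboundConnector -Name 'Outbound via shared service' `
    -ConnectorType Partner `
    -RecipientDomains '*' `
    -SmartHosts 'cluster9.us.messagelabs.com' `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation

# Review: every partner connector should show TLS enforced, none should be left at EncryptionOnly-less defaults
Get-InboundConnector  | Where-Object ConnectorType -eq 'Partner' |
    Format-Table Name, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
Get-OutboundConnector | Where-Object ConnectorType -eq 'Partner' |
    Format-Table Name, RecipientDomains, SmartHosts, UseMXRecord, TlsSettings, TlsDomain
```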

Hybrid – Which Connector does O365 pick?

Contoso.com

Contoso.com is registered as an accepted domain

MX Record

Which Connector does O365 pick?

From O365 to partner organization: Recipient domain = *, send mail to partner IPs

From O365 to your organization: Recipient domain = Accepted domains, send mail to Org IPs

Closer match on recipient domain wins

Summary

Who Needs to Create Connectors in O365

You have a standalone Exchange Online Protection (EOP) subscription (required)

You are a hybrid organization with an Exchange Online subscription (required)

You have an Exchange Online subscription and your organization needs to send email messages from non-mailboxes, such as printers/scanners (optional)

You often exchange email with business partners, and you want to apply certain security restrictions (optional)

Questions


© 2015 Microsoft Corporation. All rights reserved.