Inbound Configuration
- Log into the Microsoft 365 Portal with an admin account.
- On the left menu select Show all option.
- Navigate then to Settings > Domains.
- Select your domain from the domain list and click on it.
- Move to DNS records and spot your MX record.
- You MX record should be something like yourdomain-com.mail.protection.outlook.com, your destination mail server.
- Log into the Libraesva ESG web interface and go to the System > Mail Transport > Relay Configuration > Domain Relay menù.
- Add (or Edit if already present) the your-domain.tld and set the Mail Server field
The Mail Server address indicates where the Libraesva ESG should direct inbound mail from the Internet (to your Microsoft 365 Exchange server).
Domain Antispoofing
Leave Domain Antispoofing setting Standard (SPF) unless you are sure that no one else is sending email with your domain as envelope sender.
Disable Microsoft 365 Spam Checks
Disabling 365 spam checks is not mandatory. We advice to disable spam checks on email delivered by Libraesva ESG in order to avoid false positives.
- In the Microsoft 365 Portal, to disable internal spam checks for the email analyzed by Libraesva ESG, create a Transport Rule:
1) Click on Admin Centers and select Exchange from the drop-down in the left panel.
2) On the left side then click Mail Flow link.
3) Under Rules, click the [+] button and select Create New Rule.
4) Give it a Name
5) Look down at the bottom and click More options…
6) Under the Apply this rule if… drop-down, select The sender… -> IP address is in any of these ranges or exactly matches.
7) In the pop-up titled IP address ranges, input the Libraesva ESG IP address
8) Click [+] and then click OK.
9) Under the *Do the following… section, select Modify the message properties… -> Set the spam confidence level (SCL), and under Specify SCL, select Bypass spam filtering via the drop-down.
10) Click OK, and then click Save to save the new transport rule. - Do the same under the Connection Filtering section (https://security.microsoft.com/antispam).
Configure an Inbound Connector
The inbound connector can be done in two ways: allowing inbound only from ESG (the right choice for production system) or allowing inbound also from other sources (suggested only when testing).
You only need one of the following connectors.
OPTION 1: LOCKDOWN THE INBOUND MAIL FLOW TO LIBRAESVA ESG
In the Exchange Admin Center, to configure O365 to accept email only from Libraesva ESG, reject email sent directly to Microsoft 365 and avoid Rate Limiting, create an Inbound Connector:
- On the left side client Mail Flow and select Connectors on the top right
- Under Connectors, click the [+] button.
- From: Partner Organization – To: Office 365
- Click Next.
- Give it a name and click Next
- Select Use the sender’s domain
- Specify one Sender domain with * (asterisk)
- Click Next
- Select the option Reject email messages if they aren’t sent from within this IP address range
- Enter the IP Address(es) of your Libraesva ESG appliance(s)
WARNING: Steps 9 and 10 should be done after you changed the MX records. You can skip these two steps on the first setup and the come back when you received the first few messages through Libraesva ESG.
- Click Next
- Review and Create connector
Outbound Configuration
NOTE: each time you add a new rule or connector, Microsoft will take till an hour to propagate over all nodes new settings.
SPF Record
Before going through the configuration steps below please Update the SPF Record for your domain(s)!
Your organization should already have a SPF record for the domain(s) registered with Microsoft 365. When implementing Libraesva ESG with Microsoft 365, this record must be updated in the DNS zone for the relevant domain to include the following:
Add: include:spf.esvacloud.com (if Libraesva ESG is deployed in our cloud)
Add: include:<customer-spf-record> or a:<ESG-HOSTNAME> or ip4:<ESG-IP-Address> (if Libraesva ESG is deployed in customer’s datacenter)
in both cases include:spf.protection.outlook.com must be present
Example:
v=spf1 mx include:spf.protecion.outlook.com include:spf.esvacloud.com -all
