How to Secure Your Exchange Online Mail Flow with Inbound Connector Restrictions

How-to Configure Exchange Online connectors

If you use Exchange Online as your email service, you may want to protect your mail flow from unauthorised or malicious senders. One way to do that is to use inbound connector restrictions, which allow you to specify which IP addresses or domains are allowed or blocked from sending emails to your organisation.

In this blog post, I will explain what inbound connector restrictions are, how they work, and how to configure them in Exchange Online.

What are inbound connector restrictions?

Inbound connector restrictions are a feature of Exchange Online that let you control who can send emails through or into your organisation when using Exchange Online as an SMTP relay. You can use them to:

  • Allow only specific IP addresses or domains to send emails to your organisation. This is also known as a whitelist or an allow list.
  • Block specific IP addresses or domains from sending emails to your organisation. This is also known as a blacklist or a block list.
  • Reject emails that do not match the criteria of your inbound connectors. This is also known as a default deny policy.

How do inbound connector restrictions work?

Inbound connector restrictions work by applying rules to the inbound connectors that you create in Exchange Online. An inbound connector is a configuration object that defines how Exchange Online receives emails from external sources, such as other email servers or cloud services.

You can create different types of inbound connectors depending on the source of the emails, such as:

  • Partner: For emails from trusted partners or third-party services that require authentication or encryption.
  • On-premises: For emails from your on-premises Exchange servers or hybrid deployments.
  • Internet: For emails from any other external sources that do not require authentication or encryption.

You can then apply inbound connector restrictions to each inbound connector by specifying the IP addresses or domains that are allowed or blocked from sending emails to your organisation.

For example, you can create an inbound connector of type Partner for a third-party service that sends newsletters to your users, and then apply an inbound connector restriction that allows only the IP address of the service to send emails to your organisation.

You can also create an inbound connector of type Internet for all other external sources, and then apply an inbound connector restriction that blocks any IP address or domain that is not on your allow list.

How to configure inbound connector restrictions in Exchange Online?

To configure inbound connector restrictions in Exchange Online, you need to use the Exchange admin center (EAC) or PowerShell.

Using the EAC, you can follow these steps:

  1. Sign in to the EAC with an account that has the Exchange administrator role.
  2. Go to Mail flow > Connectors.
  3. Click New (+) to create a new inbound connector, or select an existing one and click Edit (✎).
  4. In the New connector or Edit connector wizard, specify the following information:
  • Name: Give a descriptive name for your inbound connector.
  • Description: Optionally, provide a brief description of your inbound connector.
  • From: Select the source of the emails, such as Partner, On-premises, or Internet.
  • To: Select Office 365.
  • How do you want to identify the partner organisation?: Select how you want to identify the sender of the emails, such as by IP address, domain name, certificate subject name, or TLS domain name.
  • Restrict domains by IP addresses: Optionally, select this option if you want to restrict the domains that can send emails to your organisation by their IP addresses. This means that only the domains that have a matching IP address in your inbound connector will be allowed to send emails to your organisation. Strongly recommended, as you don’t want an open relay on the internet that can be used for spamming purposes.
  • Reject email messages if they aren’t sent over TLS: Optionally, select this option if you want to reject any emails that are not sent over TLS encryption.
  • Reject email messages if they aren’t from within this IP address range: Optionally, select this option if you want to reject any emails that are not from within a specific IP address range. You can enter one or more IP addresses or ranges separated by commas.
  • Reject email messages if they aren’t from these domains: Optionally, select this option if you want to reject any emails that are not from specific domains. You can enter one or more domains separated by commas.
  5. Click Next and review your settings.
  6. Click Save to create or update your inbound connector.

Using PowerShell, you can use the New-InboundConnector and Set-InboundConnector cmdlets to create and update your inbound connectors with inbound connector restrictions.

For example, you can run the following command to create an inbound connector of type Partner for a third-party service that sends newsletters to your users, and then apply an inbound connector restriction that allows only the IP address of the service to send emails to your organisation:

New-InboundConnector -Name "Newsletter Service" -ConnectorType Partner -SenderDomains "newsletters.example.com" -SenderIPAddresses 203.0.113.5 -RestrictDomainsToIPAddresses $true

You can run the following command to create an inbound connector of type Internet for all other external sources, and then apply an inbound connector restriction that blocks any IP address or domain that is not on your allow list:

New-InboundConnector -Name "Default Internet" -ConnectorType OnPremises -SenderDomains * -RequireTls $true

You can run the following command to add an IP address or a domain to your allow list:

Set-InboundConnector "Default Internet" -SenderIPAddresses @{Add="198.51.100.10"} -SenderDomains @{Add="example.com"}

You can run the following command to remove an IP address or a domain from your allow list:

Set-InboundConnector "Default Internet" -SenderIPAddresses @{Remove="198.51.100.10"} -SenderDomains @{Remove="example.com"}

You can run the following command to view the settings of your inbound connectors:

Get-InboundConnector | Format-Table Name, ConnectorType, SenderIPAddresses, SenderDomains
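Once the connectors exist, it is worth checking them periodically for settings that undo the restrictions described above. The following script is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and you can run Connect-ExchangeOnline, and the finding labels and the Test-InboundConnectorRestrictions function are this example's own.

```powershell
# Added example: audit every inbound connector for weak restriction settings.
# Assumes the ExchangeOnlineManagement module and an account that can connect.
Connect-ExchangeOnline -ShowBanner:$false

function Test-InboundConnectorRestrictions {
    param([Parameter(Mandatory)] $Connector)

    $findings = @()

    # Exchange Online stores sender domains as "smtp:<domain>;<priority>",
    # so match either a bare "*" or the stored "smtp:*;1" form.
    $acceptsAnyDomain = [bool]($Connector.SenderDomains |
        Where-Object { "$_" -match '^(smtp:)?\*(;\d+)?$' })
    $hasSenderIPs = $Connector.SenderIPAddresses.Count -gt 0

    # An allow-all domain entry with no IP pinning is an open entry point.
    if ($acceptsAnyDomain -and -not $hasSenderIPs) {
        $findings += 'Accepts any sender domain and is not pinned to sender IPs'
    }

    # Sender IPs alone do not reject a spoofed domain sent from elsewhere;
    # RestrictDomainsToIPAddresses must also be set for the pinning to apply.
    if ($Connector.ConnectorType -eq 'Partner' -and $hasSenderIPs -and
        -not $Connector.RestrictDomainsToIPAddresses) {
        $findings += 'SenderIPAddresses set but RestrictDomainsToIPAddresses is $false'
    }

    if (-not $Connector.RequireTls) {
        $findings += 'TLS is not required'
    }

    [pscustomobject]@{
        Name          = $Connector.Name
        ConnectorType = $Connector.ConnectorType
        Enabled       = $Connector.Enabled
        Findings      = ($findings -join '; ')
    }
}

# Report only the connectors that have at least one finding.
Get-InboundConnector |
    ForEach-Object { Test-InboundConnectorRestrictions -Connector $_ } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Fix a reported connector with Set-InboundConnector, for example by adding -RestrictDomainsToIPAddresses $true or -RequireTls $true as shown earlier.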

Why use inbound connector restrictions?

Inbound connector restrictions can help you improve the security and reliability of your mail flow in Exchange Online. By using inbound connector restrictions, you can:

  • Prevent spam, phishing, and spoofing emails from reaching your users.
  • Ensure that only authorised and trusted senders can send emails to your organisation.
  • Reduce the risk of data leakage or compromise by enforcing encryption and authentication.
  • Simplify the management and troubleshooting of your mail flow by having clear and consistent rules.

Inbound connector restrictions are one of the many features that Exchange Online offers to help you protect your email environment.

I hope this blog post has helped you understand how to use inbound connector restrictions in Exchange Online. If you have any questions or feedback, please leave a comment below. Thank you for reading!
