How to Configure Esva for Office365

This article addresses configuring Office 365 with Libra Esva as your inbound and/or outbound mail gateway.

You can specify the appliance as an inbound mail gateway through which all incoming mail for your domain passes before reaching your Office 365 account. Esva filters out spam and viruses, and then passes the mail on to the Office 365 mail servers. Use the Inbound Configuration instructions below to configure this.

You can likewise specify Esva as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, Libra Esva processes the mail by filtering out spam and viruses and applying any outbound policies (blocking, encrypting, etc.) before final delivery. By using the configuration described in Outbound Configuration below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the appliance.

INBOUND CONFIGURATION

Log into the Office 365 Portal.
From the Admin Center navigate to Setup -> Domains in the left panel.
Select your domain from the domain list and click on it.
Read the value next to the MX Type row:
As shown in the figure above, the Points To Address, yourdomain.com.mail.protection.outlook.com, is the Office 365 destination mail server.

Log into the Libra Esva web interface and go to the System -> Mail Transport -> Relay Configuration -> Domain Relay menu.
Add (or Edit, if already present) your domain and set the Mail Server field to the value found in the previous step.
The Mail Server address indicates where Libra Esva should direct inbound mail from the Internet (to your Office 365 Exchange server).

Recipient Verification

One issue with Office365 is that Microsoft doesn't provide access to an Active Directory system and does not enable recipient verification by default. So you must either set up a Valid Recipients list in Libra Esva or integrate Libra Esva with a separate AD/LDAP directory to allow recipient verification.

Alternatively, in Office365 you can enable the Directory Based Edge Blocking (DBEB) feature, which is similar to the Valid Recipient list in Libra Esva, and switch to Dynamic Verification in Esva. Instructions can be found here: https://technet.microsoft.com/en-us/library/dn600322%28v=exchg.150%29.aspx

However, if you have your own external AD/LDAP you can integrate this with Libra Esva to do recipient verification, streaming and authentication of user credentials.

Another solution is to set your domain on Office 365 as Authoritative and always set Libra Esva recipient verification to Dynamic.
In addition, Office 365 does provide a public POP3 service which you may be able to use for authentication of users accessing the Libra Esva webui. To use these services, please contact Microsoft for details.

Domain Antispoofing

Leave the Domain Antispoofing setting disabled unless you are sure that no one else is sending email with your domain as envelope sender.

RECOMMENDED OPTIONAL STEPS

A] Disable Office 365 Spam Checks

In the Office 365 Portal, to disable internal spam checks for the email analyzed by Libra Esva, create a Transport Rule:

1) Click on Admin Centers and select Exchange from the drop-down in the left panel.
2) On the left side, click the Mail Flow link.
3) Under Rules, click the [+] button and select Create New Rule.
4) Give it a Name.
5) Look down at the bottom and click More options.
6) Under the Apply this rule if drop-down, select The sender -> IP address is in any of these ranges or exactly matches.
7) In the pop-up titled IP address ranges, input the Libra Esva IP address.
8) Click [+] and then click OK.
9) Under the Do the following section, select Modify the message properties -> Set the spam confidence level (SCL), and under Specify SCL, select Bypass spam filtering via the drop-down.
10) Click OK, and then click Save to save the new transport rule.

Do the same under the Connection Filtering section.

1) On the left side, click Mail Flow and select Protection on the top right.
2) Click on Connection Filter.
3) Click the Edit icon.
4) Click on Connection Filtering.
5) Click on the plus icon (+) within the IP Allow list section.
6) Enter the Libra Esva IP Address.

B] Lock Down Office 365 to accept email only from Libra ESVA

Add a mail flow rule to allow email to be sent from Libra ESVA:

1) Click on Admin Centers and select Exchange from the drop-down in the left panel.
2) On the left side, click the Mail Flow link.
3) Click [+] to access the pull-down menu.
4) Select Restrict messages by sender or recipient.
5) Give it a Name (for example, Only accept mail from Libraesva).
6) For Apply this rule if, select The Sender is located and Outside the organization.
7) For Do the following, select Delete the message without notifying anyone.
8) Uncheck Audit this rule with severity level.
9) For Choose a mode for this rule, select Enforce.
10) Click More options.
11) Click add exception.
12) Select The sender -> IP address is in any of these ranges or exactly matches.
13) Add the Libra ESVA IP address to the IP address list.
14) Click OK.
15) Click Save.
16) Uncheck the checkbox to disable the rule. You will re-enable the rule once you are ready to reject mails not originating from your Libra ESVA!
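The two transport rules and the connection filter entry from sections A] and B], written as an Exchange Online PowerShell script. This is an added example, not part of the original article or of Libraesva's own material. It assumes the ExchangeOnlineManagement module and an administrator session; 192.0.2.10 is a placeholder for the Libra Esva IP address, and the name of the first rule is made up for illustration.

```powershell
# Added example: scripted equivalent of sections A] and B] above.
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# Placeholder from the documentation range: replace with your Libra Esva public IP address.
$EsvaIp = '192.0.2.10'

# A] Transport rule: mail arriving from the appliance bypasses spam filtering (SCL -1).
$bypassSpam = @{
    Name           = 'Bypass spam filtering for Libra Esva'   # illustrative name
    SenderIpRanges = $EsvaIp
    SetSCL         = -1
}
New-TransportRule @bypassSpam

# A] Connection filtering: add the appliance to the IP Allow list of the default policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $EsvaIp }

# B] Lock-down rule: delete mail from outside the organization unless it was
#    delivered by the appliance. Created disabled, as in step 16.
$lockDown = @{
    Name                   = 'Only accept mail from Libraesva'
    FromScope              = 'NotInOrganization'
    ExceptIfSenderIpRanges = $EsvaIp
    DeleteMessage          = $true
    SetAuditSeverity       = 'DoNotAudit'
    Mode                   = 'Enforce'
    Enabled                = $false
}
New-TransportRule @lockDown

# Review what was created before enabling anything.
Get-TransportRule |
    Format-List Name, State, Mode, SenderIpRanges, ExceptIfSenderIpRanges

# Once the MX record points at Libra Esva and mail is flowing through it:
# Enable-TransportRule -Identity 'Only accept mail from Libraesva'
```

Until the lock-down rule is enabled, a sender that delivers directly to the yourdomain.com.mail.protection.outlook.com host is still accepted by Office 365 without passing through Libra Esva.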
C] Office 365 Rate Limiting

Only if you are experiencing Rate Limiting Problems: create a Receive Connector.

WARNING: If you are an ISP/MSP managing multiple different domains on Office 365 do not create this connector or you may experience Mail Loop problems with Office 365!

1) On the left side, click Mail Flow and select Connectors on the top right.
2) Under Connectors, click the [+] button.
3) From: Your Organization's email server To: Office 365
4) Click Next.
5) Give it a name and click Next.
6) Under How to identify email sent from your email server, select the second option and enter your Libra Esva public IP address:
7) Click Next and then Save.

NOTE: This is the official Microsoft documentation about adding a new receive connector in Office 365.
OUTBOUND CONFIGURATION

WARNING: We do NOT recommend routing mails from Office 365 to Libra Esva as Microsoft Exchange Online DOES NOT support smarthost authentication yet! Our suggestion is to let Office365 deliver mails directly!

Before going through the configuration steps below, please update the SPF record for your domain(s)! Your organization should already have an SPF record for the domain(s) registered with Office 365. When implementing Libra Esva with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:

Remove:
v=spf1 include:spf.protection.outlook.com all

Replace with or add:
v=spf1 a: a.b.c.d ~all

Where a.b.c.d is the IP Address of your Libra Esva Appliance!

To configure the outbound mail flow from Office 365 to Libra Esva proceed as follows:

Log into the Office 365 Portal.
Click on Admin and select Exchange from the drop-down in the left panel.
Select mail flow from the left link navigation bar.
Select the connectors link at the top.
Create a new connector.
In the From section select Office 365, and in the To section select Partner Organization. Click Next.
Give the new connector a Name (for example: Office 365 to LibraEsva) and an optional Description, and use the Turn it on checkbox to decide whether the connector should be enabled once it has been saved. Click Next.
Leave the default Only when email messages are sent to these domains selected and click the plus icon to add the recipient domains that should use this connector. To route all outbound emails to Libra Esva enter * here and click OK, followed by Next.
Select the Route email through these smart hosts option, and click the plus icon to add the IP address or FQDN of your Libra Esva Appliance. Click Save, followed by Next.
Leave the defaults Always use Transport Layer Security (TLS) to secure the connection (recommended) and Any digital certificate, including self-signed certificates (unless you own a trusted one) set and click Next.
Verify your settings and click Next.
Now go to your Libra Esva Appliance, open the menu System -> Mail Transport -> Relay Configuration -> Trusted Networks and select the option Trust Microsoft Office 365 at the bottom of the page: