MS 365 Hybrid Deployment – On Premise Antispam Integration

Tags: email-server, exchange, microsoft-office-365, nat

I'm configuring an MS 365 Hybrid deployment; the MX record will be kept pointing to the on-premises Exchange server.

I have an on-premises antispam (LibraEsva) that I don't want to remove.

This is the current configuration (diagram not reproduced here):

Following MS guidelines, the connection between Exchange on-premises and the cloud has to be direct, without any filter.

As you can see, there is an SMTP 25 connection from the public internet to the MX interface, filtered by the antispam.
Moreover, there is another SMTP 25 connection between Exchange on-premises and the cloud for internal routing between local and cloud mailboxes.

I made 2 NAT rules:

  • From Any with port SMTP-25 forwarded to Antispam
  • From MS365 IPs with port SMTP-25 forwarded to Exchange

This works: public emails are filtered, and emails between the Exchange servers are not filtered…

BUT

The NAT rule made for the MS365 hostnames is getting all public emails from MS 365, NOT ONLY the internal ones: if any user of 365 sends an email to me, it is not filtered anymore.

How can I solve this brain teaser? I think there should be a solution.

Best Answer

You need two different public IP addresses.

One will forward TCP port 25 to your antispam system and will be used as your public MX record.

The second one will forward TCP port 25 to your Exchange server and will only be used by your Exchange Online hybrid connectors; you can restrict inbound traffic to this IP address to Exchange Online IP address ranges.
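As an added illustration (not part of the question or the answer above), the following Python snippet models both NAT policies as decision functions: the questioner's single-public-IP setup, where the source-based rule steals every message originating from Exchange Online, and the answer's two-public-IP design, where the destination address decides the path and the hybrid address additionally requires an Exchange Online source. All addresses are constructed placeholders from documentation ranges; the Exchange Online range in particular is a stand-in, not Microsoft's published list.

```python
import ipaddress
from typing import Optional, Union

IPLike = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed placeholder addresses (RFC 5737 documentation ranges), not real site or Microsoft IPs.
MX_PUBLIC_IP = ipaddress.ip_address("192.0.2.10")       # public IP behind the MX record
HYBRID_PUBLIC_IP = ipaddress.ip_address("192.0.2.11")   # second public IP used only by hybrid connectors
ANTISPAM_INTERNAL = "10.0.0.5:25"                       # on-premises antispam appliance
EXCHANGE_INTERNAL = "10.0.0.6:25"                       # on-premises Exchange server

# Placeholder for the Exchange Online outbound ranges that the firewall would allow-list.
EXCHANGE_ONLINE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def from_exchange_online(src: IPLike) -> bool:
    """True when the source address falls inside an allow-listed Exchange Online range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXCHANGE_ONLINE_RANGES)


def route_single_public_ip(src: IPLike, dst: IPLike, dport: int = 25) -> Optional[str]:
    """The questioner's setup: one public IP, two NAT rules keyed on the SOURCE address.

    Because Exchange Online uses the same outbound ranges for tenant-to-tenant mail and
    for hybrid routing, every message from any 365 tenant matches the 'from MS365' rule
    and bypasses the antispam.
    """
    if dport != 25 or ipaddress.ip_address(dst) != MX_PUBLIC_IP:
        return None  # nothing published on this port/address
    if from_exchange_online(src):
        return EXCHANGE_INTERNAL  # unfiltered, even for ordinary public mail from 365
    return ANTISPAM_INTERNAL


def route_two_public_ips(src: IPLike, dst: IPLike, dport: int = 25) -> Optional[str]:
    """The answer's design: the DESTINATION public IP selects the path.

    - MX address: always to the antispam, regardless of who is sending.
    - Hybrid address: only to Exchange, and only from Exchange Online ranges; drop otherwise.
    """
    if dport != 25:
        return None
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr == MX_PUBLIC_IP:
        return ANTISPAM_INTERNAL
    if dst_addr == HYBRID_PUBLIC_IP and from_exchange_online(src):
        return EXCHANGE_INTERNAL
    return None  # dropped: hybrid IP is not reachable from arbitrary internet sources


def compare_policies() -> dict:
    """Run a few constructed senders through both policies; returns a mapping for inspection."""
    tenant_user = "198.51.100.7"   # some other 365 tenant's outbound IP (placeholder)
    internet_host = "203.0.113.4"  # arbitrary internet sender (placeholder)
    return {
        "365 tenant -> MX, single IP": route_single_public_ip(tenant_user, MX_PUBLIC_IP),
        "365 tenant -> MX, two IPs": route_two_public_ips(tenant_user, MX_PUBLIC_IP),
        "365 tenant -> hybrid IP, two IPs": route_two_public_ips(tenant_user, HYBRID_PUBLIC_IP),
        "internet -> hybrid IP, two IPs": route_two_public_ips(internet_host, HYBRID_PUBLIC_IP),
        "internet -> MX, two IPs": route_two_public_ips(internet_host, MX_PUBLIC_IP),
    }


if __name__ == "__main__":
    for scenario, target in compare_policies().items():
        print(f"{scenario}: {target or 'dropped'}")
```

The decisive difference is that in the two-IP design the hybrid connectors in Exchange Online must be pointed at the hostname of the second address, so hybrid traffic chooses the unfiltered path by destination while everything addressed to the MX host still passes the antispam.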