
Create required connectors to set up basic email flow through EOP

Exchange 2013
 

Applies to: Exchange Online Protection

Topic Last Modified: 2014-06-02

In order to enable email between Exchange Online Protection (EOP) and your own email servers, you must set up an Inbound connector and an Outbound connector. You configure an inbound connector to allow the service to accept email. You configure an outbound connector to allow the service to deliver email.

Important:
Before you set up connectors, you must add your domain and configure DNS settings in the Office 365 admin center. For more information, see Set up your EOP service.

This diagram shows where to find connectors in the Exchange Admin Center. First choose mail flow, then connectors, and you’ll see a list of existing connectors in the center area.

[Figure: Admin center view of connectors]

The following illustration shows how email flows from EOP to your on-premises environment, and how outbound email flows from your environment to EOP.

[Figure: EOP standalone setup, inbound and outbound email flow]

  • Estimated time to complete: 20 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Inbound and Outbound connectors" entry in the Feature permissions in EOP topic.

  • Before you begin this procedure, add your domain and configure DNS settings in the Office 365 admin center. For more information, see Set up your EOP service.

  • There are two types of restrictions that you can use in EOP when accepting email from your own email servers. The first identifies the sending server by its certificate; the second identifies it by its IP address. We recommend that you allow EOP to accept email from your organization by using a certificate over TLS.

  • Depending on which authentication method you want to use, you will need to know either your organization’s TLS certificate name or email server IP address. You can also use an appropriate IP address range.

  • To complete your setup and route your outbound email to EOP, it’s likely that you will need to create an on-premises send connector if you use a Microsoft Exchange server. Set Up an On-Premises Connector to Send Outbound Email to EOP, a wiki topic in the Office 365 community, provides some guidance about setting up a connector in your on-premises environment to send your outbound email to EOP for filtering. For outbound email, we recommend that the server be configured to send no more than 50 emails per connection and to use fewer than 50 concurrent connections. Under normal circumstances, these settings will help ensure that the server has smooth and continuous data transfer to EOP.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

This connector is configured for the service to accept email that is being sent from your own email server. You need this connector so that outgoing email can be inspected by EOP.

The following video provides help for setting up email flow from your own email server into EOP by using an inbound connector. The written procedure for this is in this section of this topic.

  1. Log in to the Office 365 admin center and go to Admin > Exchange Online Protection.

  2. In the EAC, navigate to mail flow > connectors. Under Inbound Connectors, click New (the Add icon) to create a new connector.

  3. In the New Inbound connector window, enter the following information:

    • Name   Choose a unique name for the inbound connector.

    • Ensure that Enable inbound connector is checked. If this is not selected, the connector does not process email.

    • Connector type   Choose On-premises.

    • Ensure that Retain service headers on transmission is checked if you have Exchange 2010 or Exchange 2013 servers deployed in your data center. If this is not selected, then any new header information that was created by your own Exchange server is removed from each message before it arrives at EOP for inspection.

    • Comment is an optional area that you can use for general information.

    • Choose Force TLS.

      Important:
      Please refer to What do you need to know before you begin? earlier in this topic for important information about the types of authentication restrictions.
    • Under Domain Restrictions, choose Restrict domains by certificate.

    • Under Certificate, specify the domain name that is contained in the CN/subject name of the certificate from your own email server.

    • Under Sender domains, click Add (the Add icon), and then enter *.

    • Click save to save the connector. It appears in the Inbound Connectors list. Make sure ENABLED is checked. You can change the connector’s settings by clicking Edit.

    • If you choose to not use Force TLS, then you need to include the IP addresses of your own email servers, so that EOP can identify emails coming from them. To do this:

      Under Sender IP addresses, click Add (the Add icon), and in the resulting Add IP address window, add the IP addresses of your email servers. Click OK after adding the IP addresses.

    • You can leave Associated accepted domains blank.

  4. Click save to save the connector. It appears in the Inbound Connectors list. Make sure ENABLED is checked. You can change the connector’s settings by clicking Edit.
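
The inbound connector from the steps above can also be created and checked from PowerShell. This is an added example, not Microsoft's script from this topic: it assumes a remote PowerShell session to the EOP tenant is already open, every name, certificate name and IP address is a placeholder, and the mapping of the "Retain service headers on transmission" checkbox to `CloudServicesMailEnabled` is an assumption.

```powershell
# Added example. Assumes an open remote PowerShell session to the EOP tenant.
# All values below are placeholders; replace them with your own.
$useCertificate = $true                        # $false = identify servers by IP address instead
$certName       = 'mail.contoso.com'           # CN/subject name of your email server's certificate
$serverIPs      = '192.0.2.10', '192.0.2.11'   # documentation-range addresses, not real servers

$params = @{
    Name          = 'On-premises to EOP'
    ConnectorType = 'OnPremises'
    Enabled       = $true
    SenderDomains = '*'
    Comment       = 'Accepts mail from our own servers for filtering'
    # Assumed equivalent of "Retain service headers on transmission".
    CloudServicesMailEnabled = $true
}

if ($useCertificate) {
    # Recommended in this topic: Force TLS and restrict domains by certificate.
    $params.RequireTls                   = $true
    $params.RestrictDomainsToCertificate = $true
    $params.TlsSenderCertificateName     = $certName
} else {
    # Without Force TLS, EOP has to recognize your servers by IP address.
    $params.RequireTls                   = $false
    $params.RestrictDomainsToIPAddresses = $true
    $params.SenderIPAddresses            = $serverIPs
}

New-InboundConnector @params

# Read the connector back and review the settings that decide who may submit mail.
$connector = Get-InboundConnector -Identity $params.Name
$connector | Format-List Name, Enabled, ConnectorType, RequireTls,
    RestrictDomainsToCertificate, TlsSenderCertificateName,
    RestrictDomainsToIPAddresses, SenderIPAddresses

if (-not $connector.Enabled) {
    Write-Warning 'Connector is disabled and will not process email.'
}
if (-not ($connector.RestrictDomainsToCertificate -or $connector.RestrictDomainsToIPAddresses)) {
    Write-Warning 'Connector has neither a certificate nor an IP address restriction.'
}
```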


To verify that you have successfully created an inbound EOP connector, do the following:

  1. In the EAC, navigate to mail flow > connectors.

  2. Verify that the name of the connector you created appears in the list of Inbound connectors.

  3. To verify that your EOP setup, including your connector configuration, is working correctly, see the “How do you know this task worked?” section in Set up your EOP service.

After an email coming from the internet passes EOP inspection, this connector routes it to your email servers located in your own data center. Without it, filtered email can’t be routed to your mailboxes.

The following video provides help for setting up email flow from EOP to your own email server by using an outbound connector. The written procedure for this is in this section of this topic.

  • Log in to the Office 365 admin center and go to Admin > Exchange Online Protection.

  • In the EAC, navigate to mail flow > connectors. Under Outbound Connectors, click Add to create a new connector.

  • In the New Outbound connector window, enter the following information:

    • Name   Choose a unique name for the outbound connector.

    • Ensure that Enable outbound connector is checked. If this is not selected, the connector does not process email.

    • Connector type   Choose On-premises.

    • Comment is an optional area that you can use for general information.

    • Choose Opportunistic TLS.

    • Under Outbound delivery, choose Route mail through smart hosts.

    • Near the list of smart hosts, click Add (the Add icon), and then enter an FQDN or IP address of your own email servers and click OK.

    • Choose Route all accepted domains through this connector.

      Note:
      Use the next option only when you need to route email to different servers based on different domains for your organization.
    • Under Sender domains, click Add, and in the resulting add domain window, add the domain name to include for this connector. For example, if your recipient domain is contoso.com, add contoso.com. Wildcard is supported here.

    • Leave the Use for Criteria Based Routing checkbox blank.

    • Checking the box for Retain service header in transmission will ensure that Exchange Organization internal headers are preserved when email leaves EOP. You do not need to select this option.

  • Click save to save the connector. It appears in the Outbound Connectors list. You can change the connector’s settings by clicking Edit.
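
The outbound connector described above, created and reviewed from PowerShell. This is an added example, not Microsoft's script from this topic: it assumes a remote PowerShell session to the EOP tenant is already open, and the connector name, smart host and domain are placeholders.

```powershell
# Added example. Assumes an open remote PowerShell session to the EOP tenant.
# All values below are placeholders; replace them with your own.
$routeAllDomains = $true                  # $false = route only the listed domains
$smartHost       = 'mail.contoso.com'     # FQDN or IP address of your own email server
$domains         = 'contoso.com'          # used only when $routeAllDomains is $false

$params = @{
    Name          = 'EOP to on-premises'
    ConnectorType = 'OnPremises'
    Enabled       = $true
    UseMXRecord   = $false                # "Route mail through smart hosts"
    SmartHosts    = $smartHost
    Comment       = 'Delivers filtered inbound mail to our own servers'
    # TlsSettings is deliberately not set: a blank value is opportunistic TLS.
}

if ($routeAllDomains) {
    $params.AllAcceptedDomains = $true    # "Route all accepted domains through this connector"
} else {
    $params.RecipientDomains = $domains   # per-domain routing to different servers
}

New-OutboundConnector @params

# Read the connector back and review where filtered mail will be delivered.
$connector = Get-OutboundConnector -Identity $params.Name
$connector | Format-List Name, Enabled, ConnectorType, UseMXRecord, SmartHosts,
    TlsSettings, AllAcceptedDomains, RecipientDomains

if (-not $connector.Enabled) {
    Write-Warning 'Connector is disabled and will not process email.'
}
if ($connector.UseMXRecord -or -not $connector.SmartHosts) {
    Write-Warning 'Connector is not routing through a smart host; mail will not reach your servers.'
}
if (-not $connector.TlsSettings) {
    # With opportunistic TLS the session is encrypted only if your server offers STARTTLS.
    Write-Host 'TLS is opportunistic: confirm that your email server advertises STARTTLS.'
}
```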

To verify that you have successfully created a connector to deliver email over a secure channel, do the following:

  1. In the EAC, navigate to mail flow > connectors.

  2. Verify that the name of the connector you created appears in the list of Outbound connectors.

  3. To verify that your EOP setup, including your connector configuration, is working correctly, see the “How do you know this task worked?” section in Set up your EOP service.

 