Inbound Safe Listing Scenario
Applies to: Office 365 for enterprises, Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2011-10-20
Organizations can set up a mail flow channel with partners by configuring their inbound mail routing using Forefront Online Protection for Exchange (FOPE) connectors. You can add a partner organization’s IP addresses to a “safe list,” and mail coming from those specified IP addresses will bypass FOPE’s IP filtering service. When you configure the partner’s IP address and domain name in an inbound connector, mail sent from that organization passes FOPE IP filtering even if the partner’s IP address appears on the FOPE block list. Mail from the partner that has a high spam rating will still be blocked unless you configure the connector to skip spam filtering as well. Mail that matches a policy rule will be blocked as well, unless you configure the connector to skip policy filtering.
In this sample scenario, contoso.com has added fabrikam.com to their safe list using an inbound connector. Contoso hosts their mail using Microsoft Exchange Online. The mail passes through FOPE unfiltered to the Contoso mailboxes.
You can implement this enforcement scenario using an on-premises mail hosting system protected by standalone FOPE, a cross-premises system including standalone FOPE, or a fully cloud-hosted system only including Exchange Online with FOPE.
Tip: To view a video that describes this scenario and demonstrates the configuration steps for the FOPE connector, see Inbound Safe Listing Scenario.
When receiving inbound mail from the safe-listed partner, the architecture is as follows:
With this scenario, mail flowing from fabrikam.com’s safe-listed gateway to contoso.com passes through FOPE without being filtered by FOPE’s edge filtering.
In order to configure safe listing, you must create an inbound connector that specifies the organization you want to add to a safe list. Following are the settings required for the sample scenario described above, where contoso.com has added fabrikam.com to their safe list using an inbound connector.
To configure a FOPE inbound connector in a safe-listing flow scenario
In the FOPE Administration Center, click the Administration tab, and then click the Company tab.
In the Connectors section, for the Inbound Connectors, click Add. The Add Inbound Connector dialog box opens.
The following image shows inbound connector settings for the safe-listing mail flow sample scenario.
In the Name field, enter a descriptive name for the inbound connector.
In the Description field, enter additional descriptive information about the inbound connector.
In the Sender Domains field, enter the domain name for the organization you want to add to the safe list (for example, fabrikam.com).
In the Sender IP Addresses field, enter the IP address or addresses for the organization you want to add to the safe list. IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 1 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 31. Multiple IP addresses must be separated by a comma. Although it is recommended that you specify IP addresses here, if you do not know the specific IP address or addresses associated with the domain, or if you want to create a broad-scope connector, you can leave this field blank.
Select the Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above radio button. This ensures that mail originating from the specified sender domain and IP addresses passes through FOPE without being IP filtered, and that mail sent from that domain but from a different IP address is rejected. If you select the first radio button, Add these IP addresses to the safelist for the domains specified above, then the following two conditions apply.
Mail that comes from the specified IP address will have connector settings applied (such as apply spam filtering, apply policy rules, and inbound TLS setting).
Mail that comes from an IP address other than the one specified in the connector will not have any of this connector’s settings applied.
In the Connector Settings section, you can select one of two Transport Layer Security (TLS) Settings options: Opportunistic TLS or Force TLS.
Selecting Force TLS enables you to force on-premises safe-listed partners to use a TLS connection when sending email to users hosted in the cloud. In this scenario, if the connection is not TLS-based, FOPE rejects the email message. When using this option, you can check Sender certificate matches and then enter the domain name of the organization with which you want to establish a secure channel. You can use the * wildcard character in this field to specify one level of subdomains. For example, if you specify *.domain.com, FOPE will match subdomain1.domain.com but it will not match subdomain2.subdomain1.domain.com.
When you select Opportunistic TLS, FOPE attempts a TLS connection but automatically falls back to a non-TLS SMTP connection if the sending email server is not configured to use TLS.
For more detailed information about using TLS in FOPE, see Understanding Transport Layer Security (TLS) in FOPE.
In the Connector Settings section, use the check boxes to choose whether to apply or skip several filtering operations. If you skip these filters, even mail with a high spam score from the safe-listed organization will be permitted. These filtering options are enabled (applied) by default.
Apply IP reputation filtering—Indicates whether to apply IP reputation filtering on inbound email messages. This option is not functional for this scenario.
Apply spam filtering—Indicates whether to apply spam filtering on inbound email messages. Selecting to skip spam filtering might result in your organization receiving spam mail if the partner sends spam mail.
Apply policy rules—Indicates whether to apply policy rules on inbound email messages.
The connector is now listed under Inbound Connectors. You can expand the connector to view its settings. You can click Edit to change the configuration settings for this connector.
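The following Python model is an added illustration of the decisions the steps above describe; it is not part of the original article and is not Microsoft's or FOPE's code. It encodes the two radio-button behaviors, the 24–31 CIDR prefix rule for the Sender IP Addresses field, Force TLS with the one-label wildcard certificate match, and the apply/skip spam and policy filters, then evaluates constructed sample messages for the contoso/fabrikam scenario. The names InboundConnector, InboundMessage, parse_sender_ips, cert_name_matches and evaluate are this example's own, and the 203.0.113.x and 198.51.100.x addresses are constructed documentation addresses, not real partner gateways.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a constructed model of how a FOPE inbound safe-listing connector
# decides what happens to a message. All names here are this example's own and
# are not a FOPE API.


def parse_sender_ips(field_value: str) -> list:
    """Parse the comma-separated Sender IP Addresses field.

    Accepts dotted-quad addresses and CIDR ranges; per the page, a CIDR prefix
    must be between 24 and 31. A blank field yields [] (broad-scope connector
    that applies to the sender domain regardless of source IP).
    """
    networks = []
    for entry in filter(None, (e.strip() for e in field_value.split(","))):
        if "/" in entry:
            prefix = entry.rsplit("/", 1)[1]
            if not prefix.isdigit() or not 24 <= int(prefix) <= 31:
                raise ValueError(f"CIDR prefix must be 24-31: {entry}")
        net = ipaddress.ip_network(entry, strict=False)  # bare address -> /32
        if net.version != 4:
            raise ValueError(f"IPv4 only: {entry}")
        networks.append(net)
    return networks


def cert_name_matches(pattern: str, name: str) -> bool:
    """Sender-certificate match: '*' stands for exactly one DNS label, so
    '*.domain.com' matches subdomain1.domain.com but not
    subdomain2.subdomain1.domain.com."""
    pat = pattern.lower().split(".")
    labels = name.lower().split(".")
    if len(pat) != len(labels):
        return False
    return all(p == "*" or p == lab for p, lab in zip(pat, labels))


@dataclass
class InboundConnector:
    sender_domains: set
    sender_ips: list                       # from parse_sender_ips(); [] = any IP
    only_accept_listed_ips: bool = True    # second radio button on the page
    force_tls: bool = False                # False = Opportunistic TLS
    sender_cert_pattern: Optional[str] = None
    apply_spam_filtering: bool = True
    apply_policy_rules: bool = True


@dataclass
class InboundMessage:
    sender_domain: str
    source_ip: str
    over_tls: bool = False
    cert_name: Optional[str] = None
    high_spam_score: bool = False
    hits_policy_rule: bool = False


def evaluate(conn: InboundConnector, msg: InboundMessage) -> tuple:
    """Return (verdict, reason). Verdicts: 'deliver', 'reject', 'block', or
    'normal_filtering' (the connector does not apply, so ordinary FOPE
    filtering, including IP reputation checks, runs instead)."""
    if msg.sender_domain.lower() not in {d.lower() for d in conn.sender_domains}:
        return ("normal_filtering", "sender domain not on this connector")
    ip = ipaddress.ip_address(msg.source_ip)
    ip_listed = not conn.sender_ips or any(ip in net for net in conn.sender_ips)
    if not ip_listed:
        if conn.only_accept_listed_ips:
            return ("reject", "domain is safe-listed but source IP is not listed")
        return ("normal_filtering", "source IP not listed; connector settings not applied")
    # From here on the connector applies: IP reputation filtering is bypassed.
    if conn.force_tls:
        if not msg.over_tls:
            return ("reject", "Force TLS: connection was not TLS")
        if conn.sender_cert_pattern and not (
            msg.cert_name and cert_name_matches(conn.sender_cert_pattern, msg.cert_name)
        ):
            return ("reject", "sender certificate does not match")
    if conn.apply_spam_filtering and msg.high_spam_score:
        return ("block", "spam filtering still applied; high spam score")
    if conn.apply_policy_rules and msg.hits_policy_rule:
        return ("block", "policy rule matched")
    return ("deliver", "safe-listed; IP filtering skipped")


# Constructed sample connector mirroring the page's contoso/fabrikam scenario
# (203.0.113.0/24 is an RFC 5737 documentation range, not a real gateway).
FABRIKAM = InboundConnector(
    sender_domains={"fabrikam.com"},
    sender_ips=parse_sender_ips("203.0.113.10, 203.0.113.128/25"),
    only_accept_listed_ips=True,
    force_tls=True,
    sender_cert_pattern="*.fabrikam.com",
)

if __name__ == "__main__":
    good = InboundMessage("fabrikam.com", "203.0.113.10", over_tls=True, cert_name="mx1.fabrikam.com")
    print(evaluate(FABRIKAM, good))
    stray = InboundMessage("fabrikam.com", "198.51.100.7", over_tls=True, cert_name="mx1.fabrikam.com")
    print(evaluate(FABRIKAM, stray))
```

The ordering in evaluate reflects the page: the connector applies only when the sender domain matches; with the second radio button a listed domain from an unlisted IP is rejected outright, while with the first radio button it simply falls back to normal filtering; and once the connector applies, spam and policy filtering still run unless the corresponding check boxes are cleared.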
To apply this connector configuration to your entire company or for specific domains in your company, or to remove this connector, see Enforcing and Removing FOPE Connector Associations.