Best Practices for Configuring EOP
Applies to: Exchange Online Protection
Topic Last Modified: 2014-03-13
Follow these best-practice recommendations for Microsoft Exchange Online Protection (EOP) in order to avoid common configuration errors and set yourself up for success. We recommend using the default configuration settings as a general rule. This topic assumes that you’ve already completed the setup process. If you haven’t completed EOP setup, see Set Up Your EOP Service.
If your organization has existing user accounts in an on-premises Active Directory environment, you can synchronize those accounts to Windows Azure Active Directory (AD), where a copy of those accounts is stored in the cloud. When you synchronize your existing user accounts to Windows Azure AD, you can view those recipients on a read-only basis in the Exchange admin center (EAC). To learn more about the steps needed to set up directory synchronization, see Manage Recipients in EOP.
|External contacts can only be managed through directory synchronization.|
|When you set up directory synchronization, you will need to run the Windows Azure AD Sync Tool Configuration Wizard. When you finish the wizard, the MSOL_AD_SYNC account is created in your Active Directory forest. This account is used to read and synchronize your on-premises Active Directory information. In order for directory synchronization to work correctly, make sure that outbound TCP port 443 from your local directory synchronization server is open; the sync tool uses it to reach Windows Azure AD.|
If you don’t want to set up directory synchronization, you can manage your users in the Microsoft Office 365 admin center. Users managed solely in the Office 365 admin center aren’t viewable in the Recipients pane of the EAC. Only users who are directory synchronized, and have a valid SMTP address, are reflected in the EAC. However, all users are available to be added to or removed from membership in an administrator role group in the EAC.
After you configure EOP for use with your on-premises mailboxes, wait 72 hours to allow your DNS-record updates to propagate. Then restrict inbound port-25 SMTP traffic on your firewall or mail servers so that it is accepted only from the EOP datacenters, specifically from the IP addresses listed at Exchange Online Protection IP Addresses. This protects your on-premises environment: a sender that connects directly to your server, bypassing EOP, is refused, so every inbound message you accept has been filtered. Additionally, if your mail server has settings that control which IP addresses are allowed to connect for mail relay, update those settings as well.
|Configure settings on the SMTP server with a connection time out of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for instance.|
When you set up EOP, you added a sender policy framework (SPF) record for EOP to your DNS records. The SPF record lets receiving systems detect mail that spoofs your domain. If some of your mail is sent from your own on-premises IP addresses rather than through EOP, those addresses must be in the record too; for more information, see Customize an SPF Record to Validate Outbound Email Sent from Your Domain.
When you set up EOP, you configured an Inbound connector to receive mail from your on-premises environment when your users send outbound mail. To complete your setup and route your outbound mail to EOP, it’s likely that you will need to create an on-premises send connector. Set Up an On-Premises Connector to Send Outbound Email to EOP, a wiki topic in the Office 365 community, provides some guidance about setting up a connector in your on-premises environment to send your outbound mail to EOP for filtering.
|For outbound mail, we recommend that the server be configured to send no more than 50 messages per connection and to use fewer than 50 concurrent connections. Under normal circumstances, these settings will help ensure that the server has smooth and continuous data transfer to EOP.|
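The inbound and outbound connector settings described above, carried out on the on-premises side. This is an added example, not code from the original article, and it assumes an Exchange 2013 server named MAIL01 whose Front End receive connector is "MAIL01\Default Frontend MAIL01", an accepted domain of contoso.com, and an EOP smart-host name of the usual <domain>.mail.protection.outlook.com form (take the real value from your EOP setup). The IP ranges are documentation placeholders, not EOP addresses; substitute the list published at Exchange Online Protection IP Addresses.

```powershell
# Added example (not from the original article). Assumptions: Exchange 2013,
# server MAIL01, accepted domain contoso.com. The EOP ranges below are RFC 5737
# placeholders and must be replaced with the published EOP IP addresses.
$EopRanges = @('203.0.113.0/24', '198.51.100.0/24')   # placeholders only

# Other Exchange servers and internal relay sources still need port 25; the
# 10.0.0.0/8 range is a placeholder for them. Everything else is refused.
$Port25Sources = $EopRanges + @('10.0.0.0/8')

# --- Inbound: only EOP (and internal sources) may open port 25 ---------------
# Host firewall: scoped allow rule. Remove any older rule that allows port 25
# from Any, or this scoping has no effect.
New-NetFirewallRule -DisplayName 'SMTP inbound from EOP only' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -RemoteAddress $Port25Sources -Action Allow

# Receive connector: a direct connection from the Internet cannot bypass EOP
# filtering because the session is rejected before any mail is accepted.
$Receive = @{
    Identity       = 'MAIL01\Default Frontend MAIL01'
    RemoteIPRanges = $Port25Sources
    # The 60-second time-out from the note, applied to the inactivity timer
    # (an assumption about which timer is meant). ConnectionTimeout is left at
    # its default so a slow transfer of a large attachment is not cut off.
    ConnectionInactivityTimeout = '00:01:00'
}
Set-ReceiveConnector @Receive

# --- Outbound: route all mail through EOP over enforced TLS -------------------
$Send = @{
    Name                         = 'Outbound to EOP'
    AddressSpaces                = '*'
    SourceTransportServers       = 'MAIL01'
    DNSRoutingEnabled            = $false
    SmartHosts                   = 'contoso-com.mail.protection.outlook.com'  # assumption, see above
    RequireTLS                   = $true
    TlsAuthLevel                 = 'DomainValidation'   # EOP must present a certificate for TlsDomain
    TlsDomain                    = 'mail.protection.outlook.com'
    SmtpMaxMessagesPerConnection = 50                   # "no more than 50 messages per connection"
}
New-SendConnector @Send

# Keep concurrent connections to EOP under 50 (20 is also the product default).
Set-TransportService -Identity 'MAIL01' -MaxPerDomainOutboundConnections 20
```

Set-ReceiveConnector replaces the whole RemoteIPRanges list rather than appending, which is the point: anything not in the list is turned away. Re-run the two inbound commands whenever Microsoft updates the published EOP ranges, otherwise EOP itself will be unable to deliver to you.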
Manage your content filters by reviewing and optionally changing the default settings. For example, you can change the action for what happens to spam-detected messages. If you want to pursue an aggressive approach to spam filtering, you can configure advanced spam filtering (ASF) options. Before setting an ASF option to on, enable it in test mode first so you can measure the false positives it would cause. It's recommended that organizations that are concerned about phishing turn on the SPF record: hard fail and Conditional Sender ID filtering: hard fail options. Learn more at Configure Content Filter Policies and Advanced Spam Filtering Options.
|If you are using the default content filter action, Move message to Junk Email folder, in order to ensure that this action will work with on-premises mailboxes, you must configure two Exchange Transport rules on your on-premises servers to detect spam headers added by EOP. For details, see Ensure that Spam is Routed to Each User's Junk Email Folder.|
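The content-filter rollout described above, as an added example rather than the article's own code: the two phishing-related ASF options go to Test first, then On, and the on-premises rules that make the default Junk Email action work are created last. The first two commands run in an Exchange Online Protection PowerShell session; the loop runs on the on-premises Exchange 2013 server. It assumes the policy is the one named "Default" and that the test-mode BCC mailbox secops@contoso.com is a placeholder you replace.

```powershell
# Added example (not from the original article). Assumptions: policy "Default";
# secops@contoso.com is a placeholder mailbox for test-mode copies.

# Step 1 (EOP): keep the default action and put the two hard-fail ASF options
# into Test. In Test mode the spam verdict is NOT applied; the TestModeAction
# instead BCCs a copy so you can see which senders would have been marked.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction MoveToJmf `
    -MarkAsSpamSpfRecordHardFail Test `
    -MarkAsSpamFromAddressAuthFail Test `
    -TestModeAction BccMessage `
    -TestModeBccToRecipients 'secops@contoso.com'

# Step 2 (EOP): once the BCC'd mail shows no legitimate senders failing SPF or
# Sender ID, enforce both options and stop the copies.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -MarkAsSpamSpfRecordHardFail On `
    -MarkAsSpamFromAddressAuthFail On `
    -TestModeAction None

# Step 3 (on-premises Exchange): MoveToJmf only works on-premises if the mailbox
# server sees an SCL above its junk threshold (default 4, see
# Set-OrganizationConfig -SCLJunkThreshold). EOP's verdict arrives as a header,
# so two rules map it to SCL 6:
#   SFV:SPM - the EOP content filter marked the message as spam
#   SFV:SKS - marked as spam before content filtering (e.g. a blocked sender)
foreach ($Verdict in 'SFV:SPM', 'SFV:SKS') {
    New-TransportRule -Name "EOP $Verdict to Junk Email" `
        -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
        -HeaderContainsWords $Verdict `
        -SetSCL 6 `
        -Comments 'Maps the EOP spam verdict to an SCL the on-premises Junk Email threshold acts on'
}
```

Leave Step 2 until the BCC traffic has been reviewed for at least one full business cycle; the senders most likely to fail SPF hard fail are your own partners' misconfigured domains, and those are exactly the messages users will notice missing.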
We recommend that you review the Anti-Spam Protection FAQ, including the outbound mailing best practices section, which will help ensure that your outbound mail is delivered.
You can submit false negatives (spam) and false positives (non-spam) to Microsoft for analysis in several ways. For details, see Submitting Spam and Non-Spam Messages to Microsoft for Analysis.
Review and fine tune your malware filter settings in the EAC. Learn more at Configure Anti-Malware Policies.
You can submit malware that made it past the filters or submit a file that you think was incorrectly identified as malware by sending it via the Microsoft Malware Protection Center. To learn more about how to do this, and to also read about other frequently asked questions and answers, review our Anti-Malware Protection FAQ.
Create transport rules (custom filters) to meet business needs.
When you deploy a new rule to production, select one of the test modes first to see the effect of the rules. Once you are satisfied that the rule is working in the manner intended, change the rule mode to Enforce.
When you deploy new rules, consider adding the additional action of Generate Incident Report to monitor the rule in action.
If you are in a hybrid deployment configuration, with part of your organization on-premises and part in Office 365, you may want to create rules that apply to the entire organization in a seamless manner. You can only do this if you use predicates and actions that are available both on-premises and in Office 365. While most predicates and actions are available in both deployments, there is a small set that are specific to a particular deployment scenario. Learn more at Transport Rules.
One defense against phishing is to detect personal information in email leaving the organization, since a successful phish usually ends with a user sending exactly that data. The following regular expressions, for example, can be used in transport rules to detect transmission of personal financial data or information that may compromise privacy:
\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d (MasterCard, Visa)
\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d (American Express)
\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (any 16 digit number)
\d\d\d\-\d\d\-\d\d\d\d (Social Security Numbers)
Spam and phishing can also be reduced by blocking inbound email that appears to have been sent from your own domain. You can create a transport rule that rejects messages whose sender is in your company domain (yourdomain.com, for example) and whose recipient is in that same domain, to block this type of sender forgery.
|Create this reject rule only if you are certain that no legitimate email from your domain is sent from the Internet to your mail server. Such mail does occur, for example when a message sent from a user in your organization to an outside recipient is subsequently forwarded back to another recipient in your organization; the rule would reject it.|
Use transport rules to block dangerous attachment types. At a minimum, block the following file-name extensions: EXE, PIF, SCR, VBS.
For increased protection, we also recommend blocking some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh
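The three transport rules discussed above (the outbound personal-data patterns, the same-domain sender-forgery reject, and the attachment-extension block), created the way the test-mode and incident-report advice earlier in this topic recommends. This is an added example, not the article's own code; it runs in an Exchange Online Protection PowerShell session and assumes contoso.com is your accepted domain and that secops@contoso.com is a placeholder mailbox for incident reports. The regular expressions are the article's own; the surrounding \b word boundaries are an addition so that a sixteen-digit run embedded in a longer number or identifier is not matched.

```powershell
# Added example (not from the original article). Assumptions: accepted domain
# contoso.com; secops@contoso.com is a placeholder incident-report mailbox.

# Shared settings: start every rule in Audit mode (actions are logged, not
# applied) and have each match generate an incident report for review.
$Report = @{
    GenerateIncidentReport = 'secops@contoso.com'
    IncidentReportContent  = 'Sender', 'Recipients', 'Subject', 'RuleDetections', 'AttachOriginalMail'
    Mode                   = 'Audit'
}

# Rule 1: personal financial data leaving the organization. The patterns are
# the article's; \b (an addition) keeps them from firing inside longer digit runs.
$PiiPatterns = @(
    '\b\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d\b',   # MasterCard, Visa
    '\b\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d\b',        # American Express
    '\b\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\b',          # any 16-digit number
    '\b\d\d\d\-\d\d\-\d\d\d\d\b'                     # Social Security number
)
New-TransportRule -Name 'Outbound personal data (audit)' @Report `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $PiiPatterns `
    -RejectMessageReasonText 'This message appears to contain personal financial data and was not delivered.'

# Rule 2: sender forgery of your own domain. With on-premises mailboxes,
# internal-to-internal mail never transits EOP, so a contoso.com sender writing
# to a contoso.com recipient can only have arrived from the Internet.
# Only enforce this if no legitimate mail of that shape exists (see the note).
New-TransportRule -Name 'Reject spoofed internal sender (audit)' @Report `
    -SenderDomainIs 'contoso.com' `
    -RecipientDomainIs 'contoso.com' `
    -RejectMessageReasonText 'Mail claiming to be from contoso.com must originate inside the organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Rule 3: the minimum attachment-extension block list; extend it with any of
# the longer list above that your business can live without.
$BlockedExt = 'exe', 'pif', 'scr', 'vbs'
New-TransportRule -Name 'Block executable attachments (audit)' @Report `
    -AttachmentExtensionMatchesWords $BlockedExt `
    -RejectMessageReasonText 'Attachments of this type are not permitted.'

# After the audit period, promote the rules that produced no false positives:
# switch to Enforce and drop the "(audit)" suffix from the name.
Get-TransportRule | Where-Object { $_.Name -like '*(audit)' } | ForEach-Object {
    Set-TransportRule -Identity $_.Identity -Mode Enforce -Name ($_.Name -replace ' \(audit\)$', '')
}
```

In Audit mode the reject action is recorded in the incident report but the message is still delivered, so the report mailbox shows exactly what each rule would have blocked; the 16-digit pattern in particular will match order and tracking numbers, and the audit period is where you decide whether that is acceptable. Conditions within one rule are combined with AND, which is why the patterns, the domain check and the extension list are three separate rules rather than one.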
Troubleshoot general issues and trends by using the reports in the Office 365 admin center or the Excel reporting workbook. Find single point specific data about a message by using the message trace tool. Learn more about reporting at Reporting and Message Trace in Exchange Online Protection. Learn more about the message trace tool at Trace an Email Message.