We are in the process of migrating to Office 365. Currently we have a hybrid environment and all regular user accounts have been migrated to O365. I am left with some mailboxes that are used for alerts and the like for automated processes. These mostly function through SMTP relays from the server running the process, using the on-premises Exchange server as the relay. We have the Exchange server set to not allow relays except for a designated list of internal IPs.
We'd like to move that process into the O365 cloud. I have found the following articles:
Here are my issues. I want to do this without having any on-premises Exchange, hybrid or other SMTP server. We'd like to relay directly to the cloud.
Second, we use an email filtering service that we like and at the moment aren't going to abandon. So, our MX record points to that service and NOT the preferred DNS name that gets set up when you activate your tenant: firstname.lastname@example.org.
I might be able to relay through the email filtering service, but I'm waiting to hear back from their tech support.
I have found that if I follow the first article in setting up an SMTP relay and I point my process to use the preferred DNS name, it works.
So that brings me to my main issue and question. I am assuming that if I can relay to that preferred DNS name from my server, a hacker could probably also bypass my MX record and send to that DNS name from the outside as well. Currently we have a firewall rule that says to only accept incoming email that has passed through our filtering service. So, if someone attempts to bypass the designated MX record, the email will fail to come in. With everything in O365, the traffic won't come through our firewall anymore.
Am I right in assuming that anyone could use the preferred DNS name to send us mail and bypass our email filtering system? If so, can I, and how can I, block incoming email that doesn't pass through our email filtering system?
I realize that creating such a block would in effect break my SMTP relay directly to O365, but assuming I can relay through my filtering service, that's OK. I also realize that O365 has built-in protections that I can also turn on, but I always think it's better to not let in what would obviously be trash in the first place than to let it in and then hopefully stop it later on.
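The Exchange Online counterpart of the firewall rule described in the post (accept inbound mail only from the filtering service) is a Partner inbound connector with `RestrictDomainsToIPAddresses` enabled. The following is an added example, not part of the original post or of any vendor documentation: the cmdlets (`Connect-ExchangeOnline`, `New-InboundConnector`, `Get-InboundConnector`) are real Exchange Online PowerShell cmdlets, but the connector name and the IP ranges are placeholders that must be replaced with the filtering service's published outbound addresses.

```powershell
# Added example (not from the original post): make Exchange Online reject
# Internet mail unless it arrives from the third-party filtering service,
# replicating the on-premises firewall rule described in the question.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in
# account holds an Exchange administrator role, and $filterServiceIPs holds
# PLACEHOLDER values that must be replaced with the filtering service's ranges.

Connect-ExchangeOnline

# PLACEHOLDER: replace with the outbound IP ranges published by the filtering service.
$filterServiceIPs = @('203.0.113.0/24', '198.51.100.10')

# A Partner connector scoped to every sender domain ('*') with
# RestrictDomainsToIPAddresses set to $true causes Exchange Online to reject
# connections for those domains that do not originate from SenderIPAddresses.
New-InboundConnector -Name 'Accept inbound mail only from filtering service' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $filterServiceIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# Verify the connector actually carries the restriction before relying on it.
Get-InboundConnector -Identity 'Accept inbound mail only from filtering service' |
    Format-List Name, ConnectorType, Enabled, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
```

With this connector in place, a direct SMTP relay from an internal server to the tenant's preferred DNS name is rejected too unless that server's public IP is included in the list or the relay goes through the filtering service, which is the trade-off the post already accepts. Create the connector in a test tenant, or with `-Enabled $false` first, and confirm the filtering service's full IP list before enabling it, since any address missing from the list will have its mail refused.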