Brian_MB asked:
Exchange transport rule block outside but allow exceptions

In short, I have a transport rule in Exchange 2007 to block a DDG from receiving email from the internet; only internal email is allowed. In transitioning the mail server to 365, I'll be sending mail to these users via a local SMTP server that connects to AWS SES, which sends the mail back to Exchange; however, these are obviously treated as "outside". I could add an exception to the transport rule to allow email from an address or distribution group to come through, but then I worry about spoofed emails getting to users and them thinking it is from an internal user. I'm also considering adding an exception to let anything with the "out.amazonses.com" text pattern in the header through, so anything coming from AWS SES is allowed, but then that would allow any email from amazonses.

Any other ideas or which would be best to limit this group during the transition?

Also, going forward with 365, I'll probably set up a relay in 365 and redirect this local SMTP server to authenticate and connect to it, but will I be in the same position with 365 that the emails coming from my local SMTP server will be considered "outside"?
Mahesh replied:
What is this AWS SES SMTP? Is it acting as a smart host?

When you set up a hybrid environment, the hybrid configuration will add a connector at O365 which will accept emails from your on-premises Exchange. At that point you need to add the public IPs of your smart host and Exchange servers to the connector to allow inbound mail to O365; these mails are definitely considered as inside.

As long as MX is pointing to on-premises Exchange, group expansion will happen on-premises, and O365 users won't receive external emails if they are part of the restricted DG.
Brian_MB (asker) replied:
Amazon's SMTP server. We'll be getting rid of on-premises Exchange once 365 is in place. So in the interim, for hardware and software that is local, I am directing them to send email to a local SMTP server instead of Exchange, since that will be going away. The local SMTP server connects to Amazon's SMTP server as the smart host. So the hardware may send a message to userA@mydomain.com from userB@mydomain.com, but since it is now going through Amazon and back to Exchange, it is no longer internal allowed email. So, again, I can add a transport rule to temporarily allow anything with amazon in the message header through, but this setup with local hardware/software will still exist when using 365. My plan is to just change the smart host on the local SMTP server to point to a relay I set up in 365 instead of Amazon; that's where I don't know if 365 will treat email coming from my local SMTP server as inside or outside.
ASKER CERTIFIED SOLUTION by Mahesh (answer text not available on this page)

Brian_MB (asker) replied:
Thank you. I did set up a connector in 365 and configured my SMTP server to use it. I verified, with rules set in 365 to block external email, that email coming from my SMTP server is considered internal if the From domain matches a domain in 365.

As far as the rule blocking external email on the current Exchange server, I think I'll go with an exception matching the header for amazonses.com to receive email routed through the local SMTP server temporarily.
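The interim rule the asker settled on, written out in Exchange 2007 Management Shell syntax, as an added example that is not part of the thread and not code from the asker or from Microsoft. It assumes the restricted group is a static distribution group named "Internal-Only-DG" (the question's DDG is stood in for by this name) and that mail relayed through the local SMTP server and AWS SES arrives with a Received header containing amazonses.com, as the asker describes; the rule name, NDR text and group name are placeholders.

```powershell
# Added example (not from the thread): Exchange 2007 transport rule that
# rejects mail from outside the organization sent to a restricted group,
# except when a Received header shows the message came in via AWS SES.

# Condition 1: the message originates outside the Exchange organization.
$fromOutside = Get-TransportRulePredicate FromScope
$fromOutside.Scope = "NotInOrganization"

# Condition 2: the message is addressed to a member of the restricted group.
# "Internal-Only-DG" is an assumed placeholder for the group in the question.
$toGroup = Get-TransportRulePredicate SentToMemberOf
$toGroup.Addresses = @((Get-DistributionGroup "Internal-Only-DG"))

# Exception: a Received header mentioning the SES hostname.
# This is the loose match the asker chose for the transition; as the asker
# notes, it admits mail from any SES customer, not only the local relay,
# so it should be removed once the local relay points at the 365 connector.
$viaSes = Get-TransportRulePredicate HeaderContains
$viaSes.MessageHeader = "Received"
$viaSes.Words = @("amazonses.com")

# Action: reject everything else from outside with a clear NDR text.
$reject = Get-TransportRuleAction RejectMessage
$reject.RejectReason = "This group accepts internal email only."
$reject.EnhancedStatusCode = "5.7.1"

New-TransportRule -Name "Block external mail to Internal-Only-DG" `
    -Conditions @($fromOutside, $toGroup) `
    -Exceptions @($viaSes) `
    -Actions @($reject) `
    -Comments "Temporary amazonses.com exception during the Office 365 transition" `
    -Priority 0
```

After creating the rule, `Get-TransportRule "Block external mail to Internal-Only-DG" | Format-List Conditions,Exceptions,Actions` shows the assembled predicates, and a test message from the local relay versus one from an unrelated external sender confirms that only the SES-relayed path passes. The exception matches header text rather than the relay's identity, which is why the asker's own remark (any amazonses.com sender gets through) holds; the 365 connector the asker set up later removes the need for it, because mail from the authenticated relay is then classified as internal.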