Exchange transport rule block outside but allow exceptions

In short, I have a transport rule in Exchange 2007 to block a DDG from receiving email from the internet; only internal email is allowed.  In transitioning the mail server to 365, I'll be sending mail to these users via a local SMTP server that connects to AWS SES, which sends the mail back to Exchange; however, these are obviously treated as "outside".  I could add an exception to the transport rule to allow email from an address or distribution group to come through, but then I worry about spoofed emails getting to users and them thinking it is from an internal user.  I'm also considering adding an exception for anything with the "out.amazonses.com" text pattern in the header, so anything coming from AWS SES is allowed, but then that would allow any email from amazonses.

Any other ideas or which would be best to limit this group during the transition?

Also, going forward with 365, I'll probably set up a relay in 365 and redirect this local SMTP server to authenticate and connect to it, but will I be in the same position with 365, in that the emails coming from my local SMTP server will be considered "outside"?
Brian_MB asked:

Mahesh (Architect) commented:
Once you set up the relay to O365, your SMTP server will send emails directly to O365 through the O365 connector.
The O365 connector will accept emails only from the SMTP servers / other SMTP smart hosts you specified in the connector; apart from that, all external / other emails would have to hit the O365 MX, pass all security checks and eventually obey the external transport rule, if any.

No matter whether Amazon remains in between or not, or even your SMTP server for that matter, as long as the from address is yourdomain.com (an accepted domain) while receiving emails through the O365 connector at the O365 end, the mail will be considered internal, and again it is not spoofed because the sender IP (on-premise SMTP or Amazon server) is added in the on-premise to O365 connector.
Any mail for which the from address is otherdomain.com would be considered outside mail.
This is the definition of internal and external as far as I know.
Mahesh (Architect) commented:
What is this AWS SES SMTP? Is it acting as a smart host?

When you set up a hybrid environment, the hybrid config will add a connector at O365 which will accept emails from your on-premise Exchange; at that point you need to add the public IP of your smart host and Exchange servers to the connector to allow inbound mails to O365. These mails are definitely considered inside.

As long as the MX is pointing to on-premise Exchange, group expansion will happen on-premise and O365 users won't receive external emails if they are part of the restricted DG.
Brian_MB (Author) commented:
Amazon's SMTP server.  We'll be getting rid of on-premise Exchange once 365 is in place.  So in the interim, for hardware and software that is local, I am directing them to send email to a local SMTP server instead of Exchange, since that will be going away.  The local SMTP server connects to Amazon's SMTP server as the smart host.  So the hardware may send a message to userA@mydomain.com from userB@mydomain.com, but since it is now going through Amazon and back to Exchange, it is no longer allowed as internal email.  So, again, I can add a transport rule to allow anything with amazon in the message header through temporarily, but this setup with local hardware/software will still exist when using 365.  My plan is to just change the smart host on the local SMTP server to point to a relay I set up in 365 instead of Amazon; that's where I don't know if 365 will treat email coming from my local SMTP server as inside or outside.
Brian_MB (Author) commented:
Thank you.  I did set up a connector in 365 and my SMTP server to use it.  I did verify, with rules set in 365 to block external email, that email coming from my SMTP server is considered internal if the from domain matches a domain in 365.

As far as the blocking external email rule for the current Exchange server, I think I'll go with an exception matching the header for amazonses.com to receive email routed through the local SMTP server temporarily.
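As an added example (not from this thread or from Microsoft's documentation), the Exchange Online side of the setup the thread ends on: an inbound connector that makes mail relayed from the local SMTP server count as internal, and the transport rule that keeps external mail away from the group. The group address, connector name and relay IP are placeholders.

```powershell
# Added example. Assumes the Exchange Online PowerShell module is connected
# (Connect-ExchangeOnline). Placeholders: restricted-ddg@mydomain.com is the
# protected DDG, 203.0.113.10 is the public IP of the local SMTP relay.

# 1) Inbound connector for the local relay. Mail is only accepted from the
#    listed IP over TLS, and is treated as internal, so a rule scoped to
#    NotInOrganization does not block userB@mydomain.com -> userA@mydomain.com.
New-InboundConnector -Name "Local SMTP relay (constructed example)" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses "203.0.113.10" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -TreatMessagesAsInternal $true

# 2) Transport rule: reject anything from outside the organization that is
#    addressed to a member of the restricted DDG. No header-text exception is
#    needed here, because the connector above is what makes relayed mail
#    internal; a Received-header pattern would admit any message carrying it.
New-TransportRule -Name "Block external mail to restricted DDG" `
    -FromScope NotInOrganization `
    -SentToMemberOf "restricted-ddg@mydomain.com" `
    -RejectMessageReasonText "This group accepts internal mail only." `
    -Mode Enforce

# 3) Check: confirm the connector and rule exist as configured.
Get-InboundConnector -Identity "Local SMTP relay (constructed example)" |
    Format-List Name, SenderIPAddresses, RequireTls, TreatMessagesAsInternal
Get-TransportRule -Identity "Block external mail to restricted DDG" |
    Format-List Name, FromScope, SentToMemberOf, State
```

The equivalent temporary exception on the Exchange 2007 side (matching amazonses.com in the header, as the author chose) is wider than the connector, since it keys on header text rather than on the relay's IP and TLS session.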