Some companies still run their SMTP service on-premises, and that creates a lot of work for the mail administrators. There are several advantages in moving such a service to the cloud: high availability, spam control, anti-virus scanning, resiliency, and security (your own servers no longer accept SMTP traffic directly from the Internet), and so forth.
For this article we will assume that you have a domain that is already receiving e-mail from the Internet without problems, and we will transition such an environment to Exchange Online Protection (EOP) in 45 minutes or less.
Are you ready? Wait! Before we start the counter, make sure that you have all the following key points covered:
- Make sure that you have access to perform changes in your Public DNS
- Make sure that the public IP used by your on-premises Exchange Server/mail server has a reverse DNS (PTR) record properly configured
- Perform an inventory of your current mail flow and settings
- A cell phone handy (required during the validation process with Microsoft)
- A blank sheet of paper to write down the information required to set up the environment
- Read this entire article before starting the technical steps
Step 01: Get Exchange Online Protection (EOP) trial subscription (10 minutes)
The first step is to get a trial subscription for Exchange Online Protection and that can be done through this link (Figure 01)
The process does not take more than 5 minutes, and the only things we need to define during the process are the account name for the first administrator (we will be using admin) and the company name (we will be using APatricioINFO). After providing these two pieces of information, the e-mail address used to log on to the service will be shown (in the form admin@company.onmicrosoft.com, built from the two names you just entered), as shown in Figure 02.
The final step asks for personal information including a phone number (Microsoft will either call or send an SMS message to validate it). After that, we will have access to the Office 365 portal, which can be reached at any time through https://portal.office365.com. Initially we may not have access to EOP (Figure 03), but since we are on the clock here we can continue configuring the domains; after a few minutes the Exchange Online Protection item will appear when clicking on the Admin menu located in the upper right corner of the Office 365 portal.
Step 02: Configuring the domain in EOP… (10 minutes)
In order to receive e-mail in EOP we must configure the domains in the Office 365 admin center. Let's log on with our new administrator account (the one with @company.onmicrosoft.com), click on Domains and then on add domain (Figure 04).
The new page will be a wizard with three simple steps. We will perform just the first one to get EOP up and running. Click on Specify a domain name and confirm ownership or Start Step 1. In the new wizard, type in the domain name (in our case apatricio.info), and click Next (Figure 05).
In the Confirm ownership step, select General Instructions on the right side if you do not see your DNS provider in the list. The most important thing on this page is to find out which record must be added to your Public DNS in order to prove that you are the owner of the domain.
As we can see in Figure 06, we need to add either a TXT or an MX record to validate. We will use the TXT method: add a new TXT entry in your public DNS containing the string provided (in our case MS=ms57850062), wait a couple of minutes (how long really depends on your Public DNS TTL and propagation settings), then click on Done, verify now.
If the validation works fine, a message saying Great! We confirmed that you own domain.name will be displayed, click on Finish.
This process is straightforward; however, if you run into problems, these hints will help you address them:
- If the validation does not work you can click on continue later and go back after a few minutes to retry the operation (the validation information will not change)
- You can always use https://mxtoolbox.com and use txt:apatricio.info to verify if you can see the information previously entered, and a correct configuration should be similar to the Figure 07.
Now that we have the domain configured, we need to take note of a few settings that we will configure later on. The first step is to select the domain that we have just created in the portal, and click on Manage DNS (Figure 08).
In the new page (Figure 09), copy the MX information to the sheet of paper that you set aside at the beginning of this article (in our case apatricio-info.mail.protection.outlook.com). This is the name that, in a few minutes, we will configure both in our public MX record and as the smart host of our on-premises Exchange/e-mail server. Since you are here, also copy the SPF information listed on the same page.
Step 03: Configuring Inbound and Outbound mail (10 minutes)
At this point we have configured the domain, and now we need to configure the mail routing in Exchange Online Protection.
Logged on to the Office 365 portal, click on Admin and then on Exchange Online Protection, click on the mail flow item on the left side and then on accepted domains. Double click on the domain we validated (apatricio.info) and make sure that Internal Relay is selected, then click save (Figure 10). Internal Relay is what makes EOP hand mail for recipients it does not know about (all of them, since the mailboxes are on-premises) to your server instead of rejecting it as an unknown recipient.
The most important step is to configure the connectors, they are responsible for all mail flow, click on connectors. In order to get a better understanding of the Inbound and Outbound connectors we added the diagrams beside each section to show the direction of the email flow (Figure 11).
In order to configure the Inbound Connector, click on + in the Inbound Connectors area. In the new page, define a name for the new connector, select On-premises, configure * in Sender Domains, and in Sender IP Addresses enter the public IP used by the SMTP service of your on-premises environment. This IP is what identifies your server to EOP: only mail arriving from that address is treated as coming from your organization and relayed to the Internet, so make sure it is the address your server actually connects out from (the NAT address, if one is used), not an internal one.
In order to configure the Outbound Connector, click on + in the Outbound Connectors area. The first step is to select On-Premises; then add the public IP used by the SMTP service of your on-premises environment in the Outbound Delivery section, select the option route all accepted domains through this connector, and click on save.
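The same Step 03 settings as EOP PowerShell, added here as an example; this is not code from the original article. It assumes a remote PowerShell session to Exchange Online Protection is already open (the connection command is left out), uses 203.0.113.25 as a placeholder for the public IP of the on-premises SMTP server, and the connector names are arbitrary.

```powershell
# Added example (not from the article): Step 03 as EOP PowerShell.
# Assumes an EOP remote PowerShell session is already open.
$Domain   = 'apatricio.info'
$OnPremIp = '203.0.113.25'   # placeholder: public SMTP IP of the on-premises server

# Accepted domain as Internal Relay: recipients EOP does not know about are
# relayed to the on-premises server instead of being rejected.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# Inbound connector: mail from the on-premises server into EOP, on its way to
# the Internet. SenderIPAddresses is the only thing that ties this connector to
# your organization, so it must be the address the server really connects from.
New-InboundConnector -Name 'Inbound from on-premises' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses $OnPremIp

# Outbound connector: mail from EOP to the on-premises server for every accepted
# domain. TlsSettings EncryptionOnly makes EOP insist on STARTTLS to your server.
New-OutboundConnector -Name 'Outbound to on-premises' `
    -ConnectorType OnPremises `
    -SmartHosts $OnPremIp `
    -AllAcceptedDomains $true `
    -TlsSettings EncryptionOnly

# Review what was created.
Get-InboundConnector  | Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses
Get-OutboundConnector | Format-List Name, ConnectorType, SmartHosts, AllAcceptedDomains, TlsSettings
```

The TlsSettings value is a hardening choice that the article's GUI walkthrough does not make. Exchange 2013 advertises STARTTLS by default with its self-signed certificate, so EncryptionOnly (encrypt, but do not validate the certificate) works out of the box; if your mail server does not offer STARTTLS, drop that parameter or EOP will not be able to deliver to it.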
Step 04: Switching over the SMTP service to EOP… (15 minutes)
Now that we configured all routing in EOP we can start configuring the Public DNS to transition from the current design to use only EOP.
The first step is to change the MX record to the name that we wrote down in Step 02 (something like apatricio-info.mail.protection.outlook.com). In our Public DNS, we will configure the MX record to use only the entry provided by Microsoft; any other MX record left behind is a path around EOP for inbound mail. To test the configuration, open http://www.mxtoolbox.com and the results should be similar to Figure 12.
We will see in a future article here at MSExchange.org how to lock this down further by allowing only the Microsoft servers to connect to your SMTP server from the Internet. Until that is done, anyone who knows the public IP of your server can still deliver mail to it directly, bypassing the EOP filtering.
Since we are in the Public DNS, we are going to change the current SPF record and add the string include:spf.protection.outlook.com to your existing SPF record. Place it after v=spf1 and before the final all mechanism (-all or ~all), not at the very beginning or the very end of the string: anything placed before v=spf1 makes the record invalid, and anything placed after the all mechanism is ignored by receivers. If you do not have an SPF record, then create a new TXT record with the following string: v=spf1 include:spf.protection.outlook.com -all
After that, we can use http://www.mxtoolbox.com site and enter spf:apatricio.info and the results for your domain should be similar to figure 13.
The last step is to configure your internal mail server to send all Internet mail through the EOP servers, which means configuring your send connector (if using Exchange Server, we need to configure it to use a smart host). All traffic to the Internet must be forwarded to the same name that we wrote down in Step 02, configured as the smart host, as shown in Figure 14 (using Exchange Server 2013).
Stop the clock! How was it? The main goal of this article was to show how easy it is to configure the basic settings to transition your on-premises environment to use Exchange Online Protection. After performing the changes described here, all mail arriving through your MX record and all mail your server sends to the Internet will flow through Exchange Online Protection; only direct connections to your server's public IP still bypass it, until those are restricted to the Microsoft servers.
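A way to check the Step 04 cut-over from PowerShell and to make the send connector change, added here as an example that is not part of the original article. It assumes apatricio.info is the domain, that the existing Internet send connector on the Exchange 2013 server is named Outbound to Internet (a placeholder), and it queries 8.8.8.8 only as a public resolver so that a stale internal DNS cache does not hide the real state of the record. The DNS checks run on any Windows 8/Server 2012 or later machine; the Set-SendConnector line needs the Exchange Management Shell on the Exchange server.

```powershell
# Added example (not from the article): verify the Step 04 DNS changes and
# point the on-premises Exchange 2013 send connector at EOP.
$Domain   = 'apatricio.info'
$EopHost  = 'apatricio-info.mail.protection.outlook.com'   # MX name from Step 02
$Resolver = '8.8.8.8'                                      # any public resolver

# 1. MX: exactly one record, and it must be the EOP host. Every other MX that is
#    still published is a path around EOP filtering for the whole Internet.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' })
$mxHosts = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.').ToLowerInvariant() })
if ($mxHosts.Count -eq 1 -and $mxHosts[0] -eq $EopHost) {
    Write-Host "MX OK: $EopHost (preference $($mx[0].Preference))"
} else {
    Write-Warning "MX not cut over yet; currently published: $($mxHosts -join ', ')"
}

# 2. SPF: read the v=spf1 TXT record and build the version to publish.
#    The include has to sit after v=spf1 and before the terminating 'all' term,
#    because receivers ignore everything that follows 'all'.
function Add-EopSpfInclude {
    param([string]$Spf)
    $inc = 'include:spf.protection.outlook.com'
    if (-not $Spf)                         { return "v=spf1 $inc -all" }   # no record yet
    if ($Spf -match [regex]::Escape($inc)) { return $Spf }                 # already present
    if ($Spf -match '\s[-~+?]?all\s*$')    { return $Spf -replace '(\s[-~+?]?all)\s*$', " $inc`$1" }
    return "$Spf $inc"                     # no 'all' term: append, then add one yourself
}

$txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'TXT' }
# long TXT records come back as several 255-byte strings; join them first
$spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=spf1\b' })
if ($spf.Count -gt 1) { Write-Warning 'More than one v=spf1 record is published; receivers treat that as a permanent error.' }
$current = if ($spf.Count -ge 1) { $spf[0] } else { $null }
Write-Host "Current SPF : $current"
Write-Host "Publish this: $(Add-EopSpfInclude $current)"

# 3. On-premises Exchange 2013: stop routing Internet mail via MX lookups and
#    hand every outbound message to EOP as the smart host, requiring TLS.
Set-SendConnector -Identity 'Outbound to Internet' `
    -DNSRoutingEnabled $false `
    -SmartHosts $EopHost `
    -RequireTLS $true
```

Run the script, publish the SPF string it prints, and rerun it after the TTL has expired: the MX warning should be gone and the printed record should be unchanged. RequireTLS on the send connector is a hardening choice beyond the article's Figure 14; the EOP smart host supports STARTTLS, so it costs nothing and prevents your outbound mail from ever leaving the server in clear text.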
Bear in mind that the service has several more features to be configured, and we will be talking about them in a future article here at MSExchange.org. In this article we configured the basics to get you going, but there is a lot of room for improvement, such as directory synchronization and recipient filtering at the EOP level, content filters, transport rules, spam policies, and so forth.