Office 365

From Roaring Penguin
Revision as of 15:47, 2 September 2016 by JohnMertz (talk | contribs)

Jump to: navigation, search

Special Considerations for Office 365

CanIt works with Office 365 as it does with any SMTP mail service; MX records for the domain are pointed to CanIt, and filtered mail is directed to the Office 365 server by configuring routing using Setup->Domain Routing in Canit. This routing address is initially filled with the one that you give us upon requesting the domain.

One issue with Office365 is that Microsoft doesn't provide access to an Active Directory system and does not properly validate recipients by default. Without changing anything in Office 365, you can work around this with CanIt by manually defining the list of possible recipients using Rules->Valid Recipients, and by enforcing the list with Preferences->Quarantine Settings->S-950. See below for better alternatives.

Options within the Office 365 portal

If you have access to the Office 365 management portal you should also be able to get valid recipient checks working correctly, allowing us to keep an up-to-date list of valid address automatically. This requires you to enable the Directory Based Edge Blocking (DBEB) feature. This is analogous to our Valid Recipient list, but will only then require you to keep the list current in one place. Instructions can be found here:

Finally, if you have your own external AD/LDAP which Office 365 is connecting to we can also use that for recipient verification, making the need for a SMTP-based verification process unnecessary. This is done using Setup->User Lookups and must be defined for use with Setup->Domain Mappings. This has the additional benefit of being able to detect existing aliases and to support authentication, as below.

Office 365 should also allow you to restrict incoming connection from only select IP addresses so that no spam is able to bypass our filter. At the time of writing, it appears that this should be set under Email Protection->Setup->Inbound Servers. The IP addresses for Hosted customers are available from the My Domains->My Domains page of our WebUI.

Integration for User Authentication

If, as above, you do have AD/LDAP, you can also use it for authentication using Setup->Authentication Mappings.

Since most Office 365 users take advantage of the instance of AD provided in the cloud portal it is likely that you won't be able to use LDAP. However, Office 365 does provide a public POP3 and IMAP service which you may be able to use for authentication of users accessing the Canit webui using the Setup->User Lookups wizard. Some clients have reported success with the following settings:


If these settings don't work, or if you have any other concerns about this integration, you will need to contact Microsoft for more information.

Supporting SPF Checks

Office 365 may checks for SPF results. As a result, any sender that has a valid SPF record will be flagged after it passes through us and has a possibility of being rejected since we are bound not to be included in those records.

For this reason, we strongly recommend enabling Sender Rewriting Scheme. In the default stream for your realm, go to Preferences : Quarantine Settings and set S-930 Enable SRS (Sender Rewriting Scheme) to Yes

This will allow us to re-write the sender address in such a way that the Office 365 will not flag the failed SPF checks. We also check for SPF records, so you will not lose any security as a result of this change.