Exchange Online Notes
Last Updated: May 15, 2022
Office 365 Exchange
Use Connect-ExchangeOnline to connect.
If you want to connect to a delegated organization, use:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline `
-UserPrincipalName "<username>" `
-DelegatedOrganization "<domain.com>" `
-ShowProgress $true
Allow everyone to access room/equipment meeting details
Set-MailboxFolderPermission "<email>:\Calendar" -User Default -AccessRights LimitedDetails
Don't change subject to requesters name on resource calendar
Set-CalendarProcessing -Identity "email" -DeleteSubject $False -AddOrganizerToSubject $False
Allow booking conflicts
Set-MailboxCalendarSettings -Identity "email" -AllowConflicts $True
Add alias
To add a mailbox alias, make sure the proxyAddresses attribute is set in AD. The primary address uses an uppercase SMTP: prefix; aliases use lowercase smtp:.
proxyAddresses:
- SMTP:<primary email>
- smtp:<alias>
Allow sending from an alias
Set-OrganizationConfig -SendFromAliasEnabled $True
Hide a mailbox (Active Directory Synced)
To hide a mailbox if your directory is synced, make sure that these AD attributes are set:
msExchHideFromAddressLists: True
mailNickname: Alias of the user (e.g. if the UPN of the user is [email protected], then the alias is user). This should not be left blank.
If you have the resources, an easier way is to do a hybrid Exchange setup, but this requires another Windows server license.
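As an added example (not part of the original notes), a small lint for the AD attributes described in the two sections above, run before directory sync: exactly one uppercase SMTP: primary, lowercase smtp: aliases, no duplicates, and a non-blank mailNickname on hidden mailboxes. The sample user objects are constructed.

```python
from typing import Dict, List


def validate_mail_attributes(user: Dict[str, object]) -> List[str]:
    """Return the problems found in a user's AD mail attributes (empty list = OK)."""
    problems: List[str] = []
    proxies = [str(p) for p in user.get("proxyAddresses", [])]

    # Exactly one primary, written with an uppercase SMTP: prefix.
    primaries = [p for p in proxies if p.startswith("SMTP:")]
    if len(primaries) != 1:
        problems.append(f"expected exactly one SMTP: primary address, found {len(primaries)}")

    seen = set()
    for entry in proxies:
        prefix, _, addr = entry.partition(":")
        if prefix.lower() != "smtp":
            continue  # SIP:, X500: and similar entries are not checked here
        if prefix not in ("SMTP", "smtp"):
            problems.append(f"{entry!r}: prefix must be SMTP: (primary) or smtp: (alias)")
        if "@" not in addr:
            problems.append(f"{entry!r} is not an email address")
        if addr.lower() in seen:
            problems.append(f"{addr} appears more than once (addresses are case-insensitive)")
        seen.add(addr.lower())

    # Hidden mailbox: the hide flag only works with a non-blank mailNickname.
    hidden = str(user.get("msExchHideFromAddressLists", "")).lower() == "true"
    if hidden and not str(user.get("mailNickname", "")).strip():
        problems.append("msExchHideFromAddressLists is True but mailNickname is blank")
    return problems


# Constructed sample objects (not real accounts), shaped like Get-ADUser output.
GOOD_USER = {
    "proxyAddresses": ["SMTP:user@example.com", "smtp:alias@example.com", "SIP:user@example.com"],
    "msExchHideFromAddressLists": True,
    "mailNickname": "user",
}
BAD_USER = {
    "proxyAddresses": ["smtp:user@example.com", "Smtp:alias@example.com", "smtp:USER@example.com"],
    "msExchHideFromAddressLists": True,
    "mailNickname": "",
}

if __name__ == "__main__":
    for name, u in (("GOOD_USER", GOOD_USER), ("BAD_USER", BAD_USER)):
        print(name, validate_mail_attributes(u) or "OK")
```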
Exchange Online Security
Block auto forward
New-TransportRule "Block auto forwarding" `
-FromScope InOrganization `
-MessageTypeMatches AutoForward `
-RejectMessageReasonText "Auto forwarding is blocked"
Strip IP Address from header
This may be removed by default now. A while ago this was included in emails sent by Outlook.
New-TransportRule "Strip IP Address from outbound emails" `
-SentToScope NotInOrganization `
-Priority 0 `
-RemoveHeader "x-originating-ip" `
-Mode Audit
Add External Tag (Native)
Set-ExternalInOutlook -Enabled $true
To add emails to the allow list you can run:
Set-ExternalInOutlook -AllowList admin@fabrikam.com,admin@fourthcoffee.com
Add External Tag (Subject)
New-TransportRule "External Email Warning (Subject)" `
-FromScope NotInOrganization -SentToScope InOrganization `
-PrependSubject "[EXTERNAL] " -Priority 0 `
-ExceptIfSubjectContainsWords "EXTERNAL" `
-ExceptIfSenderDomainIs "email.teams.microsoft.com","microsoft.com","messaging.microsoft.com"
Add External Disclaimer
$Disclaimer='<p><div style="background-color:#FFEB9C; width:100%; border-style: solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:Calibri; color:Black; text-align: left;"><span style="color:#9C6500; font-weight:bold;">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div><br></p>'
New-TransportRule "External Email Warning" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-Priority 0 `
-ApplyHtmlDisclaimerText $Disclaimer `
-ExceptIfSenderDomainIs "email.teams.microsoft.com","microsoft.com","messaging.microsoft.com" `
-ApplyHtmlDisclaimerLocation Prepend `
-ApplyHtmlDisclaimerFallbackAction Wrap
The rule adds the below header to all external messages:
DKIM Setup
This method lets you generate 2048-bit keys. At the time of writing, the admin interface could only generate 1024-bit keys, and you had to use PowerShell to generate the 2048-bit keys.
New-DkimSigningConfig -DomainName techstormpc.com -KeySize 2048 -Enabled $True
Get-DkimSigningConfig -Identity techstormpc.com | Format-List Selector1CNAME, Selector2CNAME
Set-DkimSigningConfig -Identity techstormpc.com -Enabled $true
The second command will output something like this; you will need to create DNS records from it.
Selector1CNAME : selector1-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
Selector2CNAME : selector2-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
Create the following CNAME Records with 3600 as the TTL:
selector1._domainkey -> selector1-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
selector2._domainkey -> selector2-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
Test it using https://email-test.had.dnsops.gov/.
Apply message encryption (OME)
This applies encryption to the message if the subject contains the word "secure".
New-TransportRule "Apply email encryption" `
-SubjectContainsWords secure `
-ApplyOME $True
Secure email gateway setup
If you have a secure email gateway in front of your EXO environment, such as Proofpoint, Mimecast, or Cisco IronPort, see below for additional setup.
Lock inbound emails to specific gateway
Use this method to block inbound connections to Exchange Online that are not from the specified server(s).
If you don't perform this step, people can still send emails directly to Microsoft and bypass your email gateway.
The following example is for Proofpoint Essentials. Replace the SenderIPAddresses property with whatever is applicable to your environment.
New-InboundConnector `
-Name "Proofpoint Essentials Inbound Connector" `
-SenderDomains * `
-ConnectorType "Partner" `
-RequireTls $true `
-Enabled $true `
-SenderIPAddresses 148.163.159.0/24,148.163.158.0/24,148.163.157.0/24,148.163.156.0/24,148.163.155.0/24,148.163.154.0/24,148.163.153.0/24,148.163.152.0/24,148.163.151.0/24,148.163.150.0/24,148.163.149.0/24,148.163.148.0/24,148.163.147.0/24,148.163.146.0/24,148.163.145.0/24,148.163.144.0/24,148.163.143.0/24,148.163.142.0/24,148.163.141.0/24,148.163.140.0/24,148.163.139.0/24,148.163.138.0/24,148.163.137.0/24,148.163.136.0/24,148.163.135.0/24,148.163.134.0/24,148.163.133.0/24,148.163.132.0/24,148.163.131.0/24,148.163.130.0/24,148.163.129.0/24,148.163.128.0/24,67.231.149.0/24,67.231.148.0/24,67.231.147.0/24,67.231.146.0/24,67.231.145.0/24,67.231.144.0/24,67.231.156.0/24,67.231.155.0/24,67.231.154.0/24,67.231.153.0/24,67.231.152.0/24 `
-RestrictDomainsToIPAddresses $true
You can test whether this works through telnet by connecting to your Microsoft tenant-specific MX server. That address is in the format domain-tld.mail.protection.outlook.com, such as techstormpc-com.mail.protection.outlook.com.
If you have it forced over TLS, you can also test it over TLS by replacing the telnet command with:
openssl s_client -debug -starttls smtp -crlf -connect <MX_ADDRESS>:25
telnet <MX_ADDRESS> smtp
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 BN8NAM04FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 16 Mar 2022 01:09:21 +0000
ehlo
250-BN8NAM04FT011.mail.protection.outlook.com Hello [x.x.x.x]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from: <[email protected]>
250 2.1.0 Sender OK
rcpt to: <[email protected]>
550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [BN8NAM04FT011.eop-NAM04.prod.protection.outlook.com]
QUIT
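The telnet session above, scripted as an added example (not part of the original notes): probe_direct_delivery() runs the same EHLO / MAIL FROM / RCPT TO exchange against your tenant MX and classify_rcpt_response() turns the RCPT TO reply into a verdict; the transaction is reset before QUIT so nothing is delivered. The MX host, sender and recipient in the main block are placeholders to replace with your own.

```python
import smtplib
from typing import Tuple

# Enhanced status code EXO returns when a restricted partner connector
# rejects mail that did not arrive from the allowed IPs (see the transcript above).
RESTRICTED_STATUS = "5.7.51"


def classify_rcpt_response(code: int, message: bytes) -> str:
    """Map the RCPT TO reply to a verdict about the inbound connector lock."""
    text = message.decode(errors="replace")
    if code == 550 and RESTRICTED_STATUS in text and "TenantInboundAttribution" in text:
        return "LOCKED"   # direct delivery that bypasses the gateway is rejected
    if 200 <= code < 300:
        return "OPEN"     # recipient accepted: the gateway can be bypassed
    return "OTHER"        # e.g. unknown recipient or a transient 4xx reply


def probe_direct_delivery(mx_host: str, sender: str, recipient: str,
                          use_tls: bool = True) -> Tuple[int, bytes, str]:
    """Connect straight to the tenant MX (not via the gateway) and test RCPT TO."""
    with smtplib.SMTP(mx_host, 25, timeout=30) as smtp:  # QUIT is sent on exit
        smtp.ehlo()
        if use_tls and smtp.has_extn("starttls"):  # mirrors the openssl -starttls test
            smtp.starttls()
            smtp.ehlo()
        smtp.mail(sender)
        code, message = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction; no DATA is ever sent
    return code, message, classify_rcpt_response(code, message)


if __name__ == "__main__":
    # Placeholders: your tenant MX (domain-tld.mail.protection.outlook.com),
    # an external sender address you control, and a mailbox in your tenant.
    print(probe_direct_delivery("<domain-tld>.mail.protection.outlook.com",
                                "probe@<your-external-domain>", "user@<your-domain>"))
```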
Exchange Online Protection fix
Proofpoint recommends you set a transport rule to bypass spam filtering by setting SCL to -1 on all mail coming from Proofpoint.
This isn't the best option because it disables some security features that you get from Exchange Online Protection.
You can create an enhanced filtering rule to retrieve the originating IP address from the header.
Read more here.
Set-InboundConnector `
-Identity "Proofpoint Essentials Inbound Connector" `
-EFSkipIPs 148.163.159.0/24,148.163.158.0/24,148.163.157.0/24,148.163.156.0/24,148.163.155.0/24,148.163.154.0/24,148.163.153.0/24,148.163.152.0/24,148.163.151.0/24,148.163.150.0/24,148.163.149.0/24,148.163.148.0/24,148.163.147.0/24,148.163.146.0/24,148.163.145.0/24,148.163.144.0/24,148.163.143.0/24,148.163.142.0/24,148.163.141.0/24,148.163.140.0/24,148.163.139.0/24,148.163.138.0/24,148.163.137.0/24,148.163.136.0/24,148.163.135.0/24,148.163.134.0/24,148.163.133.0/24,148.163.132.0/24,148.163.131.0/24,148.163.130.0/24,148.163.129.0/24,148.163.128.0/24,67.231.149.0/24,67.231.148.0/24,67.231.147.0/24,67.231.146.0/24,67.231.145.0/24,67.231.144.0/24,67.231.156.0/24,67.231.155.0/24,67.231.154.0/24,67.231.153.0/24,67.231.152.0/24
Messages that pass through this connector have the X-MS-Exchange-SkipListedInternetSender and X-MS-Exchange-ExternalOriginalInternetSender headers added to them. You should also see a proper value on the Authentication-Results and Received-SPF headers rather than fail.
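An added example (not part of the original notes) that checks those headers on a delivered message, so you can confirm enhanced filtering attributed the mail to the true sender rather than to the gateway. The gateway ranges are the aggregate of the Proofpoint ranges in the connector above; the sample headers are constructed, so paste headers from a real message to check your own tenant.

```python
import ipaddress
from email import message_from_string
from typing import Dict, List

# Aggregate of the Proofpoint Essentials ranges used in the connector above.
GATEWAY_RANGES = [ipaddress.ip_network(n) for n in (
    "148.163.128.0/19", "67.231.144.0/22", "67.231.148.0/23",
    "67.231.152.0/22", "67.231.156.0/24")]

# Constructed sample headers (not a real message), trimmed to the fields checked.
SAMPLE_HEADERS = """\
Received: from mx0a-gw.example.net (148.163.159.10) by BN8NAM04FT011.mail.protection.outlook.com
Authentication-Results: spf=pass (sender IP is 203.0.113.25)
 smtp.mailfrom=example.org; dkim=pass; dmarc=pass action=none
Received-SPF: Pass (protection.outlook.com: domain of example.org designates
 203.0.113.25 as permitted sender)
X-MS-Exchange-SkipListedInternetSender: ip=[148.163.159.10];domain=mx0a-gw.example.net
X-MS-Exchange-ExternalOriginalInternetSender: ip=[203.0.113.25];domain=mail.example.org
Subject: test

"""

def _ip_in_header(value: str) -> str:
    """Extract the address from an 'ip=[a.b.c.d];domain=...' header value."""
    start, end = value.find("ip=["), value.find("]")
    return value[start + 4:end] if start != -1 and end > start else ""

def _is_gateway(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in GATEWAY_RANGES)

def check_enhanced_filtering(raw_headers: str) -> Dict[str, object]:
    """Report whether EOP skipped the gateway hop and evaluated the true sender."""
    msg = message_from_string(raw_headers)
    findings: List[str] = []
    skipped = _ip_in_header(msg.get("X-MS-Exchange-SkipListedInternetSender", ""))
    original = _ip_in_header(msg.get("X-MS-Exchange-ExternalOriginalInternetSender", ""))
    if not skipped or not original:
        findings.append("enhanced filtering headers missing: EFSkipIPs did not match the last hop")
    elif not _is_gateway(skipped) or _is_gateway(original):
        # Skipped a non-gateway hop, or stopped at the gateway: the skip list is wrong.
        findings.append(f"skipped {skipped}, attributed to {original}: check EFSkipIPs")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "spf=pass" not in auth:
        findings.append("Authentication-Results does not show spf=pass")
    if not msg.get("Received-SPF", "").lower().startswith("pass"):
        findings.append("Received-SPF is not Pass")
    return {"ok": not findings, "original_sender_ip": original, "findings": findings}
```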
Proofpoint Security Awareness Setup
Additional setup must be performed since I opted not to create the transport rule that sets all incoming mail's spam confidence level to -1 (bypass).
You can assume that the messages with these headers are safe if they got past Proofpoint. Do not enable this if you don't have the connector in place.
New-TransportRule -Name "Proofpoint Security Awareness" `
-Enabled $false `
-Mode Enforce `
-FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetSCL -1
New-TransportRule -Name "Proofpoint Security Awareness - skip attachment scan" `
-Enabled $false `
-Mode Enforce -FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetHeaderName X-MS-Exchange-Organization-SkipSafeAttachmentProcessing `
-SetHeaderValue 1
New-TransportRule -Name "Proofpoint Security Awareness - skip link scan" `
-Enabled $false `
-Mode Enforce `
-FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetHeaderName X-MS-Exchange-Organization-SkipSafeLinksProcessing `
-SetHeaderValue 1