Configure Dual Delivery: Office 365

This topic describes how to configure dual delivery for Microsoft Office 365 environments using a Journaling rule.

The general procedure is as follows:

Step 1: Create a connector that routes journaled messages to your sensor.

Step 2: Create a journal rule in Office 365 that copies messages to your sensor.

NOTE:

Cloud Email Protection requires that the X-MS-Exchange-Organization-AuthAs header be added to all messages, with the value that matches the message's directionality. See the Microsoft Exchange documentation for instructions about how to configure this. The following header and values are required for Cloud Email Protection to function correctly:

  • Internal messages: X-MS-Exchange-Organization-AuthAs: Internal
  • Inbound/outbound messages: X-MS-Exchange-Organization-AuthAs: Anonymous

Inbound and outbound messages that carry the Internal value for this header will be treated by Cloud Email Protection as internal messages and will be scored differently, which can make Cloud Email Protection less effective against external attacks. See https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019 and https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/set-inboundconnector?view=exchange-ps for additional information.
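The following is an added example, not part of the original page or of Agari's tooling, for auditing the header requirement above on a message you pull from the journal mailbox: it reads the raw header text, works out whether the message should be tagged Internal or Anonymous, and reports whether the X-MS-Exchange-Organization-AuthAs value agrees. The internal-domain list and the sample headers are constructed for illustration, and the direction logic is a simplification (a message counts as internal only when the sender and every To/Cc recipient are in an internal domain; Bcc recipients are not visible in headers).

```powershell
# Added example (not from the original page): check the X-MS-Exchange-Organization-AuthAs
# header against the direction expected for a message. Assumptions: $InternalDomains is the
# list of your own accepted domains; a message is "internal" only when the sender and every
# To/Cc recipient belong to one of them. Bcc recipients are not in headers, so for a
# definitive answer inspect the journal report's envelope instead.
function Test-AuthAsHeader {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$InternalDomains
    )
    # Unfold RFC 5322 continuation lines, then split into one header per line.
    $lines = ($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n"

    $authAs    = $null
    $addresses = @()
    foreach ($line in $lines) {
        if ($line -match '^X-MS-Exchange-Organization-AuthAs:\s*(\S+)') {
            $authAs = $Matches[1]
        }
        elseif ($line -match '^(From|To|Cc):') {
            # Collect every address on the From/To/Cc line (display names are ignored).
            $addresses += [regex]::Matches($line, '[^\s<>,"]+@[^\s<>,"]+') | ForEach-Object { $_.Value }
        }
    }

    $domains     = $addresses | ForEach-Object { ($_ -split '@')[1].ToLowerInvariant() } | Select-Object -Unique
    $allInternal = ($domains.Count -gt 0) -and -not ($domains | Where-Object { $InternalDomains -notcontains $_ })
    $expected    = if ($allInternal) { 'Internal' } else { 'Anonymous' }

    [pscustomobject]@{
        Expected = $expected
        Actual   = $authAs
        Ok       = ($authAs -eq $expected)
    }
}

# Constructed sample: an inbound message from an external sender with the correct tag.
$internal = @('yourdomain.com', 'yourdomain.onmicrosoft.com')   # assumption: your domains
$sample = @"
From: Vendor <billing@example.net>
To: Alice <alice@yourdomain.com>
Subject: Invoice
X-MS-Exchange-Organization-AuthAs: Anonymous
"@
Test-AuthAsHeader -RawHeaders $sample -InternalDomains $internal

# The same external message mis-tagged as Internal: this is the case the note warns about,
# because Cloud Email Protection would score it as an internal message.
Test-AuthAsHeader -RawHeaders ($sample -replace 'Anonymous', 'Internal') -InternalDomains $internal
```

Run the function over a handful of messages saved from the journal mailbox after enabling dual delivery; any result with Ok set to False on a message from an external sender indicates the header is being applied with the wrong value and should be corrected before relying on the sensor's scoring.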

Step 1: Create a Connector that Routes Journaled Messages to Your Sensor

To route journaled messages to the sensor, you will create a placeholder domain to which messages will be routed.

NOTE: You may have a more complex configuration in place. The goal is to configure this connector such that messages coming from the journaling feature receive special routing.

  1. Log into your Microsoft 365 Admin Center dashboard at https://admin.microsoft.com/ with an account that has appropriate administrative permissions to create the rule required.
  2. On the left menu click Show All to expand the menu, then click Exchange.
  3. On the left menu expand the Mail Flow section.
  4. Select connectors.
  5. Click + to create a new connector.
  6. On the Select your mail flow scenario page:
    • In the From drop-down list, select Office 365.
    • In the To drop-down list, select Partner organization.
  7. Click Next.
  8. On the New connector page:
  9. Click Next.
  10. Select the Only when email messages are sent to these domains radio button.
  11. Click + to add a new domain.
  12. Enter the domain that will redirect messages to use this connector. Your sales or support representative will provide you with the information to enter here, which will be in the form of "symbolicname.hosted.agari.com" where symbolicname is the symbolic name used for your organization.
  13. Click Next.
  14. Select the Route email through these smart hosts radio button.
  15. Click + to add a smart host.
  16. Enter the fully-qualified domain name of your sensor.
    • For agari.com hosted sensors, this will be the address from step 12.
    • For Sensors you host, you will get the Sensor domain name from your Sensor virtual machine interface.
  17. Click Next.
  18. Configure the TLS settings for the connections made to the sensor. It is recommended that you:
    • Select the Always use Transport Layer Security check box.
    • Select the Any digital certificate, including self-signed certificates radio button. (If you have installed verified TLS certificates on your sensor, you may want to select the Issued by a trusted certificate authority (CA) radio button.)
  19. Click Next, and then on the confirmation screen, click Next again.
  20. Confirm that the sensor is reachable.
  21. Click +.
  22. Enter an email address that uses the same placeholder domain you specified earlier (in the above example, "symbolicname.hosted.agari.com"). The local part of the address to the left of the "@" sign is irrelevant; you can use any address.
  23. Click Validate.
  24. After a short delay, you will see a confirmation window.
  25. If validation fails, please contact your sales or support representative to troubleshoot. Validation may fail if you have another transport rule which takes precedence or intercepts the validation message. Validation may also fail if there is latency in the Microsoft administrative portal. (In these cases, wait a few moments and attempt to validate again.)
  26. Click Close.
  27. You can click the pencil icon for any failed results to view the log from that test and address any issues in the configuration.
  28. If you see "Succeeded" for both tasks, click Save.

You will now see the newly-created Connector in your list of Connectors.

Step 2: Create a Journal Rule to Copy Messages to the Sensor

Before creating your first journal rule, you will need to either specify an existing or create a new email account that will be used to receive Non-Delivery Reports (sometimes called "NDRs" or "bounce" messages). You should monitor messages sent to this address periodically to ensure that there are no connectivity issues between Office 365 and the machine hosting the sensor.

Create a New Account for Journaling

  1. Click Select Address.
  2. Click recipients.
  3. Click the shared tab.
  4. Click + to create a new shared mailbox.
  5. Enter the mailbox information. Enter a descriptive display name and email address. For example, you can specify "JournalReportNDR" for the display name and "journal@yourdomain.onmicrosoft.com" for the email address. Optionally, you can grant access to a specific user or users to monitor this shared mailbox. You can also optionally choose "More options..." to define an alias for this shared mailbox.
  6. Click Save.

Create the Journaling Rule

  1. Log into your Microsoft 365 Admin Center dashboard at https://admin.microsoft.com/ with an account that has appropriate administrative permissions to create the rule required.
  2. On the left menu click Show All to expand the menu, then click Compliance.
  3. On the left menu expand the Data lifecycle management section and select Exchange Legacy.
  4. Click the journal rules tab.
  5. If there is an email address as the value of Send undeliverable journal reports to, continue with the next step. If the value is Select Address, click Select Address and add a new address, as described in Create a New Account for Journaling, and then continue.
  6. Click +.
  7. Enter the journaling rule details:
    • In the Send journal reports to field, enter an address that uses the domain you specified in Step 1: Create a Connector that Routes Journaled Messages to Your Sensor. For example, journal@symbolicname.hosted.agari.com.
    • In the Name field, enter Cloud Email Protection Sensor.
    • In the Journal messages sent or received from section, select:
      • Apply to all messages if you want all messages to be sent for analysis.
      • NOTE: If you select External Messages, the Office 365 journaling functionality may miss external messages spoofed as from internal domains.
      • A specific user or group, and select a group if you would like only messages to a subset of your user base to be evaluated, such as for testing purposes. The group you select here must be created via the "recipients > groups" section of the Exchange admin center. You can specify a Distribution Group, a Security Group, or, if you want to avoid changing the group as new members join or leave your organization, you can use a Dynamic Distribution Group.
  8. In the Type of message to journal section, select All messages.
  9. Click Next.
  10. Review the settings and click Submit to save the journal rule.

Messages will begin flowing to the sensor immediately.
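As an added example (not part of the original page, and not Agari's own tooling), the same Step 1 and Step 2 configuration can be scripted with Exchange Online PowerShell instead of clicking through the portals, which makes the settings reviewable and repeatable. It assumes the ExchangeOnlineManagement module is installed; the sensor domain, NDR mailbox and admin account are placeholders to be replaced with the values your sales or support representative provides.

```powershell
# Added example (not from the original page): Step 1 (outbound connector) and Step 2
# (NDR mailbox and journal rule) via Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; values below are placeholders.
$SensorDomain = 'symbolicname.hosted.agari.com'        # placeholder: sensor FQDN / placeholder domain
$NdrMailbox   = 'journal@yourdomain.onmicrosoft.com'   # placeholder: receives undeliverable journal reports
$AdminUpn     = 'admin@yourdomain.onmicrosoft.com'     # placeholder: account with Exchange admin rights

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 1: connector from Office 365 to the partner organization, used only for mail to the
# placeholder domain, routed through the sensor as a smart host, TLS always required.
# TlsSettings EncryptionOnly matches "Any digital certificate, including self-signed";
# use CertificateValidation if the sensor has a certificate issued by a trusted CA.
$connector = New-OutboundConnector -Name 'Cloud Email Protection Sensor' `
    -ConnectorType Partner `
    -RecipientDomains $SensorDomain `
    -SmartHosts $SensorDomain `
    -UseMXRecord $false `
    -TlsSettings EncryptionOnly `
    -Enabled $true

# Steps 20-28: validate reachability with a test recipient on the placeholder domain.
# The local part is irrelevant; any address at that domain will do.
Validate-OutboundConnector -Identity $connector.Identity -Recipients "validate@$SensorDomain"

# Step 2 prerequisite: shared mailbox for journal NDRs, then register it as the NDR address.
New-Mailbox -Shared -Name 'JournalReportNDR' -DisplayName 'JournalReportNDR' -PrimarySmtpAddress $NdrMailbox
Set-TransportConfig -JournalingReportNdrTo $NdrMailbox

# Step 2: journal rule sending reports to an address on the placeholder domain.
# -Scope Global is "Apply to all messages". To journal only a test group instead, add
# -Recipient <group address> (assumption: the group already exists under recipients > groups).
New-JournalRule -Name 'Cloud Email Protection Sensor' `
    -JournalEmailAddress "journal@$SensorDomain" `
    -Scope Global `
    -Enabled $true

# Review what was created before relying on it.
Get-OutboundConnector -Identity 'Cloud Email Protection Sensor' |
    Format-List Name, RecipientDomains, SmartHosts, TlsSettings, Enabled
Get-JournalRule -Identity 'Cloud Email Protection Sensor' |
    Format-List Name, JournalEmailAddress, Scope, Recipient, Enabled
Get-TransportConfig | Format-List JournalingReportNdrTo

Disconnect-ExchangeOnline -Confirm:$false
```

The final Get-* calls are the equivalent of the portal's confirmation screens: keep their output with your change record, and monitor the NDR mailbox afterwards, as the page advises, for undeliverable journal reports that would indicate a connectivity problem between Office 365 and the sensor.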