Hybrid Exchange + SMTP Proxy

Hi all,

I've followed the office 365 integration guide for hybrid exchange, and TLS appears to be working fine, and mail is flowing between the two sites, but it appears that the SMTP proxy causes mail routed from exchange online mailboxes to on-premises mailboxes to be marked as "outside the organization", and thus subject to anti-spoofing mail flow rules that I have configured on the internal exchange server.

Disabling the SMTP proxy and using a packet filter corrects this, and mail is correctly marked as internal, but of course it doesn't get inspected for GAV and spamblocker.

For now I've got 2 SMTP policies, one for office 365 as a packet filter with a FROM alias that includes all M365 IPs, and a proxy policy that accepts SMTP from all other external sources.

Just reaching out to see if anyone else is in the same situation and if you have done anything differently/better, where I can possibly run mail from exchange online through spamblocker/GAV/etc, whether it's internal mail or not.

Cheers,
-Chris
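A small header-triage script, added here as an example (not from the thread or from WatchGuard), to check whether on-premises Exchange stamped a message as internal (via the X-MS-Exchange-Organization-AuthAs header) and whether the delivering hop came from a range assumed to be Exchange Online. The sample headers are constructed, and the CIDR list is a placeholder to replace with Microsoft's current published Exchange Online endpoints.

```python
import ipaddress
import re
from email import message_from_string

# Placeholder ranges (confirm against Microsoft's current published Exchange Online list).
ASSUMED_EXO_RANGES = [ipaddress.ip_network(n) for n in
                      ("40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
TLS_RE = re.compile(r"version=([A-Za-z0-9_.]+)")


def classify(raw_headers: str) -> dict:
    """Report how Exchange stamped the message and what the last inbound hop looked like."""
    msg = message_from_string(raw_headers)
    # Exchange stamps AuthAs (Anonymous/Internal/External/Partner) after the receive
    # connector decides how to treat the sending host.
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip()
    received = msg.get_all("Received") or []
    top = received[0] if received else ""  # topmost Received = last hop into our server
    ip_m, tls_m = IP_RE.search(top), TLS_RE.search(top)
    hop_ip = ip_m.group(1) if ip_m else None
    from_exo = bool(hop_ip) and any(ipaddress.ip_address(hop_ip) in n for n in ASSUMED_EXO_RANGES)
    return {"auth_as": auth_as,
            "treated_internal": auth_as.lower() == "internal",
            "hop_ip": hop_ip,
            "hop_from_exo": from_exo,
            "hop_tls": tls_m.group(1) if tls_m else None}


# Constructed sample: mail from an Exchange Online range that on-prem treated as external.
SAMPLE_EXTERNAL = """\
Received: from mail-eopbgr.outbound.protection.outlook.com (40.107.1.25) by
 EXCH01.corp.example (10.10.0.5) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.7 via Frontend
 Transport; Mon, 3 Apr 2023 09:12:41 +0000
X-MS-Exchange-Organization-AuthAs: Anonymous
Subject: constructed sample

"""
# Constructed sample: same hop, but stamped as organisation-internal.
SAMPLE_INTERNAL = SAMPLE_EXTERNAL.replace("AuthAs: Anonymous", "AuthAs: Internal")

if __name__ == "__main__":
    for name, sample in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        print(name, classify(sample))
```

Run it against headers exported from a test message sent along each policy path; a hop that is inside the Exchange Online ranges but stamped Anonymous is the symptom described in the post.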

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Chris_Kelly
    This is likely going to be setting some sort of trust from the Firebox's IP address -- since Exchange is doing this, it may be worth asking Microsoft's support how to do that.

    -James Carson
    WatchGuard Customer Support

  • Hey @Chris_Kelly,

    This may depend upon where your DNS MX records are pointing to: the on-prem Exchange or O365.

    Good documentation here on Transport Routing in Hybrid environments:

    https://docs.microsoft.com/en-us/exchange/transport-routing

    The very first sentence is this:

    "Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic."

    Which a Proxy policy would do.

    If you want your Firebox to handle all the spam filtering, GAV, etc., then maybe your MX records should point to the external IP of your Firebox and then let the Exchange Transport connector handle routing email to accounts hosted in O365.

    -Doug

    It's usually something simple.
