Integration of AVAS with Microsoft 365

Access portal.office.com logged in as the administrator of your domain, and then choose Exchange.

Configure Office 365 inbound with AVAS filtering. To integrate the MX records of AVAS with Office 365, follow the relevant Microsoft application note:

https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud#scenario-1—mx-record-points-to-third-party-spam-filtering

It simply involves configuring the domain’s MX records to point to avas-mx-yourcompany-1 and -2.planisys.net instead of pointing to the MX of Office365, following the logic of step 1 (Scenario 1 – MX record points to third-party spam filtering).

This way, you will have greater antivirus, antimalware, and antispam protection than if you only point to the Office365 mailbox service.

In Office365 terminology, the AVAS service is known as “3rd party Cloud Service” and “3rd party Spam Filtering“.

Go to Exchange Admin Center

  1. Click on mail flow

  2. Click on connector

  3. Click on the + sign

  4. Choose “Partner Organization” in the From section, and “Office365” in the To section

  5. Click Next

  6. Choose “Use Sender’s IP address” and click Next

  7. Add the Planisys IP blocks with the + sign

    • 131.108.40.0/24

    • 131.108.41.0/24

    • 131.108.42.0/24

    • 131.108.43.0/24

    • 190.185.104.0/24

    • 190.185.105.0/24

    • 190.185.106.0/24

    • 190.185.107.0/24

    • 179.63.248.0/24

    • 179.63.249.0/24

    • 179.63.250.0/24

    • 179.63.251.0/24

    • 185.180.8.0/24

    • 185.180.9.0/24

    • 185.180.10.0/24

    • 185.180.11.0/24

  8. Check where it says “Reject Messages if they aren’t sent over TLS” and click Next

  9. Click Save

  10. Return to mail flow

  11. Click on rules

  12. Click on +

  13. Choose Bypass Spam filtering

  14. Give it a name, e.g., Planisys Avascloud

  15. click on “apply this rule if”

  16. click on “the sender”

  17. click on ” the IP address is in any of these ranges”

  18. Re-specify the Planisys IP ranges with the + sign, and finally press OK

  19. Click on “do the following”, “modify the message properties“, “set the spam confidence level SCL“, “bypass spam filtering“

  20. Click OK, click Save

  21. Click on mail flow

  22. Click on Accepted Domains

  23. Ensure your domain is listed, then click

  24. Mark it as Authoritative (not as Internal Relay)

  25. Click Save

With steps 22 to 26, we ensure that RV or Recipient Verification is enabled. This means Office365 will not accept emails to unknown mailboxes during the SMTP dialogue with AVAS-MX. This significantly reduces the number of bounces and prevents the backscattering effect.

Configure Office 365 outbound to allow all outgoing mail to pass through an AVAS relay. You will need to set up an outbound connector in Hosted Exchange.

You need to configure mail routing from the Office365 server to the AVAS outgoing relay server.

The first step is to log in to https://www.office.com/ with your corresponding email and password. Once logged in, to continue with the configuration, we need to access the admin part. To access this part, you just need to be on the main page and click on Admin. This way, we access the admin center, where we will proceed with our configuration.

When we are in the admin center, the next step will be to look for exchange. It may be that this section is already added to your admin center configuration. But if you are accessing for the first time and this section is not there, you need to add this part. To add this menu, on the admin center page there is a section that allows you to add the things we need. As seen in the photo.

When we click on ‘add’, the options we can add will appear, one of them being to add the exchange. We click on this option and add it. Once we have added this section, it will appear on the main page of the admin center.

We click on exchange and it redirects us to the exchange admin center page, as seen in the photo.

On the left side, different options appear. We base ourselves on the mail flow option.

When we have clicked on mail flow, the next step is to click on connectors and finally on the add symbol, as indicated in the photo.

When we have clicked on add, a new configuration window opens where we have to choose the mail flow scenario. How the configuration should look can be seen in the following photo.

The next step is to add a name to the connector we are creating (e.g., Planisys Outbound)

After adding the name, the next configuration provides when we want to use the connector we are creating. In our case, we will use this connector when we are going to send an email to a specific domain, the domain or more than one domain can be added by clicking on the add icon.

We always choose an asterisk “*” to denote that it is a SMART HOST, that is, an outgoing relay that will channel all our traffic.

This step consists of choosing the message route, that is, choosing a specific relay. For this, we will take the name of the AVAS, e.g., empresaxyz, and use avas-out-empresaxyz-1.planisys.net as the outgoing relay. If you have an AVAS with more than one outgoing relay, you can choose one of them, e.g., avas-out-empresaxyz-4.planisys.net

In this last step, we configure how Office 365 should connect to the AVAS relay. We always choose TLS to improve the security and privacy of your company’s outgoing traffic, and we also require that the digital certificate used by the AVAS relay be a certificate signed by a valid Certification Authority.

With these steps, we finish the configuration where a mini-summary of the configuration appears. We click ‘next’. Now we need to confirm the outgoing routing operation:

The next step will be verification. In the verification, we add any email to which we have read access, with which the verification will be done. Once the verification is finished, the result is shown, but apart from that, we also receive a confirmation message.

In the end, it should look like this (connectivity and test e-mail in “Succeeded”).

Next, we begin the validation, which consists of several steps: first, it is verified that the outgoing AVAS server is accessible, then it is confirmed that the AVAS server uses TLS with a valid certificate, and finally, the mail is sent, waiting for it to be accepted by the AVAS relay.

Message:

The following link https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 shows us which IP blocks Office365 sends from.

These blocks must be added to the AVAS interface in the Relays tab to ensure that the relay will accept mail from all those IP blocks.

After creating the connector, click on “protection” in the vertical left bar of the Office365 Admin.

A horizontal menu then appears, click on where it says “connection filter”.

Click on the pencil icon. This opens a pop-up, and there you need to click on “connection filtering”. Then click on the + sign at the top where it says “Allowed IP addresses” to add allowed IP addresses.

You need to add one block at a time by entering a block and pressing OK. The blocks are

131.108.40.0/22 185.180.8.0/22 190.185.104.0/22 179.63.248.0/22

Once these blocks are entered, click on the Save button.

Last Updated on 2024-08-21