How to integrate FortiMail into Office 365


FortiMail can be integrated with Office 365 to protect your incoming and outgoing emails.

Configuring DNS in Office 365

Before getting started you’ll need to quickly configure Office 365.

 1.  Go to the Manage domains page.

 2.  Choose Add domain to start the setup wizard.

 3.  Enter your domain name.

 4.  Add your DNS records and then select Okay, I’ve added the record.


 5.  Go to your DNS server.

 6.  Change the MX record from Office 365 to FortiMail.
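A way to confirm the MX change from step 6, added here as an example and not part of the original article: the function classifies each answer from `dig +short MX <domain>` and reports the cutover as complete only when every MX target is a FortiMail host. The hostname `fml.example.com` and the sample answers are constructed; `.mail.protection.outlook.com` is the suffix Office 365 uses for its own MX targets.

```python
O365_MX_SUFFIX = ".mail.protection.outlook.com"


def audit_mx(dig_output, fortimail_hosts):
    """Classify each MX answer as 'fortimail', 'office365' or 'unknown'."""
    allowed = {h.lower().rstrip(".") for h in fortimail_hosts}
    results = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # not a "<preference> <host>" answer line
        pref, host = int(parts[0]), parts[1].lower().rstrip(".")
        if host in allowed:
            kind = "fortimail"
        elif host.endswith(O365_MX_SUFFIX):
            kind = "office365"  # mail sent here skips FortiMail
        else:
            kind = "unknown"
        results.append((pref, host, kind))
    return sorted(results)


def mx_cutover_complete(dig_output, fortimail_hosts):
    """True only if there is at least one MX and all of them are FortiMail."""
    results = audit_mx(dig_output, fortimail_hosts)
    return bool(results) and all(kind == "fortimail" for _, _, kind in results)


# Constructed sample answers in `dig +short MX` format.
BEFORE = "0 example-com.mail.protection.outlook.com.\n"
PARTIAL = "10 fml.example.com.\n20 example-com.mail.protection.outlook.com.\n"
AFTER = "10 fml.example.com.\n"

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(name, mx_cutover_complete(sample, ["fml.example.com"]),
              audit_mx(sample, ["fml.example.com"]))
```

The `PARTIAL` case is the one to watch for: a leftover lower-priority MX pointing at Office 365 still accepts mail that FortiMail never sees.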


Configuring FortiMail to Accept Office 365

You will now have to configure your FortiMail unit to accept mail from your domain and then forward the mail to Office 365.

 1.  Go to Mail Settings > Domains > Domains.


 2.  Select New to create a new domain or right click a domain and select Edit to edit an existing domain.

 3.  Enter the domain name.

 4.  Enter the SMTP server.

Configuring Office 365 to Accept FortiMail

Now you’ll have to configure Office 365 to accept incoming mail from your FortiMail unit once FortiMail has checked it.

 1.  Go to the Exchange admin center section.

 2.  Select mail flow.

 3.  Select the Plus Sign dropdown menu and select Create a new rule…


 4.  Enter a name for the new rule.

 5.  Select More options.


 6.  Enter the IP address.


 7.  Configure the new rule to drop all inbound mail unless it comes from the FortiMail servers, then select the Accept only from FortiMail checkbox in the rules section of the Exchange admin center.


Configuring Outbound Settings in FortiMail

Now that your inbound mail settings are configured in both Office 365 and FortiMail, you’ll need to configure your outbound settings in FortiMail.

 1.  Open the FortiMail CLI.

 2.  Enter the following commands:

config policy access-control receive
   edit 1
       set sender-ip-mask 23.103.132.0/22
       set action relay
   next
   edit 2
       set sender-ip-mask 23.103.144.0/22
       set action relay
   next
   edit 3
       set sender-ip-mask 23.103.191.0/24
       set action relay
   next
   edit 5

<snip> etc.

 3.  Add Office 365 as a trusted relay to FortiMail.
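Typing these relay rules by hand invites slips in the `sender-ip-mask` keyword or in a range, so the following added example (not from the original article) generates the block from a validated list instead. It covers only the three ranges the article shows in full, since the listing is cut off after `edit 5`. The function name, the `min_prefix` guard and the closing `end` line are assumptions of this example.

```python
import ipaddress

# The three complete ranges shown in the article's listing.
OFFICE365_RANGES = ["23.103.132.0/22", "23.103.144.0/22", "23.103.191.0/24"]


def build_relay_rules(cidrs, first_id=1, min_prefix=16):
    """Return FortiMail CLI text with one relay rule per validated IPv4 CIDR."""
    seen = set()
    lines = ["config policy access-control receive"]
    rule_id = first_id
    for raw in cidrs:
        # strict=True rejects entries with host bits set, e.g. 23.103.132.1/22
        net = ipaddress.ip_network(raw.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"{raw}: only IPv4 ranges are handled here")
        if net.prefixlen < min_prefix:
            # A relay rule trusts every address in the range, so refuse
            # anything broader than the caller explicitly allows.
            raise ValueError(f"{raw}: prefix shorter than /{min_prefix}")
        if net in seen:
            continue  # skip duplicates instead of emitting two rules
        seen.add(net)
        lines += [
            f"   edit {rule_id}",
            f"       set sender-ip-mask {net.with_prefixlen}",
            "       set action relay",
            "   next",
        ]
        rule_id += 1
    lines.append("end")  # leaves the config block (assumed, not in the excerpt)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_relay_rules(OFFICE365_RANGES))
```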


Configuring Outbound Settings in Office 365

Now you’ll need to make Office 365 relay outgoing mail to FortiMail.

 1.  Create a new connector and enter a descriptive name and description. Select Next.


 2.  Select Office 365 from the From dropdown menu and Partner organization from the To dropdown menu. Select Next.


 3.  Select the Only when I have a transport rule set up that redirects messages to this connector radio button. Select Next.

 4.  Configure the IP or FQDN of the FortiMail. Select Next.


 5.  Select the Any digital certificate, including self-signed certificates radio button. Select Next.

Review the new connector settings and select Next.

 6.  Select Validate. Office will now perform the steps necessary for validation. When it is finished, select Close.

The Status section should say “Succeeded” if the process was successful. Select Save.


Your incoming and outgoing messages will now be protected by FortiMail. You should now take the time to apply a FortiMail AntiVirus and AntiSpam profile.

Note: You can disable Office 365 AntiSpam services if you feel they are no longer required.

  • We noticed that there are two steps left out to integrate with O365:

    1) You must enable the connector for it to work; validate does not work with the connector disabled.

    2) You must create a new transport rule that references the new connector:

    • Ted Barnes

      Thanks Stu you saved me a lot of trouble.

      • Stuart Berman

        An issue we noticed is that internal email would get routed by Office 365 to FortiMail when it should have been rerouting back through the Hybrid Connector to our on premise Exchange server.

        As an example, externally we use example.com as our public domain.
        Internally we use example.net.
        Some servers on the internal network send email to internal users as server123@example.net because they were not set up properly.
        Any responses would get lost when they were sent by O365 to FortiMail.
        So we had to add those internal domains to the ‘exception list’ in the FML rules pictured above.
        We also had to create a new connector for those domains that sends all mail destined for those internal domains to the Hybrid Connector.

        The “FML connector” routes outbound mail to FortiMail instead of directly to the Internet.
        The Hybrid Mail Flow Outbound Connector sends mail directly from O365 to internal Exchange. It is aware of your defined domains.
        The new internal domain connector was created for domains not registered as standard domains but required to be handled as legitimate email.
        The Hybrid Mail Flow Inbound Connector accepts mail from the internal Exchange system to O365.