Administrator Manual - Microsoft 365 Configuration
Retarus Email Security can be set up as an inbound email gateway through which all incoming email traffic for your domains passes before reaching your Microsoft 365 accounts. Among other things, Retarus Email Security filters out spam and viruses and then forwards emails to the Microsoft 365 servers. Please follow the instructions below in Inbound Configuration to configure this setup.
You can likewise specify the Retarus Email Security as the outbound mail gateway through which all mail is sent from your domain via your Microsoft 365 account to the recipient. As the outbound gateway, the Retarus Email Security processes the email before final delivery. By using the configuration described in Outbound Configuration, you set up the Microsoft 365 email servers to pass all outgoing email from your domain to the Retarus Email Security.
Inbound Configuration
Follow these steps to configure your Inbound connection via Retarus.
MX record lookup
Look up the MX records via DNS lookup – or via your Microsoft 365 portal:
Log in to your Microsoft 365 portal (https://admin.microsoft.com).
Navigate to Microsoft 365 admin center - Settings - Domains.
Click on your domain (or select the domain via the checkbox and click on the Check health button).
Navigate to the DNS records tab, click on MX and note down the value from the Points to address or value column.
Domain configuration at Retarus
Add your domain via the Retarus EAS portal:
Log into the EAS portal (https://eas.retarus.com).
Go to Administration - Email Services - Service Configuration.
Navigate to the Domain tab.
Click on the Add domain button below the list.
Enter your domain and select a profile (if any).
Under the Connection settings tab, go to Type of destination address and select A-Record from the drop-down list.
As Destination server, enter the value that you noted down before in the Microsoft 365 portal.
Select all other options as desired.
Microsoft 365 rule to bypass spam filtering
When the steps above are completed, you are already able to receive Inbound emails in your Microsoft 365 environment via Retarus.
If you wish to use only the Retarus spam filtering features to prevent spam from entering your organisation, you should make sure that Retarus is configured as a trusted relay and that spam filtering by Microsoft 365 is bypassed. To avoid unwanted blocking of emails by Microsoft 365, you should follow the advice provided in the respective Microsoft article.
To complete the configuration of this rule you will need the IP addresses of the Retarus hosts which currently are:
The use of Transport Rules and setting the SCL value to -1 was deprecated by Microsoft in October 2023.
Optional Microsoft 365 Inbound Connector
An “Inbound Connector” is not required for receiving inbound emails via Retarus. You may configure a dedicated connector only if you want to make sure that emails can reach your Microsoft 365 servers from Retarus and from nowhere else. To do so, follow the steps described below:
Log in to the Exchange admin center at https://admin.exchange.microsoft.com (or log in to https://admin.microsoft.com and navigate to Admin centers - Exchange).
In the menu on the left side, click on Mail flow - Connectors.
Click on + Add a connector.
In the New connector dialogue, choose Connection from: Partner organization.
On the next page (Connector name), enter a descriptive name, e.g. “Inbound via Retarus”.
On the next page (Authenticating sent email), choose the first option (By verifying that the sender domain matches one of the following domains) and add the asterisk wildcard (*).
On the following page (Security restrictions), the first option (Reject email messages if they aren’t sent over TLS) may be left activated, without the sub-option concerning certificates.
Activate the second checkbox (Reject email messages if they aren’t sent from within this IP range) and add the following IP addresses:
On the following Review connector page, you may check your settings again and click on Create connector.
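The same inbound connector can be created and audited from Exchange Online PowerShell. This is an added example, not a script from Retarus or Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the two addresses in $allowedIps are placeholders from the documentation range that must be replaced with the current Retarus host addresses.

```powershell
# Added example: Exchange Online PowerShell equivalent of the wizard steps above.
Connect-ExchangeOnline

$name = 'Inbound via Retarus'

# PLACEHOLDERS (RFC 5737 documentation range), not Retarus hosts.
# Replace with the current Retarus host IP addresses before running.
$allowedIps = @('192.0.2.10', '192.0.2.11')

$params = @{
    Name                         = $name
    ConnectorType                = 'Partner'    # Connection from: Partner organization
    SenderDomains                = '*'          # sender domain wildcard
    RequireTls                   = $true        # reject mail not sent over TLS
    RestrictDomainsToIPAddresses = $true        # reject mail from outside the IP list
    SenderIPAddresses            = $allowedIps
}
# No TlsSenderCertificateName is set: the certificate sub-option stays off.
New-InboundConnector @params

# Audit: read the connector back and compare its IP list with the expected one.
# Assumption: addresses are compared as strings, exactly as they were entered.
$connector  = Get-InboundConnector -Identity $name
$configured = @($connector.SenderIPAddresses | Where-Object { $_ } | ForEach-Object { "$_" })
$missing    = @($allowedIps | Where-Object { $_ -notin $configured })
$unexpected = @($configured | Where-Object { $_ -notin $allowedIps })

if (-not $connector.Enabled -or -not $connector.RestrictDomainsToIPAddresses) {
    Write-Warning "Connector '$name' is disabled or not restricted to the IP list."
}
if ($missing.Count -gt 0) {
    Write-Warning "Missing from connector: $($missing -join ', ')"
}
if ($unexpected.Count -gt 0) {
    Write-Warning "Not in expected list: $($unexpected -join ', ')"
}
```

Re-running only the audit part after Retarus announces address changes shows which entries on the connector need to be added or removed.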
Outbound Configuration
Before following the steps described below, please contact Retarus Customer Support to enable Retarus Email Security to accept emails from your Microsoft Office 365.
Do not continue until Retarus has advised you to continue with the configuration.
Unlike for inbound traffic, a Microsoft 365 “Outbound Connector” is mandatory for outbound traffic. Therefore, create a new Outbound Connector by following these steps:
Log in to the Exchange admin center at https://admin.exchange.microsoft.com (or log in to https://admin.microsoft.com and navigate to Admin centers - Exchange).
In the menu on the left side, click on Mail flow - Connectors.
Click on + Add a connector.
In the New connector dialogue, choose Connection from: Office 365 and Connection to: Partner organization and click on Next.
On the next page (Connector name), enter a descriptive name, e.g., “Outbound via Retarus”.
On the following page (Use of connector), choose the Only when email messages are sent to these domains option, enter the asterisk wildcard (*), and click on the + and then on Next.
(You could also choose the first option, but in this case, you need to create an additional transport rule afterward.)
On the following page (Routing), choose Route email through these smart hosts, click on the +, and enter gkdin.rmx.de (Munich data center) as the smart host. Do the same again to add gkdin.de1.retarus.com (Frankfurt data center) and click on Next.
On the next page (Security restrictions), choose TLS settings as desired. We recommend choosing Always use Transport Layer Security (TLS) to secure the connection (recommended). Connect only if the recipient’s email server certificate matches this criteria: Issued by a trusted certificate authority (CA).
On the next screen (Validation email), specify an email address to which a test email is sent in order to validate the connector settings.
After a successful test, you may click on Next, verify your settings a last time, and finally create the new connector.
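The outbound connector from the steps above, expressed as Exchange Online PowerShell. This is an added example, not a script from Retarus or Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the validation recipient is a placeholder address.

```powershell
# Added example: Exchange Online PowerShell equivalent of the wizard steps above.
# Run only after Retarus has confirmed that it accepts mail from your tenant.
Connect-ExchangeOnline

$name = 'Outbound via Retarus'

$params = @{
    Name             = $name
    ConnectorType    = 'Partner'                # Connection to: Partner organization
    RecipientDomains = '*'                      # applies to mail for all domains
    UseMXRecord      = $false                   # route via smart hosts, not MX
    SmartHosts       = @(
        'gkdin.rmx.de',                         # Munich data center
        'gkdin.de1.retarus.com'                 # Frankfurt data center
    )
    # Always use TLS and require a certificate issued by a trusted CA.
    TlsSettings      = 'CertificateValidation'
}
New-OutboundConnector @params

# Read the connector back and check routing and TLS settings.
Get-OutboundConnector -Identity $name |
    Format-List Name, Enabled, RecipientDomains, UseMXRecord, SmartHosts, TlsSettings

# Send the validation email described in the Validation email step.
# PLACEHOLDER recipient: use a mailbox outside your tenant that you can check.
Validate-OutboundConnector -Identity $name -Recipients 'postmaster@example.com' |
    Format-List
```

With TlsSettings set to CertificateValidation, delivery to a smart host is refused when its certificate does not chain to a trusted CA, so a failed validation here points at TLS or at Retarus not yet accepting mail from the tenant.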