Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cajuntank
Contributor II

FortiMail Cloud and Office 365 guidance question

I just got finished setting up FortiMail Cloud for Office 365 (setup as gateway for inbound traffic only) and had a question I am having trouble getting definitive answers on. I am sending and receiving email just fine; however, I know I have some tuning and tweaking still to do. Also, I know I am asking this question from a O365 guidance side of things, but as it relates to the new integration with FortiMail, I'm hoping someone can share some guidance on what worked best for them advice.

 

One setting I put into place was defining the IPs of my FortiMail Cloud instance into the Anti-Spam Connection Filter Policy at O365. I did this as it seemed O365 was declaring an inordinate amount of SPAM from FortiMail Cloud. According to Microsoft, the IP Allow List skips spam filtering but still scans for malware and high-confidence phishing. I am getting more email alerts from O365 about "Phish delivered due to an IP allow policy" (I assume due to the Connection Filter Policy and since it's no longer scanning for spam). Is there something else I needed to do or not do from the O365 side of things with  FortiMail Cloud... I guess I am just looking for some O365 settings guidance I need to look out for or address with this kind of setup?

 

1 Solution
Cajuntank

So just an update to this, I finally got through a Microsoft ticket to get this answered and was told that me adding the FML Cloud IPs to the Connection filter policy was redundant (and thus technically not necessary) to my enabling the Enhanced  Filtering for Connectors since those FML Cloud IPs were specified there and is again, the recommended best practice approach according to Microsoft. Thanks for responses.

View solution in original post

5 REPLIES 5
AEK
SuperUser
SuperUser

If I understand well you are receiving on your O365 many spam mails through your FML. If so then you probably didn't configure well you spam filtering on your FML.

Using the default antispam profile usually provides good results. If you share your antispam profile config maybe we can help.

AEK
AEK
Cajuntank
Contributor II

Sure I can supply that; however, I feel I have a good grasp of that side of things, it's just on the O365 side of things, before I declared the FortiMail IPs in the connection filter policy, O365 was declaring way more spam than normal. Once I added those IPs in, O365 now just gives me occasional daily notifications of the Phish due to IP allowed policy. I was just wondering if I did things correctly on the O365 side of things and was looking for guidance there in case there was something I needed to do more on that side.

In regards to the FortiMail spam profile, I pretty much followed the tuning that was mentioned in this link   https://www.reddit.com/r/fortinet/comments/awn1kz/initial_fortimail_configuration_and_tuning/

 

AEK

From mail server side don't add FML's IP in the allow list, you need to declare it as MTA for incoming mails and add connector for outgoing mails (if needed).

AEK
AEK
Cajuntank
Contributor II

Those FML Cloud IPs were added to the Enhanced Filtering for Connectors as per Microsoft recommendation

 https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail...

I guess the only other thing I did was add those IPs to my default Connection filter policy (under the Anti-Spam policies), which looks to be, after more reading and research, the only thing in question as I don't see where in the flow of things, this comes into play with that Enhanced filtering turned on. Again, not using FML Cloud for outgoing mail and I was "throwing things at it" during a time of when I seem to be getting O365 to be flagging a lot of typically legitimate email as SPAM, thus my hesitation to remove those IPs from the Connection filter policy as of yet until I do more research.

Cajuntank

So just an update to this, I finally got through a Microsoft ticket to get this answered and was told that me adding the FML Cloud IPs to the Connection filter policy was redundant (and thus technically not necessary) to my enabling the Enhanced  Filtering for Connectors since those FML Cloud IPs were specified there and is again, the recommended best practice approach according to Microsoft. Thanks for responses.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors