By default, Office 365/Exchange Online allows mail to be received from any external source. This is done using a ‘hidden’ default inbound connector. The properties of this connector cannot be viewed or modified, even in Exchange Online Powershell.
This is all well and good and allows you to be able to send/receive mail out of the box in Office 365, however is does cause a problem if you are using a 3rd party mail solution such as Mimecast or Websense. If you do happen to be using a 3rd party mail filter and you leave the default inbound connector alone, somebody could bypass your filter by sending you mail directly to your Office 365 hostname. From a best practices and security point of view, this is most definitely a bad thing.
To combat this and limit Office 365 from receiving mail only from your mail filter, go into your Exchange Admin centre and create a new Inbound Connector under Mail Flow>Connectors.
The settings of your Inbound Connector should be as follows:
Connection Security: Force TLS (only if your mail filter supports forced TLS. This will add an extra layer of security. Otherwise, use Opportunistic TLS)
Sender Domains: *
Sender IP Addresses: 184.108.40.206 (enter your mail filters IP addresses here)
This example states that Office 365 will only receive mail from the IP address 220.127.116.11 and nothing else. The * wildcard under Sender Domains applies the connector to all mail. If I were to use Exchange Online Powershell to perform the same task, my command would look like this:
New-InboundConnector -Name Lockdown -ConnectorType Partner -RequireTls $true -SenderIPAddresses 18.104.22.168 -SenderDomains *
This simple configuration change will ensure that nobody can bypass your mail filter and spam you with invitations to enlarge something or other 🙂