Lock down Microsoft Office 365 to Email Security.cloud IP address ranges

Products

Email Security.cloud

Issue/Introduction

Steps to help prevent spam emails by locking down Microsoft Office 365 to accept messages only from Email Security.cloud IP ranges

Environment

Email Security.cloud

Resolution

To restrict the flow of email between your Office 365 organization and the Email Security.cloud service, set up connectors in Exchange Online or Exchange Online Protection (EOP) to use only the IP address ranges for Email Security.cloud.

To specify multiple IP addresses, use Classless Inter-Domain Routing (CIDR) ranges in the format ###.###.###.###/xx, where xx is a number from 24 to 32.

Note: By configuring the connector in this manner, any email that does not originate from Email Security.cloud IP address ranges will be rejected.

To require that all emails are sent from a specific IP address range, please create a connector that ensures mail is accepted only from Email Security.cloud IP ranges from all domains. Please check Configure Microsoft® Office 365™ for inbound mail for further details.

IPV4 IP addresses and Classless Inter-Domain Routing (CIDR)

IPV4 IP addresses must be specified in the format ###.###.###.###, where ### is a number from 0 to 255.

You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format ###.###.###.###/xx, where xx is a number from 24 to 32, as shown in Table 1. To help you with this, we have provided all Email Security.cloud IP address ranges up to /24 for each region below.

Table 1 Email Security.cloud IP address ranges to /24 - All regions

216.82.240.0/24

216.82.241.0/24

216.82.242.0/24

216.82.243.0/24

216.82.244.0/24

216.82.245.0/24

216.82.246.0/24

216.82.247.0/24

216.82.248.0/24

216.82.249.0/24

216.82.250.0/24

216.82.251.0/24

216.82.252.0/24

216.82.253.0/24

216.82.254.0/24

216.82.255.0/24

85.158.136.0/24

85.158.137.0/24

85.158.138.0/24

85.158.139.0/24

85.158.140.0/24

85.158.141.0/24

85.158.142.0/24

85.158.143.0/24

95.131.104.0/24

95.131.105.0/24

95.131.106.0/24

95.131.107.0/24

95.131.108.0/24

95.131.109.0/24

95.131.110.0/24

95.131.111.0/24

46.226.48.0/24

46.226.49.0/24

46.226.50.0/24

46.226.51.0/24

46.226.52.0/24

46.226.53.0/24

46.226.54.0/24

46.226.55.0/24

117.120.16.0/24

117.120.17.0/24

117.120.18.0/24

117.120.19.0/24

117.120.20.0/24

117.120.21.0/24

117.120.22.0/24

117.120.23.0/24

67.219.240.0/24

67.219.241.0/24

67.219.242.0/24

67.219.243.0/24

67.219.244.0/24

67.219.245.0/24

67.219.246.0/24

67.219.247.0/24

67.219.248.0/24

67.219.249.0/24

67.219.250.0/24

67.219.251.0/24

67.219.252.0/24

67.219.253.0/24

67.219.254.0/24

67.219.255.0/24

194.106.220.0/24

194.106.221.0/24

195.245.230.0/24

195.245.231.0/24

193.109.254.0/24

193.109.255.0/24

103.9.96.0/24

103.9.97.0/24

103.9.98.0/24

103.9.99.0/24

Creating connectors using a PowerShell script

To speed up the process of entering IP addresses, you can use the following PowerShell script.

Note: We recommend that you use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell.

<#

Synopsis

This script contains all Email Security.cloud IP address ranges converted to a Classless Inter-Domain Routing (CIDR) range of IP addresses to /24, allowing for quick entry into Office 365.

Note: Office 365 allows CIDR ranges from /24 to /32.

Description This script creates a new connector for Office 365 that is restricted to Email Security.cloud IP addresses based on https://knowledge.broadcom.com/external/article/150693.

The connector is named "Email Security.cloud IP Address Ranges".

Notes - When prompted for a username and password, enter your Office 365 admin credentials. - New connectors will be disabled by default.

#>

Set-ExecutionPolicy RemoteSigned -Force

#Checks if the ExchangeOnlineManagement module is present if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) { Import-Module ExchangeOnlineManagement } else { Install-Module ExchangeOnlineManagement }

$UserCredential = Connect-ExchangeOnline

New-InboundConnector -Enable $False -Name "Email Security.cloud IP Address Ranges" -SenderDomains * -RestrictDomainsToIPAddresses $true -RequireTls $false -SenderIPAddresses 216.82.240.0/24, 216.82.241.0/24, 216.82.242.0/24, 216.82.243.0/24, 216.82.244.0/24, 216.82.245.0/24, 216.82.246.0/24, 216.82.247.0/24, 216.82.248.0/24, 216.82.249.0/24, 216.82.250.0/24, 216.82.251.0/24, 216.82.252.0/24, 216.82.253.0/24, 216.82.254.0/24, 216.82.255.0/24, 67.219.240.0/24, 67.219.241.0/24, 67.219.242.0/24, 67.219.243.0/24, 67.219.244.0/24, 67.219.245.0/24, 67.219.246.0/24, 67.219.247.0/24, 67.219.248.0/24, 67.219.249.0/24, 67.219.250.0/24, 67.219.251.0/24, 67.219.252.0/24, 67.219.253.0/24, 67.219.254.0/24, 67.219.255.0/24, 85.158.136.0/24, 85.158.137.0/24, 85.158.138.0/24, 85.158.139.0/24, 85.158.140.0/24, 85.158.141.0/24, 85.158.142.0/24, 85.158.143.0/24, 95.131.104.0/24, 95.131.105.0/24, 95.131.106.0/24, 95.131.107.0/24, 95.131.108.0/24, 95.131.109.0/24, 95.131.110.0/24, 95.131.111.0/24, 46.226.48.0/24, 46.226.49.0/24, 46.226.50.0/24, 46.226.51.0/24, 46.226.52.0/24, 46.226.53.0/24, 46.226.54.0/24, 46.226.55.0/24, 117.120.16.0/24, 117.120.17.0/24, 117.120.18.0/24, 117.120.19.0/24, 117.120.20.0/24, 117.120.21.0/24, 117.120.22.0/24, 117.120.23.0/24, 193.109.254.0/24, 193.109.255.0/24, 194.106.220.0/24, 194.106.221.0/24, 195.245.230.0/24, 195.245.231.0/24, 103.9.96.0/24, 103.9.97.0/24, 103.9.98.0/24, 103.9.99.0/24

Disconnect-ExchangeOnline -Confirm:$false -InformationAction Ignore -ErrorAction SilentlyContinue

Note: Please enable the connector via the O365 console when you are ready to start routing emails via Email Security.cloud.

Additional information

See Configure mail flow using connectors in Office 365 at Microsoft.com for more information.

See Set up connectors for secure mail flow with a partner organization at Microsoft.com for more information.

See Additional considerations when configuring IP Allow lists at Microsoft.com to specify ranges outside the 24 to 32 range.