Thursday, 6 July 2017

Office 365 Exchange online Outbound email blocked by Spamhaus (CBL)

Seems MS can't give a straight answer, but users on some trials are reporting difficulties with sending email (internal and external) due to transport restrictions enforced by MS.

MS uses the Spamhaus CBL to match IP in the header of the sending device. X-Originating-IP

Generally block lists are used for abusive SMTP/email servers, but MS are using it against Exchange clients (Outlook / Active Sync and OWA). Presumably to kerb spammers abusing the trial.

Error

Resulting in a NDR

Remote Server returned '550 5.7.501 Service unavailable, Client host blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS16042849)'

The NDR will contain the IP of the actual device where the message was generated, not the Exchnage server IP, as it the case with some other platforms.

X-Originating-IP: [1.125.48.104]



The Fix:

Modify the default connection filter to allow these IP's

  • Use the EAC to edit the default connection filter policy - detailed here
  • Use powershell to add multiple (max 1273) subnets (max subnet size /24)
PS> $UserCredential = Get-Credential

PS> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection


PS> $sn=@{Add="1.124.0.0/24",
"1.124.1.0/24",
"1.124.2.0/24",
...<snip>...
"1.127.255.0/24"}

PS> Set-HostedConnectionFilterPolicy “Default” –IPAllowList $null
PS> Set-HostedConnectionFilterPolicy “Default” –IPAllowList $sn

Links

Telstra Mobile IP's - http://wq.apnic.net/apnic-bin/whois....AINTERNET49-AU
Powershell command ref above - https://technet.microsoft.com/en-us/...xchg.160).aspx
EAC - IPAllowList Limits - https://technet.microsoft.com/en-us/...or=-2147217396