How To Best Stop SPAM To My SharePoint Inbound Document Libraries

I plan to have an external domain with an MX record pointing to my edge firewall. The inbound mail will hit the NAT and be redirected to the SMTP service running on my SharePoint WFE. What is the best way to secure this setup against SPAM and malware arriving in attachments?

Also, I understand there's an "advanced" inbound email configuration that somehow uses Exchange. Does this method require physical access to the drop folder or is there some sort of connector from Exchange into SharePoint? We use cloud-hosted Exchange so I don't know if this "advanced" method would be available. Has anyone done this?

  • Edited by Golfarama Friday, April 24, 2015 6:27 PM added/need additional info
April 24th, 2015 4:37pm

Per Microsoft instructions SMTP is running directly on the SharePoint web front end server. Exchange does not run on the SharePoint server. Mail arrives from the Internet to my SharePoint SMTP inbound folder(s). SharePoint picks up the mail from there.

Are you suggesting that mail could come to my Exchange server first (which would filter spam with proper configuration) and then make it to SharePoint's SMTP service? If so, can you elaborate on how that is configured? I have not been able to find Microsoft documentation on this scenario. It is sort of covered on this page: https://technet.microsoft.com/en-us/library/cc262947.aspx?f=255&MSPPError=-2147217396 but my SharePoint server is in the same domain as my Exchange server. So how can email be routed within the same domain to multiple SMTP servers?

Thanks!


  • Edited by Golfarama Monday, April 27, 2015 1:45 PM clarification
April 27th, 2015 1:42pm

Thanks, John. SharePoint must be in a different domain than my Exchange server, right? Or else SharePoint would need to be able to pick up mail out of a folder on the Exchange box.

For me, Exchange is in the cloud. So I believe I must have SharePoint in a different domain so Exchange can forward to my SharePoint SMTP service. What do you think?

  • Edited by Golfarama Monday, April 27, 2015 2:48 PM clarification
April 27th, 2015 2:45pm

Exchange is in the cloud (hosted by Intermedia) and SharePoint is on prem. After doing a little more research I see where I can supposedly give SharePoint permissions to an AD container in Exchange and SharePoint can make new contacts in that container and point mail delivery for those contacts to the SharePoint SMTP delivery address. The trick is getting that kind of access into a hosted environment. We may have a tunnel between us and the hosted provider. If that is so, then maybe this can all be done pretty securely.

If we cannot get some sort of access to an AD container I wonder if we couldn't just have the provider make some sort of manual contact in their AD environment that would redirect inbound SharePoint mail and push it over to the local SMTP service?

Does it sound like we are on the right track?


  • Edited by Golfarama Monday, April 27, 2015 6:48 PM grammar
April 27th, 2015 6:47pm

Reken,

Thank you for the excellent post! This is the kind of answer I was looking for and I think this is essentially the answer I came up with, as well. One question: Do you foresee any issues if my email is hosted externally and the email domain is "testing.com" while at the same time the internal SharePoint web front end server (in DMZ) is named "server1.testing.com"?

Obviously my internal DNS has different entries for testing.com hosts than the external (Internet) DNS.

Note that this isn't my setup. I am a consultant trying to help a customer with existing infrastructure by doing as little infrastructure modification as possible.


  • Edited by Golfarama 17 hours 12 minutes ago clarification
April 28th, 2015 10:24am

Hi,

There should be no issue with it. In such a case, the SharePoint incoming email address may have the same domain suffix as the user mailboxes in Exchange, but the SharePoint email addresses do not actually exist on your Exchange server. When messages to SharePoint arrive at Exchange, Exchange cannot find corresponding mailboxes for them, and the messages will then be routed to the outbound connector.

The only thing is that you need to create two A records for test.com in the public DNS registry: one for the MX record for your Exchange server, and the other pointing to your SharePoint front end.

Thanks,
Reken Liu

April 29th, 2015 2:13am

This topic is archived. No further replies will be accepted.