Ensuring mail delivery: Bypass 3rd Party filters with Receive Connector

In many cases, allowing Hoxhunt to deliver emails directly to your email tenant (M365 Exchange Online, on-premise Exchange Server) is the most reliable way to ensure delivery of Hoxhunt training emails.

 

Setting up a Receive Connector with Hoxhunt involves three steps:

  1. Create a Partner Receive Connector in on-premise Exchange/Exchange Online
  2. Make a note of the default MX record for your tenant/domains
  3. Configuration in the Hoxhunt admin portal

 

 

What is a Receive Connector?

A Receive Connector is a way to establish a "pipe" between two mail servers, for example Hoxhunt and your organization's Exchange Online tenant in M365.

Please check the following articles from Microsoft for further information:

Configure mail flow using connectors in Office 365

Set up connectors for secure mail flow with a partner organization

 

Why does Hoxhunt recommend a Receive Connector?

To bypass third-party systems

In some scenarios Hoxhunt may need to bypass additional filtering systems (e.g. email scanners) that might affect normal mail flow to your mail server. Receive Connector is a feature that makes it possible for Hoxhunt to send simulation emails directly to your email system (e.g. M365 or on-premise Exchange). Receive Connector is always recommended for hybrid environments to minimize mail flow issues.

NOTE
Although it's possible to bypass many filter systems with allowlisting, Hoxhunt strongly recommends configuring a Receive Connector. Some filter vendors won't guarantee 100% deliverability for Hoxhunt training emails due to the filter system's design principles.

For more information on allowlisting different filter systems, please check our Knowledge base or contact your filter system vendor.

 

Receive_connector_diagram.png

Figure 1: Receive Connector is configured at "OFFICE365" to let "HOXHUNT" bypass other systems in the way.

 

To mitigate throttling and greylisting

In M365, Microsoft's EOP service monitors email sending patterns for unusual activity. In certain situations the EOP service may start limiting your ability to receive Hoxhunt's emails because of changes in Hoxhunt's sending patterns. A Receive Connector is one way to mitigate (minimize) this issue.

 

Step 1. Create a Partner Receive Connector

TIP
The user interface may differ between the on-premise Exchange Admin Center and the M365 Exchange Admin Center. The following instructions and screenshots are based on the M365 user interface.
  1. Go to M365 Exchange Admin Center.
  2. Navigate to Mail Flow > Connectors, and select + Add a connector.
    M365_EAC_Add_connector.png
     
  3. In New Connector screen, select Partner organization and click Next.
    M365_EAC_New_Connector.png

    NOTE: If you are configuring receive connector for an on-premise Exchange server, please select "Exchange" from the "To" field.

     
  4. In Connector name screen, provide a name for your Hoxhunt connector.
  5. Under What do you want to do after the connector is saved?, tick Turn it on and click Next.
    M365_EAC_Name.png
     
  6. In Authenticating sent email screen, select the second option to authenticate by sender IP address.
  7. Add the following IP addresses separately, and click + button to add them to the list below.
    193.3.183.0/25
    35.156.0.138
  8. Click Next.
    M365_EAC_Authenticating_sent_email.png
     
  9. Under Security restrictions screen, use the default values (see screenshot) and click Next.
    M365_EAC_Security_restrictions.png

     
  10. Under Review connector screen, verify the configuration is correct and click Create connector.
    M365_EAC_Review_connector.png
     
You have now successfully configured Hoxhunt Receive Connector.
 
TIP: You can also use the following PowerShell command to configure a Receive Connector in M365 (Exchange Online):
New-InboundConnector -Name "Hoxhunt Receive Connector" -Enabled $true -SenderDomains * -RequireTls $true -SenderIPAddresses 193.3.183.0/25,35.156.0.138
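Because this connector trusts senders by IP address, it is worth checking that it matches the values in this article and has not drifted. The following is an added example, not Hoxhunt's or Microsoft's code; the function name Test-PartnerConnector and the sample objects (including the extra 203.0.113.0/24 range) are constructed for illustration.

```powershell
# Added example. Expected sender IPs are the two values listed in Step 1 of this article.
$ExpectedIPs = @('193.3.183.0/25', '35.156.0.138')

function Test-PartnerConnector {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Connector,
        [string[]] $AllowedIPs = $ExpectedIPs
    )
    process {
        # Normalise the connector's IP list to plain strings, skipping empty entries
        $actual  = @(@($Connector.SenderIPAddresses) | Where-Object { $_ } | ForEach-Object { "$_" })
        $extra   = @($actual | Where-Object { $_ -notin $AllowedIPs })
        $missing = @($AllowedIPs | Where-Object { $_ -notin $actual })

        $issues = @()
        if (-not $Connector.Enabled)    { $issues += 'connector is disabled' }
        if (-not $Connector.RequireTls) { $issues += 'RequireTls is not enabled' }
        if ($extra)   { $issues += "unexpected sender IPs: $($extra -join ', ')" }
        if ($missing) { $issues += "missing sender IPs: $($missing -join ', ')" }

        [pscustomobject]@{
            Name   = $Connector.Name
            Ok     = ($issues.Count -eq 0)
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-InboundConnector output (not real tenant data)
$sample = @(
    [pscustomobject]@{ Name = 'Hoxhunt Receive Connector'; Enabled = $true; RequireTls = $true
                       SenderIPAddresses = @('193.3.183.0/25', '35.156.0.138') },
    [pscustomobject]@{ Name = 'Hoxhunt (drifted)'; Enabled = $true; RequireTls = $false
                       SenderIPAddresses = @('193.3.183.0/25', '35.156.0.138', '203.0.113.0/24') }
)
$sample | Test-PartnerConnector | Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online PowerShell session):
# Get-InboundConnector | Where-Object Name -like '*Hoxhunt*' | Test-PartnerConnector
```

The second sample object is reported with Ok = False because TLS is not required and an address range outside the article's list has been added.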
 
 

Step 2. Make a note of the default MX record for your tenant/domains.

1. Go to M365 Admin Center.

2. Navigate to Settings > Domains.

3. Click on your default domain.
M365_AC_Settings_Domains.png


4. Switch to DNS records tab and click on the MX record.

5. In the MX Record screen, next to Expected record, locate the <MX-token>.mail.protection.outlook.com entry.

6. Make a note of the value in Points to address or value.

 

Example:

Your registered public domain name is company.com

-->

Your M365 tenant's MX record is company-com.mail.protection.outlook.com

TIP
With on-premise Exchange Server, the MX record is likely derived from the server's FQDN.

 

For more detailed instructions, please check these instructions (Microsoft) or these instructions (O365info.com).

 

Step 3. Configuration in the Hoxhunt admin portal.

 

  1. Navigate to the Hoxhunt admin portal -> Settings -> Email delivery
    1. https://admin.hoxhunt.com/settings/email-delivery 
  2. Scroll down to locate the Custom mail routing field, enter the value from step 2.6 or the on-premises Exchange server, and click Save


     

Considerations when bypassing certain security solutions with a receive connector

Check Point Harmony Email / Collaboration

When you are bypassing Check Point Harmony Email & Collaboration with a Partner Receive Connector, make sure you have placed Hoxhunt-related mail flow rules above any rule that would re-route the simulations to Check Point. Also make sure your last Hoxhunt-related mail flow rule has "Stop processing other rules" as its last action.

Otherwise, even when Hoxhunt simulations are delivered directly to your M365, such mail flow rules will re-route simulations to Check Point and back to M365. This type of re-routing can cause Microsoft Advanced Delivery not to detect the original sender IP properly, causing simulations to be inspected and even quarantined.

Mimecast

If you are using Mimecast's Internal Email Protect or Journaling, use the instructions in this article to allowlist Hoxhunt through your Mimecast. Also make sure you have configured Skip Listing so Hoxhunt's sender IP gets preserved.

If you don't have Mimecast's Internal Email Protect in use, we highly recommend bypassing Mimecast by setting up a Partner Receive Connector (this article) between Hoxhunt and your Exchange service for optimal delivery.

 

Frequently asked questions

We have more than one tenant configured to our Hoxhunt organization. We cannot receive all training emails via single tenant / Receive Connector.

Hoxhunt is able to support separate Receive Connectors for each of your domains. Please contact Hoxhunt Support for assistance.

Can we use something other than port 25 for mail delivery?

Contact Hoxhunt support at support@hoxhunt.com for assistance.

Increase the amount of allowed simultaneous inbound connections (on-premise Exchange only)

After you have configured a Receive Connector for Hoxhunt in your on-premise Exchange server, it might have a default limit of only 20 simultaneous inbound connections per sender. This can sometimes create sending issues for Hoxhunt.


To see the values of these Receive connector message throttling settings in Exchange, run the following command in the Exchange Management Shell:

Get-ReceiveConnector | Format-List Name,Connection*,MaxInbound*,MessageRate*,TarpitInterval


It’s possible to increase the value via the Set-ReceiveConnector cmdlet. We suggest increasing the MaxInboundConnectionPerSource value to 200 or more.
Here’s a great article about the default limits for different Receive Connector types:
https://docs.microsoft.com/en-us/exchange/mail-flow/message-rate-limits?view=exchserver-2019#message-throttling-on-receive-connectors

 

For more information about Receive connector please contact Hoxhunt Support.
