Office 365 question

You can use UTM before mails are sent to O365! We do the same.

Just make sure your MX-records for your domain(s) keep pointing to your UTM and in UTM make sure to route mails for your domain(s) to the O365 servers which Microsoft specifies as being the servers where MX records should point.

In my case I have several domains and use SMTP Profiles for it, for every domain I have:

Domains: the domainname where mail is received
Routing: Route by static host list -> O365 specified MX record (yourdomain-yourtld.mail.protection.outlook.com)

This will work, however O365 might complain that the DNS-check fails as their MX-record is either not listed or doesn't have highest prio.

Thank you for reply,

We have also multiple email domains and we have a single SMTP profile.

As I said before we have configure the UTM with WAF for our exchange and we are going to configure a Hybrid migration and later in time we will remove our exchange server and we want even after removing the Exchange server our UTM keep on scanning the emails for all of the domains. should we  we leave the WAF rules as they are? or we should we create a DNAT rule to allow all in comeing requests on port 25 to the UTM?

I understand that we should point the MX of all domains to the UTM but how should we route mails for our domain(s) to the O365 servers?

Thanks you.

See the attached image on how I have configured each maildomain to forward to O365. I think you need to create SMTP profiles separately for each maildomain since they need different DNS-hostnames to forward to.

I don't have any experience with hybrid setup so I cannot really advise in whether or not to keep your WAF rules or what to do with DNAT rules. I think Microsoft has more documentation on how to set up the local environment in a hybrid situation.

Thank you for the update,

your mailboxes are in the Office 365 and you dont have a on-permis Exchange server and with your currecnt configuration your utm does the work of scanning of the virus and spam correct?

Can you please tell me if you are useing a DNAT rule or a WAF rules from incoming mails to the UTM?

Thanks

You are correct. I have neither DNAT or WAF. In DNS I have configured the MX-record to point to the public IP-addresses of the UTM. In UTM whenever you configure SMTP profiles, UTM will automatically accept emails destined for the domains you configure, so there's no DNAT or WAF necessary when everything is in O365 (there are no exchange servers inside my own UTM).

In a hybrid environment you may need WAF (for OWA access and/or I suppose you may need transport rules between O365 and your own Exchange server, but please read through Microsofts documentation because I don't have experience nor knowledge of hybrid Exchange installations).

You are correct. I have neither DNAT or WAF. In DNS I have configured the MX-record to point to the public IP-addresses of the UTM. In UTM whenever you configure SMTP profiles, UTM will automatically accept emails destined for the domains you configure, so there's no DNAT or WAF necessary when everything is in O365 (there are no exchange servers inside my own UTM).

In a hybrid environment you may need WAF (for OWA access and/or I suppose you may need transport rules between O365 and your own Exchange server, but please read through Microsofts documentation because I don't have experience nor knowledge of hybrid Exchange installations).