Jatheon Support Center


How to Configure Microsoft 365 Journaling to Jatheon cCore Appliance (via firewall)

Steven Tobolar

Overview

Microsoft 365 (formerly Office 365) cannot directly route journaling messages to internal network devices, since these are typically behind firewalls and use private IP ranges. To journal messages to your Jatheon cCore appliance, you must configure journaling through a public DNS endpoint that forwards traffic to your internal Postfix server on the appliance.

This guide walks you through the setup process to ensure reliable and secure journaling from Microsoft 365 to Jatheon cCore.


Prerequisites

Before you begin, make sure you have the following:

  • A static public IP address on your firewall/gateway.
  • A public DNS record (A-record) pointing to that IP (e.g., fw.example.com).
  • Firewall configured to forward SMTP (TCP port 25) traffic from the public IP to your internal Jatheon cCore appliance.
  • Access to the MTA Setup configuration on the Jatheon appliance (contact Jatheon Support if needed).
  • Microsoft 365 Global Administrator or Exchange Administrator permissions.

Step 1: Create Public DNS Record

  1. In your DNS provider’s portal, create an A-record such as fw.example.com that points to your static public IP address.
  2. This hostname will be the destination Microsoft 365 uses to send journaled emails.

Step 2: Configure Firewall Port Forwarding

  1. On your firewall or gateway, allow inbound SMTP (TCP port 25) traffic to fw.example.com.
  2. Forward incoming traffic on port 25 to your Jatheon appliance’s internal FQDN.
    1. Example: fw.example.com:25 → 10.0.0.50:25
  3. If your firewall supports it, log incoming SMTP connections or restrict them to the Microsoft 365 IP ranges for security.
  4. Ensure outbound responses are not blocked by NAT or security policies.

Step 3: Configure Postfix on the Jatheon cCore Appliance

Your Jatheon cCore uses Postfix as its internal MTA to receive and process journaled messages.

  • Log in to the Jatheon cCore administrative interface.
  • Navigate to MTA Setup.
  • In the Postfix configuration screen:
    • Destination: Enter the public DNS record of your firewall (e.g., fw.example.com).
    • Networks: Enter the LAN or NAT range of your firewall/gateway (e.g., 192.168.1.0/24). This allows the appliance to accept incoming mail relayed from that network.

Note: In this example, the internal FQDN of the appliance is vcore6.internal.jatheon.com. Replace it with your own internal hostname.

Verify other MTA parameters:

  • Hostname: your internal FQDN (e.g., vcore6.internal.jatheon.com).
  • Journalmaster recipient: journalmaster@vcore6.internal.jatheon.com (or your equivalent internal domain).
  • Mail Relay Host: leave blank unless you use a specific relay.

Save and apply configuration.


Step 4: Configure Microsoft 365 Journaling Rule

  1. Sign in to the Microsoft 365 Admin Center and open the Purview compliance portal: https://purview.microsoft.com.
  2. In the left nav, go to Solutions → Data lifecycle management → Exchange (legacy) → Journal rules.
  3. If required, under Settings → Send undeliverable journal reports to, enter an appropriate external address to receive non-delivery reports (NDRs) for undelivered journal reports.
  4. Click + New rule to create a new journal rule.
  5. Fill in the following fields:
    • Send journal reports to: enter your journal recipient address (e.g., journalmaster@fw.example.com).
    • Journal rule name: pick a descriptive name (e.g., “Jatheon Journaling”).
    • Journal messages sent or received from: choose Everyone (or a specific user/group if desired).
    • Type of message to journal: select All messages.
  6. Click Next, review the settings, then Submit to create the rule.
  7. Verify that the rule status shows Enabled/On. You can also validate it in PowerShell with the Get-JournalRule cmdlet.

Step 5: Test and Validate

  1. Send a test message between two users in Microsoft 365.
  2. On the Jatheon appliance:
    • Check Postfix logs (/var/log/mail.log) for incoming connections from your firewall.
    • Verify acceptance of the journaled message to journalmaster@<internal-fqdn>.
  3. Confirm the message appears in the Jatheon archive.
  4. From an external host, test connectivity: telnet fw.example.com 25.
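
The log check in step 2, as an added example (not part of the original article or of Jatheon's tooling): it summarises which SMTP clients connected, which messages were delivered to the journal recipient, and which recipients were rejected. The log lines are constructed in the standard Postfix syslog format; the function name, the 192.168.1.0/24 range and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in standard Postfix syslog format (not from a real appliance).
SAMPLE_LOG = """\
Jan 10 12:00:01 vcore6 postfix/smtpd[2101]: connect from unknown[192.168.1.1]
Jan 10 12:00:01 vcore6 postfix/smtpd[2101]: 4F1A2B3C4D: client=unknown[192.168.1.1]
Jan 10 12:00:02 vcore6 postfix/local[2105]: 4F1A2B3C4D: to=<journalmaster@fw.example.com>, relay=local, delay=0.4, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 10 12:05:40 vcore6 postfix/smtpd[2110]: connect from unknown[203.0.113.25]
Jan 10 12:05:41 vcore6 postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.25]: 554 5.7.1 <user@other.example>: Relay access denied; from=<a@b.example> to=<user@other.example> proto=ESMTP helo=<mail.b.example>
"""

CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9a-fA-F.:]+)\]")
REJECT = re.compile(r"reject: RCPT from \S*\[([0-9a-fA-F.:]+)\]: (\d{3}) .*? to=<([^>]+)>")
DELIVER = re.compile(r": ([0-9A-F]+): to=<([^>]+)>,.*\bstatus=(\w+)")


def review_journal_log(text, firewall_net, journal_rcpts):
    """Summarise smtpd activity relevant to the Step 5 checks.

    firewall_net  -- the range entered under Networks in MTA Setup (assumed value)
    journal_rcpts -- addresses that count as the journal recipient
    """
    net = ipaddress.ip_network(firewall_net)
    rcpts = {r.lower() for r in journal_rcpts}
    report = {"from_firewall": 0, "unexpected_sources": [],
              "delivered": [], "rejected": []}
    for line in text.splitlines():
        if m := CONNECT.search(line):
            ip = ipaddress.ip_address(m.group(1))
            if ip in net:
                report["from_firewall"] += 1
            else:
                # Not arriving via the firewall range: list it for review.
                report["unexpected_sources"].append(str(ip))
        elif m := REJECT.search(line):
            report["rejected"].append((m.group(1), m.group(2), m.group(3)))
        elif m := DELIVER.search(line):
            if m.group(2).lower() in rcpts and m.group(3) == "sent":
                report["delivered"].append(m.group(1))  # Postfix queue ID
    return report


if __name__ == "__main__":
    print(review_journal_log(SAMPLE_LOG, "192.168.1.0/24",
                             {"journalmaster@fw.example.com"}))
```

To run it against the appliance log, pass the contents of /var/log/mail.log instead of SAMPLE_LOG, together with your own Networks range and journal recipient address.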

Troubleshooting

Issue | Possible Cause | Solution
------|----------------|---------
No messages arriving | DNS or firewall misconfiguration | Verify DNS record and port forwarding; test with telnet
Connection refused | Postfix not allowing source | Ensure firewall subnet is included under Networks in MTA Setup
Journaling rule active but no flow | Misconfigured destination | Confirm fw.example.com resolves and that rule is enabled
Duplicate or delayed messages | Multiple rules or loops | Ensure only one journaling rule exists for all mail

Example Network Diagram

  • Microsoft 365 Cloud: Journaling Service
  • Firewall / Gateway: NAT Port 25 (SMTP), DNS: fw.example.com
  • Jatheon cCore Appliance: Postfix / Journalmaster, FQDN: vcore6.internal.jatheon.com

Traffic flow: Microsoft 365 (journaling) → Public DNS on firewall (NAT 25) → Jatheon cCore (Postfix).


Summary

By setting up a firewall NAT rule, adjusting Postfix on your Jatheon cCore appliance, and creating a journaling rule in Microsoft 365, you can securely route all journaled mail through your public DNS endpoint into your internal archive system.

Example domains and hostnames (like vcore6.internal.jatheon.com) are for illustration only. Replace them with your actual internal appliance names and network settings.
