Outbound Email Via Exchange Online Protection When Using Hybrid Exchange Online

In a long term hybrid scenario, where you have Exchange Online and Exchange Server configured and mailboxes on both, internet bound email from your on-premises servers can route in two general ways.

The first is outbound via whatever you had in place before you moved to Office 365. You might have configured Exchange Online to also route via this as well.

The second is to route Exchange Server outbound emails via Exchange Online Protection. Your Exchange Online configuration does not need to be adjusted for this to work, as the default route for all domains to the internet (or the * address space as it is known) is via EOP as long as you create no alternative outbound connector for *.

This blog post looks at configuring Exchange Server so that your on-premises mailboxes also route out via Exchange Online Protection, and does it without changing the connectors made by the hybrid wizard. If you change the hybrid wizard connectors and then run the wizard again, it will reset things to how it wants them to be, which will remove your configuration changes.

This configuration setup results in a single new send connector created on-premises in Exchange Server (or one connector per site if you route emails from more than one Active Directory site). This new connector is not the Outbound to Office 365 connector that the hybrid wizard creates and so changes here do not break hybrid and changes to the hybrid wizard do not impact outbound mail flow.

This blog post also assumes you already have a working route outbound for all internet emails and you are swapping over to outbound via EOP, so these steps work though ensuring that is correct and will work before changing the route for *.

Examine the hybrid send connector to Office 365

[PS] C:\ExchangeScripts\pfToO365> Get-SendConnector out* | fl

AddressSpaces:                  {smtp:domainuk.mail.onmicrosoft.com;1}
AuthenticationCredential :
CloudServicesMailEnabled :      True
Comment : ConnectedDomains :    {}
ConnectionInactivityTimeOut :   00:10:00
DNSRoutingEnabled :             True
DomainSecureEnabled :           False
Enabled :                       True
ErrorPolicies :                 Default
ForceHELO :                     False
Fqdn :                          mail.domain.uk
FrontendProxyEnabled : 	        False
HomeMTA :                       Microsoft MTA
HomeMtaServerId :               SERVER01
Identity :                      Outbound to Office 365
IgnoreSTARTTLS :                False
IsScopedConnector :             False
IsSmtpConnector :               True
MaxMessageSize :                35 MB (36,700,160 bytes)
Name :                          Outbound to Office 365
Port :                          25
ProtocolLoggingLevel :          None
RequireOorg :                   False
RequireTLS :                    True
SmartHostAuthMechanism :        None
SmartHosts :                    {}
SmartHostsString :
SmtpMaxMessagesPerConnection :  20
SourceIPAddress :     
SourceRoutingGroup :            Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers :        {SERVER02, SERVER01}
TlsAuthLevel :                  DomainValidation
TlsCertificateName :            <I>CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE<S>CN=*.domain.uk, O=Acme Limited, L=London, S=London, C=GB
TlsDomain :                     mail.protection.outlook.com
UseExternalDNSServersEnabled :  False

The above PowerShell from the on-premises Exchange Management Shell shows you the hybrid send connector. As you can see this is set to route emails only for your hybrid address space (domainuk.mail.onmicrosoft.com in this example)

The other important attributes for EOP mail flow here are AddressSpaces, CloudServicesMailEnabled, DNSRoutingEnabled, Fqdn, RequireTLS, SmartHosts, and TLSAuthLevel. Setting these correctly on a new send connector will allow you to route other domains to EOP and then onward to the internet.

Create a new send connector

This blog is based upon information found in https://technet.microsoft.com/en-us/library/dn751020(v=exchg.150).aspx but it differs from the scenario described there within. In this scenario, as you have already run the hybrid wizard, the connector to the cloud from on-premises and from the cloud to your servers already exists. Therefore all we need to do is create an additional send connector on-premises to route all the other domains to EOP and the internet.

New-SendConnector -Name "Internet Email Outbound Via EOP" -AddressSpaces testdomain1.com,testdomain2.com -CloudServicesMailEnabled $true -Fqdn "CertificateHostNameValue" -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts "YourDomain_MX_Value" -TlsAuthLevel CertificateValidation -Usage Internet

In the above, the connector is originally created being able to route for two test domains (written as testdomainx.com above, comma separated in the list with no spaces). This ensures that you do not break your existing mail flow but allows you to test that the connector works and then later change the connector to support * address space. The FQDN value is your public certificate name on the Exchange Server and the “YourDomain_MX_Prefix” is the same value as you would use in your MX to route emails to Exchange Online (tenant-prefix-com.mail.protection.outlook.com for example).

Testing the connector

In the above new send connector, testdomain1.com is a domain hosted in a different Office 365 tenant. Testdomain2.com is a domain who’s email is not hosted in Office 365 at all. You need both test scenarios, as routing to domains inside Office 365 is more likely to work if the connector is not configured properly.

So from a mailbox on-premises, send an email to a recipient at both testdomain1.com and testdomain2.com. Do not set the connector up to use gmail or Outlook.com, as that will impact other senders within your organization. Use domains that no one else is likely to want to email.

Ensure that you do not get any NDR’s and check the recipient mailboxes to ensure delivery. Note that you are possibly likely to need to update your SPF record for the sending domain to additionally include the following:

  • include:spf.protection.outlook.com
  • ipv4:w.x.y.z (where w.x.y.z is the external IP address(es) of your on-premises Exchange transport servers)

Updating the connector

Once your mail flow tests work, and you can check the route by pasting the received message headers into http://exrca.com you should see that email routes into your Office 365 tenant, then leave EOP (the word “outbound” will be in one of the FQDNs – this server is on the external edge of EOP), then routed inbound to your email provider (or back into your recipient tenant).

Once mail flow works, you can either add more recipient domains to increase the scope of the test – for example add a domain that you email occasionally, such as the partner helping you with this work and a few other domains. Once all your testing is ready change this connector to have * as the address space and not list specific domains.

Set-SendConnector "Internet Email Outbound Via EOP" -AddressSpaces *

As your other connector for * is still up and running you will find that 50% of your email will use the new connector and 50% the old. Then you can disable the old connector to go 100% email outbound through EOP (you need an EOP licence per sender to do this, or if you have an Exchange Online licence for each user you are already covered).

Set-SendConnector "old_connector_to_internet_name" -Enabled $False

Finally when you have been routing on-premises email through EOP for a few weeks with the old connector disabled, you can delete the old connector and tidy up the configuration rather than leaving disabled connectors around.



14 responses to “Outbound Email Via Exchange Online Protection When Using Hybrid Exchange Online”

  1. Rkast avatar

    Great write-up! Im currently at customer which will need this, routing * to eop in hybrid.

  2. Ric avatar

    Just what I needed. Absolutely brilliant!

  3. Tom Phillips avatar
    Tom Phillips

    I have been searching for this exact write for weeks, not knowing if i should update the existing outbound connector that hybrid wizards created or what. You answered all my questions. The only thing i’m worried about is you mentioned about licenses. i only have about 10 mailbox left on premise, but majority of outbound on-premise trafffic will come from other systems using on-premise exchange to route to internet or our mailbox (cloud/onpremise) will those email also route using this new connector? Also for Mx record we have multiple email domain in our organization, so which one do I use as our smarthost when configuring the outbound connector? Thanks again, you cleared up 95% of this for me, which o365 support didn’t and no other article I found online.

    1. Brian Reid avatar

      Licences – one per person left on-premises if they do not have an Exchange Online licence. The Exchange Online licence holders are already covered. For the MX – I would pick your primary, but any will do.

  4. Sam avatar

    Brian, your blog is a most valuable resource! Out of interest, in an Exchange 2010 environment (where CloudServicesMailEnabled is not available). How would you create the Send-Connector to ensure all emails flows out via. EOP?

    Many thanks!

    1. Brian Reid avatar

      In 2010 its all to do with having the correct certificate on the Exchange Server and the inbound connector in Exchange Online referring to the same certificate. See https://c7solutions.com/2017/07/xoorg-edge-and-exchange-2010-hybrid for a discussion on how some of that works. Note that Exchange 2010 has a support lifecyle ending Oct 2020, so it could be that after this date the above will stop working.

  5. Lubinda Akamandisa avatar
    Lubinda Akamandisa

    Just what i needed. spent weeks trying to figure this out. Thanks very much

  6. Fernando Gualano avatar
    Fernando Gualano

    Hi Brian! Thank you for your post!
    Is it not necessary to specify the TlsCertificateName parameter in the New-SendConnector command? Thanks!

    1. Brian Reid avatar

      Its not required, but if you have more than one valid certificate bound to SMTP that the connector could use then you need to specify the certificate. The connector will use public certs (valid) over internal certs and will avoid out of date certs unless there are no other options. If your Inbound Connector in 365 lists a required certificate and you have more than one valid certificate on the server you need to specify the correct one.

  7. Ahmed avatar

    what is FQDN parameter in the commandline?

    1. Brian Reid avatar

      Your server name or name representing your public IP, of which the domaim should be on your certificate.

  8. Sanch avatar

    Hi, great article. You answered some question I had on the subject but not one.

    After doing this, on-premise Exchange will route e-mail to EOP and then to Internet. But EOP will scan email coming from on-premise Exchange. And will also do a SPF check right ?

    Is there a way in EOP to trust mail flow coming from on-premise Exchange ?

    1. Brian Reid avatar

      Your public IPs from your on-premises Exchange Servers need to be in your SPF record so that EOP trusts the server and treats your email correctly.

  9. Ray Cockshell avatar
    Ray Cockshell

    Every now and then you come across a life saver like this.
    Many, many thanks.
    Only addition I had to make was to add -SourceTransportServers in our multi-server environment.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.