connectors and email routing in office 365

Post on 31-Dec-2016


Carolyn Liu, Program Manager, Microsoft

Connectors and email routing in Office 365

SPR401

Agenda
• Basics
• Mail routing scenarios
• Connector configuration options
• Avoid common mistakes
• Q&A

Connector basics
• What are connectors
• Why are connectors needed

Mail routing and customer type
• Exchange Online (EXO)
  • Fully hosted – all mailboxes are in the cloud
  • Hybrid – some mailboxes are in the cloud, some are on-premises
• Exchange Online Protection (EOP)
  • All mailboxes are hosted on-premises; EOP is used for protection only

Customer type determines mail flow and configuration

What are inbound/outbound connectors

(Diagram: Office 365 exchanging mail with the Internet, with on-premises servers and with a partner. The four connectors drawn are:)
a. Inbound connector of type OnPremises
b. Outbound connector of type OnPremises
c. Inbound connector of type Partner
d. Outbound connector of type Partner

What are inbound/outbound connectors

Mail flow direction: an inbound connector handles mail entering O365; an outbound connector handles mail leaving O365.

Connector type OnPremises
• Inbound: configure and enforce mail flow originating from on-premises servers.
• Outbound: configure and enforce outbound routing for mail leaving the O365 service to on-premises servers. A smart host must be used for an outbound connector of type OnPremises.

Connector type Partner
• Inbound: configure and enforce mail flow incoming from partner servers (e.g. partnerbank.com), or from a 3rd party service vendor (e.g. MessageLabs.com).
• Outbound: configure and enforce outbound routing for mail leaving the O365 service to a partner (e.g. partnerbank.com), or to a 3rd party service vendor (e.g. MessageLabs.com). Use MX-based routing or a smart host in the connector.

Why connectors are needed
Office 365 only accepts mail for its customers. Need to:
• Use an inbound connector to identify customers
• Use an inbound connector to enforce customized email routing
• Use an outbound connector to relay email to your on-premises servers
• Use an outbound connector to deliver email to your partners based on your business requirement

(Diagram: incoming mail identified as the tenant's mail passes spam/virus filtering into the email store; mail that is not the tenant's mail is not accepted.)

Connector and mail routing end-to-end scenarios
• When connectors are needed
• What connectors are needed

Fully hosted

Scenarios (connector used in the diagram):
1. O365user1@contoso.com -> user2@chase.com: outbound connector of type Partner
2. O365user1@contoso.com -> user3@yahoo.com: no connector needed (MX based)
3. user3@yahoo.com -> O365user1@contoso.com: no connector needed (MX based)
4. user2@chase.com -> O365user1@contoso.com: inbound connector of type Partner
5. O365user1@contoso.com -> O365user2@fabrikam.com: no connector needed (both mailboxes are in the service)

Protection only – MX points to EOP

Scenarios (hops are numbered n.1, n.2 in the diagram):
1. user1@contoso.com -> user3@yahoo.com: 1.1 on-premises -> EOP through the inbound connector of type OnPremises; 1.2 EOP -> yahoo.com, no connector needed (MX based)
2. user3@yahoo.com -> user1@contoso.com: 2.1 Internet -> EOP, no connector needed (MX based); 2.2 EOP -> on-premises through the outbound connector of type OnPremises
3. user1@contoso.com -> user2@chase.com: 3.1 on-premises -> EOP through the inbound connector of type OnPremises; 3.2 EOP -> chase.com through the outbound connector of type Partner
4. user2@chase.com -> user1@contoso.com: 4.1 chase.com -> EOP through the inbound connector of type Partner; 4.2 EOP -> on-premises through the outbound connector of type OnPremises

Hybrid – MX points to EOP

Scenarios:
1. user1@contoso.com -> user3@yahoo.com
2. user3@yahoo.com -> user1@contoso.com
3. user1@contoso.com -> user2@chase.com
4. user2@chase.com -> user1@contoso.com
5. user1@contoso.com -> O365user1@contoso.com
6. O365user1@contoso.com -> user1@contoso.com
7. user1@contoso.com -> user2@chase.com
8. O365user1@contoso.com -> user2@chase.com
9. O365user1@contoso.com -> user3@yahoo.com
10. user3@yahoo.com -> O365user1@contoso.com
11. user2@chase.com -> O365user1@contoso.com
12. O365user1@contoso.com -> O365user2@fabrikam.com

Diagram summary (hop labels n.1, n.2 in the original drawing): mail from on-premises user1 enters EOP through the inbound connector of type OnPremises (1.1, 3.1, 5, 7.1) and mail to user1 leaves EOP through the outbound connector of type OnPremises (2.2, 4.2, 6); mail to chase.com uses the outbound connector of type Partner (3.2, 7.2, 8) and mail from chase.com the inbound connector of type Partner (4.1, 11); mail to and from yahoo.com needs no connector (MX based: 1.2, 2.1, 9, 10); mail between O365user1 and O365user2@fabrikam.com stays inside the service and needs no connector (12).

Hybrid – MX points to on-premises

Scenarios:
1. user1@contoso.com -> user3@yahoo.com
2. user3@yahoo.com -> user1@contoso.com
3. user1@contoso.com -> user2@chase.com
4. user2@chase.com -> user1@contoso.com
5. user1@contoso.com -> O365user1@contoso.com
6. O365user1@contoso.com -> user1@contoso.com
7. O365user1@contoso.com -> user2@chase.com
8. user2@chase.com -> O365user1@contoso.com
9. O365user1@contoso.com -> user3@yahoo.com
10. user3@yahoo.com -> O365user1@contoso.com

Diagram summary: because MX points to on-premises, Internet and partner mail for contoso.com arrives on-premises first. The drawing shows it relayed to EOP through the inbound connector of type OnPremises and returned through the outbound connector of type OnPremises (2.1-2.3, 4.1-4.3), and Internet mail for the cloud mailbox arriving on-premises and forwarded through the inbound connector of type OnPremises (10.1, 10.2). Outbound mail from on-premises enters EOP through the inbound connector of type OnPremises (1.1, 3.1, 5) and leaves to yahoo.com with no connector (MX based: 1.2, 9) or to chase.com through the outbound connector of type Partner (3.2, 7); mail from chase.com to the cloud mailbox enters through the inbound connector of type Partner (8); mail from the cloud mailbox to on-premises leaves through the outbound connector of type OnPremises (6).

Hybrid – MX points to EOP, CMT enabled

Scenarios:
1. user1@contoso.com -> user3@yahoo.com
2. user3@yahoo.com -> user1@contoso.com
3. user1@contoso.com -> user2@chase.com
4. user2@chase.com -> user1@contoso.com
5. user1@contoso.com -> O365user1@contoso.com
6. O365user1@contoso.com -> user1@contoso.com
7. user1@contoso.com -> user2@chase.com
8. O365user1@contoso.com -> user2@chase.com
9. O365user1@contoso.com -> user3@yahoo.com
10. user3@yahoo.com -> O365user1@contoso.com
11. user2@chase.com -> O365user1@contoso.com

Diagram summary: scenarios 1-7 route exactly as in the "MX points to EOP" case (OnPremises connectors between on-premises and EOP, Partner connectors for chase.com, MX based for yahoo.com). With centralized mail transport enabled, mail between the cloud mailbox and external senders or recipients (8-11) takes an extra round trip through on-premises: outbound cloud mail goes EOP -> on-premises through the outbound connector of type OnPremises, back to EOP through the inbound connector of type OnPremises, and then to chase.com through the outbound connector of type Partner (8.1-8.3) or to yahoo.com MX based (9.1-9.3); inbound external mail enters EOP (MX based for 10.1, inbound connector of type Partner for 11.1), is handed to on-premises through the outbound connector of type OnPremises (10.2, 11.2) and returns through the inbound connector of type OnPremises to the cloud mailbox (10.3, 11.3).

Hybrid – MX points to service provider

Scenarios:
1. user1@contoso.com -> user3@yahoo.com
2. user3@yahoo.com -> user1@contoso.com
3. user1@contoso.com -> user2@chase.com
4. user2@chase.com -> user1@contoso.com
5. user1@contoso.com -> O365user1@contoso.com
6. O365user1@contoso.com -> user1@contoso.com
7. user1@contoso.com -> user2@chase.com
8. O365user1@contoso.com -> user2@chase.com
9. O365user1@contoso.com -> user3@yahoo.com
10. user3@yahoo.com -> O365user1@contoso.com
11. user2@chase.com -> O365user1@contoso.com

Diagram summary: Internet and partner mail for contoso.com arrives at the 3rd party service provider first and enters EOP through an inbound connector of type Partner (2.1-2.2, 4.1-4.2, 10.1-10.2, 11.1-11.2); mail for on-premises users is then relayed through the outbound connector of type OnPremises (2.3, 4.3). Mail from on-premises enters EOP through the inbound connector of type OnPremises (1.1, 3.1, 5, 7.1); mail to yahoo.com leaves with no connector (MX based: 1.2, 9) and mail to chase.com leaves through the outbound connector of type Partner (3.2, 7.2, 8). An outbound connector of type Partner pointing at the service provider is used when outbound mail is sent through the service.

Recap: who needs to create connectors
• Fully hosted customers
  • No connector of type OnPremises is needed
  • May create connectors of type Partner to meet your business requirement
• Exchange Online Protection customers
  • Must have inbound and outbound connectors of type OnPremises
  • May create connectors of type Partner to meet your business requirement
• Hybrid customers
  • Must have inbound and outbound connectors of type OnPremises
  • May create connectors of type Partner to meet your business requirement
  • Use the Hybrid Configuration Wizard (HCW) whenever possible

Connector configuration options

Where and how to create connectors
• Office 365 tenant admin portal: https://login.microsoftonline.com/ , under Exchange Admin -> mail flow -> connectors
• "Remote PowerShell" cmdlets:
  • New-InboundConnector / Set-InboundConnector / Get-InboundConnector
  • New-OutboundConnector / Set-OutboundConnector / Get-OutboundConnector
• Best practice
  • Always test mail flow after you complete connector creation/modification
  • Option: use a subdomain of one of the accepted domains to test mail flow
  • Option: test the outbound connector with the "Remote Connectivity Analyzer"

Connector configuration options
• Inbound of type OnPremises
  1. Certificate or IP address to identify mail flow from your organization's on-premises environment
  2. Enforce a mutually authenticated TLS connection
  3. Preserve headers for the Exchange organization (hybrid scenario)
• Inbound of type Partner
  1. Sender domain to identify mail from the partner
  2. Enforce that mail for a certain partner comes only from certain IP addresses
  3. Enforce encryption-only TLS, or a mutually authenticated TLS connection

Connector configuration options
• Outbound of type OnPremises
  1. Smart host to relay mail to your on-premises SMTP servers
  2. Can be used by "Conditional Mail Routing"
  3. Recipient domains this connector applies to
  4. Enforce encryption-only TLS, or a mutually authenticated TLS connection
  5. Enable centralized mail transport for hybrid customers (only through HCW)
  6. Preserve headers for the Exchange organization (hybrid scenario)
• Outbound of type Partner
  1. Option to use MX or a smart host to route mail
  2. The smart host should be used to relay mail to your partner's SMTP servers
  3. Recipient domains this connector applies to
  4. Enforce encryption-only TLS, or a mutually authenticated TLS connection
  5. Can be used by "Conditional Mail Routing"

Clarification for TLS options
• Office 365 supports:
  • Encryption only (uses the server certificate)
  • Client/server mutually authenticated TLS
• Messages entering Office 365/EOP
  • Client: on-premises server or partner server
  • Server: O365/EOP service
  • Certificate domain name on the connector: the client's certificate domain name
• Messages leaving Office 365/EOP
  • Client: O365/EOP service
  • Server: on-premises server or partner server
  • Certificate domain name on the connector: the server's certificate domain name

Use smart host for outbound routing
• Available options
  • Allows IP addresses as well as FQDNs
  • Allows multiple smart host entries
• Service behavior
  • Uses round-robin to choose a smart host when there are multiple entries
  • Uses the MX record preference value if the smart host is an FQDN
  • Tries all of the smart hosts until one connection succeeds
  • Retries every 15 min if the service failed to connect to any of the smart hosts on the connector


Use 3rd party service provider
• Supported scenarios
  • Internet -> 3rd party service -> O365 (hosted mailboxes)
  • Internet -> 3rd party service -> O365 -> on-premises
  • On-premises -> O365 -> 3rd party -> Internet
• Not supported scenario
  • On-premises -> 3rd party service -> O365 -> Internet
• Best practice
  • Internet -> 3rd party service -> O365/on-premises: no connector is required, or create a connector of type Partner
  • Never create an inbound connector of type OnPremises for the service

Use conditional mail routing (criteria-based routing)
• Based on conditions in "Exchange Transport Rules" (ETR)
• A connector used by an ETR cannot be used as a regular recipient-based connector, and vice versa
• Best practice
  • Use this if you want to enforce TLS only for certain recipients
  • Use this when you need to route mail to different locations based on the users

AcceptedDomain type and connectors
• InternalRelay
  • Not all mailboxes are hosted in Exchange Online
  • Requires an outbound connector of type OnPremises
• Authoritative
  • The user's mailbox or MailUser exists in Exchange Online
  • For a non-existent mailbox or MailUser, mail will be rejected
  • Requires an outbound connector of type OnPremises to relay to your on-premises server, if MailUsers exist for the domain

Avoid common mistakes

Avoid common mistakes – Part 1
1. All EOP and Hybrid customers must have inbound and outbound connectors of type OnPremises
2. Test connectors using the "Remote Connectivity Analyzer"
3. Do NOT create an inbound connector of type OnPremises when using a 3rd party service provider. Create a Partner connector or do not create a connector at all.
4. Do not use AssociatedAcceptedDomains unless you need to apply a connector only to certain accepted domains
5. Be very careful when using IP restriction in an inbound connector: it will reject mail when the connecting IP address does not match
6. An InternalRelay domain requires an outbound connector

Avoid common mistakes – Part 2
7. When using "Centralized Mail Transport" (a.k.a. CMT)
  • Must have an inbound connector of type OnPremises
  • Cannot have AssociatedAcceptedDomains set on the inbound connector of type OnPremises
8. Do not use * in RecipientDomains for an outbound connector of type OnPremises unless Centralized Mail Transport is enabled.
9. Make sure the smart host in the outbound connector is correctly configured

Note: Most of the above are already enforced in service configuration
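A read-only audit for the mistakes listed above and for the AcceptedDomain/connector pairing from the previous slide, as an added example (not from the deck). It assumes the ExchangeOnlineManagement module, Resolve-DnsName from the Windows DnsClient module, and that you set $customerType to the tenant's type; the numbers in the comments refer to the list above.

```powershell
# Added example (not from the SPR401 deck). Reads configuration only; changes nothing.
# Assumptions: ExchangeOnlineManagement module, Resolve-DnsName (Windows), $customerType set by you.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$customerType = 'Hybrid'   # 'FullyHosted', 'EOP' or 'Hybrid'

$inbound  = Get-InboundConnector
$outbound = Get-OutboundConnector
$findings = [System.Collections.Generic.List[string]]::new()
$inOnPrem  = @($inbound  | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled })
$outOnPrem = @($outbound | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled })

# 1. EOP and Hybrid customers need both OnPremises connectors.
if ($customerType -in 'EOP','Hybrid') {
    if ($inOnPrem.Count  -eq 0) { $findings.Add('No enabled inbound connector of type OnPremises') }
    if ($outOnPrem.Count -eq 0) { $findings.Add('No enabled outbound connector of type OnPremises') }
}

# 7. CMT shows up as RouteAllMessagesViaOnPremises on an outbound OnPremises connector.
$cmt = [bool]($outOnPrem | Where-Object { $_.RouteAllMessagesViaOnPremises })
if ($cmt) {
    if ($inOnPrem.Count -eq 0) { $findings.Add('CMT enabled but no inbound OnPremises connector') }
    foreach ($c in $inOnPrem | Where-Object { $_.AssociatedAcceptedDomains }) {
        $findings.Add("CMT: inbound OnPremises connector '$($c.Name)' has AssociatedAcceptedDomains set")
    }
}

# 4 and 5. Options that narrow a connector and reject everything else when misused.
foreach ($c in $inbound | Where-Object { $_.AssociatedAcceptedDomains }) {
    $findings.Add("'$($c.Name)' applies only to accepted domains $($c.AssociatedAcceptedDomains -join ',')")
}
foreach ($c in $inbound | Where-Object { $_.RestrictDomainsToIPAddresses }) {
    $findings.Add("'$($c.Name)' rejects $($c.SenderDomains -join ',') unless sent from $($c.SenderIPAddresses -join ',')")
}

# 8. '*' in RecipientDomains of an outbound OnPremises connector only makes sense with CMT.
$covered = @()
foreach ($c in $outOnPrem) {
    $domains = @($c.RecipientDomains | ForEach-Object { "$_" })
    $covered += $domains
    if (($domains -contains '*') -and -not $cmt) { $findings.Add("'$($c.Name)' routes * to on-premises without CMT") }
}

# 6. Every InternalRelay accepted domain needs an outbound OnPremises connector covering it.
foreach ($d in Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'InternalRelay' }) {
    $name = "$($d.DomainName)"
    if (-not ($covered -contains $name -or $covered -contains '*')) {
        $findings.Add("InternalRelay domain $name has no outbound OnPremises connector")
    }
}

# 9. Smart hosts must resolve; an unresolvable FQDN just burns 15-minute retry cycles.
foreach ($c in $outbound | Where-Object { -not $_.UseMXRecord }) {
    foreach ($h in $c.SmartHosts) {
        $hostName = "$h"
        if (-not ($hostName -as [ipaddress]) -and -not (Resolve-DnsName $hostName -ErrorAction SilentlyContinue)) {
            $findings.Add("'$($c.Name)': smart host $hostName does not resolve")
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { "WARNING: $_" } } else { 'No findings' }
```

Findings for 4 and 5 are not necessarily errors, only the settings the slide says to use deliberately; the rest should be empty on a healthy tenant.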

Q & A

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Appendix

Send connectors on-premises
• Configure a send connector for O365/EOP that uses a smart host based on your organization's domain MX record, in the form contoso-com.mail.protection.outlook.com
• HCW will do this for you for hybrid

Receive connectors on-premises
• EOP's outbound IP addresses are published by Microsoft.
• You can restrict the receive connector to accept mail only from those IP addresses.

Use centralized mail transport
• Mail sent from or to cloud mailboxes is routed to your organization's on-premises SMTP server first
• Requires both inbound and outbound connectors of type OnPremises
• Best practice: use the Hybrid Configuration Wizard
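The on-premises side of the appendix (send connector to EOP, receive connector limited to EOP's addresses) as an added example for the Exchange Management Shell; it is not code from the deck and not what HCW generates, which should be preferred for hybrid. Assumptions: the server name EXCH01, a certificate with subject mail.contoso.com assigned to SMTP, and a file eop-ip-ranges.txt holding one CIDR per line copied from Microsoft's published list.

```powershell
# Added example (not from the SPR401 deck). Run in the on-premises Exchange Management Shell.
# Placeholders: EXCH01, mail.contoso.com, eop-ip-ranges.txt (copied from Microsoft's list).
$domain          = 'contoso.com'
$tenantSmartHost = 'contoso-com.mail.protection.outlook.com'   # the MX shown for the domain in the portal

# Confirm the smart host against DNS before routing everything through it.
$mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction Stop | Where-Object { $_.Type -eq 'MX' }
if (-not ($mx.NameExchange -contains $tenantSmartHost)) {
    Write-Warning "MX for $domain is $($mx.NameExchange -join ', '), not $tenantSmartHost"
}

# Certificate the on-premises server presents (as TLS client to EOP and as server to EOP);
# its subject must match TlsSenderCertificateName on the tenant's inbound OnPremises connector.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like '*mail.contoso.com*' -and "$($_.Services)" -match 'SMTP' } |
    Select-Object -First 1
if (-not $cert) { throw 'No SMTP certificate for mail.contoso.com found' }
$tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Send connector: everything leaves via EOP over TLS, validating Microsoft's certificate.
New-SendConnector -Name 'To Office 365' -Usage Internet `
    -AddressSpaces 'smtp:*;1' `
    -DNSRoutingEnabled $false `
    -SmartHosts $tenantSmartHost `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain 'mail.protection.outlook.com' `
    -TlsCertificateName $tlsCertName `
    -SourceTransportServers 'EXCH01' `
    -CloudServicesMailEnabled $true

# Receive connector: only EOP's published outbound ranges may connect, TLS required.
# A connector with more specific RemoteIPRanges is chosen over the default frontend connector.
$eopRanges = Get-Content .\eop-ip-ranges.txt | Where-Object { $_ -match '\S' }
New-ReceiveConnector -Name 'From Office 365' -Usage Custom -Server 'EXCH01' `
    -TransportRole FrontendTransport `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $eopRanges `
    -RequireTLS $true `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers `
    -Fqdn 'mail.contoso.com' `
    -TlsCertificateName $tlsCertName `
    -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail'
```

Re-run the RemoteIPRanges part whenever Microsoft updates the published address list, otherwise mail from EOP starts failing at the receive connector.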

Hosted – MX points to service provider

Scenarios (connector used in the diagram):
1. O365user1@contoso.com -> user2@chase.com: outbound connector of type Partner
2. O365user1@contoso.com -> user3@yahoo.com: no connector needed (MX based)
3. user3@yahoo.com -> O365user1@contoso.com: 3.1 yahoo.com -> service provider; 3.2 service provider -> O365 through the inbound connector of type Partner
4. user2@chase.com -> O365user1@contoso.com: 4.1 chase.com -> service provider; 4.2 service provider -> O365 through the inbound connector of type Partner
