For this edition of “Justin’s Tech Tip of the Week”, I am going to discuss configuring Inbound and Outbound connectors within Office 365 to use Forced TLS.  These connectors are important if your organization, or an organization you work with, has strict security requirements with regard to email/messaging and requires these TLS connections in order to transact with others.

Configuring TLS Connectors in O365


For these types of companies/organizations, the “Opportunistic TLS” that Microsoft uses by default (encrypt if the other side offers it, otherwise fall back to plain text) is not acceptable and in many cases is blocked by these companies.

To configure these connectors within Office 365, browse to the Exchange admin center (EAC) within the Office 365 tenant/GUI, select “mail flow” from the left-hand menu, and then choose “connectors” towards the top of the screen.  From here you will see that you can set up and configure both Inbound (Receive) and Outbound (SMTP) connectors.


Inbound Connectors

If your organization, or an organization you are working with, requires senders/partners to send email inbound to you secured and TLS encrypted, then you will need to add Inbound connectors that fit this criteria.

Select the + sign under the sub-menu “Inbound Connectors” to begin adding a new inbound connector.  After you give the connector a name and then select “Partner” underneath “Connector Type”, you will see a “Connection Security” section.  From within “Connection Security” you will see two options, which are Opportunistic TLS and Force TLS.

The only valid choice here is to choose “Force TLS” for this scenario.  Once you choose “Force TLS”, you will need to specify the FQDN that is embedded within the Sender’s SSL certificate for their email environment and input the information in the “Certificate” field.  Most of the time, this information will need to be obtained directly from the partner themselves.

Example:

If the partner/organization you are working with is Dogs and Cats, Inc., and the FQDN that is embedded within their certificate for their organization is “mail.dogsandcats.com”, then you would input “mail.dogsandcats.com” in the “Certificate” field when choosing the Force TLS option for this connector.


Outbound Connectors

If your organization works with Partners and/or organizations that require email being sent TO them to be encrypted via TLS/SSL, then you need to set up outbound connectors to those organizations here.

Select the + sign underneath “Outbound Connectors” to begin creating and adding a new outbound connector.  This first section is similar to the Inbound Connector setup, in that you provide a name for the connector and then choose “Partner” when choosing a “Connector Type”.

Now, the Connection Security section has 4 options to choose from here, three (3) of which are specific to Forced TLS.  In most cases, selecting either “Self-Signed certificate” or “Trusted certification authority (CA)” will suffice.  However, in the remote chance that the partner that you are sending email outbound to has very strict security policies, then you will need to select the 4th option, which states “Recipient certificate matches domain”.

For this 4th option, you simply input the recipient domain you are sending to.  So, if we look at our previous example with Dogs and Cats, Inc., for the outbound connector you would input “mail.dogsandcats.com” once again, as this setting will validate that the name matches what is found when the recipient’s certificate is checked by O365 (FOPE) for authenticity.

Now, we move onto the Outbound Delivery section.  Here you will select the first option most of the time, which is “MX record associated with the recipient domain”.

The only situation where you would choose the 2nd option, “Route mail through smart hosts”, is if your partner has specific security requirements that require you to send them email through a direct channel.  In this case, input the FQDN or IP addresses of the destination servers that they provide to you here.

Lastly, towards the bottom you input the domains that apply to this connector: the domains you will be receiving mail from and/or sending outbound to via this connector.  Sticking with our example, you would input “dogsandcats.com” here.
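The same two partner connectors created from Exchange Online PowerShell instead of the EAC, as an added example that is not part of the original post.  It assumes the ExchangeOnlineManagement module is installed, that the account holds an Exchange admin role, and it reuses the article’s example names (“dogsandcats.com” and “mail.dogsandcats.com”).

```powershell
# Added example (not from the original post): the two Force TLS partner
# connectors built with the Exchange Online cmdlets. Assumes the
# ExchangeOnlineManagement module is installed and an Exchange admin account.
Connect-ExchangeOnline

$partnerDomain   = "dogsandcats.com"        # domain from the article's example
$partnerCertFqdn = "mail.dogsandcats.com"   # FQDN in the partner's certificate

# Inbound: accept mail from the partner only over TLS, and only when the
# sending server presents a certificate whose name matches the given FQDN.
New-InboundConnector -Name "Inbound - Dogs and Cats (Force TLS)" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerCertFqdn `
    -RestrictDomainsToCertificate $true `
    -Enabled $true

# Outbound: deliver via the partner's MX records, but only if the receiving
# server's certificate validates and its name matches the expected FQDN
# (the "Recipient certificate matches domain" option in the EAC).
# For the smart-host variant, replace -UseMXRecord $true with
# -UseMXRecord $false -SmartHosts "<host the partner gave you>".
New-OutboundConnector -Name "Outbound - Dogs and Cats (Force TLS)" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertFqdn `
    -Enabled $true

# Read both connectors back so the TLS requirements can be confirmed before
# running the send/receive tests with the partner.
Get-InboundConnector -Identity "Inbound - Dogs and Cats (Force TLS)" |
    Format-List Name, ConnectorType, SenderDomains, RequireTls,
                TlsSenderCertificateName, RestrictDomainsToCertificate
Get-OutboundConnector -Identity "Outbound - Dogs and Cats (Force TLS)" |
    Format-List Name, ConnectorType, RecipientDomains, UseMXRecord,
                TlsSettings, TlsDomain
```

If mail from the partner starts bouncing after this, the inbound connector is doing its job: the sender did not offer TLS or presented a certificate that does not match the FQDN you entered.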

Now, we have completed setting up these particular inbound and outbound connectors!  For this example, Dogs and Cats, Inc. should now be able to receive TLS encrypted emails from you and you should also be able to receive TLS encrypted email from them.  Be sure to run some tests with the partner to verify all is well.  This can be done by simply engaging in a send/receive email session with the partner and verify that the messages are being delivered.

You may be able to further verify that the message(s) have been TLS encrypted by looking at the message header of these emails.  (This depends on whether or not a particular partner/organization’s email environment actually stamps the messages to indicate if they were TLS encrypted.)  If they do, you should see a line in the Received headers that indicates something like:

“using TLSv1 with cipher……”

Last but not least, you may need to add additional inbound and outbound connectors if you have multiple partners that also have TLS security requirements.

Thanks again, and this is “Justin’s Tech Tip of the Week”.