If you are using Microsoft 365 as your mail service, setting up your mail flow to include GlobalCerts SecureMail Gateway(s) is done using a 'Connector' and routing rules. First you need to set up a connector to your SMG. Then, you'll create mail flow rule(s) that will utilize this connector when needed.
SMG Configuration
Before configuring routing on your Microsoft 365 tenant, first set up your SMGs to allow relayed email from Microsoft 365, and also to route inbound mail back to Microsoft 365 properly.
In the SMG web administration, please go to "Network Configuration" -> "Host Access Control" and check the box for "Microsoft Office 365" under the "Allowed to Send Outbound" section, and click "Set" This will allow Microsoft's IP ranges to relay outbound email through your SMGs:
White-listing Office 365 ranges
Then, go to "Network Configuration" -> "Mail Routing" and add entries for your tenants' domain(s) under 'Local Delivery'. For example, you would add the domain "yourdomain.com" in the first box, and then "yourdomain-com.mail.protection.outlook.com" in the second box. This entry should be whatever your MX record is supposed to be from Office 365. See example below:
inbound routing to Office 365 Setting up a Connector to your SMG
- Login to your Microsoft 365 tenant's Exchange Admin center
- In the menu, click on Mail Flow, then Connectors. Click on the "+" icon to create a new connector.
- For the mail flow scenario select From "Office 365" and To "Your organization's email server" and click Next.
- Name the connector 'SMG' and give it a description, click Next.
- Select "Only when I have a transport rule set up that redirects messages to this connector" on the next page, click Next.
- On the next page, check "Route email through these smart hosts" click the "+" icon to add a route. Enter your FQDN here, for example "securemail.yourdomain.com", click "Save" then click Next.
- Next, Make sure to check the box "Always use Transport Layer Security (TLS) to secure the connection (recommended)" so that your mail is sent via encrypted TLS connections to our service. This is vital!
- For additional assurance, you can select that "the subject name or subject alternative name (SAN) matches this domain name:" and enter *.yourdomain.com in the box.
- On the next page, review the connector, click Next
- Validate the connector by entering in a test email address. This can be our email 'support@globalcerts.net' or one of your external email addresses. Don't worry if it says the validation failed. Click 'Save'.
Setting up an Outbound Mail Flow Rule
- Login to your Microsoft 365 tenant's Exchange Admin center.
- In the menu, click on Mail Flow, then "Rules". Click on the "+" icon to "create a new rule...".
- Name the rule something like "Route outbound to SMG"
- Click "more options..." at the bottom.
- Under "*Apply this rule if..." select "The recipient is..." "external/internal" and select "Outside the organization" click OK.
- If you would like to add additional conditions, click "Add Condition" or "add exception" and provide further restrictions on when to use the connector. You can use this rule to limit secure email functionality to certain users or groups.
- Outlook Calendar emails cannot be auto-parsed if they're signed or encrypted. To add an exception for them, click "add exception" button, then choose "The message properties..." -> "include the message type" and then select "Calendaring" as the type.
- Under "Do the following" select "Redirect the message to" "the following connector" and select the "SMG" connector you established earlier.
- Click Save.
If you have established an SPF record in your DNS for your domain, please remember to include our service in the record by adding "a:securemail.yourdomain.com" to your record. This will help ensure that your messages delivered via your SMG will be pass SPF spam checks, and won't be caught in junk filters.
Inbound Mail Routing
Since your users will now have GlobalCerts secure accounts, other customers may now automatically send encrypted emails to your users by using certificate-based S/MIME encryption. These MUST pass through the SMG to be decrypted and verified unless you also have installed the user's private key on their mail clients.
If you don't receive S/MIME emails from any of our other customers, and also do not wish for the SMG to harvest S/MIME certificates from inbound signed emails, then you may leave the SMG out of your inbound mail path and disregard this section.
In general we recommend keeping your existing MX record as Microsoft 365's (mail.protection.outlook.com) so that it may continue filtering your inbound mail. In this configuration, it can block spam and phishing emails more effectively. Then, any signed or encrypted emails will be routed to the SMG for decryption and/or signature validation and harvesting, and finally routed back to Microsoft 365 for delivery.
To route inbound mail through the SMG, you will create another mail flow rule similar to the one above, except the Conditions will be:
- "The sender..." -> "is external/internal" and select "Outside the organization"
- "The recipient..." -> "domain is" and then add all the domains that you would like to route inbound mail for (any domains in your tenant that have secure users)
- "The message properties..." -> "include the type" and specify the following: "Encrypted" (This will only redirect S/MIME encrypted emails instead of all inbound email. You may specify a second rule and include the type "Signed" as well to redirect all signed emails through the SMG as well.)
- Under "Do the following" select "Redirect the message to" -> "the following connector" and select the "SMG" connector you established earlier.
- IMPORTANT: To ensure a message never 'loops' between Office 365 and our service, click the "Add Exception" and select "A message header..." -> "includes any of these words" and enter "X-GlobalCerts-Milter" for the header name and add "securemail.yourdomain.com" (replacing this with the actual hostname(s) of your SMG(s)) as a word for the header value. Make sure to list all your SMG hostnames as words here. The will prevent the rule from triggering if the message has already passed through your SMG.
Ensuring Delivery of Inbound Messages
To ensure that all inbound emails from our servers are securely delivered to your Microsoft 365 tenant, it is best to also create an inbound connector that forces TLS.
- Login to your Microsoft 365 tenant's Exchange Admin center and go to the Mail Flow -> Connectors page (https://admin.exchange.microsoft.com/#/connectors)
- Click on the "+" icon to add a new connector.
- For the mail flow scenario select From "Your organization's email server" and To "O365" and click Next.
- Name the connector 'Inbound SMG' and give it a description, click Next.
- Next, select the "By verifying that the IP address of the sending server matches..." option, and enter your SMG public IP address(es).
- Select "Reject email messages if they aren't sent over TLS" You may optionally specify the certificate subject name of the TLS certificate you installed on your SMG(s).
- Review and click "Create connector"
Creating this inbound connector should be enough to ensure proper delivery of inbound messages that are routed through your SMG.
However, you can also add the SMG to the IP Allow list if necessary:
- Go to the Microsoft 365 Defender portal's Anti-spam page (https://security.microsoft.com/antispam)
- Click on 'Connection filter policy (Default)' and click 'Edit connection filter policy'
- Add your SMG IP address(es) in the "Always allow messages from the following IP addresses..." textbox.
- Click 'Save'
As always, GlobalCerts is there to assist you in setting up your mail routing properly. At your discretion, you can allow GlobalCerts support delegated access to your Microsoft 365 tenant so that we may set these rules for you.