If you are using Microsoft Office 365 as your mail service, mail flow to and from your GlobalCerts SecureMail Gateway(s) (SMG) is configured with an Exchange Online 'Connector' and mail flow rules. First you set up a connector that points at your SMG. Then you create mail flow rule(s) that redirect messages to that connector when needed.
Before configuring routing on your Office 365 tenant, first set up your SMGs to allow relayed email from Office 365, and also to route inbound mail back to Office 365 properly.
In the SMG web administration, go to "Network Configuration" -> "Host Access Control", check the box for "Office 365" under the "Allowed to Send Outbound" section, and click "Set". This allows Microsoft's published IP ranges to relay outbound email through your SMGs:
White-listing Office 365 ranges
Then, go to "Network Configuration" -> "Mail Routing" and add entries for your tenant's domain(s) under 'Local Delivery'. For example, enter the domain "yourdomain.com" in the first box and "yourdomain-com.mail.protection.outlook.com" in the second box. The second value is the MX host that Office 365 assigns to that domain (the value Office 365 tells you to publish as your MX record); it is where the SMG hands mail back to Office 365 for delivery. See example below:
inbound routing to Office 365
If you have multiple SMGs, enter the mail routing for your domain(s) on ALL of them.
Setting up a Connector to your SMG
- Login to your Office 365 tenant's Exchange Admin center
- In the menu, click on Mail Flow, then Connectors. Click on the "+" icon to create a new connector.
- For the mail flow scenario select From "Office 365" and To "Partner Organization" and click Next.
- Name the connector 'SMG' and give it a description, click Next.
- Select "Only when I have a transport rule set up that redirects messages to this connector" on the next page, click Next.
- On the next page, check "Route email through these smart hosts" and click the "+" icon to add a route. Enter your SMG's FQDN here, for example "securemail.yourdomain.com", click "Save", then click Next.
- Next, make sure to check the box "Always use Transport Layer Security (TLS) to secure the connection (recommended)" so that mail is only ever sent to your SMG over an encrypted TLS connection. This is vital: without it, Office 365 uses opportunistic TLS and will send in cleartext if TLS negotiation fails.
- For additional assurance, also select "the subject name or subject alternative name (SAN) matches this domain name:" (listed under "Issued by a trusted certificate authority (CA)") and enter the name on your SMG's certificate, for example "securemail.yourdomain.com", or "*.yourdomain.com" if the SMG uses a wildcard certificate. Mandatory TLS on its own encrypts the session but accepts any certificate; this option makes Office 365 verify that the host answering at the smart-host name really presents your SMG's certificate.
- On the next page, review the connector, click Next
- Validate the connector by entering a test email address. This can be our address 'firstname.lastname@example.org' or one of your own external addresses. If the validation reports a failure at this stage you can still click 'Save'; the connector is not used for any mail until a rule redirects messages to it.
Setting up an Outbound Mail Flow Rule
- Login to your Office 365 tenant's Exchange Admin center.
- In the menu, click on Mail Flow, then "Rules". Click on the "+" icon to "create a new rule...".
- Name the rule something like "Route outbound to SMG"
- Click "more options..." at the bottom.
- Under "*Apply this rule if..." select "The recipient is..." "external/internal" and select "Outside the organization" click OK.
- If you would like to add additional conditions, click "Add Condition" or "add exception" and provide further restrictions on when to use the connector. You can use this rule to limit secure email functionality to certain users or groups.
- Outlook cannot automatically process calendar invitations and responses once they are signed or encrypted. To exempt them, click the "add exception" button, choose "The message properties..." -> "include the message type", and select "Calendaring" as the type.
- Under "Do the following" select "Redirect the message to" "the following connector" and select the "SMG" connector you established earlier.
- Click Save.
If you publish an SPF record in DNS for your domain, remember to include the SMG in it by adding the mechanism "a:securemail.yourdomain.com" (the hostname of your SMG; one "a:" entry per SMG if you have several) before the final "-all" or "~all". Mail that leaves through the SMG is sent from the SMG's IP address rather than from Microsoft's, so without this entry it will fail SPF checks at the recipient and is likely to be caught in junk filters.
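The connector and outbound rule from the steps above can also be created with Exchange Online PowerShell, which is easier to review and repeat across tenants than clicking through the admin center. The following is an added example, not code from the GlobalCerts page; the hostname, certificate name, rule name and group address are placeholders you must replace. It requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).

```powershell
# Added example (not from the GlobalCerts page): the 'SMG' connector and the
# outbound mail flow rule described above, built with Exchange Online PowerShell.
# All hostnames and names below are assumed placeholders.

$SmgHost   = 'securemail.yourdomain.com'   # FQDN of your SMG (assumed)
$TlsDomain = 'securemail.yourdomain.com'   # name on the SMG certificate; '*.yourdomain.com' for a wildcard cert
$ConnName  = 'SMG'

Connect-ExchangeOnline

# 1. Connector: Office 365 -> Partner organization, reachable only through a
#    transport rule, smart host = the SMG.  TlsSettings DomainValidation is the
#    PowerShell equivalent of "Always use TLS" + "subject/SAN matches this
#    domain name": TLS is mandatory AND the certificate must be CA-issued with a
#    subject or SAN matching $TlsDomain.  EncryptionOnly would encrypt but
#    accept any certificate, including a self-signed one presented by an
#    attacker sitting at that hostname.
New-OutboundConnector -Name $ConnName `
    -Comment 'Route to GlobalCerts SecureMail Gateway' `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts $SmgHost `
    -TlsSettings DomainValidation `
    -TlsDomain $TlsDomain `
    -Enabled $true

# 2. Outbound rule: recipients outside the organization -> SMG connector,
#    except calendar messages, which Outlook cannot process once signed or
#    encrypted.  To restrict secure mail to a group, add a sender condition
#    such as:  -FromMemberOf 'secure-mail-users@yourdomain.com'  (assumed group)
New-TransportRule -Name 'Route outbound to SMG' `
    -SentToScope NotInOrganization `
    -ExceptIfMessageTypeMatches Calendaring `
    -RouteMessageOutboundConnector $ConnName `
    -Priority 0

# 3. Read back what was created; the TLS settings are the part worth checking.
Get-OutboundConnector -Identity $ConnName |
    Format-List Name, SmartHosts, TlsSettings, TlsDomain, IsTransportRuleScoped, Enabled
Get-TransportRule -Identity 'Route outbound to SMG' |
    Format-List Name, SentToScope, ExceptIfMessageTypeMatches, RouteMessageOutboundConnector, State
```

If the connector was already created in the admin center, use Set-OutboundConnector with the same parameters to confirm or tighten its TLS settings rather than creating a second one.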
Inbound Mail Routing
Since your users will now have GlobalCerts secure accounts, other customers may automatically send them S/MIME-encrypted email using certificate-based encryption. Such messages MUST pass through the SMG to be decrypted and verified, unless you have installed each user's private key in their mail client.
If you do not expect to receive S/MIME email from other GlobalCerts customers, and also do not want the SMG to harvest S/MIME certificates from inbound signed email, you may leave the SMG out of your inbound mail path and skip this section.
In general we recommend keeping your existing MX record pointed at Office 365 so that it handles inbound connections first; in that position it can block spam and phishing email more effectively. Signed or encrypted messages are then routed to the SMG for decryption and/or signature validation and certificate harvesting, and finally routed back to Office 365 for delivery (this return hop is what the 'Local Delivery' entries in the SMG's Mail Routing configuration are for).
To route inbound mail through the SMG, you will create another mail flow rule similar to the one above, except the Conditions will be:
- "The sender..." -> "is external/internal" and select "Outside the organization"
- "The recipient..." -> "domain is" and then add all the domains that you would like to route inbound mail for (any domains in your tenant that have secure users)
- "The message properties..." -> "include the message type" and specify "Encrypted". This redirects only S/MIME-encrypted messages rather than all inbound email. You may create a second rule with the message type "Signed" to also route all signed email through the SMG.
- Under "Do the following" select "Redirect the message to" -> "the following connector" and select the "SMG" connector you established earlier.
- IMPORTANT: To ensure a message never 'loops' between Office 365 and the SMG, click "add exception" and select "A message header..." -> "includes any of these words". Enter "X-GlobalCerts-Milter" as the header name and add "securemail.yourdomain.com" (replaced with the actual hostname(s) of your SMG(s)) as a word for the header value; list every SMG hostname here. The SMG stamps this header on mail it has processed, so the exception stops the rule from redirecting a message that has already passed through an SMG. Bear in mind that the check is only as strong as the header: an inbound message that already arrives carrying that header and one of your hostnames will bypass the redirect and reach the mailbox without the SMG having decrypted or verified it.
Ensuring Delivery of Inbound Messages
To ensure that inbound mail relayed back from your SMG is always accepted by your Office 365 tenant, add the SMG's IP address(es) to the connection filter allow list ('whitelist') in the Exchange administration. Please follow these steps:
- Login to your Office 365 tenant's Exchange Admin center
- Go to "Protection" -> "Connection Filter".
- There should be a 'Default' policy there that you can edit by double clicking it.
- Then select the "connection filtering" and add your SMG IP address(es) to the "allowed IP addresses" box.
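The inbound rules (with the loop-prevention exception) and the connection-filter allow entry from the two sections above, again as an added Exchange Online PowerShell example rather than code from the GlobalCerts page. Hostnames, domains and IP addresses are placeholders; the IPs shown are from a documentation range and must be replaced with the public addresses your SMGs actually deliver from.

```powershell
# Added example (not from the GlobalCerts page): inbound routing rules for
# Encrypted and Signed mail, plus the connection-filter allow list, built with
# Exchange Online PowerShell.  All values below are assumed placeholders.

$ConnName   = 'SMG'
$SmgHosts   = @('securemail.yourdomain.com', 'securemail2.yourdomain.com')  # every SMG hostname, exactly as stamped in the header
$SmgIPs     = @('203.0.113.10', '203.0.113.11')                            # public IPs the SMGs send from (assumed)
$Domains    = @('yourdomain.com', 'otherdomain.com')                       # tenant domains that have secure users
$LoopHeader = 'X-GlobalCerts-Milter'

Connect-ExchangeOnline

# One rule per message type.  Encrypted is the essential one (Office 365 cannot
# decrypt S/MIME for the user); Signed is optional and only needed if you want
# the SMG to validate signatures and harvest sender certificates.
foreach ($type in 'Encrypted', 'Signed') {
    New-TransportRule -Name "Route inbound $type to SMG" `
        -FromScope NotInOrganization `
        -RecipientDomainIs $Domains `
        -MessageTypeMatches $type `
        -RouteMessageOutboundConnector $ConnName `
        -ExceptIfHeaderContainsMessageHeader $LoopHeader `
        -ExceptIfHeaderContainsWords $SmgHosts   # loop guard: skip mail an SMG already processed
}

# Allow the SMG source IPs past connection filtering so mail returning from the
# SMG is neither rejected nor throttled by the Default policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $SmgIPs}

# Review: the two rules and the resulting allow list.
Get-TransportRule | Where-Object Name -like 'Route inbound*' |
    Format-List Name, FromScope, RecipientDomainIs, MessageTypeMatches,
                ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords, State
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```

The hostnames in $SmgHosts must match the value the SMG writes into X-GlobalCerts-Milter character for character; a mismatch does not produce an error, it produces a mail loop, so check the header on a real message relayed by each SMG before relying on the exception.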
As always, GlobalCerts is there to assist you in setting up your mail routing properly. At your discretion you can allow GlobalCerts support delegated access to your Office 365 tenant so that we may set these rules for you.