Hi everybody!
My Scenario
Assume the following is a verified set of SendConnector and InboundConnector which work perfectly together in terms of Hybrid mail flow. Therefore I consider condition 2. to be true.
Get-InboundConnector | Where-Object {$_.connectortype -like "*onprem*"} | select TlsSenderCertificateName,*restrict*
TlsSenderCertificateName RestrictDomainsToIPAddresses RestrictDomainsToCertificate
------------------------ ---------------------------- ----------------------------
*.mydomain.de False True
Get-SendConnector | Where-Object {$_.CloudServicesMailEnabled -eq $true -and $_.enabled -eq $true} | select fqdn,TlsCertificateName
Fqdn TlsCertificateName
---- ------------------
mail.mydomain.de <I>CN=RapidSSL TLS RSA CA G1, OU=http://www.digicert.com, O=DigiCert Inc, C=US<S>CN=*.mydomain.de
[Exchange Online] Get-AcceptedDomain | select domainname
DomainName
----------
[...]
myorg.mail.onmicrosoft.com
myorg.onmicrosoft.com
mydomain.de
Questions
a1) Can you tell from the above scenario definition if condition 1a. is true?*
a2) In other words, do you consider *.mydomain.de a match with AcceptedDomain mydomain.de in terms of 1a.?
*I was wondering whether I was asking the obvious. However, as far as I remember, Exchange Online considered TlsSenderCertificateName=mydomain.de NOT matching TlsCertificateName=*.mydomain.de (in terms of 2.), but demanded TlsSenderCertificateName=*.mydomain.de. Since then I consider Exchange super picky when it comes to matching domains/certificates, which I value greatly (security) and consider a necessity, of course.
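Added example (not from the post or from Exchange itself): a small Python pre-check that parses the Send Connector's TlsCertificateName in Exchange's "<I>issuer<S>subject" format, tests the exact subject-CN match the post observed for condition 2., and, separately, shows which accepted domains the certificate name would cover under the generic single-label TLS wildcard rule (RFC 6125). The sample values are constructed from the post; the wildcard check is the general TLS rule only and does not answer question 1a, which depends on Exchange Online's own attribution logic.

```python
import re

# Constructed sample values modelled on the post (placeholders, not real data).
SEND_CONNECTOR_TLS_CERT_NAME = (
    "<I>CN=RapidSSL TLS RSA CA G1, OU=http://www.digicert.com, O=DigiCert Inc, C=US"
    "<S>CN=*.mydomain.de"
)
INBOUND_TLS_SENDER_CERT_NAME = "*.mydomain.de"
ACCEPTED_DOMAINS = ["myorg.mail.onmicrosoft.com", "myorg.onmicrosoft.com", "mydomain.de"]


def parse_tls_certificate_name(value):
    """Split Exchange's '<I>issuer<S>subject' TlsCertificateName into its two DNs."""
    m = re.fullmatch(r"<I>(.*)<S>(.*)", value, re.DOTALL)
    if not m:
        raise ValueError("expected '<I>issuer<S>subject' format")
    return {"issuer": m.group(1).strip(), "subject": m.group(2).strip()}


def dn_common_name(dn):
    """Return the first CN attribute of a comma-separated DN string."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    raise ValueError("no CN attribute in DN: %r" % dn)


def condition2_exact_match(send_connector_value, inbound_sender_name):
    """Condition 2. as observed in the post: the InboundConnector's
    TlsSenderCertificateName must equal the certificate subject CN exactly
    (case-insensitive), wildcard label included."""
    cn = dn_common_name(parse_tls_certificate_name(send_connector_value)["subject"])
    return cn.lower() == inbound_sender_name.lower()


def wildcard_covers(cert_name, hostname):
    """Generic single-label TLS wildcard rule (RFC 6125): '*.mydomain.de' covers
    'mail.mydomain.de' but not the apex 'mydomain.de' or 'a.b.mydomain.de'.
    This is NOT Exchange Online's accepted-domain attribution rule (question 1a)."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # ".mydomain.de"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def report(send_value, inbound_name, accepted_domains):
    """Summarise both checks for the given connector values."""
    cn = dn_common_name(parse_tls_certificate_name(send_value)["subject"])
    return {
        "subject_cn": cn,
        "condition2_exact_match": condition2_exact_match(send_value, inbound_name),
        "covered_by_tls_wildcard_rule": [d for d in accepted_domains if wildcard_covers(cn, d)],
    }
```

With the post's values the report shows condition 2. satisfied and an empty coverage list, i.e. under the plain TLS wildcard rule *.mydomain.de does not cover the apex domain mydomain.de; whether Exchange applies that rule for 1a is exactly what the question asks.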