Blog Post

Exchange Team Blog
4 MIN READ

Updated Requirements for SMTP Relay through Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jun 19, 2023
Update 11/13/2023: We added new information on how to know when this change is released to your organization. Today, we are announcing an update to our requirements for SMTP relay through Exchange ...
Updated Feb 22, 2024
Version 19.0
announcements
exchange online
transport
OleksiiD's avatar
OleksiiD
Copper Contributor
Nov 10, 2023

Hi,

Carolyn_Liu 

A bit about the environment:

  • Exchange Online (no on-prem Exchange servers)
  • Company's domain - DOMAIN.COM
  • Some emails are routed to 3rd party server hosted in Azure. Let's assume the server FQDN is SERVER-A.centralus.cloudapp.azure.com
  • After processing the email SERVER-A returns it to EO (a dedicated connector was created with IP authentication).
  • The envelope sender address P1 (MAIL FROM) can be empty.

 

Questions

  1. Does it mean that after November 1st we must switch to the certificate authentication in the inbound connector?
  2. How does EO validate the cert? What the cert requirements are?
    1. Can the cert be self-signed? OR is MUST be issued by the trusted root CA?
    2. Should the cert contain sending server FQDN in CN or subject alternative names SAN ("SERVER-A.centralus.cloudapp.azure.com" in our case)? If so, should server FQDN be added to the accepted domains? if not, how does EO know that the server is allowed to send emails belonging to DOMAIN.COM?
    3. Should the cert be issued to DOMAIN.COM?
    4. Should the cert contain both DOMAIN.COM and server FQDN?
    5. Any other checks?

Oleksii,

Thanks.