custom receive connector for Exchange Hybrid deployment

In preparation for our migration to Exchange Online we are in the process of deploying the HCW. I have read a lot of information and found that there must be a direct inbound SMTP (port 25) connection to an Exchange on-premises server or Edge server.

The fact is that all mail is delivered first through a mail gateway appliance (Barracuda).

This source says it's not possible to use any service, server, or device between Exchange Online and Exchange on-premises: Transport routing in Exchange hybrid deployments | Microsoft Docs

"Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic. Secure mail flow between your on-premises Exchange organization and Microsoft 365 or Office 365 depends on information contained in messages sent between the organization. Firewalls that allow SMTP traffic on TCP port 25 through without modification are supported. If a server, service, or device processes a message sent between your on-premises Exchange organization and Microsoft 365 or Office 365, this information is removed. If this happens, the message will no longer be considered internal to your organization and will be subject to anti-spam filtering, transport and journal rules, and other policies that may not apply to it."


My idea is to create a custom Exchange receive connector (different internal and external IPs and a NIC for the Exchange server, including an MX record and certificate) and configure this in Exchange Online as well. I couldn't find any reference to such a configuration. Is this the way to go, or are there different (easier) ways to do this?

Our hybrid configuration will be in place for a long time and mail has to flow between Online and on-premises. Mail should still be received by the mail gateway appliance; later in the project we will migrate the MX records and mail will be delivered directly to Exchange Online.

I also found a PowerShell command that lists all datacenter IPs for mail flow. It's a deprecated command, but it still works. Is it a good idea to put these IPs in an ACL on the firewall?

I hope I've explained it well enough to understand my question.

0 Replies
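The design the post sketches (a dedicated IP on the Exchange server, a receive connector that only the Exchange Online ranges may reach, and the same IP list reused for the firewall ACL) as an added example in the Exchange Management Shell. This is not code from the original post or from Microsoft's HCW; the server name EX01, the IP 192.0.2.25, the FQDN hybrid.contoso.com, the connector name and the certificate issuer/subject string are hypothetical placeholders. The IP list is pulled from the Microsoft 365 endpoints web service rather than the deprecated cmdlet the post mentions.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange
# Management Shell. Hypothetical names: server EX01, dedicated IP 192.0.2.25,
# FQDN hybrid.contoso.com and the certificate issuer/subject string are
# placeholders to replace with your own values.

# 1. Fetch the currently published Exchange Online IP ranges for SMTP (TCP 25)
#    from the Microsoft 365 endpoints web service (a GUID client request id is required).
$clientRequestId = [guid]::NewGuid().Guid
$endpointUri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$clientRequestId"
$endpoints = Invoke-RestMethod -Uri $endpointUri

$exoSmtpRanges = $endpoints |
    Where-Object {
        $_.serviceArea -eq 'Exchange' -and
        $_.ips -and
        (($_.tcpPorts -split ',') -contains '25')
    } |
    ForEach-Object { $_.ips } |
    Sort-Object -Unique

# Hand the same list (IPv4 and IPv6 CIDRs) to the firewall team for the
# TCP/25 ACL that protects the dedicated IP.
$exoSmtpRanges | Set-Content -Path .\exo-smtp-ranges.txt

# 2. Dedicated Frontend receive connector bound only to the hybrid IP,
#    reachable only from the Exchange Online ranges, with TLS required and
#    the cloud-services capability that lets hybrid headers survive.
$connectorName = 'Inbound from Exchange Online'
New-ReceiveConnector -Name $connectorName -Server 'EX01' `
    -TransportRole FrontendTransport -Usage Internet `
    -Bindings '192.0.2.25:25' `
    -RemoteIPRanges $exoSmtpRanges `
    -Fqdn 'hybrid.contoso.com' `
    -RequireTLS $true `
    -TlsCertificateName '<I>CN=Example CA<S>CN=hybrid.contoso.com' `
    -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail'

# 3. Check that no other connector on the server claims the same binding;
#    overlapping Bindings/RemoteIPRanges make connector selection ambiguous.
$overlap = Get-ReceiveConnector -Server 'EX01' |
    Where-Object { $_.Name -ne $connectorName -and ($_.Bindings -match '^192\.0\.2\.25:25$') }
if ($overlap) { Write-Warning "Binding already used by: $($overlap.Name -join ', ')" }

# 4. When the published ranges change, re-run step 1 and replace the whole
#    list on the connector (RemoteIPRanges is replaced, not merged).
Set-ReceiveConnector -Identity "EX01\$connectorName" -RemoteIPRanges $exoSmtpRanges
```

The point of binding the connector to its own IP is that the gateway appliance keeps handling the existing MX path on the other address, while Exchange Online talks to this address directly and the SMTP session is never rewritten in between. The exported range file is the same data the firewall ACL should be built from, so the two stay in step when you refresh them together; the Exchange Online side (the outbound connector pointing at hybrid.contoso.com) is not shown here.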