SMTP Relay configuration in full hybrid environment

New Contributor

Hello, I have a question regarding the configuration of the SMTP Relay in Full Hybrid environment. My infrastructure is full hybrid with a 2016 exchange server on premise. We also utilize a Barrauda Cloud gateway so all incoming mail flows to the Barracuda, then to the on-prem 2016 Exchange server and then from the 2016 Exchange to Exchange online.
Most of my mailboxes (and soon to be all) have been migrated to Exchange online. SMTP relay is currently being provided on the on-prem server for internal and external email, but we want to minimize the footprint of the on-prem server to a management platform only for security conserns and use M365 smtp relay.
Currently my public dns record for autodiscovery points to the exchange onprem server (Alias CNAME is exchange.domainname). MX records must point to the Barracuda network.
When trying to folllow setup for M365 SMTP relay the M365 admin center is questioning my MX and CNAME records beacuse they are not what it expects.
I don't use public folders. Is smtp relay to the online Exchange server possible in my environment? How do I configure this?

5 Replies
Hello

Where exactly are you receiving this complaint? while creating the connector?

Confirm please you are using Option 3 here https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-de...
Yes when creating/viewing the connector in the Admin Center it is complaining about the DNS record. It always expects to see yourdomain-com.mail.protection.outlook.com but our MX records contain the smarthost data instead. I expect M365 has no way to detect a defense gateway in front of thier services. Our autodiscover record is also not what is expected it is looking for autodiscover.outlook.com and we are still pointed at our domain.
Can you describe what options did you choose to create the connector? or add a screenshot, hiding any private info.
Current testing has been primary using the existing hybrid connectors for sending from on-prem to Exchange online. That connector is certificate based. I have created a new connector that uses the IP option where our external IP('s) for our firewall are listed. I will test this way and see how I get along my understanding is the IP method would be better for eliminating the possiblity for scanned email to be flagged as spam. The question still remains what do I list for the server address if I am setting up a copier for a scan to email function? I assume yourdomain-com.mail.protection.outlook.com is still appropiate though it does not match the MX record. What rules should be created to make sure the scanning device uses the desired connector?
You should be able to set yourdomain-com.mail.protection.outlook.com in your device as destination to send your email.
Is the device using a static IP Address? did you update your SPF record to add it?