Configure a certificate-based connector to relay email messages through Office 365

Introduction

If your organization has a hybrid deployment (on-premises plus Microsoft Office 365), you often have to relay email messages to the Internet through Office 365. That is, messages that you send from your on-premises environment (mailboxes, applications, scanners, fax machines, and so on) to Internet recipients are first routed to Office 365, and then sent out.

Figure: Email relayed from your on-premises email servers to the Internet through Office 365

For this relay to work correctly, your organization must follow these steps:

  1. Create one or more connectors in Office 365 to authenticate email messages from your on-premises mail servers by using either the sending IP address or a certificate.

  2. Configure your on-premises servers to relay through Office 365.

  3. Configure your setup so that either of the following conditions is true:

    • Sender domain

      The sender domain belongs to your organization (that is, you have registered your domain in Office 365).

      Note: For more information, see Add User and Domain in Office 365.

    • Certificate-based connector configuration

      Your on-premises email server is configured to use a certificate to send email to Office 365, and the Common Name (CN) or Subject Alternative Name (SAN) in the certificate contains a domain name that you have registered in Office 365, and you have created a certificate-based connector in Office 365 that has that domain.

If neither of the conditions in step 3 is true, Office 365 can't determine whether the message that was sent from your on-premises environment belongs to your organization. Therefore, if you use hybrid deployments, you should make sure that you meet either of the step 3 conditions.

Summary

Starting July 5, 2017, Office 365 no longer supports relaying email messages if a hybrid environment customer has not configured their environment for either of the step 3 conditions. Such messages are rejected and trigger the following error message:

550 5.7.64 Relay Access Denied ATTR36. For more data, see KB 3169958.

Additionally, you must meet the second condition ("certificate-based connector configuration") in step 3 in the Introduction section if your organization requires that any of the following scenarios continue to work after July 5, 2017.

Note

The original deadline for this new procedure was moved from Feb 1, 2017, to July 5, 2017, to provide sufficient time for customers to implement the changes.

Scenarios in which Office 365 does not support relaying email messages by default

  • Your organization has to send non-delivery reports (NDRs) from the on-premises environment to a recipient on the Internet, and it has to relay the messages through Office 365. For example, somebody sends an email message to john@contoso.com, a user who used to exist in your organization's on-premises environment. This causes an NDR to be sent to the original sender.

  • Your organization has to send messages from the email server in your on-premises environment from domains that your organization hasn't added to Office 365. For example, your organization (contoso.com) sends email as the fabrikam.com domain, and fabrikam.com doesn't belong to your organization.

  • A forwarding rule is configured on your on-premises server, and messages are relayed through Office 365.

    For example, contoso.com is your organization's domain. A user on your organization's on-premises server, kate@contoso.com, enables forwarding for all messages to kate@tailspintoys.com. When john@fabrikam.com sends a message to kate@contoso.com, the message is automatically forwarded to kate@tailspintoys.com.

    From the point of view of Office 365, the message is sent from john@fabrikam.com to kate@tailspintoys.com. Because Kate's mail is forwarded, neither the sender domain nor the recipient domain belongs to your organization.

Figure: A forwarded message from contoso.com that's allowed to be relayed through Office 365 because the step 3 "certificate-based connector configuration" condition is met

More information

You can set up a certificate-based connector for Office 365 to relay messages to the Internet. To do this, use the following method.

Step 1: Create or modify a certificate-based connector in Office 365

To create or modify a certificate-based connector, follow these steps:

  1. Sign in to the Office 365 portal (https://portal.office.com), click Admin, and then open the Exchange admin center. For more information, see Exchange admin center in Exchange Online.

    Screenshot shows steps to open the Exchange admin center.

  2. Click mail flow, click connectors, and then do one of the following:

    • If there are no connectors, click (Add) to create a connector.

      Screenshot shows that there are no connectors in the Exchange admin center; click the Add icon (plus sign) to create a connector.

    • If a connector already exists, select it, and then click (Edit).

      Screenshot shows selecting the connector in the Exchange admin center, and then clicking the Edit icon (pen shape).

  3. On the Select your mail flow scenario page, select Your organization's email server in the From box, and then select Office 365 in the To box.

    Note

    This creates a connector that indicates that your on-premises server is the sending source for your messages.

    Screenshot of the Select your mail flow scenario page, which selects your organization's email server in the From box, and then selects Office 365 in the To box.

  4. Enter the connector name and other information, and then click Next.

  5. On the New connector or Edit connector page, select the first option to use a Transport Layer Security (TLS) certificate to identify the sender source of your organization's messages. The domain name in the option should match the CN name or SAN in the certificate that you're using.

    Note

    This domain must be a domain that belongs to your organization, and you have to have added it to Office 365. For more information, see Add Domains in Office 365.

    For example, Contoso.com belongs to your organization, and it's part of the CN name or SAN name in the certificate that your organization uses to communicate with Office 365. If the domain in the certificate contains multiple domains (such as mail1.contoso.com, mail2.contoso.com), we recommend that the domain in the connector UI be *.contoso.com.

    Note

    Existing hybrid customers who used the Hybrid Configuration Wizard to configure their connectors should check their existing connector to make sure that it uses, for example, *.contoso.com instead of mail.contoso.com or <hostname>.contoso.com. This is because mail.contoso.com and <hostname>.contoso.com may not be registered domains in Office 365.

    Figure: Setting up the connector to use the "contoso.com" format (for example)
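
The two step 3 conditions and the wildcard recommendation above, as a small Python model added here for illustration (it is not Microsoft's code or the service's actual logic). The wildcard matching rule and all function names are assumptions of this example; the sample domains are the ones used on this page.

```python
# Simplified model of the step 3 relay conditions described on this page.
# Added example: not Microsoft's code; the matching rule is an assumption.

def _norm(name):
    return name.strip().rstrip(".").lower()

def name_matches(pattern, name):
    """Assumed rule: '*.contoso.com' matches any name under contoso.com;
    any other pattern must equal the certificate name exactly."""
    pattern, name = _norm(pattern), _norm(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".contoso.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name

def connector_domain(pattern):
    """Domain that has to be registered for this connector pattern."""
    pattern = _norm(pattern)
    return pattern[2:] if pattern.startswith("*.") else pattern

def relay_condition(sender, cert_names, connector_pattern, registered):
    """Return which step 3 condition is met, or None if neither is."""
    registered = {_norm(d) for d in registered}
    if _norm(sender.rsplit("@", 1)[-1]) in registered:
        return "sender domain"
    if (connector_pattern
            and connector_domain(connector_pattern) in registered
            and any(name_matches(connector_pattern, n) for n in cert_names)):
        return "certificate-based connector"
    return None  # per the page: rejected with 550 5.7.64 Relay Access Denied

# Constructed sample data using the page's example domains.
REGISTERED = ["contoso.com"]
CERT_SANS = ["mail1.contoso.com", "mail2.contoso.com"]
CASES = [
    ("kate@contoso.com", [], None),                        # own domain
    ("john@fabrikam.com", CERT_SANS, "*.contoso.com"),     # forwarded mail
    ("john@fabrikam.com", CERT_SANS, "mail.contoso.com"),  # host name only
    ("john@fabrikam.com", CERT_SANS, None),                # no cert connector
]

def evaluate_cases():
    return [relay_condition(s, c, p, REGISTERED) for s, c, p in CASES]

if __name__ == "__main__":
    for case, result in zip(CASES, evaluate_cases()):
        print(case[0], case[2], "->", result or "rejected")
```

The third case reflects the note for Hybrid Configuration Wizard customers: a connector set to mail.contoso.com fails in this model because only contoso.com is registered.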

Step 2: Register your domain in Office 365

To register your domain, follow the steps in the following Office article:

Add users and domain to Office 365

In the Microsoft 365 Admin Center, click Setup, and then click Domains to see the list of domains that are registered.

Screenshot shows steps to see the registered domains.

Step 3: Configure your on-premises environment

To configure your on-premises environment, follow these steps:

  1. If your organization uses Exchange Server for its on-premises server, configure the server to send messages over TLS. To do this, see Set up your email server to relay mail to the Internet via Office 365.

    Note

    If you've already used Hybrid Configuration Wizard, you can continue to use it. However, make sure that you use a certificate that matches the criteria that's outlined in Step 1, sub-step 5 of this section.

  2. Install a certificate in your on-premises environment. To do this, see Step 6: Configure an SSL certificate.

References

For more information about how to address the connector setting requirement, see Important connector notice.

For more information about how to relay messages through Office 365, see the "Setting up mail flow where some mailboxes are in Office 365 and some mailboxes are on your organization's mail servers" section of Mail flow best practices for Exchange Online and Office 365.
