Kenny Stern 51Reputation points
Currently in hybrid mode with Exchange and Exchange Online. We've migrated all mailboxes but would like to keep using an Exchange on-prem server for SMTP relay. I have a connector in Exchange Online for relay that is secured by verifying the IP address of the sender, and I have the external IP address of the Exchange server added. This is working fine, but I've noticed that RequireTLS is set to False and there is no TLSSenderCertificateName on this connector.
So my questions are...
Are emails that are relayed through our on-prem Exchange server to Exchange online encrypted?
If not, what do I need to do to ensure that they are?
Thanks
Tags: Microsoft Exchange Online Management, Exchange Server Management, Microsoft Exchange Hybrid Management
Accepted answer
Andy David - MVP 147.6KReputation points • MVP
2021-11-18T15:53:35.097+00:00 Yes, that TLSSenderCertificateName attribute only comes into play when TLS is forced.
In a hybrid environment, you force TLS.
Exchange on-prem will send messages using TLS, and Exchange Online will use TLS by default as well, so you are covered.
The only way it won't would be using an SMTP relay that doesn't support TLS, or if you created a connector that disabled that.
Kenny Stern 51Reputation points
2021-11-18T16:54:40.637+00:00 Excellent, thanks so much.
1 additional answer
Andy David - MVP 147.6KReputation points • MVP
2021-11-18T15:14:48.213+00:00 They are because it will use Opportunistic TLS.
By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections, then by default the message will be sent unencrypted if the recipient organization doesn't support TLS encryption. Opportunistic TLS is sufficient for most businesses. However, for businesses that have compliance requirements, such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS. For instructions, see Configure mail flow using connectors in Office 365.
If you want to force TLS you can:
Kenny Stern 51Reputation points
2021-11-18T15:48:50.46+00:00 Is that true even if the setting on the Exchange Online receive connector for TLSSenderCertificateName is blank? The concern is that emails going from our on-prem Exchange server, which is only used for SMTP relay, are not encrypted to 365. Sounds like you are saying they are but want to be sure.
Thanks for the quick reply.
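The two answers above make the same two points: TLSSenderCertificateName is ignored until RequireTLS is forced, and without forcing, the hop is protected only by opportunistic TLS that silently falls back to plaintext if negotiation fails. The PowerShell below is an added example (not code from the thread, from Microsoft, or from the original poster) showing how to audit both ends of that hop, how to force TLS with a certificate match, and how to confirm from a delivered message's headers what actually happened on the wire. It assumes the ExchangeOnlineManagement module (after Connect-ExchangeOnline) for the Exchange Online parts, the on-prem Exchange Management Shell for the Send Connector parts, and placeholder names ('Inbound from OnPrem Relay', 'Outbound to Office 365', 'mail.contoso.com', 'relay.contoso.com') that you must replace with your own; the sample headers are constructed, not a real trace.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumes: ExchangeOnlineManagement (Connect-ExchangeOnline already run) for steps 1-2,
# the on-prem Exchange Management Shell for step 3, and placeholder connector and
# certificate names that must be replaced with your own.

# --- 1. Exchange Online: list enabled inbound connectors that do not force TLS ---
function Get-WeakInboundConnector {
    Get-InboundConnector |
        Where-Object { $_.Enabled -and -not $_.RequireTls } |
        Select-Object Name, ConnectorType, SenderIPAddresses,
                      RequireTls, TlsSenderCertificateName,
                      RestrictDomainsToIPAddresses, RestrictDomainsToCertificate
}

# --- 2. Exchange Online: force TLS on the relay connector and pin the sender cert ---
# TlsSenderCertificateName is only evaluated once RequireTls is $true; it is matched
# against the subject / SAN of the certificate the on-prem server presents.
function Set-RelayConnectorTls {
    param(
        [string]$Name = 'Inbound from OnPrem Relay',   # placeholder connector name
        [string]$CertificateName = 'mail.contoso.com'  # placeholder subject / SAN
    )
    Set-InboundConnector -Identity $Name -RequireTls $true -TlsSenderCertificateName $CertificateName
    Get-InboundConnector -Identity $Name | Select-Object Name, RequireTls, TlsSenderCertificateName
}

# --- 3. On-prem: confirm the send connector towards Exchange Online forces TLS ---
# RequireTLS $true, TlsAuthLevel DomainValidation and TlsDomain mail.protection.outlook.com
# are what the Hybrid Configuration Wizard sets; check them rather than assume them.
function Test-OnPremSendConnectorTls {
    param([string]$Name = 'Outbound to Office 365')   # placeholder connector name
    $sc = Get-SendConnector -Identity $Name
    [pscustomobject]@{
        Name               = $sc.Name
        RequireTLS         = $sc.RequireTLS
        TlsAuthLevel       = $sc.TlsAuthLevel        # expect DomainValidation
        TlsDomain          = $sc.TlsDomain           # expect mail.protection.outlook.com
        TlsCertificateName = $sc.TlsCertificateName  # cert that step 2 pins on the EXO side
        Compliant          = [bool]($sc.RequireTLS -and $sc.TlsAuthLevel -eq 'DomainValidation')
    }
}

# --- 4. Verify the wire from a delivered message's headers ---
# Exchange Online stamps 'version=TLSx_y, cipher=...' in its Received: header when the
# hop was encrypted; a Received: line with no version= means that hop was plaintext.
function Get-ReceivedHeaderTls {
    param([Parameter(Mandatory)][string]$RawHeaders)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '   # undo RFC 5322 header folding
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -notmatch '^Received:') { continue }
        $from   = if ($line -match '^Received: from (\S+)') { $Matches[1] } else { '?' }
        $tls    = if ($line -match 'version=(TLS[0-9_]+)')  { $Matches[1] } else { 'NONE' }
        $cipher = if ($line -match 'cipher=([A-Z0-9_]+)')   { $Matches[1] } else { '-' }
        [pscustomobject]@{ From = $from; Tls = $tls; Cipher = $cipher }
    }
}

# Constructed sample headers modelled on the Exchange Online format (not a real trace).
$sample = @"
Received: from relay.contoso.com (203.0.113.10) by
 AM0PR00MB0000.eurprd00.prod.outlook.com (2603:10a6:208:1::1) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.0000.000; Thu, 18 Nov 2021 15:00:00 +0000
Received: from app01.contoso.local (10.0.0.5) by relay.contoso.com (10.0.0.25)
 with Microsoft SMTP Server id 15.1.0000.0; Thu, 18 Nov 2021 14:59:58 +0000
"@
Get-ReceivedHeaderTls -RawHeaders $sample | Format-Table -AutoSize
# relay.contoso.com -> Exchange Online shows TLS1_2; app01 -> relay shows NONE, because
# that internal hop is governed by the on-prem receive connector, not the EXO connector.
```

Order matters when you move from opportunistic to forced TLS: set the on-prem send connector's certificate first (step 3), confirm a test message's Received header shows the expected version and cipher (step 4), and only then set RequireTls and TlsSenderCertificateName on the Exchange Online connector (step 2); doing it the other way round rejects the relay's mail until the certificate matches. Certificate matching is also a stronger identity check than the current IP-address match, since anything behind the same NAT address would otherwise be accepted. Note that the question is only about the on-prem-to-Exchange-Online hop; the applications submitting to the on-prem relay talk to a separate receive connector, whose RequireTLS setting should be reviewed on its own.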