Exchange hybrid

Yann Greder 1 Reputation point
2020-09-03T13:46:23.54+00:00

Hello,

I read Exchange Server hybrid deployments https://learn.microsoft.com/en-us/exchange/exchange-hybrid and Transport routing in Exchange hybrid deployments https://learn.microsoft.com/fr-fr/exchange/transport-routing.

I set up the Exchange hybrid, "Modern Hybrid Topology"; I didn't enable centralized mail transport. I only selected one test domain to be part of the hybrid configuration. All mailboxes are still in our local Exchange 2016 environment.

After that, I noticed that we were not able to send email from a production domain to a few recipients. These emails were stopped by our SEG, flagged for spoofing. I think this happens only for MS365 recipients. I thus disabled the connectors created by the wizard. After a few hours, I was able to release these emails (why exactly, I still don't know).

If I have understood correctly, in any deployment scenario, emails sent from on-prem are sent directly to the Internet.

My misunderstanding is why the spoofing emails happened. First of all, as I only selected my test domain to be part of the hybrid scenario, I expected a change only for this one. Secondly, as it is only local outbound, emails are sent directly from there to the Internet. What changed?

Hope I'm clear enough, thanks so much for reading, help will be much appreciated.

Kind regards,
Yann


4 answers

  1. KyleXu-MSFT 26,211 Reputation points
    2020-09-04T02:26:07.343+00:00

    @Yann Greder
    The connector created by HCW is only used when sending email to the email address for your Office 365 (yourdomain.mail.onmicrosoft.com).

    According to your description, you could successfully send email after disabling this connector, so I think you tried to send email to an Exchange Online mailbox hosted on your Office 365 tenant. Could you send email to another tenant's Exchange Online mailbox?

    If you can send email to another tenant's Exchange Online mailbox successfully, I think this issue is caused by the mail filter tool that you use. From this article we can see that you should not place any filter tool between Exchange on-premises and Exchange Online.

    Check your filter tool and the connector created by HCW to ensure that email is delivered directly from Exchange on-premises to Exchange Online.




  2. Yann Greder 1 Reputation point
    2020-09-09T11:54:48.44+00:00

    Hi,

    Okay, I spent more time understanding what's going on. Mail flow from on-prem to the Internet and from the Internet to on-prem is successfully delivered. My issue, which I still have to resolve, is indeed because I have a SEG between on-prem and MS365.

    HCW created a new connector. Unfortunately this one is not used, probably a misconfiguration. It means that every email is sent with the default connector and then goes through our SEG.

    Current result: emails sent to *.onmicrosoft.com are "correctly" sent, I have a successful report, BUT emails are (I guess, and I'm not able to explain it) redirected from MS to us, and in this case they are flagged for spoofing by our SEG.

    My current conf for the connector "Outbound to Office 365":

    • Delivery tab
      => MX record associated with this connector

    • Scoping
      Address space: type SMTP, address *.mail.onmicrosoft.com, cost 1
      Checkbox "Scoped send connector": not checked
      Source server: my Exchange server
      FQDN: same FQDN as the default connector

    Do you have an idea why emails to MS are not sent with the connector "Outbound to Office 365"?

    Thank you

    Yann
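The two answers above turn on how Exchange picks a Send connector: the recipient domain is matched against each connector's address space, the most specific match wins, and cost only breaks ties. The following is an added example, not code from the thread; it reproduces that selection rule locally against connectors constructed to mirror the ones described above (a default "*" connector that goes through the SEG, and the HCW connector scoped to *.mail.onmicrosoft.com). The connector names, the cost values and the domains contoso.com and fabrikam.com are assumptions; only the *.mail.onmicrosoft.com address space comes from the thread.

```powershell
# Added example (not from the thread). Reproduces Exchange's Send connector
# selection: most specific address-space match wins, lower cost breaks ties.
# The connector list is constructed; names, costs and sample domains are assumptions.

$SampleConnectors = @(
    @{ Name = 'Default via SEG';        AddressSpace = '*';                      Cost = 1 }
    @{ Name = 'Outbound to Office 365'; AddressSpace = '*.mail.onmicrosoft.com'; Cost = 1 }
)

function Get-AddressSpaceSpecificity {
    # Returns a specificity score for one address space against a recipient domain.
    # 0 means "does not match"; higher means "more specific".
    param([string]$AddressSpace, [string]$Domain)

    if ($AddressSpace -eq '*') { return 1 }            # catch-all: matches everything, least specific

    if ($AddressSpace.StartsWith('*.')) {
        $suffix = $AddressSpace.Substring(2)
        # In Exchange, *.example.com matches example.com itself and every subdomain of it.
        if ($Domain -eq $suffix -or $Domain.EndsWith('.' + $suffix)) {
            return 2 + $suffix.Split('.').Count           # longer suffix = more specific
        }
        return 0
    }

    if ($Domain -eq $AddressSpace) { return 1000 }    # exact domain beats any wildcard
    return 0
}

function Select-SendConnector {
    # Picks the connector Exchange would use for one recipient address.
    param([string]$Recipient, [array]$Connectors)

    $domain = $Recipient.Split('@')[-1].ToLowerInvariant()
    $best = $null
    foreach ($c in $Connectors) {
        $score = Get-AddressSpaceSpecificity -AddressSpace $c.AddressSpace.ToLowerInvariant() -Domain $domain
        if ($score -eq 0) { continue }
        if ($null -eq $best -or $score -gt $best.Score -or
            ($score -eq $best.Score -and $c.Cost -lt $best.Cost)) {
            $best = [pscustomobject]@{ Name = $c.Name; Score = $score; Cost = $c.Cost }
        }
    }
    return $best
}

# Sample recipients (constructed): one Office 365 routing address, two production domains.
'user@test.mail.onmicrosoft.com', 'user@contoso.com', 'user@fabrikam.com' | ForEach-Object {
    $chosen = Select-SendConnector -Recipient $_ -Connectors $SampleConnectors
    '{0,-32} -> {1}' -f $_, $chosen.Name
}

# On a real server, compare with the live connectors in the Exchange Management Shell:
# Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts, DNSRoutingEnabled,
#     IsScopedConnector, SourceTransportServers
```

Run as written, only the *.mail.onmicrosoft.com recipient selects "Outbound to Office 365"; a recipient in any other domain, including a production domain whose mailbox happens to live in Microsoft 365, only matches the "*" address space and therefore leaves through the default connector and the SEG. That is the behaviour the first answer describes, and it is why the HCW connector looked "unused" in the second.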


  3. Yann 21 Reputation points
    2020-09-17T12:52:45.837+00:00

    I finally understood that the connector "is only used when sending email to the email address for your Office 365". Sorry for my misunderstanding.

    I still have a topology issue. The requirement is that all emails must go through on-prem. Our SEG must check inbound and outbound emails.

    DNS MX records are directed to the SEG server. Centralized mail transport is enabled.

    inbound Internet to on-prem/online
    DNS to our SEG --> Exchange on-prem | Lookup if Online --> Exchange online

    Outbound on-prem to internet
    User --> Exchange on-prem --> SEG --> internet

    Outbound Exchange online to internet
    User --> EOP --> Exchange on-prem --> SEG --> internet

    With these topologies, does it mean that I don't respect the rule to not "Place any device between your on-prem and Exchange server"? It would mean that I cannot use my own SEG?

    I'm stuck here.

    I would be really grateful for your assistance,
    Yann


  4. Yann 21 Reputation points
    2020-09-30T09:52:14.693+00:00

    I finally resolved my issue.

    This topology works fine:

        inbound Internet to on-prem/online
        DNS to our SEG --> Exchange on-prem | Lookup if Online --> Exchange online

        Outbound on-prem to internet
        User --> Exchange on-prem --> SEG --> internet

        Outbound Exchange online to internet
        User --> EOP --> Exchange on-prem --> SEG --> internet

    Here is the documentation of our SEG:
    https://www.clearswift.com/sites/default/files/documents/technical-guides/setup-and-config/Configuring%20the%20Clearswift%20SECURE%20Email%20Gateway%20with%20Office%20365%20V3_0%20FINAL.pdf

        Configure the SEG to Prevent Relaying Spoofed Email from Office 365

        To further limit the ability of third parties to use Office 365 accounts to relay spoofed messages through your SEG it is recommended that you configure Office 365 to add an X-Header to all of the emails that originate from one of your domains. You can then configure your SEG to only deliver messages that appear to originate from your email domains and contain the appropriate X-Header value. This will help to address any attempts by third parties to use their own Office 365 account to spoof messages so that they appear to originate from one of your email domains.

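The Clearswift guide quoted above describes the Office 365 half of the fix (stamp an X-Header on mail that originates from your domains) but not how to create it. The following is an added example, not code from the thread or from the Clearswift guide, showing the Exchange Online transport rule that does the stamping. The domain contoso.com, the rule name and the header name are assumptions; the cmdlets and parameters are standard Exchange Online Management ones.

```powershell
# Added example (not from the thread or the Clearswift guide). Creates the Exchange
# Online transport rule that stamps an X-Header on outbound mail from your domains,
# so the SEG on the centralized-transport path can require it before relaying.
# contoso.com, the rule name and the header name are assumptions.

# Generate the header value once, randomly, and treat it as a shared secret that only
# the tenant rule and the SEG policy know; a guessable static string defeats the check.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$HeaderValue = [Convert]::ToBase64String($bytes)

# Requires the ExchangeOnlineManagement module; prompts for an admin sign-in.
Connect-ExchangeOnline

New-TransportRule -Name 'Stamp hybrid outbound header' `
    -SenderDomainIs 'contoso.com' `
    -FromScope InOrganization `
    -SetHeaderName 'X-Contoso-Hybrid-Auth' `
    -SetHeaderValue $HeaderValue `
    -Comments 'Required by the SEG before relaying Office 365 mail from our domains'

# Confirm the rule exists and is enabled, then record $HeaderValue in the SEG policy.
Get-TransportRule -Identity 'Stamp hybrid outbound header' |
    Format-List Name, State, SenderDomainIs, SetHeaderName
```

Two design points matter on the SEG side. First, `-FromScope InOrganization` limits the rule to mail from authenticated senders inside the tenant, so an external message that merely claims a contoso.com sender and passes through EOP is not stamped. Second, the SEG policy should require both conditions together, sender domain in your domain list and header equal to the stored value, and rotate the value (re-run the rule creation with a new secret) if it is ever exposed, since anyone who knows it can satisfy the check.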