question

Marc-8505 asked (0 votes; AndyDavid commented)

Is a public certificate needed to test a connector?

I am trying to set up an M365 outbound connector with the corresponding inbound one on the on-prem Exchange 2010. I am using a public IP (not associated with a CA) but I am receiving errors validating it.
I read some documents on that topic and it seems to be needed (not confirmed) to use a TLS security option associated with a public certificate to make it work.
Do I really need (mandatory) to use a public certificate if I want to test a connector?

What is the best way to test a connector then?

Thanks

Tags: office-exchange-hybrid-itpro, office-itpro

AndyDavid answered (0 votes)

A third party cert is not needed if this is not a hybrid connection.

You can buy a 3rd party cert anywhere though.

Follow this for an example from DigiCert. You can use the Exchange 2013 guide - it still applies:
https://www.digicert.com/kb/exchange-ssl-certificate.htm





AndyDavid answered (0 votes; AndyDavid commented)

[screenshot image.png attached, not reproduced]

Please mark an answer as accepted so this can be closed. Thanks!

Marc-8505 answered (0 votes; AndyDavid converted comment to answer)

Another question: is it possible to create a connector without TLS?


Marc-8505 answered (0 votes; AndyDavid commented)

Thank you.

Then we are not in hybrid mode, as the mailboxes are on-prem and not moved to Exchange Online. We moved all users to some services such as Teams and we are implementing EOP antispam.

Probably this is why it worked in that way.


Ok, please mark an answer as accepted so this can be closed. Thanks!

AndyDavid answered (0 votes)

No, hybrid mode is when you have run the hybrid wizard and you require mail flow between on-prem and Exchange Online mailboxes to be treated as trusted.
As I mentioned above, that requires a third party certificate.


Marc-8505 answered (0 votes; AndyDavid commented)

About hybrid.

If users are synced from on-prem to M365 (Azure AD Connect), can I consider that we are in hybrid mode?

The validation has been solved by removing the TLS security from both ends.

QUESTION: Did this setting work because we are not in hybrid mode, or because by unchecking TLS we don't need a certificate (even if we are in hybrid)?

Thanks


No, hybrid mode is when you have run the hybrid wizard and you require mail flow between on-prem and Exchange Online mailboxes to be treated as trusted.

KyleXu-MSFT answered (0 votes; KyleXu-MSFT edited)

@Marc-8505

Are you using a hybrid environment?

If you aren't using a hybrid environment, you could create a send connector without a trusted CA certificate. Try to modify the send connector to:
[four screenshots of the connector settings attached, not reproduced]
Indeed, if you aren't in hybrid, you don't need to create any send connector; Exchange Online can send email to the Internet without a send connector.


If you are using a hybrid environment, a trusted CA certificate is needed. You don't need to create the connector manually, just run the HCW; this program will configure the connector for you directly.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Marc-8505 answered (0 votes)

On the firewall, port 25 has been opened and a NAT created from the public IP to the mail server.
On the firewall all the IPs you mentioned have been added, excluding the IPv6 ranges (2a01:111:f400::/48, 2a01:111:f403::/48), which are not supported.

It is missing only the third party certificate (which I thought was unnecessary).

How can I buy/create a third party certificate?

What is the best way to test a connector?

Thanks


AndyDavid answered (0 votes; AndyDavid edited)

Does your firewall allow connections from Exchange Online to the internal mail server?
You will need a public IP for the on-prem mail server that is open on port 25 from Exchange Online.
IPs:

*.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

Is this for hybrid? If so, the cert has to be a third party certificate
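To show what the firewall and receive-connector side of this advice looks like on the on-prem server, here is an added example for the Exchange 2010 Management Shell (it is not code from the thread or from Microsoft). The server name and the FQDN are placeholders, and the IPv4 ranges are the ones quoted in the post above; re-check them against the linked Microsoft page before using them, since the published ranges change.

```powershell
# Added example (not from the thread): an Exchange 2010 receive connector that
# accepts SMTP only from the Exchange Online Protection ranges quoted above and
# offers STARTTLS. $Server and $Fqdn are placeholders.

$Server = 'EX2010-HT01'        # placeholder: the Hub Transport server the NAT points to
$Fqdn   = 'mail.contoso.com'   # placeholder: must match the subject/SAN of the SMTP certificate

# IPv4 ranges from the post. The IPv6 ranges (2a01:111:f400::/48,
# 2a01:111:f403::/48) are left out because the poster's firewall does not
# support IPv6; add them if yours does.
$EopRanges = @(
    '40.92.0.0/15',
    '40.107.0.0/16',
    '52.100.0.0/14',
    '104.47.0.0/17'
)

# A dedicated connector scoped to the EOP ranges. Exchange selects the receive
# connector whose RemoteIPRanges match the sender most specifically, so this
# one wins over the Default connector for EOP traffic and nothing else.
New-ReceiveConnector -Name 'Inbound from EOP' `
    -Server $Server `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $EopRanges `
    -Fqdn $Fqdn `
    -AuthMechanism Tls `
    -RequireTLS $true `
    -PermissionGroups AnonymousUsers

# Which certificate will be offered on STARTTLS? The one that has SMTP in
# Services and whose subject/SAN matches $Fqdn. A self-signed or internal-CA
# certificate satisfies "Any digital certificate" on the Exchange Online side;
# only hybrid needs a certificate from a public CA.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-List Subject, CertificateDomains, Issuer, NotAfter, Thumbprint

# Confirm the scope and that TLS is still required (the thread's workaround of
# turning TLS off on both ends leaves mail in clear text across the Internet).
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -eq 'Inbound from EOP' } |
    Format-List Name, Bindings, RemoteIPRanges, RequireTLS, AuthMechanism, PermissionGroups
```

The firewall still has to NAT the public IP to this server on TCP 25 and restrict the source to the same ranges; the connector's RemoteIPRanges is the second, host-level copy of that restriction, so a NAT rule that is accidentally opened to the world does not turn the server into an open inbound path.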


Marc-8505 answered (0 votes)

Creating the connector on O365 I have used these settings:

  • New connector: from O365 to Your organization email server

  • Use of connector: for email messages sent to all accepted domains in your organization

  • Routing: IP address (=> external, pointing to the perimeter firewall)

  • Security restriction: Always TLS + Any digital certificate

Validation result: validation failed
- IP => OK - Resolved
- Connected IP => connection failed
- Detailed log: 450.4.4.317 Cannot connect to remote server....

When I used a different security restriction setting (trusted CA):
- Security restriction: Always TLS + issued by a trusted certificate => (I used an internal certificate issued by the server)

I have received the error below:

[screenshot validation-email.png attached, not reproduced]
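The settings listed in this post, and the "send connector without a trusted CA certificate" that KyleXu-MSFT describes, map onto a few Exchange Online PowerShell cmdlets. The block below is an added example, not code from the thread or from Microsoft: it creates the connector with the TLS option that accepts any certificate, runs the built-in validation, and shows the tightening to "issued by a trusted CA" for later. The connector name, the public IP, the domain and the smart-host FQDN are placeholders; the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example (not from the thread): Exchange Online PowerShell equivalent of
# the connector built in the admin center, with the two TLS settings the thread
# discusses. All names and addresses below are placeholders.

Connect-ExchangeOnline

$ConnectorName  = 'To on-prem Exchange 2010'
$OnPremPublicIp = '203.0.113.10'     # placeholder: public IP NATed by the perimeter firewall to the mail server
$AcceptedDomain = 'contoso.com'      # placeholder: the accepted domain hosted on-prem

# "Always TLS + Any digital certificate" = TlsSettings EncryptionOnly. TLS is
# mandatory, but any certificate (self-signed, internal CA) is accepted, so no
# public CA certificate is needed. The session is encrypted; the remote host is
# not authenticated beyond the IP you route to.
New-OutboundConnector -Name $ConnectorName `
    -ConnectorType OnPremises `
    -UseMXRecord $false `
    -SmartHosts $OnPremPublicIp `
    -RecipientDomains $AcceptedDomain `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $false `
    -Enabled $true `
    -Comment 'Non-hybrid: mailboxes stay on-prem, EOP in front'

# Validation sends a test message through the connector and reports the SMTP
# exchange. A "Cannot connect to remote server" (4.4.317) result at this stage
# points at the firewall/NAT path on port 25, not at the certificate.
Validate-OutboundConnector -Identity $ConnectorName -Recipient "postmaster@$AcceptedDomain"

# Once a publicly trusted certificate whose subject matches the smart-host name
# is bound to SMTP on-prem (what hybrid requires), route by FQDN and require
# "issued by a trusted CA" = TlsSettings CertificateValidation. An internal or
# self-signed certificate fails this check, which is the error seen above.
Set-OutboundConnector -Identity $ConnectorName `
    -SmartHosts 'mail.contoso.com' `
    -TlsSettings CertificateValidation

# Review what is actually configured
Get-OutboundConnector -Identity $ConnectorName |
    Format-List Name, ConnectorType, SmartHosts, TlsSettings, RecipientDomains, Enabled
```

Leaving TlsSettings at EncryptionOnly is the middle ground between "remove TLS from both ends" (which the thread settled on, and which sends mail in clear text over the Internet) and buying a public certificate: it keeps the hop encrypted while the certificate question is sorted out, and it can be raised to CertificateValidation with the single Set-OutboundConnector call once the public certificate is in place.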