OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts


Configure enforced TLS with a partner in Office365

April 29, 2020 - by Zsolt Agoston - last edited on April 30, 2020

In our previous article we discussed enforced TLS with Exchange, more precisely with on-premises Exchange servers. We established that Exchange uses opportunistic TLS by default: it prefers encryption, but falls back to plain SMTP if the other party does not offer STARTTLS. In this article we look at setting up enforced TLS between our Office365 (Exchange Online) tenant and a partner organization. Our domain is alwayshotcafe.com, just like before. The chosen partner is opentechtips.com.

Prepare for Forced TLS in Office365

The process is very similar to the one discussed earlier; only the naming differs a little. In Exchange Online there are no separate "Send" and "Receive" connectors, there are simply "Connectors", and we choose the direction (the from and to sides) during setup. This means we configure two connectors: one for inbound and one for outbound mail.

1. Force inbound TLS

First, we set up an inbound connector that accepts email from the partner domain, opentechtips.com, only if it arrives over TLS. Messages from that domain that are offered over plain SMTP are rejected rather than delivered.

PS:

New-InboundConnector -Name "Force TLS - inbound" -SenderDomains *.opentechtips.com -RequireTls:$true -Enabled:$true

using ECP:

[Screenshots: the "New connector" wizard in the Exchange admin center for the inbound connector, from choosing the direction (partner organization to Office 365) and the sender domain through to enabling the "Reject messages if they aren't sent over TLS" option]

2. Set up the Outbound connector

Then we configure the outbound connector. The process is the same, only the direction is swapped: with PowerShell we use the New-OutboundConnector cmdlet; if the web UI is preferred, the steps are the same apart from the direction. As before, we route via the partner's MX record and enforce TLS without validating the certificate or its domain (TlsSettings EncryptionOnly), so any certificate, even a self-signed one, is accepted as long as the session is encrypted.

If we need tighter security we can restrict which remote certificate is accepted by using -TlsSettings DomainValidation together with the -TlsDomain parameter. Note that the TLS certificate presented by the remote server must contain that domain (in its subject or subject alternative names) if this option is used. That domain can differ from the recipient domain we send email to; it depends on the remote server configuration, since the MX host for opentechtips.com may well present a certificate issued for a different host name. The middle option, -TlsSettings CertificateValidation, requires a certificate issued by a trusted CA but does not pin a name.
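Before choosing DomainValidation you need to know which name the partner's MX host actually presents. The following script is an added example, not code from the original article: it resolves the partner's MX records, speaks EHLO and STARTTLS to each host, and prints the certificate subject, subject alternative names and whether the chain is trusted by this machine. It assumes outbound TCP/25 is allowed from where it runs, that Resolve-DnsName (the DnsClient module on Windows) is available, and uses 'probe.example.invalid' as a placeholder EHLO name.

```powershell
# Added example (not from the original article): probe a partner's MX hosts for STARTTLS
# and show the certificate each one presents, so you know which name -TlsDomain must match.
# Assumptions: outbound TCP/25 is allowed from this machine, Resolve-DnsName (DnsClient
# module, Windows) is available, and 'probe.example.invalid' is a placeholder EHLO name.
param([string]$PartnerDomain = 'opentechtips.com')

function Get-SmtpStartTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$MxHost,
        [int]$Port = 25,
        [int]$TimeoutMs = 10000
    )
    $result = [ordered]@{
        Host = $MxHost; StartTls = $false; Protocol = $null
        Subject = $null; SubjectAltName = $null; ChainTrusted = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($MxHost, $Port)
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # An SMTP reply can span several lines: "250-..." continues, "250 ..." is the last line.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
            , $lines
        }

        $null = & $readReply                            # 220 banner
        $writer.WriteLine('EHLO probe.example.invalid')
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[- ]STARTTLS')) {   # server does not advertise STARTTLS
            $writer.WriteLine('QUIT')
            return [pscustomobject]$result
        }
        $result.StartTls = $true

        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply[-1] -notmatch '^220') { throw "$MxHost refused STARTTLS: $($reply[-1])" }

        # Accept any certificate during the handshake so we can inspect it; trust is
        # evaluated separately below, the way a CertificateValidation connector would.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($MxHost)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

        $result.Protocol       = $ssl.SslProtocol
        $result.Subject        = $cert.Subject
        $result.SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
        $result.ChainTrusted   = $chain.Build($cert)   # chains to a CA this machine trusts?

        # Say goodbye over the now-encrypted channel.
        $tlsWriter = [System.IO.StreamWriter]::new($ssl)
        $tlsWriter.NewLine = "`r`n"
        $tlsWriter.WriteLine('QUIT')
        $tlsWriter.Flush()
    }
    finally { $client.Close() }
    return [pscustomobject]$result
}

# Lowest preference value = primary MX; probe them all, since any of them may receive our mail.
$mxHosts = Resolve-DnsName -Name $PartnerDomain -Type MX -ErrorAction Stop |
    Where-Object { $_.Type -eq 'MX' } |
    Sort-Object Preference |
    Select-Object -ExpandProperty NameExchange

foreach ($mx in $mxHosts) {
    Get-SmtpStartTlsCertificate -MxHost $mx | Format-List
}
```

Run it as .\Probe-PartnerTls.ps1 -PartnerDomain opentechtips.com. A host with StartTls = False will make an EncryptionOnly connector fail outright, a ChainTrusted = False result means CertificateValidation would reject it, and the SubjectAltName field shows the name you would have to pass as -TlsDomain. Probe every MX host: DomainValidation only works if all of them present a matching certificate.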

PS:

New-OutboundConnector -Name "Force TLS - outbound" -RecipientDomains *.opentechtips.com -UseMXRecord:$true -TlsSettings EncryptionOnly -Enabled:$true

with ECP:

[Screenshot: the "New connector" wizard in the Exchange admin center, direction set from Office 365 to the partner organization]

The direction is reversed, this time it is for messages from our tenant to the partner.

[Screenshots: the remaining wizard steps for the outbound connector: the recipient domain, MX record routing, and the "Always use TLS" option without certificate validation]

All done. Now only encrypted SMTP traffic is allowed between us (alwayshotcafe.com) and opentechtips.com. If opentechtips used a third-party mail service that only supports plain SMTP, our tenant would reject those messages, protecting the likely private material in them from eavesdroppers. Likewise our tenant will refuse to send outgoing email to opentechtips.com if the receiving side does not offer STARTTLS: the message is not downgraded to clear text but deferred and eventually returned to the sender with a non-delivery report.

Two caveats are worth keeping in mind. With TlsSettings EncryptionOnly the partner's certificate is not validated, so this setup defends against passive eavesdropping but not against an active attacker who can intercept the connection and present a certificate of their own; choose CertificateValidation or DomainValidation if that is part of your threat model. And the inbound connector only enforces encryption for mail that claims to come from the partner domain; it does not authenticate the sender, so SPF, DKIM and DMARC checks for opentechtips.com remain as important as before.
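The two steps above, combined into one script that can be re-run safely, as an added example (not code from the original article). It creates the inbound and outbound connectors if they do not exist yet and updates them otherwise, lets you pick the TLS mode, and prints the settings that are actually in effect. It assumes the ExchangeOnlineManagement module is installed, the account holds the Exchange Administrator role, the partner is opentechtips.com, and the default -TlsDomain value 'mail.opentechtips.com' is a placeholder you replace with the name found in the partner's certificate.

```powershell
# Added example (not from the original article): create or update both partner connectors
# in one go and print the resulting settings. Assumptions: the ExchangeOnlineManagement
# module is installed, the account holds the Exchange Administrator role, the partner is
# opentechtips.com, and the -TlsDomain default 'mail.opentechtips.com' is a placeholder.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$PartnerDomain = 'opentechtips.com',
    # EncryptionOnly        = any TLS, certificate not checked (the article's setting)
    # CertificateValidation = certificate must chain to a trusted CA
    # DomainValidation      = as above, and the certificate must contain -TlsDomain
    [ValidateSet('EncryptionOnly', 'CertificateValidation', 'DomainValidation')]
    [string]$TlsMode = 'EncryptionOnly',
    [string]$TlsDomain = 'mail.opentechtips.com',
    # Optional: a partner mailbox to send a test message to once the outbound connector exists.
    [string]$TestRecipient
)

Connect-ExchangeOnline -ShowBanner:$false

$domainPattern = "*.$PartnerDomain"   # the article's pattern: the partner domain and its subdomains
$inName  = "Force TLS - inbound ($PartnerDomain)"
$outName = "Force TLS - outbound ($PartnerDomain)"

# 1. Inbound: mail from the partner domain is accepted only if it arrives over TLS.
$inParams = @{ SenderDomains = $domainPattern; RequireTls = $true; Enabled = $true }
if (Get-InboundConnector -Identity $inName -ErrorAction SilentlyContinue) {
    Set-InboundConnector -Identity $inName @inParams
} else {
    New-InboundConnector -Name $inName -ConnectorType Partner @inParams
}

# 2. Outbound: mail to the partner domain goes via its MX record and only over TLS.
$outParams = @{ RecipientDomains = $domainPattern; UseMXRecord = $true; TlsSettings = $TlsMode; Enabled = $true }
if ($TlsMode -eq 'DomainValidation') { $outParams.TlsDomain = $TlsDomain }
if (Get-OutboundConnector -Identity $outName -ErrorAction SilentlyContinue) {
    Set-OutboundConnector -Identity $outName @outParams
} else {
    New-OutboundConnector -Name $outName -ConnectorType Partner @outParams
}

# 3. Verify what is actually in effect, not what we think we configured.
Get-InboundConnector  -Identity $inName  | Format-List Name, Enabled, ConnectorType, SenderDomains, RequireTls
Get-OutboundConnector -Identity $outName | Format-List Name, Enabled, ConnectorType, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain

# 4. Optional end-to-end check: Exchange Online sends a test message through the connector
#    and reports whether it could be delivered with the connector's settings.
if ($TestRecipient) {
    Validate-OutboundConnector -Identity $outName -Recipients $TestRecipient
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run with the defaults to reproduce the article's configuration, or with -TlsMode DomainValidation -TlsDomain <name from the partner's certificate> for the stricter variant. The script uses splatting so that the same parameter set drives both the New- and Set- cmdlets, which keeps the two code paths from drifting apart when you later tighten the TLS settings.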
