Is a public certificate needed to test a connector?

Marc 631 Reputation points
2021-08-07T17:39:18.453+00:00

I am trying to set up an M365 outbound connector with the corresponding inbound one on the on-prem Exchange 2010. I am using a public IP (not associated to a CA) but I am receiving errors evaluating it.
I read some documents on that topic and it seems it is needed (not confirmed) to use a TLS security option associated with a public certificate to make it work.
Do I really need (mandatory) to use a public certificate if I want to test a connector?

What is the best way to test a connector then?

Thanks


Answer accepted by question author

Andy David - MVP 160.3K Reputation points MVP Volunteer Moderator
2021-08-07T21:40:00.417+00:00

A third party cert is not needed if this is not a hybrid connection.

You can buy a 3rd party cert anywhere though.

Follow this for an example from Digicert. You can use the Exchange 2013 guide - it still applies
https://www.digicert.com/kb/exchange-ssl-certificate.htm


10 additional answers

  1. Marc 631 Reputation points
    2021-08-07T21:10:35.733+00:00

    On the firewall, port 25 has been opened and a NAT has been created from the public IP to the mail server.
    On the firewall, all the IPs you mentioned have been added, excluding the IPv6 ones (2a01:111:f400::/48, 2a01:111:f403::/48), which are not supported.

    It is missing only the third party certificate (which I thought was unnecessary).

    How can I buy/create a third party certificate?

    What is the best way to test a connector?

    Thanks


  2. Andy David - MVP 160.3K Reputation points MVP Volunteer Moderator
    2021-08-07T19:53:30.343+00:00

    Does your firewall allow connections from Exchange Online to the internal mail server?
    You will need a public IP for the on-prem mail server that is open on port 25 from Exchange Online.
    IPs:

    *.mail.protection.outlook.com
    40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

    Is this for hybrid? If so, the cert has to be a third party certificate


  3. Marc 631 Reputation points
    2021-08-07T19:21:11.523+00:00

    When creating the connector on O365, I used these settings:

    • New connector: from O365 to Your organization email server
    • Use of connector: for email messages sent to all accepted domains in your organization
    • Routing: IP address (=> external, that points to the perimeter firewall)
    • Security restriction: Always TLS + Any digital certificate

    Validation result:

    • validation failed
      IP => - OK - Resolved
      Connected IP => connection failed
      -Detailed Log
      450.4.4.317 Cannot connect to remote server....

    When I have used a different security restriction setting (trusted CA):

    • Security restriction: Always TLS + used by a trusted certificate => (I have used an internal certificate issued by the server)

    I have received the error below:

    [Image: 121289-validation-email.png]


  4. Andy David - MVP 160.3K Reputation points MVP Volunteer Moderator
    2021-08-07T17:49:52.857+00:00

    It doesn't have to be a third party certificate unless it's for a hybrid connection.
    You can tell the outbound connector from 365 to accept any cert.

    [Image: 121280-image.png]

    Not sure what you mean by "I am using a public IP (not associated to a CA) "

    What are the errors?

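The firewall step discussed in this thread (port 25 reachable from the Exchange Online ranges quoted in the answers) can be checked before re-running connector validation. The following is an added example, not code from any participant or from Microsoft: it reports which parts of those ranges a firewall allowlist leaves uncovered and which denied source IPs belong to Exchange Online. The sample allowlist and deny-log addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Ranges exactly as quoted in the thread; the linked Microsoft page is the
# authoritative list and may have changed since.
EOP_RANGES = [
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48",
]

def uncovered_ranges(allowlist, required=EOP_RANGES):
    """Return the parts of `required` that no allowlist entry covers."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    gaps = []
    for req in map(ipaddress.ip_network, required):
        remaining = [req]
        for rule in allowed:
            if rule.version != req.version:
                continue                       # IPv4 rules never cover IPv6
            still_open = []
            for net in remaining:
                if net.subnet_of(rule):
                    continue                   # fully covered by this rule
                if rule.subnet_of(net):        # rule covers only part of net
                    still_open.extend(net.address_exclude(rule))
                else:
                    still_open.append(net)     # disjoint, still uncovered
            remaining = still_open
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return [str(g) for g in gaps]

def blocked_eop_sources(denied_ips, required=EOP_RANGES):
    """From firewall deny-log source IPs, keep those inside the EOP ranges."""
    nets = [ipaddress.ip_network(r) for r in required]
    return [ip for ip in denied_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]

# Constructed sample: IPv4-only allowlist with one range entered too narrowly.
SAMPLE_ALLOWLIST = ["40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/15", "104.47.0.0/17"]
# Constructed sample: source IPs taken from firewall deny entries on port 25.
SAMPLE_DENIED = ["52.102.10.7", "198.51.100.20", "2a01:111:f400::25"]

if __name__ == "__main__":
    print("Uncovered:", uncovered_ranges(SAMPLE_ALLOWLIST))
    print("Denied EOP sources:", blocked_eop_sources(SAMPLE_DENIED))
```

An empty result from `uncovered_ranges` means the allowlist admits every quoted range; any denied address returned by `blocked_eop_sources` points to the firewall, not the certificate, as the cause of a "cannot connect" validation failure.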
