Exchange Online relay connector and TLS

Kenny Stern 51 Reputation points
2021-11-18T15:11:29.687+00:00

Currently in hybrid mode with Exchange and Exchange Online. We've migrated all mailboxes but would like to keep using an Exchange on-prem server for SMTP relay. I have a connector in Exchange Online for relay that is secured by verifying the IP address of the sender, and I have the external IP address of the Exchange server added. This is working fine, but I've noticed that RequireTLS is set to False and there is no TLSSenderCertificateName on this connector.
So my questions are...
Are emails that are relayed through our on-prem Exchange server to Exchange online encrypted?
If not, what do I need to do to ensure that they are?

Thanks

Tags: Microsoft Exchange Online Management, Exchange Server Management, Microsoft Exchange Hybrid Management

Accepted answer
  1. Andy David - MVP 152.3K Reputation points MVP
    2021-11-18T15:53:35.097+00:00

    Yes, that TLSSenderCertificateName attribute only comes into play when TLS is forced.

    In a hybrid environment, you force TLS

    Exchange on-prem will send messages using TLS and Exchange Online will use TLS by default as well - so you are covered.

    The only way it won't would be using an SMTP relay that doesn't support TLS, or you created a connector that disabled that.
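The checks and the "force TLS" change the accepted answer refers to, as an added example that is not part of the original thread. Part 1 runs in Exchange Online PowerShell (ExchangeOnlineManagement module), part 2 in the on-prem Exchange Management Shell. The connector name `Inbound from on-prem relay` and the certificate name `mail.contoso.com` are assumptions; substitute your own.

```powershell
# Added example, not from the original thread. Connector names and the certificate
# name below are assumptions; substitute the values from your own environment.

# --- Part 1: Exchange Online inbound connector ---------------------------------------
Connect-ExchangeOnline

$inboundName = 'Inbound from on-prem relay'   # assumption: the name of your relay connector

# The settings the question asks about. RequireTls = False means opportunistic TLS:
# a sender that never issues STARTTLS is still accepted, in clear text.
Get-InboundConnector -Identity $inboundName |
    Format-List Name, Enabled, ConnectorType, SenderIPAddresses, RequireTls, TlsSenderCertificateName

# Option A: keep identifying the on-prem server by IP, but refuse any session that is not TLS.
Set-InboundConnector -Identity $inboundName -RequireTls $true

# Option B: identify the on-prem server by the certificate it presents instead of by IP.
# TlsSenderCertificateName must match the subject or a SAN of the certificate bound to the
# on-prem send connector (a wildcard such as *.contoso.com is accepted) and is only checked
# when RequireTls is $true. The IP list is cleared because the connector identifies the
# sender one way or the other. 'mail.contoso.com' is an assumed certificate name.
Set-InboundConnector -Identity $inboundName `
    -RequireTls $true `
    -TlsSenderCertificateName 'mail.contoso.com' `
    -SenderIPAddresses $null

# --- Part 2: on-prem Exchange, the path relayed mail takes to Exchange Online --------
# The Hybrid Configuration Wizard creates a send connector (typically
# "Outbound to Office 365 - <guid>") with RequireTLS, TlsAuthLevel DomainValidation and
# TlsDomain mail.protection.outlook.com, so the on-prem side will not deliver to
# Exchange Online without a validated TLS session. Confirm it is still configured that way.
Get-SendConnector |
    Where-Object { $_.AddressSpaces -like '*mail.onmicrosoft.com*' } |
    Format-List Name, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName

# What neither connector covers: the hop from your application servers into the on-prem
# receive connector they relay through. Check whether that connector offers STARTTLS
# (AuthMechanism contains Tls) and which certificate it presents.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-List Name, Bindings, AuthMechanism, TlsCertificateName, RequireTLS
```

Option A is the smaller change for the setup in the question: the connector still identifies the on-prem server by its public IP, but a session that is not TLS-protected is rejected rather than accepted in clear text. Option B is what the Hybrid Configuration Wizard itself configures. Whichever you choose, the last command is the one that usually finds the real gap: applications and devices relaying anonymously into on-prem Exchange frequently do not use STARTTLS, and no Exchange Online connector setting changes that hop.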


1 additional answer

  1. Andy David - MVP 152.3K Reputation points MVP
    2021-11-18T15:14:48.213+00:00

    They are because it will use Opportunistic TLS.

    https://learn.microsoft.com/en-us/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections?view=o365-worldwide

    By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections, then by default the message will be sent unencrypted if the recipient organization doesn't support TLS encryption. Opportunistic TLS is sufficient for most businesses. However, for business that have compliance requirements such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS. For instructions, see Configure mail flow using connectors in Office 365.

    If you want to force TLS you can:

    https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow
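A way to verify, per message, that opportunistic TLS was actually negotiated on each hop, as an added example that is not part of the original thread. Exchange writes `with Microsoft SMTP Server (version=TLS1_2, cipher=...)` into the Received header of a TLS-protected hop and omits the parenthesised part on a plaintext hop; the function below unfolds the headers and reports that per hop. The sample headers are constructed for the example, not taken from a real message, and the host names and addresses in them are made up.

```powershell
# Added example, not from the original thread: report, hop by hop, whether the SMTP
# session that produced each Received header was TLS-protected.
function Get-ReceivedHopTls {
    param(
        # Raw header block, e.g. the top of a saved .eml file.
        [Parameter(Mandatory)] [string] $RawHeaders
    )
    # Unfold RFC 5322 continuation lines (line break followed by whitespace).
    $unfolded = $RawHeaders -replace "`r?`n[ `t]+", ' '
    $received = $unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' }

    foreach ($hop in $received) {
        $from   = if ($hop -match 'from\s+(\S+)')         { $Matches[1] } else { '?' }
        $by     = if ($hop -match '\sby\s+(\S+)')         { $Matches[1] } else { '?' }
        $tls    = if ($hop -match 'version=(TLS[0-9_]+)') { $Matches[1] } else { $null }
        $cipher = if ($hop -match 'cipher=([A-Z0-9_]+)')  { $Matches[1] } else { $null }
        [pscustomobject]@{
            From   = $from
            By     = $by
            Tls    = if ($tls) { $tls } else { 'NONE (plaintext)' }
            Cipher = $cipher
        }
    }
}

# Constructed sample (not a real message): the on-prem server delivering to Exchange
# Online over TLS 1.2, preceded by an application server relaying into on-prem
# Exchange without STARTTLS. Received headers are newest first.
$sample = @"
Received: from mail.contoso.com (203.0.113.10) by
 AM0EUR02FT012.mail.protection.outlook.com (10.152.16.51) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4713.19; Thu, 18 Nov 2021 15:00:00 +0000
Received: from app01.corp.contoso.com (10.0.0.25) by mail.contoso.com
 (10.0.0.5) with Microsoft SMTP Server id 15.1.2375.17; Thu, 18 Nov 2021
 14:59:58 +0000
From: scanner@contoso.com
Subject: test
"@

Get-ReceivedHopTls -RawHeaders $sample | Format-Table -AutoSize
```

For the constructed sample this lists the on-prem to Exchange Online hop with TLS1_2 and the cipher, and the application to on-prem hop as plaintext. Run it against the headers of a real message sent through your relay: the first line answers the question asked in the thread, the second shows the hop that the Exchange Online connector setting does not protect.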

