I am working with a trusted partner to arrange a TLS connection between our environments.
We have no on-premises servers, so our side is handled entirely with Office 365 / Exchange Online / FOPE.
The partner has requested that we answer the following questions, and I'm unsure what the answers are. Hopefully someone can help...
1. The partner wishes to know the mail-routing method, whether it is using public MX record or via a static route to a designated host name or IP address.
2. The partner wishes to know the details of the certificates used for the connection (issuer, key size, encryption). If this is provided by FOPE, how do I get this information?
3. The partner wants us to install their Entrust root CA certificates. Is this possible?
Any help greatly appreciated.
I understand you'd like to arrange a TLS connection with your partner.
I'd like to reply to your questions one by one:
1) Office 365 uses public MX records for mail routing.
2) The FOPE inbound hostname is mail.messaging.microsoft.com. You can let your partner trust this certificate name on their side.
To troubleshoot why a forced TLS recipient is not receiving messages, you can refer to
3) It's not possible to install a new certificate, but FOPE supports many popular root CAs. For more information, you can refer to FOPE Trusted Root CAs.
For more information, you can refer to the following articles:
Understanding Transport Layer Security (TLS) in FOPE
FOPE TLS FAQs
If you have any additional questions, please feel free to post them in the forum.
That's really helpful thanks.
Is it possible to get the details of the mail.messaging.microsoft.com certificate (encryption, key size, etc.)?
Here is an article about Certificate Management for your reference:
How are things going? Did Ayarn's information help you or do you need any further assistance?
I don't think Ayarn's post is relevant to this topic. I just need to know the key size, and encryption details of the mail.messaging.microsoft.com certificate.
Thank you for your reply.
As I understand, you want to set up a secure mail flow channel with your trusted partners using TLS connections.
For this situation, you may ask your partner to set up the secure mail flow channel with Office 365 by following the tips below on their side.
1. Create outbound connectors with your Office 365 domain as the recipient domain.
2. Make sure their organization trusts the certificate mail.messaging.microsoft.com.
Note: It is not necessary to be concerned about the issuer, key size, or encryption information of the mail.messaging.microsoft.com certificate.
3. Configure the TLS settings for the connector.
For detailed steps about configuring forced TLS connections between FOPE and a regulated partner, please refer to the article below.
Regulated Partner with Forced TLS Scenario
Did the above reply answer your questions? If you need additional information on this problem, feel free to let us know. Thank you.
I have managed to enable TLS and the trusted company has connected OK; however, they raised the following concern:
"...the MX record and the 220, 250 banners are not matching. This is a prerequisite for proper TLS establishment."
How can I change the banners to meet this requirement?
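The two things this thread keeps circling back to (the key size, issuer and cipher of the certificate the Office 365 side presents, and the partner's "MX record and 220 banner are not matching" complaint) can both be checked from the partner's side with a STARTTLS probe. The script below is an added example, not code from the original thread or from Microsoft. It uses only the Python standard library for the SMTP exchange and assumes the openssl CLI is on PATH for the key size and issuer, which the ssl module does not expose; the example.net hostnames, the SAMPLE_CERT dict and the SAMPLE_BANNER line are constructed test data, not a real certificate or server.

```python
"""Added example, not from the original thread: inspect what an SMTP server
presents during STARTTLS and test the partner's complaint that the MX record,
the 220 banner and the certificate do not agree. Standard library only; the
openssl CLI is assumed to be installed for the key-size / issuer details."""
import re
import smtplib
import ssl
import subprocess
import sys


def parse_banner_host(banner: str) -> str:
    """Hostname from an SMTP greeting ('220 <domain> [text]' or '220-...'),
    lower-cased without a trailing dot; '' if the line is not a 220 greeting."""
    m = re.match(r"^220[ -]([A-Za-z0-9.-]+)", banner.strip())
    return m.group(1).lower().rstrip(".") if m else ""


def cert_dns_names(cert: dict) -> set[str]:
    """DNS names from an ssl getpeercert() dict: SAN DNS entries plus subject CN."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    return names


def name_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a certificate name. Only a wildcard that is the
    whole leftmost label is honoured (RFC 6125 6.4.3): '*.example.net' covers
    'mx1.example.net' but not 'example.net' or 'a.b.example.net'."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # '.example.net'
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def check_consistency(mx_hosts, banner_host: str, cert_names) -> dict:
    """The three facts behind 'MX record and 220 banner are not matching'."""
    mx = {h.lower().rstrip(".") for h in mx_hosts}

    def covered(h: str) -> bool:
        return any(name_matches(h, n) for n in cert_names)

    return {
        "banner_matches_mx": banner_host in mx,
        "banner_in_cert": bool(banner_host) and covered(banner_host),
        "mx_in_cert": all(covered(h) for h in mx),
    }


def key_details(pem: str) -> dict:
    """Issuer, public-key size and signature algorithm parsed from
    'openssl x509 -text' output (openssl assumed present on PATH)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-text"],
                         input=pem, capture_output=True, text=True, check=True).stdout

    def grab(rx: str):
        m = re.search(rx, out, re.M)
        return m.group(1).strip() if m else None

    return {"issuer": grab(r"^issuer=(.*)$"),
            "key_bits": grab(r"Public-Key: \((\d+) bit\)"),
            "signature_algorithm": grab(r"Signature Algorithm: (\S+)")}


def probe(mx_host: str, port: int = 25, timeout: float = 15.0) -> dict:
    """Live check (network): connect to the host the MX record names, read the
    banner, EHLO, STARTTLS, then report names, issuer, key size and the
    negotiated protocol/cipher. The chain must validate against the local trust
    store for getpeercert() to return a populated dict, so an untrusted issuer
    surfaces here as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report name mismatches instead of failing on them
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, msg = smtp.connect(mx_host, port)
        banner_host = parse_banner_host(f"{code} {msg.decode(errors='replace')}")
        smtp.ehlo()
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        der = smtp.sock.getpeercert(binary_form=True)
        report = {"banner_host": banner_host, "tls_version": smtp.sock.version(),
                  "cipher": smtp.sock.cipher()[0], "not_after": cert.get("notAfter"),
                  "cert_names": sorted(cert_dns_names(cert))}
    report.update(check_consistency([mx_host], banner_host, cert_dns_names(cert)))
    report.update(key_details(ssl.DER_cert_to_PEM_cert(der)))
    return report


# Constructed sample shaped like ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.example.net"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "mx1.example.net"), ("DNS", "*.example.net")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_BANNER = "220 mx1.example.net ESMTP Service ready"  # constructed


def offline_demo() -> dict:
    """Consistency checks on the constructed sample: the banner names the MX
    host and the wildcard SAN covers it, so all three checks come back True."""
    return check_consistency(["mx1.example.net"], parse_banner_host(SAMPLE_BANNER),
                             cert_dns_names(SAMPLE_CERT))


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else offline_demo())
```

Run it as `python probe.py mail.messaging.microsoft.com` from the partner's network to get the banner hostname, certificate names, issuer, key size, signature algorithm and negotiated TLS version and cipher in one go; with no argument it runs the offline sample. A False in `banner_matches_mx` with True in `mx_in_cert` is the usual shape of the partner's complaint: a shared front end greets with its own machine name while the certificate still covers the MX name, which is what a certificate-validating send connector actually checks.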
You mentioned that you are setting this up with a trusted partner. Is this a Microsoft Partner? Are you connecting to their Office 365 account, or are you connecting to an on-premises Exchange server? If it is an on-premises Exchange server, what version is it?
If they are using Office 365 or Exchange 2010 SP2, they have a pre-established trust relationship with the Microsoft Federation Gateway, as you do as an Office 365 customer, and they don't need the MX record. They just need to use PowerShell to establish the trust relationship between your organization and theirs.
If they have an on-premises Exchange server, this document explains how to establish the trust relationship:
Also, here are a couple of excellent documents that explain how federation works:
Let me know if that helps,
It is with an on-premises 2007 server, I believe.
I will go back to them with that information.
I would like to join the discussion since I have a similar thread open at community.office365.com/.../208734.aspx
My partner (PARTNER.COM) is asking me to provide the certificate details so he can set up his part. He is asking for gateways, TLS certificate DN, and TLS certificate issuer CA (please provide CA name and URL to CA public key download). Would you point me to the place where this information can be downloaded?
Btw, the partner is not on Office 365 and most likely is not using any Microsoft products except Exchange.
Alternatively, I would like to set up my own CA certificate on FOPE/Office 365. Is this possible? If yes, how?
If they are using an Exchange 2007 server, this article may be more on point:
It looks like they will need to add an Exchange 2010 server with the Client Access server role installed in order to set up federated delegation.
So I can't set up a forced TLS connection to Exchange 2007? They need to have 2010?
If you look through the documents I listed in my previous post, you will see how federated delegation works in Office 365. Since all Office 365 customers already have a trusted relationship with the Microsoft Federation Gateway, the organization that you want to federate with just needs to establish a trusted relationship with the gateway as well; then it will be simple to create the trust between your organizations.
If I'm reading the docs right, not directly with the 2007 server. But since the server isn't hosting mailboxes it may not be as expensive and may be able to be run from a virtual host. Here is a link to the licensing info for Exchange server:
This seems like a pretty big limitation that doesn't seem to be mentioned anywhere here...technet.microsoft.com/.../gg430177
Setting up an additional server simply isn't an option for the partner we are dealing with. As far as they are concerned, they have the capability to set up encrypted email via TLS and have done so with several other clients; the fact that we can't isn't their problem.
I may have misunderstood what you were trying to do. I thought you were attempting to establish a federated trust with your partner and it appears, from the document you linked to, that you are just establishing secured communications. That is an entirely different animal.
That being said, it may be faster for you to open a ticket from your admin center and ask for it to be sent to the FOPE team. They have the resources and knowledge to assist you far better than I can in any FOPE related issue.
Sorry for the misunderstanding,
And now what about EOP? I am told that mail.messaging.microsoft.com is no longer being used, is this correct?
Do I need to update my previous connectors? What do we use instead for multiple domains, one of their MX records?