Exchange Hybrid Setup
Using Microsoft Exchange in a hybrid setup is possible with mailcow. With this setup you can add mailboxes on your mailcow and still use Exchange Online Protection. All mailboxes set up in Exchange receive their mail as usual, while additional mailboxes can be set up in mailcow without any further configuration on the Exchange side.
This setup becomes very handy if you have enabled the Office 365 security defaults and third-party applications can no longer log in to your mailboxes by any of the supported methods.
- The MX record of your domain needs to point at the Exchange mail service. Log in to your Admin center and look for the DNS settings of your domain to find your personalized gateway domain. It looks like contoso-com.mail.protection.outlook.com. Contact your domain registrar or DNS provider for further information on how to change the MX record.
- The domain you want to have additional mailboxes for must be set up as internal relay domain in Exchange:
  - Log in to your Exchange Admin Center
  - Select the mail flow pane and click on accepted domains
  - Select the domain and switch it from Authoritative to Internal relay
Set up the mailcow
Your mailcow needs to relay all mails to your personalized Exchange host. It is the same host address we already looked up for the MX record.
- Add the domain to your mailcow
- Add your personalized Exchange host address as relayhost
- Add your personalized Exchange host address as forwarding host to unconditionally accept all mails relayed from Exchange (Admin > Configuration & Details > Configuration Dropdown > Forwarding Hosts)
- Go to the domain settings and select the newly added host in the Sender-dependent transports dropdown. Enable relaying by ticking the Relay this domain, Relay all recipients and Relay non-existing mailboxes only checkboxes
From now on your mailcow accepts all mails relayed from Exchange. Because all mail is routed through Exchange, the filtering process is handled there; the inbound filtering of your mailcow, and with it the neural learning of your cow, no longer applies. Keep in mind that this only holds for mail that actually passes Exchange: anything delivered straight to the mailcow on port 25 never sees Exchange Online Protection, so make sure the mailcow does not accept direct inbound delivery from the internet if you rely on it.
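The four mailcow steps above can also be driven through the mailcow API instead of the web UI. The following script is an added example and not part of the mailcow documentation. It assumes a mailcow reachable at https://mail.example.org, an API key with read/write access (Admin > Configuration & Details > Access > API), example.org as the hybrid domain and contoso-com.mail.protection.outlook.com as the Exchange gateway host found in the MX lookup. The endpoint paths and field names are those of the mailcow API as published on its Swagger page (https://<your-mailcow>/api); check them there before use, since they are taken from memory here and not from this page.

```powershell
# Added example (not from the mailcow docs): mailcow side of the hybrid setup via API.
# Assumed values, adjust to your installation:
$Mailcow = 'https://mail.example.org'
$Headers = @{ 'X-API-Key' = 'REPLACE_WITH_API_KEY' }
$Domain  = 'example.org'
$Gateway = 'contoso-com.mail.protection.outlook.com'

function Invoke-MailcowApi {
    param([string]$Path, [hashtable]$Body)
    $uri = "$Mailcow/api/v1/$Path"
    if ($null -eq $Body) {
        return Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    }
    Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 5)
}

# 1. Add the domain. The three relay flags map to the checkboxes in the UI:
#    backupmx = "Relay this domain", relay_all_recipients = "Relay all recipients",
#    relay_unknown_only = "Relay non-existing mailboxes only".
Invoke-MailcowApi 'add/domain' @{
    domain = $Domain; description = 'Exchange hybrid domain'; active = 1
    backupmx = 1; relay_all_recipients = 1; relay_unknown_only = 1
    mailboxes = 50; aliases = 200; defquota = 3072; maxquota = 10240; quota = 102400
}

# 2. The Exchange gateway as relayhost. No SMTP credentials: Exchange attributes
#    the mailcow to the tenant by certificate or static IP, not by a login.
Invoke-MailcowApi 'add/relayhost' @{ hostname = $Gateway; username = ''; password = '' }

# 3. The same gateway as forwarding host, so mail relayed from Exchange is
#    accepted unconditionally. filter_spam = 0 mirrors the note above that
#    inbound filtering now happens in Exchange Online Protection.
Invoke-MailcowApi 'add/fwdhost' @{ hostname = $Gateway; filter_spam = 0 }

# 4. Sender-dependent transport: bind the relayhost to the domain by its id
#    (field name 'relayhost' in the domain edit call is an assumption, see lead-in).
$relay = Invoke-MailcowApi 'get/relayhost/all' | Where-Object { $_.hostname -like "$Gateway*" }
Invoke-MailcowApi 'edit/domain' @{ items = @($Domain); attr = @{ relayhost = $relay.id } }
```

Run it once on an otherwise empty domain; each call returns a JSON status object from mailcow, and a `danger` entry in that object means the step has to be repeated after fixing the reported field.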
Set up Connectors in Exchange
All mail traffic now goes through Exchange, so Exchange Online Protection already filters all incoming and outgoing mail. Now we need to set up two connectors: one to relay incoming mails from Exchange to the mailcow, and another one to accept mails relayed from the mailcow to Exchange. You can follow the official guide from Microsoft.
For the connector that handles mails from your mailcow to Exchange, Microsoft offers two ways of authenticating it. The recommended way is a TLS certificate whose subject name matches an accepted domain in Exchange; the certificate must be issued by a certificate authority Exchange trusts, so a self-signed certificate does not qualify. Otherwise you need to choose authentication by the static IP address of your mailcow.
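The Exchange Online side (the internal relay prerequisite from above plus both connectors) can be done in Exchange Online PowerShell instead of the admin center. The following is an added example, not from the mailcow documentation or Microsoft's guide. It assumes example.org is the accepted domain that gets extra mailboxes on mailcow, the mailcow is reachable as mail.example.org on port 25, its TLS certificate is issued by a public CA with that name as subject, the connector names are free to choose, and the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the mailcow docs or Microsoft's guide).
# Assumed values, adjust to your tenant:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in as an Exchange admin

$Domain      = 'example.org'
$MailcowFqdn = 'mail.example.org'

# Prerequisite from above: the domain must be an internal relay domain. As an
# authoritative domain Exchange rejects recipients it does not know
# (550 5.1.10 RecipientNotFound) instead of handing them to the outbound connector.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# Connector 1: Exchange Online -> mailcow. Scoped to the domain, so only mail for
# example.org recipients that Exchange cannot resolve is routed to the mailcow.
# CertificateValidation makes Exchange verify the mailcow's certificate against
# the smart host name, which is why a self-signed certificate will not do here.
# UseMXRecord must be off: the MX of the domain points back at Exchange itself.
New-OutboundConnector -Name 'EXO to mailcow' `
    -ConnectorType OnPremises `
    -RecipientDomains $Domain `
    -SmartHosts $MailcowFqdn `
    -UseMXRecord $false `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Connector 2: mailcow -> Exchange Online. Attribution to the tenant by the
# certificate subject the mailcow presents, the method Microsoft recommends.
# If the subject does not match an accepted domain, the mailcow's mail is refused
# with 550 5.7.64 TenantAttribution; Relay Access Denied.
New-InboundConnector -Name 'mailcow to EXO' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName $MailcowFqdn `
    -Enabled $true

# Alternative when certificate attribution is not an option: attribute by the
# mailcow's static public address instead (203.0.113.10 is a placeholder).
# New-InboundConnector -Name 'mailcow to EXO' -ConnectorType OnPremises `
#     -SenderDomains '*' -SenderIPAddresses '203.0.113.10' -RequireTls $true -Enabled $true

# Let Exchange Online test the outbound connector against a recipient that only
# exists on the mailcow; the result reports whether the mailcow accepted it.
Validate-OutboundConnector -Identity 'EXO to mailcow' -Recipients "mailcow-only@$Domain"
```

Keep the inbound connector as narrow as the page allows: certificate attribution ties tenant membership to a key the mailcow controls, whereas IP attribution trusts every host that can send from that address, which matters when the mailcow shares its egress IP with other systems.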
The easiest way to validate the hybrid setup is by sending a mail from the internet to a mailbox that only exists on the mailcow, and vice versa, from that mailcow-only mailbox to an address on the internet.
- The connector validation from Exchange to your mailcow fails with
  550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient firstname.lastname@example.org not found by SMTP address lookup
  Possible solution: Your domain is not set up as internal relay, so Exchange cannot find the recipient and rejects it instead of relaying it to the mailcow.
- Mails sent from the mailcow to a mailbox on the internet cannot be sent; the non-delivery report contains the error
  550 5.7.64 TenantAttribution; Relay Access Denied
  Possible solution: The authentication of the inbound connector failed. Make sure the certificate subject matches an accepted domain in Exchange, or try authenticating by static IP instead.
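The two failures above can be checked from an Exchange Online PowerShell session before resending test mails. The following diagnostic script is an added example and not from the mailcow documentation; it assumes example.org as the hybrid domain, connectors named 'EXO to mailcow' and 'mailcow to EXO', and a test recipient mailcow-only@example.org that exists only on the mailcow.

```powershell
# Added diagnostic checks (not from the mailcow docs). Assumed names, adjust to your tenant:
$Domain   = 'example.org'
$Outbound = 'EXO to mailcow'
$Inbound  = 'mailcow to EXO'
$TestRcpt = "mailcow-only@$Domain"

# 550 5.1.10 RecipientNotFound: Exchange only relays unknown recipients of an
# internal relay domain; an authoritative domain is a dead end for them.
$acc = Get-AcceptedDomain -Identity $Domain
if ($acc.DomainType -ne 'InternalRelay') {
    Write-Warning "$Domain is '$($acc.DomainType)', expected 'InternalRelay'"
}

# The outbound connector must be enabled, scoped to the domain and route by
# smart host, not by MX (the MX of the domain points back at Exchange).
$out = Get-OutboundConnector -Identity $Outbound
if (-not $out.Enabled -or $out.UseMXRecord -or ($out.RecipientDomains -notcontains $Domain)) {
    Write-Warning "Outbound connector '$Outbound' is disabled, uses MX or is not scoped to $Domain"
}

# 550 5.7.64 TenantAttribution: certificate attribution only works when the
# certificate name on the inbound connector is an accepted domain or a host
# below one (mail.example.org or *.example.org for accepted domain example.org).
$in = Get-InboundConnector -Identity $Inbound
if ([string]::IsNullOrEmpty($in.TlsSenderCertificateName)) {
    Write-Host "Inbound connector '$Inbound' attributes by IP: $($in.SenderIPAddresses -join ', ')"
} else {
    $certName  = $in.TlsSenderCertificateName -replace '^\*\.', ''   # *.example.org -> example.org
    $accepted  = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString() }
    $certMatch = $accepted | Where-Object { $certName -eq $_ -or $certName.EndsWith(".$_") }
    if (-not $certMatch) {
        Write-Warning "Certificate name '$($in.TlsSenderCertificateName)' matches no accepted domain; fix the certificate or switch to -SenderIPAddresses"
    }
}

# Follow the test mail from the internet to the mailcow-only recipient. A row
# with Status 'Failed' means Exchange rejected it itself (check the 5.1.10 hint
# above); no row at all means the MX does not point at Exchange yet.
Get-MessageTrace -RecipientAddress $TestRcpt `
    -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, Status |
    Format-Table -AutoSize
```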
Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment