Exchange

Instructions for integrating with SecuMailer.

Introduction

Exchange can direct traffic based on the recipient (recipient-based routing), but it does not contain functionality for routing based on the sender (sender-based routing). By using a redirect mail flow rule it is possible to do a form of sender-based routing that is sufficient for directing traffic to SecuMailer without violating the Exchange way of working. The high-level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. In addition, a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector, which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).

The integration method outlined in this document has been tested with Microsoft Exchange 2016. There is no reason to assume this method will not work in older versions of Exchange; however, this has not been verified by SecuMailer. The basic idea is to direct traffic from certain addresses / mailboxes towards SecuMailer. It is not necessary to direct all email traffic towards SecuMailer unless that is what you intend.

Exchange Admin Center

Please open a browser and provide the url for your Exchange Admin Center.

Create Distribution Group

In EAC select recipients in the main menu and subsequently select groups from the context menu. Click on the + symbol and select Distribution Group from the dropdown menu. You should now see the pop-up named new distribution group.

Please fill in Display name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.

Please fill in Alias.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.

Please select the Organizational unit that contains the mailboxes that you wish to connect with SecuMailer. Please set the Owners according to your organization’s standards. Please add as Members the mailbox(es) that you wish to connect with SecuMailer.

Please deselect Add group owners as members as this would automatically add the administrators to the group that will forward all email via SecuMailer (unless this is your intention).

Please apply any other setting that you apply within your organization on this Distribution Group. After you are finished setting all options please click on the Save button to store your Distribution Group configuration.

Create Contact

You should still be in the recipients context (if not please click on recipients in the main navigation). Please select contacts in the context menu. Click on the + symbol and select Mail contact from the dropdown menu. You should now see the pop-up new mail contact (see below).

Please fill in Display name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in Alias.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.

Please fill in External email address and use the following convention:

SMTP:secumailer@secumailer.relay

The domain secumailer.relay doesn’t exist, which is intentional. After you are finished setting all options please click on the Save button to store your Contacts configuration.

Create Transport Rule

In this section you will create two Transport Rules. The first transport rule will handle external BCC recipients, the second rule will direct your mail traffic towards the SecuMailer platform.

External BCC recipients

Due to how mail relay integration works, SecuMailer can’t work with BCC recipients: this information gets lost in the protocol exchange. Internal BCC recipients are not affected, but to make sure no inadvertent external BCC recipients are used we require a transport rule that will decline usage of external BCC recipients. In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “No external BCC”.

Carry out the following steps:

  • At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in paragraph "Create Distribution Group" and click on the OK button.

  • Click on the button Add condition to add the second condition. At the second dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option Outside the organization and click on OK.

  • Click on the button Add condition to add the third and last condition. At the third dropdown list select A message header … and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns … and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK.

  • At the next drop down under the label Do the following... select the option Block the message and in the sub drop down select Reject the message with the explanation. In the popup titled specify rejection reason you can provide an explanation why this message is blocked. An example that you might use is: “Your message is blocked and not delivered due to our policy not allowing external BCC recipients”. Click on OK.

  • Scroll down the form and check the box at Stop processing more rules. Click on Save. You are now done with the first transport rule.

Redirect traffic to SecuMailer

You are still in the rules section of mail flow. Please create the second transport rule by clicking on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule.

Please carry out the following steps:

  • Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer”.

  • At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in paragraph "Create Distribution Group" and click on the OK button.

  • At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.

  • At Except if … click on the button add exception. If you don’t see this option please scroll down until you see the link More options… and click on the link, this should give you the possibility of adding an exception. In the dropdown list select The recipient… and select internal/external. In the popup window select internal and click on OK.

  • Click on the button add exception to add a second exception. In the dropdown list select A message header… and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns… and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK. After you are finished setting all options please click on the Save button to store your Mail Rule configuration.

Create Send Connector

You should still be in the mail flow context (if not please click on mail flow in the main navigation). Please select send connectors in the context menu. Click on the + symbol. You should now see the pop-up new send connector (see below).

Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer”.

Click on button Next. Please select Route mail through smart hosts and click on the + symbol.

You will get a pop-up titled “add smart host”.

Please fill in the following value: mail-relay.secumail.cloud. Click on the Save button. Click on the Next button to proceed.

Please select option Basic authentication and select Offer basic authentication only after starting TLS. At the User name and Password fields please fill in the values supplied by SecuMailer. If you haven’t received these values please contact SecuMailer Support at support@secumailer.com. Click on the Next button to proceed to the next screen.

Please click on the + symbol. In the popup please fill in Full Qualified Domain Name (FQDN) with value: secumailer.relay

Click on the Save button to proceed. The new send connector window should look as follows:

Click on the Next button to proceed. In the next popup click on the + button.

Please select your server and click on the Add button. Please click on the OK button.

The new send connector window should look as follows (with your mail server shown rather than the example server):

Please click on Finish

Change Send Connector Port

Please start the Exchange Management Shell.

Please type: Get-SendConnector

With the next command you switch the SecuMailer Send Connector to use port 587 rather than port 25. This instruction assumes you have used “SecuMailer” as the name for your Send Connector. If you have chosen a different name for the Connector please use that name. Please type:

Set-SendConnector -identity "SecuMailer" -Port:587

Hit enter to execute. If all went well the command completes without any issues.

Firewall

Please make sure you allow port 587 outgoing to mail-relay.secumail.cloud to allow the email traffic to reach the SecuMailer platform.

Disabling Rich Text Format

Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF for short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises disabling Rich Text Format to avoid inadvertently sending mails in this format.

To disable RTF please start the Exchange Management Shell. This instruction assumes you have used “SecuMailer Contact” as the name for your Contact setting. If you have chosen a different name for the Contact please use that name. Please type:

Set-MailContact -Identity "SecuMailer Contact" -UseMapiRichTextFormat Never

Hit enter to execute. If all went well the command completes without any issues.

The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.
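The EAC steps above, from the Distribution Group through the send connector port and the RTF setting, written as one Exchange Management Shell script so the configuration can be reviewed and repeated. This is an added example, not SecuMailer's own script. It assumes the default names suggested in this manual, a contact alias without a space, connector usage type Custom, and placeholder values for $Members and $Server.

```powershell
# Added example (not SecuMailer's own script). Run in the Exchange Management Shell.
# Placeholders you must set yourself:
$Members = 'user1@example.com'   # mailbox(es) to route via SecuMailer
$Server  = 'EXCH01'              # your source transport server
# Names below follow the defaults suggested in this manual (assumption).
$Group   = 'SecuMailer'
$Contact = 'SecuMailer Relay'
$BccHdr  = 'X-MS-Exchange-Organization-BCC'

# Distribution Group. -CopyOwnerToMember is deliberately omitted so that
# group owners are not routed through SecuMailer.
New-DistributionGroup -Name $Group -Alias $Group -Members $Members

# Mail contact on the intentionally non-existent domain, with RTF disabled.
# The alias without a space is an assumption of this example.
New-MailContact -Name $Contact -Alias 'SecuMailerRelay' `
    -ExternalEmailAddress 'SMTP:secumailer@secumailer.relay'
Set-MailContact -Identity $Contact -UseMapiRichTextFormat Never

# Rule 1: reject mail from group members to external recipients when the
# BCC header matches. Single quotes keep PowerShell from expanding the $.
New-TransportRule -Name 'No external BCC' -FromMemberOf $Group `
    -SentToScope NotInOrganization `
    -HeaderMatchesMessageHeader $BccHdr -HeaderMatchesPatterns '$' `
    -RejectMessageReasonText 'Your message is blocked and not delivered due to our policy not allowing external BCC recipients' `
    -StopRuleProcessing $true

# Rule 2: redirect mail from group members to the relay contact, except
# for internal recipients and messages carrying the BCC header.
New-TransportRule -Name 'Redirect to SecuMailer' -FromMemberOf $Group `
    -RedirectMessageTo $Contact `
    -ExceptIfSentToScope InOrganization `
    -ExceptIfHeaderMatchesMessageHeader $BccHdr -ExceptIfHeaderMatchesPatterns '$'

# Send connector scoped to secumailer.relay only: smart host on port 587,
# basic authentication offered only after TLS. Usage Custom is an assumption.
New-SendConnector -Name 'SecuMailer' -Usage Custom `
    -AddressSpaces 'secumailer.relay' `
    -DNSRoutingEnabled $false -SmartHosts 'mail-relay.secumail.cloud' `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential (Get-Credential) `
    -SourceTransportServers $Server -Port 587

# Review the result before sending test mail.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
Get-SendConnector -Identity 'SecuMailer' |
    Format-List Name, Port, SmartHosts, SmartHostAuthMechanism, AddressSpaces, Enabled
```

Get-Credential prompts for the user name and password supplied by SecuMailer, so the credentials are not stored in the script.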

NTA 7516

The NTA 7516 functionality requires two additional changes to your Exchange configuration:

  • Creation of a separate Distribution Group

  • Creation of a mail flow rule

NTA 7516 Distribution Group

For the creation of the Distribution Group please see the relevant instructions in this manual. You can name this Distribution Group "SecuMailer NTA7516".

After you have created the Distribution Group please create a new mail flow rule.

NTA 7516 Mail Flow Rule

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516”.

At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.

Please carry out the following steps:

  • At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in NTA 7516 Distribution Group and click on the OK button.

  • In the next dropdown list named Do the following select the option Modify the message properties and select Set a message header. In the text to the right of the option click on the first Enter text... link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on OK. Click on the second Enter text... link and in the message value popup fill in: true and click on OK.

  • Click on the button add action to add a second Action. At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.

  • Click on the button Add exception to add an exception. At dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option inside the organization and click on OK.

This completes the Transport Rule for NTA 7516. Please click on Save to finalize the setup.

Appendix Exclaimer & CodeTwo

If the customer is using Exclaimer or CodeTwo, please see the separate section on configuring SecuMailer together with Exclaimer or configuring SecuMailer together with CodeTwo.
