Exchange
Instructions for integrating with SecuMailer.
Introduction
Exchange is able to direct traffic to certain recipients (recipient based routing), but it does not contain functionality for routing based on the sender (sender based routing). By using a redirect mail flow rule it is possible to do a form of sender based routing that is sufficient for directing traffic to SecuMailer without violating the Exchange way-of-working. The high level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. In addition, a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).
The integration method outlined in this document has been tested with Microsoft Exchange 2016. There is no reason to assume this method will not work in older versions of Exchange, but this has not been verified by SecuMailer. The basic idea is to direct traffic from certain addresses / mailboxes towards SecuMailer. It is not necessary to direct all email traffic towards SecuMailer unless that is what you intend.
Exchange Admin Center
Please open a browser and enter the URL of your Exchange Admin Center.
Create Distribution Group
In EAC select recipients in the main menu and subsequently select groups from the context menu. Click on the + symbol and select Distribution Group from the dropdown menu. You should now see the pop-up named new distribution group.
Please fill in Display name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.
Please fill in Alias. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer.
Please select the Organizational unit that contains the mailboxes that you wish to connect with SecuMailer.
Please set the Owners according to your organization’s standards.
Please add as Members the mailbox(es) that you wish to connect with SecuMailer.
Please deselect Add group owners as members as this would automatically add the administrators to the group that will forward all email via SecuMailer (unless this is your intention).
Please apply any other setting that you apply within your organization on this Distribution Group. After you are finished setting all options please click on the Save button to store your Distribution Group configuration.
Create Contact
You should still be in the recipients context (if not please click on recipients in the main navigation). Please select contacts in the context menu. Click on the + symbol and select Mail contact from the dropdown menu. You should now see the pop-up new mail contact (see below).
Please fill in Display name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.
Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.
Please fill in Alias. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer Relay.
Please fill in External email address and use the following convention:
SMTP:secumailer@secumailer.relay
The domain secumailer.relay doesn’t exist, which is intentional. After you are finished setting all options please click on the Save button to store your Contacts configuration.
Create Transport Rule
In this section you will create two Transport Rules. The first transport rule will handle external BCC recipients, the second rule will direct your mail traffic towards the SecuMailer platform.
External BCC recipients
Due to how mail relay integration works, SecuMailer can’t work with BCC recipients: this information gets lost in the protocol exchange. Internal BCC recipients are not affected, but to make sure no inadvertent external BCC recipients are used we require a transport rule that will decline usage of external BCC recipients.
In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).
Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “No external BCC”.
Carry out the following steps:
At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in paragraph "Create Distribution Group" and click on the OK button.
Click on the button Add condition to add the second condition. At the second dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option Outside the organization and click on OK.
Click on the button Add condition to add the third and last condition. At the third dropdown list select A message header … and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns … and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK.
At the next drop down under the label Do the following... select the option Block the message and in the sub drop down select Reject the message with the explanation. In the popup titled specify rejection reason you can provide an explanation why this message is blocked. An example that you might use is: “Your message is blocked and not delivered due to our policy not allowing external BCC recipients”. Click on ‘OK’.
Scroll down the form and check the box at Stop processing more rules.
Click on Save. You are now done with the first transport rule.
Redirect traffic to SecuMailer
You are still in the rules section of mail flow. Please create the second transport rule by clicking on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule.
Please carry out the following steps:
Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer”.
At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in paragraph "Create Distribution Group" and click on the OK button.
At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.
At Except if … click on the button add exception. If you don’t see this option please scroll down until you see the link More options… and click on the link; this should give you the possibility of adding an exception. In the dropdown list select The recipient… and select internal/external. In the popup window select internal and click on OK.
Click on the button add exception to add a second exception. In the dropdown list select A message header… and in the sub dropdown list select matches these text patterns. To the right of the dropdown click on the Enter text link and in the popup titled specify header name fill in the following: X-MS-Exchange-Organization-BCC and click on OK. Next click on the link titled Enter text patterns… and in the popup titled specify words or phrases fill in the following: $ and click on the + symbol to the right and subsequently click on OK.
After you are finished setting all options please click on the Save button to store your Mail Rule configuration.
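The two transport rules from the sections "External BCC recipients" and "Redirect traffic to SecuMailer" can also be created from the Exchange Management Shell. This is an added example, not part of SecuMailer's own instructions; it assumes the default names suggested on this page (group SecuMailer, contact SecuMailer Relay).

```powershell
# Added example: Exchange Management Shell equivalent of the two EAC rules.
# Assumed names (defaults suggested on this page); adjust to your convention.
$group   = 'SecuMailer'          # Distribution Group with the connected mailboxes
$contact = 'SecuMailer Relay'    # Mail contact SMTP:secumailer@secumailer.relay
$bccHdr  = 'X-MS-Exchange-Organization-BCC'

# Rule 1: reject mail from group members to external recipients when the
# BCC header is set. '$' is the regex end-of-string anchor, so it matches
# whatever value the header carries. Single quotes keep PowerShell from
# treating '$' as the start of a variable.
New-TransportRule -Name 'No external BCC' `
    -FromMemberOf $group `
    -SentToScope NotInOrganization `
    -HeaderMatchesMessageHeader $bccHdr `
    -HeaderMatchesPatterns '$' `
    -RejectMessageReasonText 'Your message is blocked and not delivered due to our policy not allowing external BCC recipients' `
    -StopRuleProcessing $true

# Rule 2: redirect everything else from group members to the relay contact,
# except internal recipients and messages that carry the BCC header.
New-TransportRule -Name 'Redirect to SecuMailer' `
    -FromMemberOf $group `
    -RedirectMessageTo $contact `
    -ExceptIfSentToScope InOrganization `
    -ExceptIfHeaderMatchesMessageHeader $bccHdr `
    -ExceptIfHeaderMatchesPatterns '$'

# New rules are appended after existing ones, so creating the reject rule
# first keeps it ahead of the redirect rule. Confirm order and state:
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Name, Priority, State -AutoSize
```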
Create Send Connector
You should still be in the mail flow context (if not please click on mail flow in the main navigation). Please select send connectors in the context menu. Click on the + symbol. You should now see the pop-up new send connector (see below).
Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer”.
Click on button Next. Please select Route mail through smart hosts and click on the + symbol.
You will get a pop-up titled “add smart host”. Please fill in the following value: mail-relay.secumail.cloud. Click on the Save button. Click on the Next button to proceed.
Please select option Basic authentication and select Offer basic authentication only after starting TLS. At the User name and Password fields please fill in the values supplied by SecuMailer. If you haven’t received these values please contact SecuMailer Support at support@secumailer.com. Click on the Next button to proceed to the next screen.
Please click on the + symbol. In the popup please fill in Full Qualified Domain Name (FQDN) with value: secumailer.relay
Click on the Save button to proceed. The new send connector window should look as follows:
Click on the Next button to proceed. In the next popup click on the + button.
Please select your server and click on the Add button. Please click on the OK button.
The new send connector window should look as follows (with your mail server shown rather than the example server):
Please click on Finish.
Change Send Connector Port
Please start the Exchange Management Shell.
Please type: Get-SendConnector
With the next command you switch the SecuMailer Send Connector to use port 587 rather than port 25. This instruction assumes you have used “SecuMailer” as the name for your Send Connector. If you have chosen a different name for the Connector please use that name. Please type:
Set-SendConnector -identity "SecuMailer" -Port:587
Hit enter to execute. If all went well the command completes without any issues.
Firewall
Please make sure you allow port 587 outgoing to mail-relay.secumail.cloud to allow the email traffic to reach the SecuMailer platform.
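A quick check of the connector and firewall settings from this guide, run in the Exchange Management Shell on the Exchange server that sends the mail. This is an added example, not part of SecuMailer's own instructions; it assumes the connector name SecuMailer and that the Test-NetConnection cmdlet is available on the server.

```powershell
# Added example: verify the send connector values configured in this guide.
$name      = 'SecuMailer'                  # connector name suggested on this page
$smartHost = 'mail-relay.secumail.cloud'   # smart host from this page
$c = Get-SendConnector -Identity $name

# Collections are compared as strings so the check works whether the shell
# returns live objects or deserialized (remoting) objects.
$checks = [ordered]@{
    'Port is 587'                      = ($c.Port -eq 587)
    'Smart host is the SecuMailer relay' = ("$($c.SmartHosts)" -like "*$smartHost*")
    'Basic auth only after TLS'        = ("$($c.SmartHostAuthMechanism)" -eq 'BasicAuthRequireTLS')
    'Address space secumailer.relay'   = ("$($c.AddressSpaces)" -like '*secumailer.relay*')
    'Outbound TCP 587 reachable'       = (Test-NetConnection -ComputerName $smartHost -Port 587 -InformationLevel Quiet)
}

# Print one OK/FAIL line per check.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the authentication line means the credentials could be offered without TLS, which is the setting to correct before sending any mail through the connector.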
Disabling Rich Text Format
Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF for short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises disabling Rich Text Format to avoid inadvertently sending mails in this format.
To disable RTF please start the Exchange Management Shell. This instruction assumes you have used “SecuMailer Contact” as the name for your Contact setting. If you have chosen a different name for the Contact please use that name. Please type:
Set-MailContact -Identity "SecuMailer Contact" -UseMapiRichTextFormat Never
Hit enter to execute. If all went well the command completes without any issues.
The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.
NTA 7516
The NTA 7516 functionality requires two additional changes to your Exchange configuration:
Creation of a separate Distribution Group
Creation of a mail flow rule
NTA 7516 Distribution Group
For the creation of the Distribution Group please see the relevant instructions in this manual. You can name this Distribution Group "SecuMailer NTA7516".
After you have created the Distribution Group please create a new mail flow rule.
NTA 7516 Mail Flow Rule
In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).
Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516”.
At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.
Please carry out the following steps:
At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in NTA 7516 Distribution Group and click on the OK button.
In the next dropdown list named Do the following select the option Modify the message properties and select Set a message header. In the text to the right of the option click on the first Enter text... link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on OK. Click on the second Enter text... link and in the message value popup fill in: true and click on OK.
Click on the button add action to add a second Action. At dropdown list Do the following… please select Redirect the message to… and select and add the contact you created in paragraph "Create Contact" and click on the OK button.
Click on the button Add exception to add an exception. At dropdown list select The recipient... and in the sub dropdown list select is internal/external. In the select recipient location popup select the option inside the organization and click on OK.
This completes the Transport Rule for NTA 7516. Please click on Save to finalize the setup.
Appendix Exclaimer & CodeTwo
If the customer is using Exclaimer or CodeTwo, please see the separate section on configuring SecuMailer together with Exclaimer or configuring SecuMailer together with CodeTwo.