Microsoft 365

Instructions for integrating with SecuMailer.

Introduction

O365 can direct traffic to certain recipients (recipient-based routing), but it does not contain functionality for routing based on the sender (sender-based routing). By using a redirect mail flow rule it is possible to do a form of sender-based routing that is sufficient for directing traffic to SecuMailer without violating the Microsoft 365 way of working. The high-level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. In addition, a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector, which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).

Microsoft 365 Admin center

Please log in to your Microsoft 365 Admin Center (via https://portal.office.com).

Select Admin Centers → Exchange.

You will see the Exchange Admin Center as shown above.

Configure Connector

Please click on mail flow, followed by connectors. In the connector view click on the +New Connector link to open the New Connector popup (see below). In the corporate Microsoft 365 versions you need to select the send connector.

In the Connection from list select Microsoft 365, then in the Connection to list select Partner organization. Click Next.

The next step is to give the connector a name. You may choose anything you like; if you can’t think of anything, use SecuMailer. You can add a description in the Description field if you wish; it is not mandatory. You can keep the checkbox at What do you want to do after connector is saved? selected. Click on Next to go to the next step.

The next step determines when you want to use the connector. Please select the first radio button Only when I have a transport rule set up that redirects messages to this connector and click on Next.

The next step determines where you want to deliver email that is associated with this transport rule. Please select the second radio button Route email through these smart hosts and click on the + symbol. In the new popup fill in mail-relay.secumail.cloud and click on Save.

The Add a connector popup should show mail-relay.secumail.cloud as new smart host. Click Next to go to the next step.

In this step you need to configure the secure connection with the SecuMailer mail relay. Please make sure that the first checkbox is on, it's named Always use Transport Layer Security (TLS) to secure the connection (recommended). Select the radio button Issued by a trusted certificate authority (CA). Please activate the checkbox And the subject name or subject alternative name (SAN) matches this domain name: and fill in mail-relay.secumail.cloud (see below). Click on Next.

You are now at the final step of the Transport Rule flow. The connector needs to be validated through a remote e-mail domain. This cannot be one of the domains used within the Microsoft 365 tenant. Fill in an e-mail address (likely Gmail or another address) and click on Validate.

You should see a summary of the Transport Rule settings you applied in the previous steps.

Verify your settings and click on Create connector. Hereby the connector is created.
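The connector settings chosen in the steps above can also be applied and read back from Exchange Online PowerShell, which makes the TLS requirement easy to audit later. This is an added example, not part of the original SecuMailer instructions; it assumes an active Connect-ExchangeOnline session and uses the connector name SecuMailer suggested above.

```powershell
# Added example: assumes the ExchangeOnlineManagement module and an active
# Connect-ExchangeOnline session with rights to manage connectors.
$name      = 'SecuMailer'                  # connector name suggested on this page
$smartHost = 'mail-relay.secumail.cloud'   # smart host from this page

if (-not (Get-OutboundConnector | Where-Object Name -eq $name)) {
    $connector = @{
        Name                  = $name
        ConnectorType         = 'Partner'           # Microsoft 365 -> Partner organization
        IsTransportRuleScoped = $true               # only used when a rule redirects to it
        UseMXRecord           = $false              # route through the smart host, not MX
        SmartHosts            = $smartHost
        TlsSettings           = 'DomainValidation'  # trusted CA and subject/SAN must match
        TlsDomain             = $smartHost
        Enabled               = $true
    }
    New-OutboundConnector @connector | Out-Null
}

# Read the connector back and flag any setting that weakens the TLS requirement
# or lets the connector pick up mail that no rule redirected to it.
$c     = Get-OutboundConnector -Identity $name
$hosts = @($c.SmartHosts | ForEach-Object { "$_" })
$problems = @()
if ($c.TlsSettings -ne 'DomainValidation') { $problems += "TlsSettings is '$($c.TlsSettings)'" }
if ($c.TlsDomain -ne $smartHost)           { $problems += "TlsDomain is '$($c.TlsDomain)'" }
if (-not $c.IsTransportRuleScoped)         { $problems += 'connector is not transport-rule scoped' }
if ($c.UseMXRecord)                        { $problems += 'connector uses MX records, not the smart host' }
if ($hosts -notcontains $smartHost)        { $problems += "smart host $smartHost is missing" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning "Connector ${name}: $_" }
} else {
    Write-Output "Connector $name matches the settings described on this page."
}
```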

Configure Distribution Group

In Exchange Admin select recipients in the main menu and subsequently select groups from the context menu.

Click on add a group. You should get a choice for the type of the new group; choose mail-enabled security. Click Next.

Please fill in Name

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer AVG.

The description is not mandatory. Click Next.

You should add an owner to this new group, like an Administrator or Manager. Click Next.

Add users to this new group now, or add them later. Click Next.

Please fill in Email address

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use secumailer_avg.

Click Next.

You should see a summary of the settings you applied in the previous steps.

Verify your settings and click on Create group. Hereby the Secumailer AVG group is created. Click on close.

Add members to Distribution Group

To add members to the specific group that you wish to connect with the specific SecuMailer function, head back to recipients in the main menu and subsequently select groups from the context menu. Under the tab mail-enabled security, click on the specific group you want to add members to.

Click on Members followed by View all and manage members.

When you click on + Add Members, you can add other users to this specific group.

Create mail flow rules

In this section you will create two mail flow rules:

1) that will direct your mail traffic towards the SecuMailer platform.

2) that will direct out-of-office e-mails through the public internet.

Mail Flow Rule Redirection to SecuMailer

In this section you will create the mail flow rule that will direct your mail traffic towards the SecuMailer platform.

In the Exchange Admin please go to mail flow and then rules. Please create the mail flow rule by clicking on the + symbol and select create a new rule from the drop down menu. You should now see the pop-up named new rule.

Please carry out the following steps. Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer AVG”.

At drop down list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in section Configure Distribution Group and click on the OK button. At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer. Click on the button Add action to add another action to the mail flow rule. At drop down list Do the following… please select Redirect the message to… and select the option the following connector; this will start a popup where you can select the SecuMailer connector you configured in section Configure Connector.

Select the connector. At Except if … click on the button add exception. If you don’t see this option, please scroll down until you see the link More options… and click on the link; this should give you the possibility of adding an exception. In the drop down list select The recipient… and select internal/external. In the popup window select internal and click on OK.

Please click on Next to set the additional settings.

The default settings don’t need to be changed, so click on Next.

Click on Finish to save this Rule.

Mail Flow Rule Out Of Office Message

In this section you will create the mail flow rule that will route your out-of-office e-mail towards the public internet. This is needed since the sender is out of office and cannot respond to notifications in case a recipient cannot be reached securely. These messages typically don't contain personal information and can be sent without securing the message.

Please do check with your Security Officer before applying this rule.

In the Exchange Admin please go to mail flow and then rules. Please create the mail flow rule by clicking on the + symbol and select create a new rule from the drop down menu. You should now see the pop-up named new rule.

Please carry out the following steps. Please fill in Name. If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Out Of Office Exception SecuMailer”.

At drop down list Apply this rule if… please select The Message properties and select include the message type Automatic reply and click on the Save button. At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-SecuMailer-OOO and the value to true.

At Except if select The recipient and is external/internal. In the pop-up select Inside the organization.

Click on the Next button.

In the following screen check the option Stop processing more rules.

Click Next to complete the configuration.

Click on Finish to save this Rule.
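The two mail flow rules described in this section, expressed as Exchange Online PowerShell so they can be created repeatably and reviewed as text. This is an added example, not part of the original SecuMailer instructions; it assumes an active Connect-ExchangeOnline session, and the group address domain and the X-Secumail-Id value are placeholders.

```powershell
# Added example: assumes an active Connect-ExchangeOnline session.
# Placeholders (not values from this page): the domain of the group address and
# the X-Secumail-Id value, which SecuMailer supplies to you.
$group      = 'secumailer_avg@example.com'       # placeholder domain
$secumailId = '<value supplied by SecuMailer>'   # placeholder

# Out-of-office rule: mark automatic replies to external recipients and stop
# processing, so the redirect rule below is not applied to them.
$oooRule = @{
    Name                = 'Out Of Office Exception SecuMailer'
    MessageTypeMatches  = 'OOF'               # "Automatic reply" in the admin center
    SetHeaderName       = 'X-SecuMailer-OOO'
    SetHeaderValue      = 'true'
    ExceptIfSentToScope = 'InOrganization'    # exception: recipient is internal
    StopRuleProcessing  = $true
    Priority            = 0                   # evaluated first
}
New-TransportRule @oooRule | Out-Null

# Redirect rule: mail from group members to external recipients gets the
# X-Secumail-Id header and is routed through the SecuMailer connector.
# Without -Priority the rule is added at the end of the rule list.
$avgRule = @{
    Name                          = 'Redirect to SecuMailer AVG'
    FromMemberOf                  = $group
    SetHeaderName                 = 'X-Secumail-Id'
    SetHeaderValue                = $secumailId
    RouteMessageOutboundConnector = 'SecuMailer'   # connector name suggested on this page
    ExceptIfSentToScope           = 'InOrganization'
}
New-TransportRule @avgRule | Out-Null
```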

Disabling Rich Text Format

Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF in short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises to disable Rich Text Format to avoid inadvertently sending mails in this format.

To disable RTF please go to the mail flow section in Exchange Admin and select remote domains. Select the name Default. Click on Edit text and character set.

Change the setting from Follow user settings to Never.

The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.

NTA 7516

The NTA 7516 functionality requires two additional changes to your Exchange configuration:

  • Creation of a separate Distribution Group

  • Creation of a mail flow rule

In Exchange Admin select recipients in the main menu and subsequently select groups from the context menu.

Choose Mail-enabled security

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer NTA Group.

The description is not mandatory. Click Next.

Assign members and click Next.

Please fill in Alias

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use SecuMailer_NTA.

Please fill in Email address

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use secumailer_nta.

Click Next.

You should see a summary of the settings you applied in the previous steps.

Verify your settings and click on Create group. Hereby the Secumailer NTA group is created. Click on close.

NTA 7516 Mail Flow Rule - 1

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 1”.

Please carry out the following steps:

  • At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in NTA 7516 Distribution Group and click on the OK button.

  • In the next dropdown list named Do the following select the option Modify the message properties and select Set a message header. In the text to the right of the option click on the first Enter text... link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on OK. Click on the second Enter text... link and in the message value popup fill in: true and click on OK.

This completes the Transport Rule 1 for NTA 7516. Please click on Save to finalize the setup.

NTA 7516 Mail Flow Rule - 2

In EAC select mail flow in the main menu and subsequently select rules from the context menu. Click on the + symbol and select create a new rule from the dropdown menu. You should now see the pop-up named new rule (see below).

Please fill in Name.

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 2”.

Please carry out the following steps:

  • At dropdown list Apply this rule if… please select The sender is a member of… and select and add the distribution group you created in NTA 7516 Distribution Group and click on the OK button.

  • At drop down list Do the following… please select Modify the message properties..., then select Set a message header and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer.

  • Click on the button Add action to add another action to the mail flow rule

  • At drop down list Do the following… please select Redirect the message to… and select the option the following connector; this will start a popup where you can select the SecuMailer connector you configured in section Configure Connector.

  • At Except if … click on the button add exception. If you don’t see this option, please scroll down until you see the link More options… and click on the link; this should give you the possibility of adding an exception. In the drop down list select The recipient… and select internal/external. In the popup window select internal and click on OK.

This completes the Transport Rule 2 for NTA 7516. Please click on Save to finalize the setup.

Rule Order

For the rules to work correctly the following order must be maintained:

  1. Out Of Office Exception SecuMailer

  2. SecuMailer NTA 7516 Mailflow Rule - 1

  3. SecuMailer NTA 7516 Mailflow Rule - 2

  4. SecuMailer AVG mailflow Rule

WARNING: The SecuMailer NTA7516 rules must have a higher priority than the regular Secumailer AVG mailflow rule, so that the highest security set is always used in case a user is a member of both the AVG and SecuMailer NTA7516 groups.

This completes the Transport Rules for NTA 7516. Please click on Save to finalize the setup.
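A check for the rule order required above, run from Exchange Online PowerShell. This is an added example, not part of the original SecuMailer instructions; it assumes an active Connect-ExchangeOnline session and the rule names suggested in the creation steps on this page, and it treats only the relative order of these four rules as significant.

```powershell
# Added example: assumes an active Connect-ExchangeOnline session.
# Rule names are the ones suggested in the creation steps on this page;
# replace them if your organization used its own naming convention.
$expectedOrder = @(
    'Out Of Office Exception SecuMailer',
    'SecuMailer NTA7516 Rule - 1',
    'SecuMailer NTA7516 Rule - 2',
    'Redirect to SecuMailer AVG'
)

$found = @(Get-TransportRule |
    Where-Object { $expectedOrder -contains $_.Name } |
    Sort-Object Priority)
$ok = $true

# Every expected rule must exist and be enabled.
foreach ($ruleName in $expectedOrder) {
    $rule = $found | Where-Object Name -eq $ruleName
    if (-not $rule) {
        Write-Warning "Missing rule: $ruleName"; $ok = $false
    } elseif ($rule.State -ne 'Enabled') {
        Write-Warning "Rule is not enabled: $ruleName"; $ok = $false
    }
}

# Assumption: unrelated rules may sit in between, so compare relative order only.
$actualOrder = @($found | ForEach-Object { $_.Name })
$wanted      = @($expectedOrder | Where-Object { $actualOrder -contains $_ })
if (($actualOrder -join "`n") -ne ($wanted -join "`n")) {
    Write-Warning "Rule order is: $($actualOrder -join ' > ')"
    Write-Warning "Expected:      $($wanted -join ' > ')"
    $ok = $false
}

if ($ok) {
    Write-Output 'SecuMailer mail flow rules are present, enabled and in the documented order.'
}

# To move a rule, set its priority explicitly (0 is evaluated first), e.g.:
# Set-TransportRule -Identity 'Out Of Office Exception SecuMailer' -Priority 0
```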

Appendix Exclaimer & CodeTwo

If the customer is using Exclaimer or CodeTwo, please see the separate section on configuring SecuMailer together with Exclaimer or configuring SecuMailer together with CodeTwo.
