Hmail as a part of Exchange online hybrid solution

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Freedom
Normal user
Posts: 44
Joined: 2008-01-29 17:25
Location: Slovakia

Hmail as a part of Exchange online hybrid solution

Post by Freedom » 2020-12-28 16:41

Please, who can help with Hmail as a part of a hybrid solution with Exchange Online?

I have 10 users. I was using Hmail as an IMAP/SMTP server.
Now I need to move 2 users/mailboxes to Office 365 Exchange Online.
I would have 2 users on Office 365 Exchange Online and 8 users on the Hmail server, using the same internet domain.

Hmail stays as the default SMTP server for that domain.
The MX record is pointed to my Hmail server as before.
All emails received for this domain are managed by hMailServer.
The two users who have a mailbox on Exchange Online have their Hmail mailbox forwarded to the Office 365 account, like user@o365tenantname.onmicrosoft.com

Sending emails from IMAP users to Exchange Online users works fine. The email forwarding that was set up works fine.
Receiving emails from external senders works fine for IMAP users as well as for Exchange Online users.
Sending emails from Office 365 to external works fine. The SPF record was modified so that it now also includes the Office 365 sendouts.

Sending emails from Exchange Online to IMAP users ends with this error: 550 5.0.350 Remote server returned an error -> 530 SMTP authentication is required.

The problem is that Office 365 has millions of IP addresses and you never know which one is used to deliver an email, so I don't know what to do.

I can't use IP ranges to exclude Office 365 because I don't have all the Office 365 IP addresses, and I can't imagine managing all the ranges over time to have a permanently working solution.
I am not sure whether part of the solution is to turn off required authentication for Local to Local on my Internet IP range, due to security reasons? Or?

Who can help to find a solution for this problem?

mikedibella
Senior user
Posts: 390
Joined: 2016-12-08 02:21

Re: Hmail as a part of Exchange online hybrid solution

Post by mikedibella » 2020-12-28 21:33

I'm going to make a lot of assumptions here. You'll need to tell me if any of these assumptions are incorrect for the way you've set up your hybrid environment:

1. Your email "vanity" domain MX record points to your hMailServer instance.
2. Your Exchange Online tenant is set up with the authoritative domain on the onmicrosoft.com namespace only. You did not add your vanity domain to the list of "accepted domains" in Exchange Online.
3. The mailboxes on Exchange Online have an additional email address set to the address hosted in hMailServer. This address is set as the "Reply To" address.
4. The Exchange Online hosted mailboxes also have a mailbox in hMailServer, but the Forwarding tab for the mailbox is set to redirect the message to the onmicrosoft.com address. Keep original message is unchecked.

If all these assumptions are true, you should be able to solve your routing issue by clearing the Require SMTP authentication check box for Local to local email addresses on the Internet IP range. This will have the effect of allowing unsolicited email to be received from the Internet for local addresses with spoofed local sender addresses, but other anti-SPAM measures should keep that activity under control. Just make sure you leave Local to external e-mail addresses and External to external e-mail addresses checked or your server will be an open relay.

Freedom
Normal user
Posts: 44
Joined: 2008-01-29 17:25
Location: Slovakia

Re: Hmail as a part of Exchange online hybrid solution

Post by Freedom » 2020-12-29 18:46

1. My email domain "xyz.com" MX record is pointed to my Hmail instance.
2. I added my email domain "xyz.com" to the Office 365 tenant. My Office 365 domains are "xyz.com" and "xyz.onmicrosoft.com". My reply email address at Office 365 is "xyz.com"; "xyz.com" is the default accepted domain at Exchange Online and the domain type for this is "Internal Relay".
3. Mailboxes at the Office 365 tenant have two email addresses: one is "xyz.com" and the second one is "xyz.onmicrosoft.com". "xyz.com" is the primary email address and reply address for Office 365. I added this to my SPF record: "include:spf.protection.outlook.com -all" (my current SPF record includes my Hmail as well as include protection.outlook.com).
4. Exchange Online mailboxes also have a mailbox on the Hmail instance, but those mailboxes on the Hmail instance are forwarded to "user@xyz.onmicrosoft.com" with keep copy of emails on Hmail. I will delete those Hmail mailboxes later on, when I know my hybrid solution is really working as it should. Then I will delete the mailboxes on Hmail and create forwarding rules for both users who were moved to Office 365...

To make clear what I have set up on my Office 365, you can find it in this article; it describes exactly what I want to do...
http://howtomicrosoftofficetutorials.bl ... email.html

The only problem I found out is when I want to communicate between Office 365 users and IMAP users, but only Office 365 users can't send email back to the Hmail instance due to this authentication issue.

I went through a lot of Microsoft docs and found 4 huge IP ranges which are used with Exchange Online on port 25, so I added them to my Hmail instance and unchecked the required authentication for local to local:
*.mail.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 TCP: 25

I include the screenshot of one of the IP ranges I set on my Hmail instance.... I think in this case it is more secure rather than opening this for all internet traffic and counting only on SPF working well. But your note was very helpful. Sometimes you need a second opinion to move forward when you get stuck.

Currently, with this change I have made, and also thanks to your reply, my Office 365 users can send email to IMAP users on the Hmail instance. I also solved a small problem with DKIM that I recently found. The Hmail instance has its own DKIM key and Office 365 its own. I had to figure it out on my own because I can't find anything about this at all.
Attachments: office365.JPG
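A small model of the rule Freedom describes above (the quoted Exchange Online ranges are exempt from the local-to-local SMTP AUTH requirement, while "local to external" and "external to external" stay protected, as mikedibella's reply insists). This is an added example written for this thread, not hMailServer code or either poster's configuration; the CIDR list is the one quoted in the post, while xyz.com, the sample addresses and the sample IPs are constructed.

```python
"""Model the three hMailServer "Require SMTP authentication" checkboxes
discussed in this thread and decide what happens to a session, with
"local to local" exempted only for the Exchange Online ranges the post lists.
Added example, not hMailServer code; all inputs are constructed."""
import ipaddress

# The six ranges quoted in the post (*.mail.protection.outlook.com, TCP 25).
EXCHANGE_ONLINE_RANGES = [
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48",
]

# The domain hMailServer hosts ("xyz.com" is the placeholder used in the thread).
LOCAL_DOMAINS = {"xyz.com"}


def parse_ranges(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set,
    so a mistyped range fails loudly instead of silently matching nothing."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


TRUSTED_NETS = parse_ranges(EXCHANGE_ONLINE_RANGES)


def in_trusted_range(sender_ip, nets=TRUSTED_NETS):
    """True if the connecting IP falls inside one of the Exchange Online ranges."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in nets)


def is_local(address, local_domains=LOCAL_DOMAINS):
    """True if the address's domain is one hMailServer hosts."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in local_domains


def decide(sender_ip, mail_from, rcpt_to, authenticated=False,
           local_domains=LOCAL_DOMAINS, nets=TRUSTED_NETS):
    """Return the action for one SMTP session:
      accept         - authenticated session, or external sender to local recipient
      accept-unauth  - local->local from a trusted range, no SMTP AUTH needed
      require-auth   - local sender must authenticate (the 530 in the post's error)
      reject-relay   - external->external is never relayed (open-relay guard)
    """
    if authenticated:
        # An authenticated session passes all three checkboxes.
        return "accept"
    from_local = is_local(mail_from, local_domains)
    to_local = is_local(rcpt_to, local_domains)
    if not from_local and to_local:
        return "accept"  # ordinary inbound mail for a hosted domain
    if from_local and to_local:
        # "Local to local" unchecked only for the trusted Exchange Online ranges.
        return "accept-unauth" if in_trusted_range(sender_ip, nets) else "require-auth"
    if from_local and not to_local:
        # "Local to external" stays checked: no outbound relay without AUTH.
        return "require-auth"
    return "reject-relay"


if __name__ == "__main__":
    # Constructed sessions: Exchange Online delivering to an IMAP user, an
    # arbitrary Internet host spoofing a local sender, and a relay attempt.
    sessions = [
        ("40.92.1.1", "o365user@xyz.com", "imapuser@xyz.com"),
        ("203.0.113.5", "imapuser@xyz.com", "o365user@xyz.com"),
        ("40.92.1.1", "imapuser@xyz.com", "someone@example.net"),
        ("203.0.113.5", "someone@example.net", "imapuser@xyz.com"),
        ("40.92.1.1", "a@example.net", "b@example.org"),
    ]
    for ip, mail_from, rcpt_to in sessions:
        print(f"{ip:>14} {mail_from:>22} -> {rcpt_to:<22} {decide(ip, mail_from, rcpt_to)}")
```

Running the block prints one decision per constructed session; the second line shows why Freedom's original setup answered Exchange Online with "530 SMTP authentication is required", and the first shows the effect of the range-scoped exemption.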

mikedibella
Senior user
Posts: 390
Joined: 2016-12-08 02:21

Re: Hmail as a part of Exchange online hybrid solution

Post by mikedibella » 2020-12-29 18:57

Google the PowerShell commands New-DKIMSigningConfig and Get-DKIMSigningConfig for info on setting up DKIM for your MSOL domains. MS will host the public keys on the onmicrosoft.com domain. You will create CNAMEs on your domain to point to them.
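A check for the last step mikedibella describes, the CNAMEs on the vanity domain that point at the keys hosted under onmicrosoft.com. This is an added example for this thread, not Microsoft or hMailServer code. It assumes the target naming Microsoft documents for Microsoft 365 DKIM (selectorN-<domain with dots replaced by dashes>._domainkey.<tenant>.onmicrosoft.com), which the post does not spell out; the authoritative targets are whatever Get-DKIMSigningConfig reports for the domain. The DNS answers are constructed, not live lookups.

```python
"""Verify that a vanity domain's two DKIM selector CNAMEs point at the records
Microsoft 365 hosts under the tenant's onmicrosoft.com domain.
Added example, not Microsoft or hMailServer code. Assumed target pattern:
selectorN-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com
(confirm against Get-DkimSigningConfig). Resolver answers are constructed."""


def expected_dkim_cnames(domain, tenant):
    """Map each selector's CNAME owner name on the vanity domain to the
    target Microsoft 365 expects it to carry (assumed naming pattern)."""
    domain = domain.lower().rstrip(".")
    dashed = domain.replace(".", "-")
    tenant = tenant.lower()
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
        for n in (1, 2)
    }


def _normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def check_dkim_cnames(domain, tenant, cname_answers):
    """cname_answers: {owner name: CNAME target} as a resolver would return.
    Returns {owner name: 'ok' | 'missing' | 'wrong-target'} for both selectors,
    so a typo in one CNAME shows up before DKIM signing is enabled."""
    answers = {_normalize(k): _normalize(v) for k, v in cname_answers.items()}
    result = {}
    for name, target in expected_dkim_cnames(domain, tenant).items():
        found = answers.get(name)
        if found is None:
            result[name] = "missing"
        elif found == target:
            result[name] = "ok"
        else:
            result[name] = "wrong-target"
    return result


# Constructed resolver answers for the thread's placeholder domain:
# selector1 is correct, selector2 was entered without the "-com" part.
SAMPLE_ANSWERS = {
    "selector1._domainkey.xyz.com.": "selector1-xyz-com._domainkey.xyz.onmicrosoft.com.",
    "selector2._domainkey.xyz.com.": "selector2-xyz._domainkey.xyz.onmicrosoft.com.",
}

if __name__ == "__main__":
    for name, status in check_dkim_cnames("xyz.com", "xyz", SAMPLE_ANSWERS).items():
        print(f"{name}: {status}")
```

Feed the function the CNAME answers from a real resolver (one lookup per selector name) once the records are published; a "wrong-target" or "missing" result means Microsoft 365 will not be able to publish the key for that selector.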
