Skip to main content

How to ensure emails are routed to Exclaimer Cloud before being routed to third-party security solutions

Payal Arya
  • Updated

Scenario

When using Exclaimer Cloud with a third-party security solution (for example, Mimecast; Proofpoint; Barracuda; Reflexion and so on), you may find that emails do not route the way you would like them to or do not have a signature applied.

Recommended! The recommended setup for Exclaimer Cloud in conjunction with a third-party security solution is as follows:
Sender > Office 365 > Exclaimer Cloud > Office 365 > third party security solution > Recipient.

The following list of smart hosts or security solutions are known to work when using Exclaimer Cloud - Signatures for Office 365:

  • Fusemail (Exclaimer Cloud is known to work with Fusemail SecureSMART Suite, but cannot be used with Fusemail Hosted Exchange.)
  • Proofpoint
  • Symantec Cloud
  • Mimecast

If your chosen Smart Host or email security service is not listed above, this does not mean that it cannot be used when using Exclaimer Cloud - Signatures for Office 365.
(For Barracuda, please refer to How to Configure Office 365 Outbound Automatic Replies)

Resolution

WARNING! This solution assumes that you have already configured the Exclaimer Cloud rule and connectors. If not, please run the setup wizard from within the Exclaimer Cloud portal.

In the example below, we are using Mimecast, but you can follow the same steps for other Smart Host or third party security systems.

Currently, the connector is set to apply to all messages at the connector level and will likely appear similar to the following connector:

The above setup shows the correct SMTP address for the Mimecast smart host, but this setup bypasses Office 365 Transport Rules.

The objective of this solution is to modify the connector set up so that it uses a Transport Rule with a lower priority than the Exclaimer Transport Rule; therefore, ensuring that signatures are applied before messages are scanned by the third-party security solution.

Please follow the steps below to reconfigure your connector:

We recommend! As there may be downtime during the change - make this change out of hours where possible.
Step1: Reconfigure the third party security connector
  1. Log on to the Office 365 Portal as a Global Administrator.

  2. Open the admin center.

  3. Click admin centers and select Exchange.

  4. Select mail flow then select connectors.

  5. Reconfigure the connector to apply Only when I have a transport rule set up that redirects messages to this connector:

  6. For all other third-party solutions, leave all other connector settings as they are and save the connector.
    For Barracuda: reference extracted from How to Configure Office 365 Outbound Automatic Replies.
    1. Click Next then select the Route email through these smart hosts option and click the + symbol.

    2. Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page:


    3. Click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issues by Trusted certificate authority (CA):

    4. Click Next. On the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings.
    5. When the verification page displays, enter a test email address and click Validate. Once the verification is complete, your mail flow settings are added.
Step 2: Add a new mail flow rule
  1. In the admin center, under mail flow, select rules.

  2. Click the (plus) button to add a new rule.

  3. Give the rule a name - for example: Send to Mimecast.

Step 3: Configure the new mail flow rule
  1. Scroll down and click the More options link to enable additional rule options.

  2. Add a condition that states The sender is located inside the organisation. This will ensure that all emails sent from your Office 365 tenancy are routed through the connector.

  3. Add another condition that states The Recipient is located Outside the organisation. This will ensure that your internal emails sent from your Office 365 tenancy are not routed through the connector and prevent mail loops.

  4. Add an action that states Redirect messages to the following connector and select your third party Security connector.



  5. Click Save to save the new rule. It will now be shown in the rules list with the lowest priority (the greater the number, the lower the priority). Also, in this list, you will see an Exclaimer rule called Identify messages to send to Exclaimer Cloud, which has a priority of 1.



    NOTE: You can change the priority as long as it remains below the Exclaimer Cloud rule. 
Step 4: Amend the Exclaimer mail flow rule
  1. Open the rule named Identify messages to send to Exclaimer Cloud.

  2. Scroll down until you see the option to Stop processing more rules:

  3. Select the Stop processing more rules option.
    When you enable this option, it will force the Exclaimer rule to run and prevent Office 365 from running the third party Security Connector rule until the email is returned from Exclaimer Cloud with a signature attached.

    Your Office 365 set up is now complete.
Step 5: Add your .onmicrosoft address to the Exclaimer portal
NOTE: The options within this section are not available in the new UI yet.

The final step of this process is to return to the Exclaimer Cloud portal to ensure emails are routed to Office 365 once the signature has been applied:

  1. Log in to the Exclaimer Cloud portal, launch your subscription, click the options list from the top-right of your screen and select Settings. 

  2. The Settings window is displayed; select the Mail Flow tab.

  3. Under Mail Routing, click Edit.

  4. From the Mail routing mode drop-down list, select Static domain.

  5. In Domain name, enter your .onmicrosoft address (listed in your Office 365 tenancy under Domain Name):

  6. Click Save to save the changes.

Your setup is now complete. When you send a test email, you will be able to see (from the message headers) that the email routes from Office 365 to Exclaimer Cloud, then from Exclaimer Cloud back to Office 365 and from Office 365 to Mimecast - as expected.

NOTE: If you experience any problems or would like to have someone from Exclaimer on the telephone or via a remote session during the setup process, please let us know or raise a support ticket.