Scenario
When using Exclaimer Cloud with a third-party security solution (for example, Mimecast, Proofpoint, Barracuda or Reflexion), you may find that emails do not route the way you would like them to or do not have a signature applied.
The following smart hosts and security solutions are known to work with Exclaimer Cloud - Signatures for Microsoft 365:
- Fusemail (Exclaimer Cloud is known to work with Fusemail SecureSMART Suite, but cannot be used with Fusemail Hosted Exchange.)
- Proofpoint
- Symantec Cloud
- Mimecast
If your chosen smart host or email security service is not listed above, this does not mean that it cannot be used with Exclaimer Cloud - Signatures for Microsoft 365.
(For Barracuda, please refer to How to Configure Office 365 Outbound Automatic Replies)
Resolution
Sender > Microsoft 365 > Exclaimer Cloud > Microsoft 365 > third party security solution > Recipient.
In the example below, we are using Mimecast, but you can follow the same steps for other smart hosts or third-party security systems.
Currently, the connector is set to apply to all messages at the connector level and will likely appear similar to the following connector.
View 1: Connector name and description
View 2: Connector trigger settings
View 3: Connector routing settings
The above setup shows the correct SMTP address for the Mimecast smart host, but this setup bypasses Microsoft 365 Transport Rules.
The objective of this solution is to modify the connector setup so that it uses a Transport Rule with a lower priority than the Exclaimer Transport Rule, thereby ensuring that signatures are applied before messages are scanned by the third-party security solution.
Please follow the steps below to reconfigure your connector:
- Log on to the Microsoft 365 Portal as a Global Administrator.
- Open the admin center.
- Click admin centers and select Exchange.
- Select mail flow then select connectors.
- Reconfigure the connector to apply Only when I have a transport rule set up that redirects messages to this connector.
For all other third-party solutions, leave all other connector settings as they are and save the connector.
For Barracuda (steps taken from How to Configure Office 365 Outbound Automatic Replies):
- Click Next then select the Route email through these smart hosts option and click the + symbol.
- Go to the Barracuda Email Security Service, and click the Domains tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page.
- Click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issued by a trusted certificate authority (CA).
- Click Next.
- Validate the email - enter a test email address and click Validate. Once the verification is complete, click Next.
- Review the connector settings and click Create connector.
- In the admin center, under mail flow, select rules.
- Click the + (plus) button to add a new rule.
- Give the rule a name; example: Send to Mimecast.
- From the Apply this rule if drop-down list, select The sender. From the adjacent drop-down list, select is external/internal.
- From the select sender location drop-down list, select Inside the organization. This will ensure that all emails sent from your Microsoft 365 tenancy are routed through the connector.
- Click Save to save the changes made.
The changes are reflected in the Set rule conditions window.
- Click + (Add condition) to add another condition.
- From the And drop-down list, select The recipient. From the adjacent drop-down list, select is external/internal. From the select recipient location drop-down list, select Outside the organization.
This will ensure that your internal emails sent from your Microsoft 365 tenancy are not routed through the connector and prevent mail loops.
- Click Save to save the changes made.
The changes are reflected in the Set rule conditions window.
- Now, from the Do the following drop-down list, select an action that states Redirect the message to.
- From the adjacent drop-down list, select the following connector.
- From the select connector drop-down list, select your third-party Security connector.
- Click Next.
- The next step, Set rule settings, is enabled.
- Tick the Activate this rule on option and select a suitable time to activate the rule.
- Click Next.
- Click Finish. The new mail flow rule will be displayed in the rules list with the lowest priority (the greater the number, the lower the priority).
You will also see an Exclaimer rule called Identify messages to send to Exclaimer Cloud - this rule usually has a priority of 1.
- In the rules list, please ensure there is a tick against the Identify messages to send to Exclaimer Cloud rule for Stop processing rules.
If it is not ticked:
- Select the Identify messages to send to Exclaimer Cloud rule.
The Identify messages to send to Exclaimer Cloud rule is displayed on the right-hand pane.
- Click Edit Rule conditions.
- Click Settings.
- Tick the Stop processing more rules option.
- Click Save.
The final step of this process is to return to the Exclaimer Cloud portal to ensure emails are routed to Microsoft 365 once the signature has been applied:
- Log into the Exclaimer portal (portal.exclaimer.com) and Launch your subscription.
- From the left-hand pane, click Configuration, then select Manage Mail Flow.
- In the right-hand pane, under Mail Routing Domain, are the relevant options.
- In Domain Name, enter the .onmicrosoft.com domain name - this can be located in the Domain list in the Microsoft 365 Admin Center. This setting is important, and an incorrect domain can result in mail flow issues.
- Click SAVE to save the changes made.
Your setup is now complete.
NOTES: The MX record for the Domain name (in the Mail Routing settings) should specify a single Exchange Online Server for your Microsoft 365 tenancy. When you send a test email, you will be able to see (from the message headers) that the email routes from Microsoft 365 to Exclaimer Cloud, then from Exclaimer Cloud back to Microsoft 365 and from Microsoft 365 to Mimecast, as expected.
- To check the MX record for your own Domain name, use a DNS lookup tool, such as MXToolbox.
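The header check described in the notes above, as an added example (not Exclaimer's code): it reads the Received headers of a test message and confirms the hops run Microsoft 365, Exclaimer Cloud, Microsoft 365, then the security service. The host suffixes in SERVICES and the sample headers are assumptions constructed for illustration; replace them with the hosts that appear in your own headers.

```python
import re
from email import message_from_string

# Assumed host suffixes per service; replace with the hosts seen in your own headers.
SERVICES = {"outlook.com": "Microsoft 365", "exclaimer.net": "Exclaimer Cloud",
            "mimecast.com": "Mimecast"}
EXPECTED = ["Microsoft 365", "Exclaimer Cloud", "Microsoft 365", "Mimecast"]
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def classify(host):
    """Map a receiving host name to a service, matching on whole DNS labels."""
    host = host.lower().rstrip(".")
    for suffix, name in SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def route(raw_message):
    """Services that received the message, oldest first, repeats collapsed."""
    hops = []
    # Each server prepends its Received header, so reverse for time order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        match = BY_HOST.search(header)
        name = classify(match.group(1)) if match else None
        if name and (not hops or hops[-1] != name):
            hops.append(name)
    return hops

def signature_route_ok(raw_message):
    """True when the first hops follow EXPECTED; later recipient-side hops are ignored."""
    return route(raw_message)[:len(EXPECTED)] == EXPECTED

def _hop(src, dst):  # builds one constructed Received header
    return f"Received: from {src} by {dst} with ESMTPS; Mon, 6 Jan 2025 10:00:00 +0000\n"

# Constructed samples, newest hop first as in a real message.
GOOD = (_hop("mail1.prod.outlook.com", "gw1.mimecast.com")
        + _hop("in1.mail.protection.outlook.com", "mail1.prod.outlook.com")
        + _hop("out1.exclaimer.net", "in1.mail.protection.outlook.com")
        + _hop("mail0.outbound.protection.outlook.com", "in1.exclaimer.net")
        + _hop("client.prod.outlook.com", "mail0.prod.outlook.com")
        + "Subject: routing test\n\nbody\n")
# Connector applied to all mail: Microsoft 365 hands straight to the smart host.
BYPASS = (_hop("mail0.prod.outlook.com", "gw1.mimecast.com")
          + _hop("client.prod.outlook.com", "mail0.prod.outlook.com")
          + "Subject: routing test\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BYPASS", BYPASS)):
        print(label, route(raw), "OK" if signature_route_ok(raw) else "signature hop missing")
```

A route that jumps from Microsoft 365 directly to the security service, as in the BYPASS sample, indicates the connector is still applied to all messages instead of being scoped to the transport rule.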