How to configure smart host (mail relay) services to work with CodeTwo software
You use smart host (mail relay) services (e.g. for security, anti-virus/anti-spam protection, or journaling) and you would like to configure them to work with CodeTwo cloud services.
If you use one of the following smart hosts:
- and similar solutions
then this article is for you.
To ensure correct mail flow in your organization (see examples in Fig. 1.), double-check that after you send a message and it goes through EOP servers, it is routed directly to CodeTwo Email Azure Service before it is passed to any other smart host services. This is essential to ensure proper processing of your messages by our services. If messages are routed to other smart hosts before they are processed by CodeTwo Email Signatures for Office 365, you might experience the following issues:
- your signatures are missing because messages are never received by our service, or they are received in an encrypted format that we cannot process;
- your messages cannot be delivered due to a routing loop, and you receive non-delivery reports (NDRs) with the following error code: ATTR1;
- signatures are added in a wrong place in messages because the message body is modified by your smart host(s). As a result, our service is not able to find the correct reply separators;
- your message is corrupted.
Fig. 1. The correct mail flow for smart hosts and CodeTwo services: (a) - when a smart host delivers emails to recipients; (b) - when a smart host returns emails to Office 365 (EOP) for final delivery.
- Make sure your messages are always routed to the CodeTwo Email Azure Service first.
- If this is not true, you need to reconfigure your smart host's outbound connector so that it's controlled by a transport rule. After that, you need to ensure correct email routing by modifying the CodeTwo transport rule.
After our services are deployed and fully configured in your Office 365 tenant, an additional Exchange Online outbound connector, controlled by a dedicated transport rule, is created. Such a setup is responsible for routing your mail flow through the CodeTwo services. This approach is recommended by Microsoft and guarantees that our software can intercept all your messages before they are processed by other smart hosts.
According to Microsoft's recommendations, if emails are redirected to a connector via a transport rule (such as the CodeTwo Exchange transport rule), then all subsequent redirections to other connectors (e.g. your smart hosts) should also be triggered by transport rules.
In certain cases, other smart hosts may still intercept your messages before they reach CodeTwo services. To check if your environment is configured correctly, follow these steps:
- Check if the transport rule (CodeTwo Exchange transport rule) created by our software has the highest priority: open Exchange admin center, go to mail flow > rules, and make sure that the rule is at the top of the rules’ list.
- If you are running a hybrid environment, check if your on-premises Exchange server routes any messages to smart hosts. If the on-premises server is configured to relay your mail through smart hosts, consider moving this responsibility to your Office 365 tenant. Otherwise, you might not be able to control the mail flow priority correctly.
If your environment meets the above requirements, but you still experience any issues caused by incorrect mail flow, you can analyze the headers of your messages to make sure that your emails are routed to the CodeTwo services first (before they are passed to other smart host services). To examine message headers, you can use tools such as:
If the analysis of message headers confirms that any of the following cases is true:
- directly after leaving EOP servers, your messages are not relayed to the CodeTwo Email Signatures for Office 365 services,
- your messages reach your smart host(s) several times (e.g. you are getting duplicated messages),
- your messages are not delivered because of a routing loop,
then you are probably experiencing a routing glitch in Office 365. To solve the problem, you need to reconfigure all outbound connectors created by third-party smart host services (like the ones from Mimecast, Symantec, etc.) so that these connectors are controlled via transport rules instead of being controlled automatically (autonomously). Then, you need to make a slight modification to the CodeTwo transport rule, to ensure correct message routing. Read on for guidelines.
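The header check described above can also be scripted. The following PowerShell function is an added example (not CodeTwo's code): it lists the hops from a message's Received headers in chronological order, reports whether the signature service appears before the smart host, and counts how many times the message entered the smart host. The function name, the regex parameters and every host name in the sample are constructed placeholders; substitute the host names you see in your own headers.

```powershell
# Added example; all host names below are constructed placeholders.
function Get-MailRoute {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$SignatureHostPattern,  # regex: signature service hosts
        [Parameter(Mandatory)][string]$SmartHostPattern       # regex: smart host's hosts
    )
    # Unfold headers: a line that starts with whitespace continues the previous one.
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '
    $hops = @(foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^Received:\s+from\s+(?<from>\S+).*?\sby\s+(?<by>[^\s;]+)') {
            [pscustomobject]@{ From = $Matches['from']; By = $Matches['by'] }
        }
    })
    # Every server prepends its own Received header, so reverse for chronological order.
    [array]::Reverse($hops)

    $sigIndex = -1; $smartIndex = -1; $smartVisits = 0
    for ($i = 0; $i -lt $hops.Count; $i++) {
        $by = $hops[$i].By
        if ($sigIndex -lt 0 -and $by -match $SignatureHostPattern) { $sigIndex = $i }
        # Count entries into the smart host, not relays inside it.
        if ($by -match $SmartHostPattern -and
            ($i -eq 0 -or $hops[$i - 1].By -notmatch $SmartHostPattern)) {
            $smartVisits++
            if ($smartIndex -lt 0) { $smartIndex = $i }
        }
    }
    [pscustomobject]@{
        Hops                  = $hops
        SignatureServiceFirst = ($sigIndex -ge 0) -and ($smartIndex -lt 0 -or $sigIndex -lt $smartIndex)
        SmartHostVisits       = $smartVisits
    }
}

# Constructed sample (newest hop on top, second header folded across two lines).
$sample = @'
Received: from relay.smarthost.example by mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:04 +0000
Received: from eop-out.tenant.example
 by relay.smarthost.example with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from sig01.signature-service.example by eop-in.tenant.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from eop-out.tenant.example by sig01.signature-service.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Subject: test
'@

$route = Get-MailRoute -RawHeaders $sample -SignatureHostPattern 'signature-service\.example$' -SmartHostPattern 'smarthost\.example$'
$route.Hops | Format-Table
$route | Select-Object SignatureServiceFirst, SmartHostVisits
```

A SmartHostVisits value above 1, or SignatureServiceFirst being False, corresponds to the cases listed above.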
To reconfigure the outbound connector of your smart host service so that this connector is controlled by an Exchange transport rule, you need to:
- Log in to your Microsoft 365 admin center (Office 365 admin center).
- Go to Admin centers > Exchange to access your Exchange admin center.
- Select mail flow from the navigation menu, and open the connectors tab.
- Find and select the outbound connector of your smart host, as shown in Fig. 2. Click the Edit (pencil icon) button.
- The Edit Connector wizard opens (Fig. 3.). Click Next.
- If there are any domains listed under Only when email messages are sent to these domains, write them down. You will need to reproduce these settings when you create a new transport rule that will be controlling this connector, as described in the next section.
- Select the first option (Only when I have a transport rule...), as shown in Fig. 4., and click Next. Leave the other settings unchanged and complete the wizard.
If you have more outbound connectors for custom services (smart hosts), you need to repeat the whole procedure (including the creation of the transport rule, as described further) for each connector.
From now on, your connector can be controlled only by transport rules. Therefore, you need to create a new transport rule for each of the reconfigured connectors.
To route messages through your smart host, you need to create a new transport rule. This transport rule will forward messages to your smart host if they meet the conditions you specify. Additionally, the rule prevents messages from looping. To create a transport rule, you need to:
- In the Exchange admin center, switch to the rules tab, click the New (+) button (Fig. 5.) and choose Create a new rule... from the drop-down menu.
- A new window opens. Name your rule and click More options... to configure additional options:
- The conditions (the Apply this rule if section) need to reflect the configuration of your smart host’s connector:
- In the Apply this rule if section, select The sender... > is external/internal and select Inside the organization. This condition is necessary because all outbound connectors should be active only for emails originating from your organization.
- Add another condition to make sure the rule is active only for recipients outside of your organization: select The recipient... > is external/internal and select Outside the organization. This condition is necessary because all outbound connectors should be active only for emails sent outside of your organization.
- If your connector was configured to work only when emails are sent to specific domains (see step 6 in the previous section), you need to reproduce this behavior here, by using the available conditions (such as The recipient... > address matches any of these text patterns [domain]).
- Add a new action: Modify the message properties > set a message header. Enter any header name (e.g. X-AntiLoop-Smarthost) and set the value to true.
- Add a new action: choose Redirect the message to... > the following connector and select your smart host's outbound connector.
- Add a new exception in the Except if section: a message header > includes any of these words. Use the same header name as in the first action (e.g. X-AntiLoop-Smarthost) and set the value to true.
- Scroll down and enable (select) the Defer the message if rule processing doesn't complete option. With this feature, your message keeps trying to use your smart host if the previous attempt failed.
The rule's configuration should look as shown in Fig. 6. or similar. Click Save to create the rule.
Thanks to such a configuration of the transport rule, your messages will not get looped even if your smart host returns the message back to EOP. The created transport rule is configured to send a message to your smart host service only once.
- The rule will be saved at the bottom of the list, with the lowest priority. Move it up using the arrow button, so it is directly below the CodeTwo transport rule (by default, the CodeTwo rule has priority 0 - in this case, your smart host rule should have priority 1, as shown in Fig. 7.). You can also edit the rule and change the priority manually.
Finally, you need to modify the CodeTwo Exchange transport rule to ensure correct message routing. To do so:
- Double-click the CodeTwo rule on the list (the rule should be above your smart host's rule - see Fig. 7.) or use the Edit (pencil icon) button.
- Find the option to stop processing more rules, and select (enable) it, as shown in Fig. 8.
Each email to receive a signature is processed by Exchange Online twice. First, immediately after being sent, the message should reach the CodeTwo Email Azure Service before it is processed in accordance with any other rule. Selecting the stop processing more rules option helps achieve this, as it forces the CodeTwo Exchange transport rule to be the only one applied, provided it has the top priority (0).
Once the signature is added, the message returns from the CodeTwo Email Azure Service to Exchange Online. Since the CodeTwo Exchange transport rule is not executed again, the stop processing more rules option is not taken into consideration. This means that any other transport rule configured on your tenant will still be executed.
- Save the changes.
Your mail flow is now configured, and emails will be routed through our cloud services and your smart host service before they reach their recipients.
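The same three changes (connector scoped to transport rules, smart host rule with the anti-loop header, and stop processing on the CodeTwo rule) can be made in Exchange Online PowerShell. This is an added example, not a script from CodeTwo. It assumes a connected Exchange Online PowerShell session; the connector name and the new rule's name are placeholders, and the CodeTwo rule name is taken as written in this article and should be confirmed with Get-TransportRule first.

```powershell
# Added example. Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).
$connectorName = 'Smart host outbound'               # placeholder: your smart host's connector
$codeTwoRule   = 'CodeTwo Exchange transport rule'   # as written in this article; confirm the real name
$loopHeader    = 'X-AntiLoop-Smarthost'

# Record the connector's domain scope before changing it.
$connector = Get-OutboundConnector -Identity $connectorName
$domains   = @($connector.RecipientDomains | Where-Object { $_ })

# Equivalent of "Only when I have a transport rule..." in the Edit Connector wizard.
Set-OutboundConnector -Identity $connectorName -IsTransportRuleScoped $true

$rule = @{
    Name                                = 'Route outbound mail to smart host'  # placeholder
    FromScope                           = 'InOrganization'      # sender inside the organization
    SentToScope                         = 'NotInOrganization'   # recipient outside the organization
    SetHeaderName                       = $loopHeader
    SetHeaderValue                      = 'true'
    RouteMessageOutboundConnector       = $connectorName
    ExceptIfHeaderContainsMessageHeader = $loopHeader           # skip messages already relayed once
    ExceptIfHeaderContainsWords         = 'true'
    RuleErrorAction                     = 'Defer'               # defer if rule processing fails
    Priority                            = 1                     # directly below the CodeTwo rule (0)
}

# Reproduce a literal-domain scope as recipient address patterns.
# Wildcard entries are skipped and must be translated by hand.
$literal = @($domains | Where-Object { "$_" -notmatch '\*' })
if ($literal.Count -gt 0) {
    $rule.RecipientAddressMatchesPatterns =
        @($literal | ForEach-Object { '@' + [regex]::Escape("$_") + '$' })
}
if ($literal.Count -lt $domains.Count) {
    Write-Warning 'Wildcard recipient domains were not converted; add a matching condition manually.'
}
New-TransportRule @rule

# The CodeTwo rule must be the only rule applied on the first pass.
Set-TransportRule -Identity $codeTwoRule -StopRuleProcessing $true

# Verify the resulting order and connector scoping.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State, StopRuleProcessing
Get-OutboundConnector | Select-Object Name, Enabled, IsTransportRuleScoped, SmartHosts
```

Repeat the connector and rule part for each additional smart host connector, giving each rule its own name and the next priority.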
If you experience any mail flow problems when sending emails via SMTP clients (e.g. Mozilla Thunderbird), see this article.