Some organisations, in particular German ones, require encryption between your Exchange Online mail servers and their mail servers. This can be enforced by adding their domains to an outbound TLS connector in Office 365.
In my case, this had to be enforced (the default is oppertunistic). If you get a long list, you’ll want to script this with the following snippet. Remember to make sure the first line of your CSV has the header/colum name ‘domain’ 🙂
#Author: Jos Lieben
#Help: www.lieben.nu
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking
$connector = Read-Host "Type the name you wish to give this connector"
$csv = Read-Host "Type the path to the file with TLS domains"
$domains = Import-CSV -LiteralPath $csv
$newDomains = @()
foreach($domain in $domains){
$ND = [String]$domain.domain
$ND = $ND.Trim()
$newDomains += $ND
}
try{
New-OutboundConnector -Name $connector -recipientdomains $newDomains -ConnectorType "Partner" -TlsSettings "CertificateValidation" -ErrorAction Stop
}catch{
Write-Error "Failed to modify outbound connector $connector $($Error[0])"
}
So I went about and set my SMTP relay in IIS to use a certificate instead, as the article explains. Â This resulted in a flood of bad mail drops with the following error:
Action: failed Status: 5.7.57 Diagnostic-Code: smtp;530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM
After messing around with this for a while, I discovered the outbound port you have to use when connecting to smtp.office365.com to relay a message using anonymous TLS is port 25, NOT port 587 as we were using before to submit mail using a user account + password.
When you want to use Skype for Business Online, but are using an on premises ADFS implementation and require MFA for all logins, Skype for Business will fail to authenticate. It cannot handle the ADFS Multi-Factor challenge because MFAÂ is not yet supported for Office 365 Online Skype for Business tenants.
To exempt Skype for Business from your ADFS RPT, use the following claims rule
$rp = Get-AdfsRelyingPartyTrust -name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp –AdditionalAuthenticationRules 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'