Setting up forced TLS in Exchange online
Introduction to TLS
TLS is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and a client communicate, TLS ensures that no third party can tamper with the message. Setting up Forced TLS in Exchange Online requires setting up mail flow connectors. By default, all email in Office 365 is sent using Opportunistic TLS.
When sending with Opportunistic TLS, if a TLS connection cannot be established, the sending server falls back to a basic connection and sends the message in plain text over Simple Mail Transfer Protocol (SMTP). When a message is sent over a Forced TLS connection and the TLS handshake cannot be completed, the message is not delivered and the sender receives a non-delivery report (NDR).
By default, Office 365 is configured to use Opportunistic TLS for all email flow in Exchange Online. Exchange Online servers always encrypt connections to other Exchange Online servers in Microsoft data centers with TLS 1.2.
Setting up Forced TLS
Setting up Forced TLS in Exchange Online requires creating a mail flow connector for the partner organization; the following steps walk through the connector wizard.
- Sign in to the Office 365 admin center.
- Navigate to Admin, then click Exchange under Admin Centers to open the Exchange Admin Center.
- Navigate to Mail Flow and click Connectors.
- Click the + icon to start the connector wizard.
- On the first page, which asks for your scenario, select “Office 365” as the source and “Partner Organization” as the target.
- Name your connector, add a description and click Next.
- Specify the domain names to force TLS with and click Next.
You need to specify every partner domain with which you want to set up Forced TLS mail flow.
- Specify how Office 365 will deliver email to the partner organization and click Next.
- Select the checkbox “Always use Transport Layer Security (TLS) to secure the connection (Recommended)” to ensure all emails are sent over TLS.
- Review the configuration and click Next.
- Specify an email address in the partner domain to validate the connector. You can add multiple addresses: click the + icon to add an address, then click Validate.
- The validation wizard performs a three-step validation.
- Click Close to complete the validation wizard.
- Once validation has succeeded, click Save to save the configuration.
- Once the wizard has saved the configuration, Forced TLS is configured in Exchange Online for mail to the partner organization.
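The same connector the wizard produces can be created from Exchange Online PowerShell, which is easier to review and repeat across partners. The script below is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed, uses the placeholder partner domain `partner.example` and placeholder connector names, and maps the wizard's “Always use TLS” checkbox to `-TlsSettings EncryptionOnly`. The inbound connector goes beyond the wizard steps above (which only cover Office 365 to partner): it forces the reverse direction as well, since an outbound connector alone still accepts the partner's mail over plain SMTP.

```powershell
# Added example (not the article's or Microsoft's own script). Placeholders:
# partner.example, the connector names and the validation mailbox.
Connect-ExchangeOnline   # ExchangeOnlineManagement module; prompts for admin sign-in

$partnerDomain = 'partner.example'

# Outbound: Office 365 -> partner. EncryptionOnly is the wizard's "Always use TLS"
# checkbox: delivery fails with an NDR instead of falling back to plain SMTP when the
# partner MX does not complete the TLS handshake. Certificate trust is not checked.
New-OutboundConnector -Name "Forced TLS to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings EncryptionOnly `
    -Comment 'Forced TLS with partner organization'

# Stricter variant (the wizard's "issued by a trusted CA" plus "subject name matches"
# options): also requires a valid certificate whose subject matches the partner domain.
# New-OutboundConnector -Name "Forced TLS to $partnerDomain (validated)" `
#     -ConnectorType Partner -RecipientDomains $partnerDomain -UseMXRecord $true `
#     -TlsSettings DomainValidation -TlsDomain "*.$partnerDomain"

# Inbound: partner -> Office 365 (addition beyond the wizard steps). RequireTls rejects
# the partner's mail when it arrives over plain SMTP, so both directions are forced.
New-InboundConnector -Name "Forced TLS from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true

# Stricter inbound variant: additionally require the partner's TLS certificate subject
# to match its domain.
# Set-InboundConnector -Identity "Forced TLS from $partnerDomain" `
#     -RestrictDomainsToCertificate $true -TlsSenderCertificateName "*.$partnerDomain"

# Equivalent of the wizard's validation step; sends a test message to the partner mailbox.
Validate-OutboundConnector -Identity "Forced TLS to $partnerDomain" `
    -Recipients 'mailbox@partner.example'

# Review what is actually enforced before telling the partner to switch.
Get-OutboundConnector | Format-Table Name, Enabled, RecipientDomains, TlsSettings, TlsDomain
Get-InboundConnector  | Format-Table Name, Enabled, SenderDomains, RequireTls, RestrictDomainsToCertificate

Disconnect-ExchangeOnline -Confirm:$false
```

`EncryptionOnly` encrypts the session but accepts any certificate, including self-signed ones; use `CertificateValidation` or `DomainValidation` when the partner can commit to a publicly trusted certificate, otherwise their certificate renewal becomes your outage.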
With Forced TLS, you need to work closely with your partner organization so that both organizations set up Forced TLS at the same time. If the partner organization has not set up Forced TLS and tries to communicate over plain SMTP, its email messages will be rejected.
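Before switching a partner over, it is worth confirming that each of their MX hosts actually offers STARTTLS and completes a handshake, because that is exactly the point at which Opportunistic TLS silently falls back to plain text and Forced TLS starts generating NDRs. The probe below is an added example, not part of the original article: it connects to an MX host on port 25, checks whether EHLO advertises STARTTLS, upgrades the session and reports the negotiated protocol, cipher and whether the certificate would pass validation. The host names `mx1.partner.example` and `probe.yourdomain.example` are placeholders.

```powershell
# Added example (not from the original article). Placeholders: mx1.partner.example
# (partner MX host) and probe.yourdomain.example (your own FQDN used in EHLO).

function Read-SmtpReply {
    # Reads one SMTP reply, which may span several "250-..." lines ending in "250 ...".
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$MxHost,
        [int]$Port = 25,
        [string]$EhloName = 'probe.yourdomain.example'   # assumption: replace with your FQDN
    )
    $script:TlsPolicyErrors = $null
    $client = [System.Net.Sockets.TcpClient]::new()
    $client.ReceiveTimeout = 15000
    $client.Connect($MxHost, $Port)
    try {
        $stream = $client.GetStream()
        $ascii  = [System.Text.Encoding]::ASCII
        $reader = [System.IO.StreamReader]::new($stream, $ascii)
        $writer = [System.IO.StreamWriter]::new($stream, $ascii)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected greeting: $($banner -join ' | ')" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader
        $offersStartTls = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' })

        if (-not $offersStartTls) {
            # Opportunistic TLS would fall back to plain SMTP here; Forced TLS would NDR.
            $writer.WriteLine('QUIT')
            return [pscustomobject]@{
                Host = $MxHost; StartTls = $false; Protocol = $null; Cipher = $null
                CertificateValid = $false; CertificateSubject = $null
            }
        }

        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpReply $reader
        if ($ready[-1] -notmatch '^220') { throw "STARTTLS refused: $($ready -join ' | ')" }

        # Record certificate policy errors instead of aborting, so the probe can report
        # whether the certificate would satisfy the "trusted CA" / "subject name" options.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:TlsPolicyErrors = $sslPolicyErrors
            return $true
        }
        $tls = [System.Net.Security.SslStream]::new($stream, $false, $callback)
        $tls.AuthenticateAsClient($MxHost)

        $tlsWriter = [System.IO.StreamWriter]::new($tls, $ascii)
        $tlsWriter.NewLine = "`r`n"
        $tlsWriter.AutoFlush = $true
        $tlsWriter.WriteLine('QUIT')

        return [pscustomobject]@{
            Host               = $MxHost
            StartTls           = $true
            Protocol           = $tls.SslProtocol
            Cipher             = "$($tls.CipherAlgorithm)/$($tls.CipherStrength)"
            CertificateValid   = ($script:TlsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            CertificateSubject = $tls.RemoteCertificate.Subject
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: probe one MX host (placeholder). On Windows, every MX of the partner can be
# enumerated with: Resolve-DnsName partner.example -Type MX | ForEach-Object {
#   Test-SmtpStartTls -MxHost $_.NameExchange }
Test-SmtpStartTls -MxHost 'mx1.partner.example' | Format-List
```

A result with `StartTls = $false` on any MX host means Forced TLS will bounce mail to that partner until they fix it; `CertificateValid = $false` means only the `EncryptionOnly` setting will work, not the certificate or domain validation options.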
Also published on Medium.