Microsoft Exchange Edge Address Rewrite with Exchange Online

I had not used the address rewriting functionality on Microsoft Exchange Edge Transport servers before, but a customer needed outbound email to specific domains rewritten while their mailboxes were hosted in Exchange Online. To do this, email for those domains has to be routed back on-premises to an Exchange Edge Transport server, which then delivers it to the designated recipient. I configured a transport rule in Exchange Online that sent email for the specific domains through an outbound connector to my on-premises Edge server, and configured the address rewrite entries on the Edge server. However, although mail was routing correctly, the rewrite was not being applied.

I found a good post linked below that helped explain how address rewriting works:

Why is my Address Rewriting not working as expected?

After reading the article I determined that mail arriving from Exchange Online was not being treated as authoritative by the Edge server: it came in over an anonymous receive connector, so the address rewriting agent treated it as external mail and left it alone. I configured a new receive connector on the Edge server whose remote IP ranges are the Exchange Online Protection (EOP) addresses and which uses ExternalAuthoritative authentication for them, and this enabled the rewrite to work as expected. The commands below are an example of what I ran:

New-ReceiveConnector -Name "Exchange Online Protection" -RemoteIPRanges 23.103.132.1-23.103.159.254,23.103.198.1-23.103.203.254,23.103.212.1-23.103.215.254,40.92.0.1-40.95.255.254,40.107.0.1-40.107.191.254,52.100.0.1-52.103.255.24,65.55.88.1-65.55.88.254,65.55.169.1-65.55.169.254,94.245.120.65-94.245.120.126,104.47.0.1-104.47.127.254,134.170.132.1-134.170.132.254,134.170.140.1-134.170.140.254,157.55.234.1-157.55.234.254,157.56.110.1-157.56.112.254,207.46.51.65-207.46.51.126,207.46.100.1-207.46.100.254,207.46.163.1-207.46.163.254,213.199.154.1-213.199.154.254,213.199.180.129-213.199.180.190,216.32.180.1-216.32.181.254 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeServers,Partners -Bindings 0.0.0.0:25

Get-ReceiveConnector *Exchange* | Set-ReceiveConnector -AuthMechanism ExternalAuthoritative,Tls -RequireTls:$true -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn "mail.domain.co.uk" -TlsCertificateName "<I>CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE<S>CN=hybrid.domain.co.uk, O=Company, L=Town, S=County, C=GB"

Note that I have changed the FQDN and TlsCertificateName parameters to exclude the company I was working for, but this should help anyone else in the situation I was in. Bear in mind what ExternalAuthoritative does: every host in RemoteIPRanges is trusted as if it were an internal Exchange server, and mail from those hosts bypasses the Edge anti-spam agents, so keep that list to the EOP ranges only and leave RequireTls enabled so that the connector only honours the trust over a TLS session. There is also the risk with this method that the EOP IP addresses may change; I would recommend subscribing to the RSS feed that can be found on the Office 365 IP addresses page.
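The following script is an added example, not part of the original post, that puts the steps above together: it pulls the current EOP SMTP ranges from the Office 365 IP Address and URL web service (endpoints.office.com) instead of a hand-typed list, creates or refreshes the receive connector with ExternalAuthoritative and mandatory TLS, adds a rewrite entry, and then checks which connectors carry the ExternalAuthoritative trust. The connector name, FQDN, certificate issuer/subject and rewrite domains are placeholders; the filter on serviceArea "Exchange" and TCP port 25 is the assumption used to pick out the EOP ranges from the web service output. It is meant to be run in the Exchange Management Shell on the Edge Transport server.

```powershell
# Added example (not from the original post). Assumes endpoints.office.com is reachable
# from the Edge server; all names and domains below are placeholders.
$ConnectorName = 'Exchange Online Protection'
$EdgeFqdn      = 'mail.domain.co.uk'
# -TlsCertificateName uses the <I>issuer<S>subject syntax; both values are placeholders.
$CertName      = '<I>CN=Example Issuing CA, O=Example CA, C=GB<S>CN=hybrid.domain.co.uk, O=Company, L=Town, S=County, C=GB'

# 1. Current EOP IPv4 ranges: Exchange service area entries that list TCP/25.
#    clientrequestid must be a GUID and should be fresh on every call.
$uri       = 'https://endpoints.office.com/endpoints/worldwide?clientrequestid=' + [guid]::NewGuid()
$endpoints = Invoke-RestMethod -Uri $uri -Method Get

$eopRanges = $endpoints |
    Where-Object {
        $_.serviceArea -eq 'Exchange' -and $_.ips -and $_.tcpPorts -and
        (($_.tcpPorts -split ',') -contains '25')
    } |
    ForEach-Object { $_.ips } |
    Where-Object { $_ -notmatch ':' } |   # IPv4 only; the connector binds 0.0.0.0:25
    Sort-Object -Unique

if (-not $eopRanges) {
    throw 'No EOP SMTP ranges returned from the web service; leaving the connector untouched.'
}

# 2. Create the connector if it is missing. Anonymous + Tls first, exactly as in the post;
#    ExchangeServers must be in PermissionGroups for ExternalAuthoritative to be accepted.
$rc = Get-ReceiveConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
if (-not $rc) {
    New-ReceiveConnector -Name $ConnectorName -Usage Custom -Bindings '0.0.0.0:25' `
        -RemoteIPRanges $eopRanges -AuthMechanism Tls `
        -PermissionGroups AnonymousUsers, ExchangeServers, Partners | Out-Null
}

# 3. ExternalAuthoritative is what makes mail from these ranges count as coming from inside
#    the organisation, so the address rewriting agent acts on it. It also bypasses the
#    anti-spam agents for those sources, so the range list is replaced wholesale with the
#    EOP list and TLS is required rather than optional.
Set-ReceiveConnector -Identity $ConnectorName -RemoteIPRanges $eopRanges `
    -AuthMechanism ExternalAuthoritative, Tls -RequireTls $true `
    -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptOorgProtocol' `
    -Fqdn $EdgeFqdn -TlsCertificateName $CertName

# 4. The rewrite entry itself (placeholder domains): InternalAddress is what users send
#    from, ExternalAddress is what the recipient should see.
$entryName = 'Rewrite sales domain'
if (-not (Get-AddressRewriteEntry -Identity $entryName -ErrorAction SilentlyContinue)) {
    New-AddressRewriteEntry -Name $entryName `
        -InternalAddress 'sales.domain.co.uk' -ExternalAddress 'domain.com' | Out-Null
}

# 5. Check: only this connector should carry ExternalAuthoritative, and its remote ranges
#    should all have come from the EOP list fetched above.
Get-ReceiveConnector |
    Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
    Format-Table Identity, RequireTls, @{ n = 'RemoteIPRanges'; e = { $_.RemoteIPRanges -join ',' } } -AutoSize
```

Re-running the script is safe: step 2 only fires when the connector does not exist, and step 3 replaces the RemoteIPRanges list with whatever the web service currently publishes, which is the part that otherwise drifts over time. If the service returns nothing (network failure, changed schema) the script stops before touching the connector rather than leaving it with an empty trusted range.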
