Initial situation:
SEPPmail Secure E-Mail Gateway is to be operated in conjunction with Microsoft M365 / Exchange Online environments with multi-tenant capability.
Solution:
For this, certificate-based connectors (CBC) must be used. This prevents email loops from occurring between the respective managed domains of different clients (customers). The Exchange Online Outbound Connectors must be uniquely identifiable in a multi-tenant scenario.
For this purpose, an individual SSL certificate must be configured for each managed domain. This SSL certificate is used for the configuration of the Exchange Online Outbound Connector.
The SSL certificate must be issued to the domain name of the respective managed domain in the CN attribute. The use of wildcard certificates is possible.
If several domains in the same Microsoft tenant are to share the SEPPmail Connector, the same SSL certificate must be imported in all managed domains.
Configuration changes in Exchange Online
Exchange Online >> Mail Flow >> Connectors >> [SEPPmail] Appliance -> ExchangeOnline >> How to identify email sent from your email server >> Edit sent email identity
At the first entry, "By verifying that the subject name on the certificate...", enter *.domain.tld
Example with CN=securemail.domain.tld
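The rules above can be checked against a rollout plan before any connector is changed. The following is an added example, not SEPPmail or Microsoft code: the tenants, domains and fingerprints are constructed, and the matching rule in covers() (the entry *.domain.tld covers domain.tld, any host below it, and a wildcard CN) is an assumption.

```python
from collections import defaultdict

# Constructed sample plan (not real customers): one row per SEPPmail managed domain.
PLAN = [
    {"tenant": "tenant-a", "domain": "alpha.example", "cn": "securemail.alpha.example", "fp": "AA11"},
    {"tenant": "tenant-a", "domain": "alpha-shop.example", "cn": "securemail.alpha.example", "fp": "AA11"},
    {"tenant": "tenant-b", "domain": "beta.example", "cn": "*.beta.example", "fp": "BB22"},
    {"tenant": "tenant-c", "domain": "gamma.example", "cn": "*.beta.example", "fp": "BB22"},
]
# Value entered under "Edit sent email identity" on each tenant's connector.
CONNECTOR_SUBJECT = {"tenant-a": "*.alpha.example", "tenant-b": "*.beta.example",
                     "tenant-c": "*.gamma.example"}


def covers(pattern, cn):
    """Assumed rule: '*.d' covers d, any host below d, and the wildcard CN '*.d'."""
    pattern, cn = pattern.lower().rstrip("."), cn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == cn
    base = pattern[2:]
    return cn == base or cn.endswith("." + base)  # leading dot blocks 'otherdomain.tld'


def audit(plan, connector_subject):
    """Return (scope, problem) tuples for every rule the plan violates."""
    findings = []
    certs_by_tenant = defaultdict(set)   # tenant -> {(fingerprint, CN)}
    tenants_by_cert = defaultdict(set)   # fingerprint -> {tenant}
    domains = defaultdict(list)          # tenant -> [managed domain]
    for row in plan:
        certs_by_tenant[row["tenant"]].add((row["fp"], row["cn"]))
        tenants_by_cert[row["fp"]].add(row["tenant"])
        domains[row["tenant"]].append(row["domain"])
    for tenant, certs in sorted(certs_by_tenant.items()):
        if len(certs) > 1:  # domains sharing a connector must import the same certificate
            findings.append((tenant, "managed domains of one tenant use different certificates"))
        for _, cn in sorted(certs):
            if not any(covers("*." + d, cn) for d in domains[tenant]):
                findings.append((tenant, f"CN {cn} is not under any managed domain"))
            if not covers(connector_subject.get(tenant, ""), cn):
                findings.append((tenant, f"connector subject does not cover CN {cn}"))
    for fp, tenants in sorted(tenants_by_cert.items()):
        if len(tenants) > 1:  # a shared certificate no longer identifies one tenant
            findings.append((fp, "certificate shared by tenants " + ", ".join(sorted(tenants))))
    return findings
```

With the sample plan, audit(PLAN, CONNECTOR_SUBJECT) reports nothing for tenant-a (two domains, one certificate) and three findings caused by tenant-c reusing tenant-b's certificate.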