How to pass DigiCert Certificate to Office 365 Smart Relay Host

csmith2017
Level 1

Hello Support,

We are using an SSL certificate issued through a valid CA authority to authenticate to our Exchange Online Tenant for Tenant Attribution. As long as the certificate is issued through a valid CA and matches our connector settings and accepted domains, then we should pass authentication and messages should be attributed to our O365 tenant.

We are attempting to use a DigiCert issued certificate (pfx) to pass authentication but we are getting attribution failure errors. We need help in configuring the ESA to pass the DigiCert certificate to the O365 smart host relay.

Thanks

2 Replies

Mathew Huynh
Cisco Employee
Hello csmith2017,

I am attaching an article on TLS on the ESA and using/deploying certificates for usage - essentially when deploying the cert for usage, the ESA sends this cert to the connecting/server host when the certificate exchange is done.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

Ensure that TLS is enabled on the settings where you would like to have the certificate exchange.
If this is not to your requirement - we would like to ask if you could share some more clarity into the current setup and errors noted.

Regards,
Matthew

Hello,

I reviewed the guide you provided and made the necessary changes, however we are still having the same issue. This is the error message from one of the logs:

Message Details

(DCID 86309) Message 90 to cwhippa21@yahoo.com bounced by destination server. Reason: 5.3.0 - Other mail system problem ('550', ['5.7.64 Relay Access Denied ATTR36. For more details please refer to https://support.microsoft.com/kb/3169958 [SN6PR08MB4160.namprd08.prod.outlook.com] [MWHPR08CA0058.namprd08.prod.outlook.com] [BN3NAM04FT063.eop-NAM04.prod.protection.outlook.com]'])

A little more background on this situation:

Microsoft implemented a policy where you can no longer use tenant attribution to match against your O365 tenant and they require you pass a valid certificate when connecting. More on that here:

https://blogs.technet.microsoft.com/exchange/2016/03/29/important-notice-for-office-365-email-customers-who-have-configured-connectors/

As a result of that policy, we are using Postfix/Sendmail to send email through the O365 smart host relay. In that configuration we are specifying a certificate to use when we connect to the smart host relay which allows us to authenticate against our Tenant and perform things like mailflow policies, message traces, etc.

In that, we are looking to replace our Postfix environment with the ESA and this was one of the requirements. It seemed fairly straightforward to me that we could configure this by installing the certificate in the global settings, on the network listeners, and then defining how it should be used in the relay configuration of the mailflow policy. That said, it hasn't been as straightforward as we'd hoped.

I hope this additional information helps.

Thanks
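The ATTR36 bounce above is Exchange Online saying it could not attribute the message to a tenant, and with certificate-based connectors that comes down to the certificate the relay presents: it has to chain to a public CA, be within its validity period, and carry a subject CN or SAN that matches the domain name configured on the O365 inbound connector (exact name or a single-label wildcard such as `*.example.com`). The following script is an added example for checking a certificate against those conditions before blaming the ESA configuration; it is not code from this thread or from Cisco. The certificate dictionary, the host names and the connector name are constructed for illustration, and the wildcard matching rule is this example's reading of the connector behaviour, not an official specification. It uses only the Python standard library, so it can also run a live STARTTLS probe against a relay's listener to read back the certificate actually installed there.

```python
import socket
import ssl
import time

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert().
# The names and dates are made up; this is not the poster's DigiCert certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "relay.example.com")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def cert_names(cert):
    """Collect every DNS name a connector could match: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [name.lower() for name in names]


def name_matches(cert_name, connector_name):
    """Match one certificate name against the connector's sender-certificate name.

    Assumed rule: exact match, or a wildcard (*.example.com) on either side that
    covers exactly one extra label. 'a.b.example.com' does not match '*.example.com'.
    """
    cert_name, connector_name = cert_name.lower(), connector_name.lower()
    if cert_name == connector_name:
        return True
    for pattern, host in ((connector_name, cert_name), (cert_name, connector_name)):
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                return bool(label) and "." not in label
    return False


def check_cert_for_connector(cert, connector_name, now=None):
    """Return (ok, reasons); any reason listed would cause an attribution failure."""
    now = time.time() if now is None else now
    reasons = []
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        reasons.append("certificate is not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("certificate has expired")
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("certificate is self-signed; the connector needs a CA-issued one")
    names = cert_names(cert)
    if not any(name_matches(name, connector_name) for name in names):
        reasons.append(f"no CN/SAN matches connector name {connector_name!r}; cert has {names}")
    return (not reasons, reasons)


def fetch_starttls_cert(host, port=25, timeout=10):
    """Open STARTTLS to a mail host and return the certificate it presents.

    Verification uses the system trust store (so a missing intermediate shows up
    here as a handshake error); hostname checking is off because the name check
    is done separately by check_cert_for_connector().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def read_reply():
            # SMTP multi-line replies use "250-" continuation; the last line has "250 ".
            while True:
                line = reader.readline()
                if not line or line[3:4] != b"-":
                    return line

        read_reply()  # server banner
        sock.sendall(b"EHLO cert-check.example\r\n")
        read_reply()
        sock.sendall(b"STARTTLS\r\n")
        read_reply()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline check of the constructed sample against a hypothetical connector name.
    ok, reasons = check_cert_for_connector(SAMPLE_CERT, "*.example.com")
    print("matches connector" if ok else "would fail attribution: " + "; ".join(reasons))
```

To check the certificate actually loaded on an ESA listener, call `fetch_starttls_cert("<esa-listener-host>")` and pass the result to `check_cert_for_connector()` with the name configured on the O365 connector; a handshake failure at that step points at the chain (for a PFX, confirm the intermediate was included when it was exported), while a "no CN/SAN matches" reason points at a mismatch between the certificate and the connector definition rather than at the ESA's TLS settings.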