Friday, February 11, 2022

Using PowerShell to configure Exchange Online Inbound and Outbound Connectors to force TLS

As stated in the following Microsoft documentation:

How Exchange Online uses TLS to secure email connections
https://docs.microsoft.com/en-us/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections?view=o365-worldwide

By default, Exchange Online always uses opportunistic TLS. Opportunistic TLS means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient must use secure connections, then by default the message will be sent without encryption if the recipient organization doesn't support TLS encryption. Opportunistic TLS is sufficient for most businesses. However, for businesses that have compliance requirements such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS.

I have worked with organizations in the past which have had extremely strict requirements for messaging delivery and have asked for connectors to be configured to force inbound and outbound TLS connections. For inbound connections, it can be a bit labour intensive if there is a long list of domains to be configured. For outbound connections, it can also be laborious to configure multiple domains with corresponding smarthosts specifying where to establish a TLS connection and send the email (this covers organizations that do not have SPF records configured).

Manually configuring inbound and outbound connectors with the GUI may not be the best approach for an abundance of domains, so I’ve created the following two scripts that use an Excel file to import the configuration settings.

Inbound Connector

The purpose of this script is to create an inbound connector for Exchange Online that forces the defined incoming domains to require TLS.

This script will import a list of domains from an Excel spreadsheet with a column named domains.

https://github.com/terenceluk/Microsoft-365/blob/main/Exchange-Online/Create-Inbound-Connector-For-TLS.ps1

The format used for the spreadsheet should look as follows:

[image: spreadsheet with a single column headed "domains"]

Note that there is a limit on the total length of the sender domains passed to the connector, so if there are too many domains you’ll need to split them across more than one connector. Otherwise the script fails with:

Exception: Cannot bind parameter 'SenderDomains' to the target. Exception setting "SenderDomains": "SenderDomainString: The length of the property is too long. The maximum length is 2243 and the length of the value provided is 5666."

[image: screenshot of the SenderDomains length error]
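The following is an added example of the inbound approach, written for this write-up rather than taken from the script linked above. It assumes the ExchangeOnlineManagement and ImportExcel modules are installed, a spreadsheet with a column named "domains", and the file name, connector name and 2000-character safety margin are my own choices. It also batches the domain list so each connector stays under the 2243-character SenderDomains limit shown in the error above, creating a numbered connector per batch instead of failing.

```powershell
#Requires -Modules ExchangeOnlineManagement, ImportExcel
# Added example, not the blog author's script. Assumed values: file name,
# connector name and the 2000-character margin (the hard limit seen is 2243).
param(
    [string]$ExcelPath             = '.\inbound-domains.xlsx',
    [string]$ConnectorName         = 'Partner-Inbound-ForceTLS',
    [int]   $MaxSenderDomainLength = 2000
)

Connect-ExchangeOnline -ShowBanner:$false

# Read the "domains" column, drop blanks, normalise case and remove duplicates.
$domains = Import-Excel -Path $ExcelPath |
    ForEach-Object { $_.domains } |
    Where-Object   { -not [string]::IsNullOrWhiteSpace($_) } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique

if (-not $domains) { throw "No values found in column 'domains' of $ExcelPath" }

# SenderDomains is stored as one comma-joined string with a maximum length,
# so split the list into batches whose joined length stays under the margin.
$batches = @()
$current = @()
foreach ($d in $domains) {
    $joined = ($current + $d) -join ','
    if ($current.Count -gt 0 -and $joined.Length -gt $MaxSenderDomainLength) {
        $batches += ,$current      # unary comma keeps the batch as one element
        $current  = @()
    }
    $current += $d
}
if ($current.Count -gt 0) { $batches += ,$current }

$index = 0
foreach ($batch in $batches) {
    $index++
    # Single batch keeps the plain name; multiple batches get a numeric suffix.
    $name = if ($batches.Count -gt 1) { "$ConnectorName-$index" } else { $ConnectorName }

    if (Get-InboundConnector -Identity $name -ErrorAction SilentlyContinue) {
        Write-Warning "Inbound connector '$name' already exists; skipping"
        continue
    }

    # RequireTls $true rejects mail from these sender domains unless it arrives
    # over TLS. Certificate/IP restrictions are left off here; enable them if the
    # partner's certificate subject or source IPs are known.
    New-InboundConnector -Name $name `
        -ConnectorType Partner `
        -SenderDomains $batch `
        -RequireTls $true `
        -RestrictDomainsToCertificate $false `
        -RestrictDomainsToIPAddresses $false `
        -Enabled $true |
        Select-Object Name, RequireTls, @{ n = 'DomainCount'; e = { $_.SenderDomains.Count } }
}

# Confirm what was created and that TLS is actually required on every connector.
Get-InboundConnector | Where-Object { $_.Name -like "$ConnectorName*" } |
    Format-Table Name, Enabled, RequireTls, ConnectorType -AutoSize
```

The final Get-InboundConnector check is worth keeping in a change record: a connector that exists but shows RequireTls as False still accepts unencrypted mail from the listed domains, which is the exact condition the compliance requirement is meant to rule out.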

Outbound Connector

The purpose of this script is to create an outbound connector for Exchange Online that forces the defined destination domains to require TLS and use a defined smarthost.

This script will import a list of domains from an Excel spreadsheet with a column named domains.

https://github.com/terenceluk/Microsoft-365/blob/main/Exchange-Online/Create-Outbound-Connector-For-TLS.ps1

The format used for the spreadsheet should look as follows:

[image: spreadsheet with a "domains" column]
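As an added example of the outbound side (again my own code, not the linked script), the block below assumes the same two modules and a spreadsheet with a "domains" column plus a "smarthost" column holding the host each domain must be routed to; the column name "smarthost", the file name and the connector name prefix are assumptions. It groups rows by smarthost so each smarthost gets one connector carrying all of its domains, and it requires TLS with certificate validation rather than encryption only.

```powershell
#Requires -Modules ExchangeOnlineManagement, ImportExcel
# Added example, not the blog author's script. Assumed values: file name,
# "smarthost" column name and the connector name prefix.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ExcelPath  = '.\outbound-domains.xlsx',
    [string]$NamePrefix = 'Partner-Outbound-ForceTLS'
)

Connect-ExchangeOnline -ShowBanner:$false

# Keep only rows that have both a domain and a smarthost, then group by smarthost.
$groups = Import-Excel -Path $ExcelPath |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.domains) -and
                   -not [string]::IsNullOrWhiteSpace($_.smarthost) } |
    Group-Object -Property { $_.smarthost.Trim().ToLowerInvariant() }

if (-not $groups) { throw "No usable rows (domains + smarthost) found in $ExcelPath" }

foreach ($g in $groups) {
    $smarthost = $g.Name
    $domains   = $g.Group |
        ForEach-Object { $_.domains.Trim().ToLowerInvariant() } |
        Sort-Object -Unique

    # Derive a connector name from the smarthost, e.g. mail.partner.example -> mail-partner-example
    $name = "$NamePrefix-$($smarthost -replace '[^a-z0-9]', '-')"

    if (Get-OutboundConnector -Identity $name -ErrorAction SilentlyContinue) {
        Write-Warning "Outbound connector '$name' already exists; skipping"
        continue
    }

    if ($PSCmdlet.ShouldProcess($name, "Create outbound connector for $($domains.Count) domain(s) via $smarthost")) {
        # UseMXRecord $false forces delivery through the smarthost instead of MX lookup.
        # TlsSettings CertificateValidation requires TLS and a certificate issued by a
        # trusted CA whose name matches the smarthost; EncryptionOnly would accept any
        # certificate, and DomainValidation would additionally need -TlsDomain.
        New-OutboundConnector -Name $name `
            -ConnectorType Partner `
            -RecipientDomains $domains `
            -SmartHosts $smarthost `
            -UseMXRecord $false `
            -TlsSettings CertificateValidation `
            -IsTransportRuleScoped $false `
            -Enabled $true |
            Select-Object Name, TlsSettings, UseMXRecord, @{ n = 'SmartHosts'; e = { $_.SmartHosts -join ',' } }
    }
}

# Review the result: every connector should show TlsSettings other than $null
# and UseMXRecord False, otherwise mail to those domains is not being forced over TLS.
Get-OutboundConnector | Where-Object { $_.Name -like "$NamePrefix*" } |
    Format-Table Name, Enabled, TlsSettings, UseMXRecord, RecipientDomains -AutoSize
```

Run it once with -WhatIf to see which connectors would be created from the spreadsheet before touching the tenant. Grouping by smarthost keeps the number of connectors equal to the number of distinct partners rather than the number of domains, which is usually what the requirement actually describes.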
