I have inherited a hybrid deployment between Exchange 2016 on prem and Exchange Online. One of the first things I had to do was turn off centralized message transport, as it was adding two unnecessary hops to the mail flow and 100% reliance on the on prem server.

One thing that has come to light, due to a transport rule that prepends a message to any message originating outside of the organization, is that any message submitted to the on prem server from our MFDs or legacy apps is being considered as an external message.

I have been making changes to remote domains, inbound connectors, and outbound connectors in accordance with all hybrid guidance online, but all of my tests are still appearing as external messages.

As my test is to simply telnet to the on prem server and send a message from myself to myself, would this be a valid way to test the changes to our environment? I am wondering if because I am connecting to the server anonymously, this might mean the message is marked as external regardless of my changes to the connectors etc?

James Edmonds

1 Answer

Did you want to set the SMTP relay message as internal? You could set the receive connector you just created as “Externally Secure”.

The receive connector auth and permissions will now look like this:

AuthMechanism : Tls, ExternalAuthoritative

PermissionGroups : AnonymousUsers, ExchangeServers

What you see in the headers of a received message:

X-MS-Exchange-Organization-AuthAs: Internal

X-MS-Exchange-Organization-AuthMechanism: 10

In the end, all messages that pass through this connector (and eventually through the hybrid connector to Office 365) will be considered authenticated.

Jayce
  • I did attempt this, but didn't seem to correct the situation. I'll have another go! Thanks – James Edmonds Apr 29 '21 at 12:24
  • Looks like the changes to connectors take a little while to kick in, even with just a single server. Have now disabled the anonymous connector my predecessor created, and amended the default frontend connector as per your suggestion, and is now working as expected. Thanks! – James Edmonds Apr 29 '21 at 14:04
  • So glad to know this is resolved. – Jayce Apr 30 '21 at 01:13
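
An added example, not part of the original answer or comments: because an Externally Secure connector stamps everything it accepts as authenticated, one way to apply the setting is on a dedicated relay connector scoped to the MFD and legacy app addresses, then audit for any Externally Secure connector that is still open to every source. The server name, connector name and IP addresses are placeholders (192.0.2.0/24 is a documentation range).

```powershell
# Run in the Exchange Management Shell on the on-prem Exchange 2016 server.
# Assumptions (not from the original post): all three values below are placeholders.
$server   = 'EXCH01'                          # placeholder server name
$name     = 'Internal Relay (MFD and apps)'   # placeholder connector name
$relayIPs = '192.0.2.10', '192.0.2.11'        # placeholder device/app addresses

# Create the dedicated connector only if it does not exist yet.
# RemoteIPRanges limits which hosts can reach it at all.
if (-not (Get-ReceiveConnector -Server $server | Where-Object Name -eq $name)) {
    New-ReceiveConnector -Name $name -Server $server `
        -TransportRole FrontendTransport -Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIPs
}

# The settings shown in the answer. ExternalAuthoritative requires the
# ExchangeServers permission group to be present.
Set-ReceiveConnector -Identity "$server\$name" `
    -AuthMechanism Tls, ExternalAuthoritative `
    -PermissionGroups AnonymousUsers, ExchangeServers

# Review every connector on the server that treats its senders as authenticated.
$extSecure = Get-ReceiveConnector -Server $server |
    Where-Object { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' }

$extSecure |
    Format-List Identity, Enabled, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# Flag any of them that still accepts connections from the whole IPv4 range:
# mail from any host that can reach port 25 would be stamped AuthAs: Internal.
$extSecure |
    Where-Object {
        ($_.RemoteIPRanges | ForEach-Object { "$_" }) -contains '0.0.0.0-255.255.255.255'
    } |
    Select-Object Identity, RemoteIPRanges
```

After the change has taken effect, a test message sent from one of the listed addresses should carry the `X-MS-Exchange-Organization-AuthAs: Internal` header shown above, while a connection from any other address should not be accepted by this connector.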