Using an Exchange Edge Transport server to rewrite the outbound sender address from Microsoft 365 domain 1 (xyz.com) to domain 2 (abc.com)

  1. Install Exchange 2016 Edge Transport on a workgroup (non-domain-joined) server. The commands below use servername.xyz.com as the server FQDN; it must resolve in public DNS and it is the name the certificate in step 3 is issued for.
  2. Create Receive connectors that accept mail from the published EOP IP ranges on port 25. They sit beside the default Edge connector on the same binding; Exchange hands a session to the connector whose RemoteIPRanges matches the sending host most specifically, so only connections from these ranges get the relaxed permissions granted below.

New-ReceiveConnector -Name "From EOP 1" -RemoteIPRanges 40.92.0.0/15 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings 0.0.0.0:25
New-ReceiveConnector -Name "From EOP 2" -RemoteIPRanges 40.107.0.0/16 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings 0.0.0.0:25
New-ReceiveConnector -Name "From EOP 3" -RemoteIPRanges 52.100.0.0/14 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings 0.0.0.0:25
New-ReceiveConnector -Name "From EOP 4" -RemoteIPRanges 104.47.0.0/17 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings 0.0.0.0:25
New-ReceiveConnector -Name "From EOP 5" -RemoteIPRanges 2a01:111:f400::/48 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings [::]:25
New-ReceiveConnector -Name "From EOP 6" -RemoteIPRanges 2a01:111:f403::/48 -Usage Custom -AuthMechanism Tls -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,Partners -Bindings [::]:25

The two IPv6 connectors must bind to [::]:25; a 0.0.0.0:25 binding listens on IPv4 only, so an IPv6 remote range behind it is a dead entry. Skip them if the server has no public IPv6 address. Check these ranges against Microsoft's current Office 365 endpoint list before creating the connectors and review them when that list changes, because every range listed here is granted relay in the next step.

Get-ReceiveConnector | Where-Object { $_.Name -like 'From EOP *' } | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

This grants anonymous senders the right to relay to any recipient, which EOP needs in order to hand outbound mail to the Edge server for delivery elsewhere. It also makes each connector an open relay for whatever RemoteIPRanges admits, so never widen those ranges. Keep in mind that the EOP ranges are shared by every Microsoft 365 tenant, not only yours: any tenant that points an outbound connector at this host lands on the same connectors. Step 4 forces TLS on them; restricting by originating tenant needs a separate control (for example an Edge transport rule that rejects mail whose X-OriginatorOrg header names another tenant).

3. Add a public SSL certificate for Exchange SMTP.

New-ExchangeCertificate -GenerateRequest -RequestFile "C:\temp\xyz.req" -SubjectName "c=US,o=xyz,cn=servername.xyz.com" -DomainName servername.xyz.com

Submit the request to a public CA, import the issued certificate on the Edge server (Import-ExchangeCertificate), then enable it for SMTP by its thumbprint:

Enable-ExchangeCertificate -Thumbprint F10585FA183874B35C5FC8D734462824ED4F9E8A -Services SMTP

The subject and SAN must match the FQDN the connectors advertise (servername.xyz.com); if the Microsoft 365 outbound connector in step 6 is set to validate the certificate, a name mismatch breaks the whole flow.

4. Require TLS on the EOP Receive connectors.

$cert = Get-ExchangeCertificate -Thumbprint F10585FA183874B35C5FC8D734462824ED4F9E8A
$tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Get-ReceiveConnector | Where-Object { $_.Name -like 'From EOP *' } | Set-ReceiveConnector -AuthMechanism ExternalAuthoritative,Tls -RequireTls $true -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -TlsCertificateName $tlscertificatename -Fqdn servername.xyz.com

$tlscertificatename is the "<I>issuer<S>subject" form Exchange expects, built from the certificate enabled in step 3. ExternalAuthoritative makes Exchange treat everything arriving on the connector as internal, already-authenticated mail (the anti-spam agents skip it and any sender address is accepted), so RemoteIPRanges plus RequireTls are the entire perimeter here. TlsDomainCapabilities offers the XOORG extension (AcceptOorgProtocol) only to a peer that presents a validated certificate for mail.protection.outlook.com; it does not by itself reject peers that present other certificates.
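Two things the steps above leave implicit, as an added example that is not part of the original notes: importing the issued certificate before Enable-ExchangeCertificate, and a check that the EOP connectors really carry the hardening described. The file path C:\temp\xyz.cer, the function name, the tenant domains in the final rule and the assumption that Exchange Online stamps X-OriginatorOrg with the sending tenant's domain are mine; $eopRanges is the list from step 2.

```powershell
# Added example, not from the original notes. Run in the Exchange Management Shell on the Edge server.
# Assumptions: the issued certificate sits at C:\temp\xyz.cer; $eopRanges mirrors the ranges used in step 2.

# --- Import the certificate issued for the step-3 request, then confirm one SMTP-enabled certificate
#     carries the server FQDN (Import-ExchangeCertificate only installs it; Enable-ExchangeCertificate
#     -Services SMTP from step 3 binds it).
$certPath = 'C:\temp\xyz.cer'
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($certPath))
$cert = Get-ExchangeCertificate | Where-Object {
    $_.CertificateDomains -contains 'servername.xyz.com' -and "$($_.Services)" -match 'SMTP'
} | Select-Object -First 1
if (-not $cert) { throw 'No SMTP-enabled certificate for servername.xyz.com; enable it first (step 3).' }
$expectedTlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# --- Audit the EOP connectors. The anonymous relay right (step 2) plus ExternalAuthoritative (step 4)
#     make each one an open relay for whatever RemoteIPRanges admits, so every item below is a finding.
$eopRanges = @('40.92.0.0/15', '40.107.0.0/16', '52.100.0.0/14', '104.47.0.0/17',
               '2a01:111:f400::/48', '2a01:111:f403::/48')

function Test-EopReceiveConnector {
    param(
        [string]   $NamePattern     = 'From EOP *',
        [string[]] $AllowedRanges   = $eopRanges,
        [string]   $ExpectedTlsName = $expectedTlsName
    )
    foreach ($rc in (Get-ReceiveConnector | Where-Object { $_.Name -like $NamePattern })) {
        $findings = @()
        foreach ($range in $rc.RemoteIPRanges) {
            if ($AllowedRanges -notcontains "$range") { $findings += "unexpected remote range $range" }
        }
        if (-not $rc.RequireTLS) { $findings += 'RequireTLS is off' }
        if ("$($rc.AuthMechanism)" -notmatch 'ExternalAuthoritative') { $findings += 'ExternalAuthoritative not set' }
        if ("$($rc.TlsCertificateName)" -ne $ExpectedTlsName) { $findings += 'TlsCertificateName does not match the SMTP certificate' }
        if (-not ($rc.TlsDomainCapabilities | Where-Object { "$_" -like 'mail.protection.outlook.com:*' })) {
            $findings += 'no TlsDomainCapabilities entry for mail.protection.outlook.com'
        }
        # The relay right is expected on these connectors; it is reported so the range findings are read in context.
        $relay = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\Anonymous Logon' -ErrorAction SilentlyContinue |
                 Where-Object { "$($_.ExtendedRights)" -match 'Accept-Any-Recipient' -and -not $_.Deny }
        [pscustomobject]@{
            Connector      = $rc.Name
            AnonymousRelay = [bool]$relay
            Findings       = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Test-EopReceiveConnector | Format-Table -AutoSize

# --- Assumption (defence in depth): the EOP ranges are shared by every Microsoft 365 tenant. Mail from
#     Exchange Online carries an X-OriginatorOrg header naming the sending tenant; reject anything on which
#     that header exists but names a domain other than ours. Predicate and action names are those documented
#     for Edge transport rules; replace the domains with the tenant's own.
New-TransportRule -Name 'Reject relay from other tenants' `
    -HeaderMatchesMessageHeader 'X-OriginatorOrg' -HeaderMatchesPatterns '.' `
    -ExceptIfHeaderContainsMessageHeader 'X-OriginatorOrg' -ExceptIfHeaderContainsWords 'xyz.com', 'xyz.onmicrosoft.com' `
    -SmtpRejectMessageRejectText 'Relay from this tenant is not permitted' -SmtpRejectMessageRejectStatusCode '550'
```

Run the audit again after any change to the connectors; a connector showing AnonymousRelay = True together with an "unexpected remote range" finding is the combination that turns this design into an Internet-facing open relay.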

5. Create a Send connector. The Edge server must deliver the rewritten mail onward, either straight to the Internet by MX lookup, as the command below does, or back into EOP as a smart host for the second tenant (abc.com). For the smart-host variant add -SmartHosts <the second tenant's MX host> -DNSRoutingEnabled $false, and in that tenant create an inbound connector that trusts this Edge server (step 6 covers the first tenant's side). Either way set -Fqdn servername.xyz.com so the HELO name matches the certificate, and consider -RequireTLS $true.

New-SendConnector -Internet -Name "To Internet" -AddressSpaces *

6. In the first tenant (xyz.com), create an outbound connector of the "your organization's email server" type that routes mail to the Edge server by its public IP or DNS load-balancer VIP, scoped to the mail that should be rewritten (all outbound mail, or a subset selected by a transport rule).
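The routing pieces that steps 5 and 6 describe only in prose, as an added example that is not part of the original notes. The second tenant's EOP MX host (abc-com.mail.protection.outlook.com) and the connector names are assumptions; the first command runs on the Edge server, the other two in Exchange Online PowerShell connected to the respective tenant.

```powershell
# Added example, not from the original notes. Assumed values: the second tenant's EOP MX host
# (abc-com.mail.protection.outlook.com) and the connector names. Section 1 runs on the Edge server;
# sections 2 and 3 in Exchange Online PowerShell, each connected to its own tenant.

# --- 1. Edge server: Send connector that hands the rewritten mail to the second tenant's EOP endpoint as a
#        smart host instead of resolving MX records itself. TLS is required and the peer must present a valid
#        certificate for mail.protection.outlook.com; the HELO name matches the step-3 certificate.
New-SendConnector -Name 'To EOP (abc.com)' -Usage Internet -AddressSpaces '*' `
    -SmartHosts 'abc-com.mail.protection.outlook.com' -DNSRoutingEnabled $false `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain 'mail.protection.outlook.com' `
    -Fqdn 'servername.xyz.com'

# --- 2. First tenant (xyz.com): route outbound mail through the Edge server. Domain validation pins the hop
#        to the name on the Edge certificate rather than to an IP address that may change.
New-OutboundConnector -Name 'To Edge (address rewrite)' -ConnectorType OnPremises `
    -SmartHosts 'servername.xyz.com' -UseMXRecord $false `
    -TlsSettings DomainValidation -TlsDomain 'servername.xyz.com' `
    -RecipientDomains '*' -RouteAllMessagesViaOnPremises $true

# --- 3. Second tenant (abc.com): trust mail from the Edge server as on-premises traffic, identified by the
#        certificate it presents, so abc.com senders arriving from it are not treated as spoofed.
New-InboundConnector -Name 'From Edge (rewritten xyz.com mail)' -ConnectorType OnPremises `
    -SenderDomains '*' -RequireTls $true `
    -TlsSenderCertificateName 'servername.xyz.com' -RestrictDomainsToCertificate $true
```

Both tenant-side connectors identify the Edge server by the certificate name rather than by source IP, which is why step 3's certificate must carry exactly servername.xyz.com: the Edge server presents it to tenant 2 when sending and to tenant 1 when receiving.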

7. Enable address rewriting on the Edge server.

Enable-TransportAgent -Identity "Address Rewriting Inbound Agent"
Enable-TransportAgent -Identity "Address Rewriting Outbound Agent"
Restart-Service MSExchangeTransport

Get-TransportAgent | Where-Object { $_.Identity -like "Address Rewriting *" }

Both agents are disabled by default, and the Microsoft Exchange Transport service must be restarted after enabling them; the Get-TransportAgent call confirms both show Enabled = True. Then create the rewrite entries:

New-AddressRewriteEntry -Name "Outbound" -InternalAddress xyz.com -ExternalAddress abc.com -OutboundOnly $true

New-AddressRewriteEntry -Name "123" -InternalAddress [email protected] -ExternalAddress [email protected]

The domain entry rewrites every xyz.com sender address to abc.com on mail leaving through the Edge server. -OutboundOnly $true stops the inbound agent from rewriting abc.com recipients back to xyz.com, which is what you want when abc.com is a live domain in the second tenant (step 5): replies are addressed to abc.com and delivered there. The second entry is the single-address form, for a mailbox whose mapping differs from the domain rule.
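A check on what the rewrite actually did, as an added example that is not part of the original notes. Once the agents are enabled and a test message has been sent from an xyz.com mailbox, it lists the rewrite entry and scans the Edge message tracking log for SEND events that still carry an xyz.com sender, which means the outbound agent did not fire for them. The domain names, the 24-hour window and the function name are assumptions.

```powershell
# Added example, not from the original notes. Run on the Edge server once the agents are enabled and a
# test message has been sent from an xyz.com mailbox. Assumptions: the domain names, a 24-hour window
# and the function name.

function Test-OutboundAddressRewrite {
    param(
        [string] $InternalDomain = 'xyz.com',
        [string] $ExternalDomain = 'abc.com',
        [int]    $LookbackHours  = 24
    )
    # Both agents must be enabled; a disabled outbound agent silently leaves addresses unrewritten.
    $disabled = @(Get-TransportAgent | Where-Object { $_.Identity -like 'Address Rewriting *' -and -not $_.Enabled })

    # The domain entry that should cover every sender in the internal domain.
    $entry = Get-AddressRewriteEntry | Where-Object {
        "$($_.InternalAddress)" -eq $InternalDomain -and "$($_.ExternalAddress)" -eq $ExternalDomain
    } | Select-Object -First 1

    # A SEND event whose sender still belongs to the internal domain left the server unrewritten:
    # the agent was off, the entry is missing, or the message did not pass through the outbound agent.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $leaked = @(Get-MessageTrackingLog -EventId SEND -Start $since -ResultSize Unlimited |
                Where-Object { "$($_.Sender)" -like "*@$InternalDomain" })

    [pscustomobject]@{
        AgentsDisabled   = if ($disabled) { ($disabled | ForEach-Object { $_.Identity }) -join ', ' } else { 'none' }
        RewriteEntry     = if ($entry) { "$($entry.InternalAddress) -> $($entry.ExternalAddress), OutboundOnly=$($entry.OutboundOnly)" } else { 'MISSING' }
        UnrewrittenSends = $leaked.Count
        Samples          = ($leaked | Select-Object -First 5 | ForEach-Object {
                               "$($_.Timestamp) $($_.Sender) -> $($_.Recipients -join ',')" }) -join "`n"
    }
}

Test-OutboundAddressRewrite | Format-List
```

The check only looks at mail leaving the server; RECEIVE events from EOP still show xyz.com senders, which is expected, since the rewrite happens after the message has been accepted.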

useful reading:

https://mymicrosoftexchange.wordpress.com/tag/address-rewriting/

https://docs.microsoft.com/en-us/exchange/architecture/edge-transport-servers/address-rewriting-procedures?view=exchserver-2019