Connection of NoSpamProxy in Office 365

Since version 10 the full integration of NoSpamProxy in Office 365 is possible. This article describes the configuration steps required in both NoSpamProxy configuration and Office 365.

An article at Microsoft is worth mentioning in this context that no other SMTP hosts are allowed between an on-premises Exchange CAS or Exchange Edge Transport Server and Exchange Online Protection (EOP). Since NoSpamProxy always works before the complete Exchange infrastructure, this hint can be ignored.

Enabling Office 365 as a relay host

First, Office 365 must be allowed as relay host in the NoSpamProxy configuration. This step is necessary so that e-mails can be sent from Office 365 to external communication partners through NoSpamProxy. Otherwise NoSpamProxy would recognize and reject the email as a relay abuse attempt.

To allow Office 365 as relay host, switch to the “Configuration / E-mail routing” menu in the NoSpamProxy MMC. In the upper section, the “Corporate email servers” are specified.

Click Add. The dialog “Manage corporate email server” opens.

Select the item “As Office 365 Tenant” and click Next.

Now enter your tenant ID. Please make sure to enter the name of your ID, not the ID in hexadecimal notation. Click Next.

Now select the domains that you have configured in Office 365 and that will appear in the sender address for outgoing Emails. If you do not find all domains here, you must add the missing domains in the menu “People and identities / Domains and users” and there in the section “Owned domains”. You are also welcome to do this at a later date. Click on Next.

Finally, you can enter a comment and then click Finish. The email server is now created.

Forwarding to Office 365

Next, NoSpamProxy is configured to forward all incoming emails to Office 365. To do this, you must edit the inbound send connectors in the “Configuration / E-mail routing” menu. If inbound emails are to be sent to Office 365, it is absolutely necessary to switch NoSpamProxy to the so-called queue mode. To do this, click on “Switch to queued delivery” in the “Inbound send connectors” section. The “Change delivery” dialog opens.


Click here on Replace delivery.

Incoming_Send Connectors-2-Processed
Select “Office 365” and click Next.

Incoming_Send Connectors-3
Now you can assign any name for the inbound send connector and select the gateway role(s) to process emails to Office 365. Then click Next.

Incoming_Send Connectors-4-Processed
Next, you must enter a certificate for the “client identity”. This will authenticate NoSpamProxy to the Office 365 server. To do this, click Select certificate. The dialog for selecting the certificate opens.

Incoming_Send Connectors-5-Processed
Now select the certificate created by NoSpamProxy during setup. ou can recognize it by the fact that it contains the host name and has a validity of about 50 years. Alternatively, you can select a TLS certificate that you have purchased in advance from a trusted certification authority such as D-Trust, SwissSign or GlobalSign. The advantage is that you can select this certificate in the Office 365 environment to prevent man-in-the-middle attacks.

Select the certificate and click Select and close.

Incoming_Send Connectors-6
To complete the wizard, click Finish.

The configuration for NoSpamProxy is now complete.

Office 365 Configuration

Finally, the Office 365 Tenant is configured so that outbound emails are not delivered directly to the recipient server, but first to NoSpamProxy.
Log in to your Office 365 Tenant using the following link:

Use a user with administration rights. This is the only way to select the “Message flow” menu item in the Exchange interface.


In the “Message flow” menu in the upper menu bar, first click on Connectors and then on the small plus sign (see screenshot). The wizard for creating a new connector opens.

On the first page, select Office 365 in the “From” field and e-mail server of your organization in the “To” field. This setting sends outgoing emails from the Office 365 Tenant to NoSpamProxy. Click on Next.

Next, enter any name for the connector and uncheck the box “Keep internal Exchange email header (recommended)”. You are free to fill the description field with an explanatory text. Click on Next.

Select the item “Only if I have set up a transport rule that redirects messages to this computer” and click Next.

The next step is to specify the smart host to which Office 365 should send the emails. Enter the name or IP address of the server on which the gateway role is installed. Click on Save.

In this dialog you configure the connection encryption. Always activate the option “Always use TLS to secure the connection”. Select the item “All digital certificates, including self-signed certificates” in the selection dialog below and click Next.

You will now receive a summary of the information you have entered so far.

Check that the information is correct and then click Next.

In the next step, the wizard wants to check the connector settings.

To do this, enter at least one email address so that a test message can be sent. Click Check to start the check.

Message_flow_Connector9 Message_flow_Connector10
Upon completion of the examination, you will receive a result of the examination.

The test email usually fails. You can ignore this at first. Close the dialog by clicking on Save.

Next, a transport rule must be created. To do this, click on Rules in the “Message Flow” menu at the top of the Office 365 administration interface.

Click on the plus symbol in the upper area and select Create new rule. The wizard for creating a new transport rule opens.

First enter any name for the connector. In the field “Apply this rule if” set: “The recipient is” and “Outside the organization”. You can make this setting using the Add condition button.

In the “Proceed as follows” field, set “Use the following connector” and then specify the previously created connector. This setting can be made using the Add Action button. If you can only select “People” at this point, please click on Advanced options in the lower section. Now you can select the “Use the following connector…” under “Forward the message to” and then use the previously created connector.

Please apply the remaining settings as described above and click on Save.

All necessary settings have been made and the test can begin.