Setup SEPPmail.cloud in 3 easy steps:
1-Install PowerShell CORE | 2-Install module | 3-Run the Setup Command |
---|---|---|
Microsoft PS-Core install docs | Install-Module seppmail365cloud |
New-SC365Setup -force |
If you are a new customer and just got the deployment e-Mail from SEPPmail.cloud all you have to do is to run:
New-SC365Setup
This will setup all necessary connectors and rules for your Microsoft tenant.
If you are an existing customer and just and just updated the PowerShell Module, do is to to update:
New-SC365Setup -force
This will recreate all necessary connectors and rules for your Microsoft tenant.
If you want to know what setup has been implemented in your tenant, run Get-SC365Setup
Get-SC365Setup
This will list Connectors and Transport Rules of your tenant.
To remove all SEPPmail.cloud connectors and rules, run:
Remove-SC365Setup
- The SEPPmail365cloud PowerShell Module README.MD
- Introduction
- Latest Changes
- Prerequisites
- Operating Systems
- Security
- Module Installation
- Things to know before you start changing your E-Mail-routing
- Using the SEPPmail365cloud PowerShell module
- Setup the integration for BASIC environments
- Setup the integration for ADVANCED environments
- Review the changes
- Test your mailflow
- Advanced Setup Options
- Issues and solutions
The SEPPmail365cloud PowerShell Core module has been built to integrate Exchange Online instances into the SEPPmail.cloud (SMC). The module requires you to connect to your Exchange Online environment as administrator (or at least with Exchange Online administrative rights) via PowerShell Core and creates all necessary connectors and rules, based on the e-mail-routing type and region for you with a few commands.
Changes in the module versions are documented in the
Note: Windows PowerShell (5.1 and earlier versions) is not supported! To run the module from Windows, install PowerShell Core on your Windows machine, using the Microsoft Store or go to Github for other installation options.
The module requires:
- PowerShell Core (minimum version 7.2.1)
The module requires and automatically installs:
- Exchange Online Module version minimum 3.0.0+
- DNSClient-PS 1.0+
If you want to know how to connect to Exchange Online via Powershell read https://learn.microsoft.com.
The code and was tested on Windows and macOS. PowerShell Core on Linux should work as well, but has not been intensively tested so far.
When connecting to Exchange Online, we recommend using the -Device or -Credential based login option. If you want to use credential-based login, we recommend using the Microsoft Secrets Management module to store your username/passwords in a secure place on your disk.
IMPORTANT! Do not use the PowerShell Module SEPPmail365 (without cloud at the end) we have also on the PowerShell Gallery. This module will create NON-WORKING setups as it is intended to be used with self-hosted, customer owned or MSP-operated SEPPmail Appliances.
To install the SEPPmail365Cloud module, open Powershell Core (pwsh.exe) and execute:
cd ~ # moves into the Home-Directory
Install-Module "SEPPmail365cloud" # installs the SEPPmail365cloud module
In addition to the main module you need to add PSWSMan which adds WSMan client libraries to Linux and macOS for remote connectivity to Exchange Online.
Note: Do this OUTSIDE Powershell in the appropriate shell (bash, or similar)!
sudo pwsh -command 'Install-Module PSWSMan' #Read more on this here https://github.com/jborean93/omi
sudo pwsh -Command 'Install-WSMan'
Further information and detailed steps for the module setup can be found on our GitHub repository for out other PowerShell Module SEPPmail365 module documentation.
When integrating your Exchange online environment with SEPPmail.cloud, you have to decide between two e-mail routing modes to Microsoft. We either set the mx-record to SEPPmail.cloud (inline) or leave it at Microsoft (parallel). Customers routing e-Mails via SEPPmail.cloud benefit from our outstanding e-mail filter which prevents spam and unwanted software flowing into your network via e-mail.
Note: If you leave the mx-record at microsoft you CANNOT use the SEPPmail.cloud e-mail filter, but for sure our encryption processing possibilities.
Now lets look into the 2 different modes.
Routing mode "inline" allows you to use the full power of the SEPPmail.cloud! In this scenario, the mx-record of the e-mail domain is set to the SEPPmail cloud hosts. Inbound e-mails flow to the SEPPmail.cloud, are scanned, treated cryptographically and then flow to Microsoft via connectors. Same is outbound, the mails simply pass the SEPPmail.cloud before leaving to the internet.
This routing mode is similar to the way you would integrate any SEPPmail Appliance (self hosted or MSP) with ExchangeOnline. E-mails flow to Microsoft, and are looped through SEPPmail.cloud, based on the need for cryptographic treatment. Unfortunately, no SEPPmail Virus or SPAM filter is possible in this configuration.
SEPPmail.cloud is operated in different cloud-regions (datacenters). Based on what you ordered, your tenant may be provisioned in one or the other cloud-region.
Deploying to the wrong region will lead to a non-working environment. Your onboarding E-Mail should contain all information for your region.
After the module setup is completed as described above and you have connected to your Exchange Online environment, create an environment report.
# The easiest way is to run the command without any parameter
New-SC365ExOReport # Will generate a report with an autogenerated name in the current folder. Search for *.HTML files.
# Also simpler with automatic creation of filename with timestamp
New-SC365ExOReport -FilePath ~/Desktop
# Of define the filename manually
New-SC365ExoReport -FilePath /Users/you/Desktop/MyExoReport.html
# If you want to specify a literal path use:
New-SC365ExOReport -Literalpath c:\temp\myexoreport.html
The report will give you valued information about existing connectors, rules and other mailflow-related information. Keep this report stored for later investigation by support or as a documentation of a certain state.
If your Exchange Online environment was originally integrated with a SEPPmail Appliance, you need to remove the existing SEPPmail365 connectors and rules before integrating into SEPPmail.cloud. To do this use our OTHER PS-Module SEPPmail365 or the Office admin Portal. Find info on Remove SEPPmail connectors and rules here.
Note: If you do not remove existing [SEPPmail] rules and connectors, the mailflow will be a mess and the integration will not work.
A basic environment has the following characteristics.
- All customer mailboxes are hosted in Exchange Online.
- The customer uses one e-mail domain for all users.
- This one e-mail domain is the tenant-default domain.
- This e-mail has been used to book SEPPmail.cloud.
- There are no hybrid connectors.
- There are no other external connectors.
- There are no cross-tenant connectors.
- There are no other 3rd party connectors.
- There are no transport-rules implemented which may affect mailrouting to SEPPmail.cloud
If all those requirements are met the 3 commandlets below are your friends and will do the setup job for you.
- Get-SC365Setup ==> Read the existing setup
- New-SC365Setup ==> create a new setup
- Remove-SC365Setup ==> remove an existing setup
Advanced Setups require a deeper understanding of the impact of the SEPPmail.cloud integration, and allow more flexibility.
After you have received a welcome e-mail from SEPPmail, and followed all instructions in the e-mail, you can start with the integration.
You need to know 3 input values to run the CmdLets.
- SEPPMailCloudDomain (the e-mail domain of your Exchange Online environnement that has been configured in the SEPPmail.cloud. Most of the time this is the default-domain in your Exchange Online Tenant.)
- routing (either "inline" or "parallel", read above for details)
- region ("de" or "ch", the geographical region of the SEPPmail.cloud infrastructure)
- inBoundOnly (a parameter you may set or not set in INLINE Mode only, which is for customers which use our INBOUND filter only)
Note: All 4 parameters are automatically populating valid options if you press TAB after the parameter. This reduces typo errors.
You need to setup inbound and outbound-connectors and transport rules, so run the two commands as explained below.
New-SC365Connectors -SEPPmailCloudDomain 'contoso.ch' -routing 'inline' -region 'ch'
New-SC365Rules -routing 'inline' -SEPPmailCloudDomain 'contoso.eu'
New-SC365Connectors -SEPPmailCloudDomain 'contoso.ch' -routing 'inline' -region 'ch' -inboundonly
# No rules required for inbound only setups
New-SC365Connectors -SEPPmailCloudDomain 'contoso.eu' -routing 'parallel' -region 'de'
# Important: Rules can only be created if the connectors are enabled. They are enabled by default, so if you use the example above it will work.
New-SC365Rules -routing parallel -SEPPmailCloudDomain 'contoso.eu'
Get-SC365Connectors -routing parallel
Get-SC365Rules -routing parallel
# Important: Those 2 commands will show the current connectors and rules.
You can use also the native Exchange Online Commandlets.
Get-Inboundconnector
and Get-OutboundConnector
will show the installed connectors, and Get-Transportrule
CmdLet will give you all information about transport rules.
Send an e-mail from inside-out and outside-in to see if the mailflow is working.
The module allows some extra-tweaks for advanced configurations
For sensitive environments, where mailflow may only be changed in specific time frames, it is possible to create rules and connectors "disabled". Both CmdLets New-SC365Connectors and New-SC365Rules have a -disabled switch. See examples below:
New-SC365Connectors -SEPPmailCloudDomain 'contoso.eu' -routing 'parallel' -region 'de'
New-SC365Rules -disabled
To enable the disabled transport rules in ExchangeOnline so that e-mails can flow through the SEPPmail.cloud, use the Exchange Online admin-website or the PowerShell Commands Enable/Disable-TransportRule.
# Enable SEPPmail.cloud TransportRules
Get-TransportRule -Identity '[SEPPmail.cloud]*'|Enable-TransportRule
# Disable SEPPmail.cloud TransportRules
Get-TransportRule -Identity '[SEPPmail.cloud]*'|Disable-TransportRule
# To avoid getting asked for every rule to confirm the change and run the command in "silent" mode use
Get-TransportRule -Identity '[SEPPmail.cloud]*'|Disable-TransportRule -Confirm:$false -Verbose
By default out transport rules will be placed at the bottom of all other transport rules. If you want to change this use:
New-SC365Rules -PlacementPriority Top
We saw situations where the EnhancedFiltering Allowlist needed to be filled with SEPPmail.cloud IP addresses. Use the example below to deploy those IP addresses properly.
New-SC365Connectors -SEPPmailCloudDomain 'contoso.eu' -routing 'inline' -region 'de' -inboundEFSkipIPs
Allowlisting SEPPmail.cloud in the Anti-SPAM filter list, aka HostedConnectionFilterPolicy (Parallel Mode)
We saw situations where the Hosted Connection Filter Policy needed to be filled with SEPPmail.cloud IP addresses. Use the example below to deploy those IP addresses properly.
New-SC365Connectors -SEPPmailCloudDomain 'contoso.eu' -routing 'inline' -region 'de' -option AntiSpamAllowListing
If your computer has the users directory on a fileshare, Powershell still installs the Module in the $currentuser scope in your homedirectory. This sill raise issues with execution policy settings. To avoid this you can.
1.) Start PowerShell with no execution policy, by opening a terminal (cmd.exe) and run pwsh -executionpolicy unrestricted.
2.) Install the module to a local drive by:
Save-module seppmail365cloud -Path c:\temp
import-modue c:\temp\seppmail365cloud
We had a version of the SEPPmail.cloud connectors in place which used slashes in the name. Microsoft somehow stopped to accept this. If you find such a connector do this:
- Rename connectors in the admin.microsoft.com portal
- Delete them after renaming in the admin portal.
If you set up everything according to the description above, and still have mail-loops, check if the recipient is also in the SEPPmail.cloud, the recipient tenant MUST also use the newest connectors (CBC). Reach out to he recipients admin and force them to update their setup.
We saw this on several windows machines, but could not trace it down so far. If you get this error send us an e-Mail to support.
--- End of document ---