Exchange Hybrid Certificate Requirement (accepted domain on certificate)

Mike00 236 Reputation points
2020-08-12T05:31:44.023+00:00

Hi,

I am configuring an exchange Hybrid environment and noted that the certificate for TLS requires that an accepted domain within Exchange Online needs to be on the certificate used to secure mail transport (subject or subject alternative name).

I am wondering if there is any way around this requirement? The business does not want their root domain on the SSL certificate as they are concerned about the security aspect. What will not work without this root domain on the cert, assuming the SSL certificate has no domains on it that match an accepted domain in Exchange Online.

Mike.


5 answers

  1. Andy David - MVP 142.3K Reputation points MVP
    2020-08-12T11:04:46.267+00:00

    Hi @Mike00
    If the certificate does not have an accepted domain as a subject or in the CN, it will be rejected:

    https://learn.microsoft.com/en-us/exchange/troubleshoot/connectors/office-365-notice

    Beginning July 5, 2017, Office 365 no longer supports relaying email messages if a hybrid environment customer has not configured their environment for either of the step 3 conditions. Such messages are rejected and trigger the following error message:

    550 5.7.64 Relay Access Denied ATTR36. For more details please refer to KB 3169958.

    Additionally, you must meet the second condition ("certificate-based connector configuration") in step 3 in the "Introduction" section if your organization requires that any of the following scenarios continue to work after July 5, 2017.

    1 person found this answer helpful.

  2. Andy David - MVP 142.3K Reputation points MVP
    2020-08-14T21:50:55.22+00:00

    Hi @Mike00 ,
    It's all about that attribution - and here I am referring to SMTP exclusively. Somewhere in that cert has to be a subject name or CN that matches up with an accepted domain in 365.

    It doesn't have to contain all the domains in the cert subject names, just at least one it can match up. So if you have 3 domains, domaina.com, domainb.com, domainc.com and you have a subject of domainc.com in the cert, you can send from domaina and domainb through the same SMTP connector even though those domain subject names are not on the cert, because 365 can match domainc.com to an accepted domain, see it, and that the others are registered to your tenant as well.

    More on that:
    https://techcommunity.microsoft.com/t5/exchange-team-blog/office-365-message-attribution/ba-p/749143

    1 person found this answer helpful.
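The attribution rule from the two answers above, turned into a small offline check. This is an added example, not code from the thread or from Microsoft; the matching rules it applies (an entry counts if it equals an accepted domain, is a host under it such as mail.domainc.com, or is a wildcard whose base is that domain) and the three-domain sample data are assumptions made for illustration, modelled on the domaina/domainb/domainc scenario described in the answer.

```python
"""Check whether a certificate's subject CN / SAN entries let Exchange Online
attribute inbound SMTP traffic to a tenant (example code, not Microsoft's).

Assumed rules (not confirmed by the thread): an entry matches an accepted
domain when it equals the domain, is a hostname under it, or is a wildcard
whose base is the domain.  Once any single entry matches, every accepted
domain of the tenant may send through that connector; if nothing matches,
the thread says the message is rejected with 550 5.7.64.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Names taken from a certificate: subject CN plus SAN dNSName entries."""
    common_name: str
    sans: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # Lower-case and drop a trailing dot so comparisons are case-insensitive.
    return name.strip().lower().rstrip(".")


def _entry_matches_domain(entry: str, domain: str) -> bool:
    entry, domain = _normalize(entry), _normalize(domain)
    if entry.startswith("*."):          # wildcard: compare its base name
        entry = entry[2:]
    return entry == domain or entry.endswith("." + domain)


def find_attribution_domain(cert: CertNames, accepted_domains: List[str]) -> Optional[str]:
    """Return the first accepted domain that some CN/SAN entry matches, else None."""
    names = [cert.common_name, *cert.sans]
    for domain in accepted_domains:
        if any(_entry_matches_domain(entry, domain) for entry in names):
            return _normalize(domain)
    return None


def senders_allowed(cert: CertNames, accepted_domains: List[str],
                    sender_domains: List[str]) -> Dict[str, bool]:
    """Per the answer: one matching entry attributes the whole tenant, so any
    accepted domain may send; a sender domain that is not accepted never may."""
    attributed = find_attribution_domain(cert, accepted_domains) is not None
    accepted = {_normalize(d) for d in accepted_domains}
    return {s: attributed and _normalize(s) in accepted for s in sender_domains}


if __name__ == "__main__":
    # Constructed sample data mirroring the thread's three-domain scenario.
    tenant_domains = ["domaina.com", "domainb.com", "domainc.com"]
    good_cert = CertNames("mail.domainc.com", ["autodiscover.domainc.com"])
    bad_cert = CertNames("mail.example.net", ["autodiscover.example.net"])

    print("good cert attributes to:", find_attribution_domain(good_cert, tenant_domains))
    print("bad cert attributes to: ", find_attribution_domain(bad_cert, tenant_domains))
    print("senders via good cert:  ", senders_allowed(good_cert, tenant_domains, ["domaina.com", "domainb.com"]))
    print("senders via bad cert:   ", senders_allowed(bad_cert, tenant_domains, ["domaina.com"]))
```

In a real deployment the CN and SAN list would be read from the transport certificate (for example the Subject and CertificateDomains output of Get-ExchangeCertificate on the on-premises server) and the accepted-domain list from the tenant; the check then tells you before cut-over whether the certificate can attribute at all, which is the failure the 550 5.7.64 rejection signals.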

  3. Jon Alfred Smith 541 Reputation points
    2020-08-12T11:19:00.06+00:00

    The subject in the certificate with a wildcard will usually be *.domain.com or with a SAN (UC) mail.domain.com and autodiscover.com. Is this considered to be their root domain?


  4. Mike00 236 Reputation points
    2020-08-13T01:00:46.747+00:00

    Hi AD-7937,

    Thanks for the reply. I understand now that I need a domain that is verified in O365 on the certificate. What I am confused about is whether this domain needs to be the Subject Name (can it be a SAN instead?) and whether it needs to be the primary or default SMTP domain in Exchange Online?

    I see some contradictory statements in the Hybrid Certificate Requirements link (https://learn.microsoft.com/en-us/exchange/certificate-requirements) from Microsoft stating:

    "The subject name is the FQDN that the certificate is issued to and should use the primary SMTP domain that is shared between the on-premises and Exchange Online organizations."

    The link you provided states:

    "Your on-premises email server is configured to use a certificate to send email to Office 365, and the Common-Name (CN) or Subject Alternate Name (SAN ) in the certificate contains a domain name that you have registered in Office 365, and you have created a certificate-based connector in Office 365 that has that domain."

    Unsure which of these statements is correct?

    Mike.


  5. Joyce Shen - MSFT 16,646 Reputation points
    2020-08-13T05:08:31.59+00:00

    You do not need to change the domain to default SMTP domain, and you just need to add the domain to SAN.