Inbound and Outbound connector FAQ
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2013-12-17
This topic provides answers to frequently asked questions about Inbound and Outbound connectors.
Q. What’s the difference between an Outbound connector and an Inbound connector?
A. The terms Outbound and Inbound refer to the direction mail is traveling to and from Exchange Online Protection (EOP). An Outbound connector sends email to a partner or to your on-premises environment. An Inbound connector receives mail from a partner or from your on-premises environment.
Q. What’s the difference between the On-Premises connector type and the Partner connector type?
A. An On-Premises connector is required for the cloud service to receive mail from or send mail to your on-premises environment. Without On-Premises connectors, you can’t route inbound and outbound mail through EOP for filtering. When you set up EOP standalone, where EOP protects your on-premises mailboxes, a portion of the configuration steps are devoted to creating On-Premises connectors. For more information, see Set up mail flow through Exchange Online Protection.
On-Premises connectors are also required for a hybrid deployment. However, when you set up hybrid, the connectors are typically created automatically with tools provided for hybrid setup. For more information about configuring a hybrid deployment, see Exchange Server 2013 Hybrid Deployments.
You can create a Partner connector to set up boundaries and restrictions for email sent to or received from your partners, including scoping the connector to receive email from specific IP addresses, or requiring Transport Layer Security (TLS) encryption. A Partner connector isn't required, but can be created by customers with cloud mailboxes or on-premises mailboxes. For more information about creating connectors to exchange secure email with a partner, see Scenario: Regulated partner with forced TLS.
Q. What can I do with each connector type?
A. The following table summarizes the purpose for each connector as email flows to and from your hosted mail service.
Mail flow direction
Inbound: email enters O365
Outbound: email leaves O365
Configure and enforce mail flow originating from on-premises servers
Configure and enforce outbound routing for email leaving O365 service (to internet or on-premises servers).
Smart host must be used for outbound connector of type OnPremises.
Configure and enforce mail flow incoming from 3rd party servers.
Configure and enforce outbound routing for email leaving O365 service to a regulated partner (such as a bank Fabrikam.com), or to a 3rd party vendor (such as MessageLabs.com).
Use MX based routing or smart host in the connector.
Q. When I choose the On-Premises connector type, “Retain service headers on transmission” is enabled. Do I need to select that option?
A. No. It should be selected only in the case where you have connectors configured in a hybrid deployment. In most cases, when you use the Hybrid Configuration Wizard to set up your hybrid deployment, you won’t need to make any manual configuration changes to connectors in the EAC. For more information about configuring a hybrid deployment, see Exchange Server 2013 Hybrid Deployments.
Q. When I create an Inbound connector, what do Domains and Accepted Domains refer to?
A. For an Inbound connector set to the Partner connector type, the domains you add to the Domains list in the Exchange admin center (EAC) are the sender's domains, and the domains you add to the Accepted Domains list are your recipient domains. To illustrate, if you want email sent from fabrikam.com to contoso.com to have the connector's settings applied, add fabrikam.com to the Domains list and contoso.com to the Accepted Domains list. If you want the connector to apply to all of your recipient domains, leave Accepted Domains blank.
For an Inbound connector set the to the On Premises connector type, Domains and Accepted Domains refer to your on-premises provisioned domains. In most cases, we recommend that you set Domains to * and leave Accepted Domains blank. This means that you want the connector applied to all of your domains.
|If you want to scope an On-premises connector so it routes mail for a particular domain, set Domains and Accepted Domains to the same value. For example, you can set Domains and Accepted Domains to contoso.com if you want the connector applied to contoso.com, but you have other on-premises domains that you don't want the connector applied to.|
For more information about setting up an Inbound connector to accept email from your on-premises environment in a standalone deployment, see Set up mail flow through Exchange Online Protection.
Q. If I create an On-premises Outbound connector in the EAC, and I select “Route all accepted domains through this connector” under “scope”, can I leave the Domains list blank?
A. Yes. Choosing this option is equivalent to adding all of your provisioned domains to the Domains list.
Q. If I create an Outbound connector in the EAC, what happens if I select “Use for Criteria Based Routing (CBR)”?
A. You can assign a transport rule to the connector. By doing this, you can use the connector to enforce a business rule or control mail routing. For instance, Scenario: Conditional mail routing shows how to choose a connector with a transport rule and route mail to a specific site.
Q. If I create an Outbound connector, and I add multiple smart-host entries, where is mail delivered?
A. The first smart-host to deliver messages to is chosen at random from the list. Following that, the connector uses round-robin load balancing to distribute messages among the smart-host entries.
Q. Can I configure an inbound connector to skip filtering on mail sent from IP addresses specified in a safe list?
A. You can't configure a connector to bypass filtering. Instead, we recommend that you use the connection filter's IP Allow list to bypass all filtering performed by the service. You can find instructions for this at Configure the Connection Filter Policy.
Q. When configuring an inbound connector, can I specify any domain restrictions on incoming messages?
A. Yes, for partner connectors only, you can set the Domain Restrictions option to None, Restrict domains by certificate (the service will accept messages only from the specified domains where the source matches the certificate), or Restrict domains by IP addresses (the service will accept messages only from the specified domains where the source IP addresses are represented in the specified IP addresses).