
Why is Crossware moving to a unique certificate?
 
Microsoft is enhancing email routing and has introduced improvements to how mail flow is managed by their Exchange Online servers. For more details, please refer to the Microsoft article here. For Crossware, this specifically affects inbound connectors and their associated certificates. To comply with these changes, Crossware is transitioning to unique certificates for its customers.
 
What does this mean for you?
 
Currently, Crossware users have a wildcard certificate (*.crossware.co.nz) set up for their inbound connector. Crossware has developed an automated process to update your connector with a unique TLS certificate (<unique certificate>.crosswaretls.com) and add it as an accepted domain within your Exchange environment. This update can be performed in the Crossware Portal under Admin Settings > Setup > Connector.

Note that if your organisation does not want Crossware to complete these steps automatically, you can contact Crossware support to complete the required upgrade manually.
 
Will there be any downtime?

There will be no downtime for the Crossware service or your mail flow.
Crossware creates a new inbound connector while leaving the old one active, and allows a 24-hour grace period to ensure all the Microsoft changes have propagated before switching to the new connector.

What changes will occur in your Exchange environment?
 
Once you accept the permissions, Crossware will make the following changes in your environment: 

  1. Rename the existing inbound connector to CrosswareInboundConnector-BACKUP.
  2. Create a new inbound connector named CrosswareInboundConnector. This connector will verify incoming messages by ensuring the subject name on the connecting TLS certificate matches your new unique certificate domain and that the sender’s email address is an accepted domain for your organization. 
  3. Add the new certificate name as an accepted domain so that it uniquely identifies your organisation.

Why does the unique certificate need to be added as an accepted domain?
 
This step ensures that Exchange Online can identify your organisation.  
 
For more information, please see the following resources from Microsoft that reference the above architecture: 

 
Why does my domain say incomplete setup?

Note that the domain setup may appear as Incomplete in your admin centre. This is because the domain is not used for mail routing, but solely for securely identifying the organization. Please do not remove this domain; you can ignore any incomplete warnings.
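
To confirm that the connector changes and the accepted domain described above are in place after the update, an administrator can audit the tenant state. The PowerShell below is an added example, not Crossware's or Microsoft's code; the function name and the sample certificate domain are hypothetical, and the property names are those returned by the Exchange Online cmdlets Get-InboundConnector and Get-AcceptedDomain.

```powershell
# Added audit example. Checks only what this page describes: the two connector
# names, the certificate name on the new connector, and the accepted domain.
function Test-CrosswareConnectorState {
    param(
        [Parameter(Mandatory)] [string]   $CertificateDomain,  # your <unique certificate>.crosswaretls.com value
        [Parameter(Mandatory)] [object[]] $InboundConnectors,  # output of Get-InboundConnector
        [Parameter(Mandatory)] [object[]] $AcceptedDomains     # output of Get-AcceptedDomain
    )
    $new    = $InboundConnectors | Where-Object Name -eq 'CrosswareInboundConnector'
    $backup = $InboundConnectors | Where-Object Name -eq 'CrosswareInboundConnector-BACKUP'
    $domain = $AcceptedDomains   | Where-Object { "$($_.DomainName)" -eq $CertificateDomain }

    [pscustomobject]@{
        NewConnectorPresent    = [bool]$new
        NewConnectorEnabled    = [bool]($new -and $new.Enabled)
        # The new connector must name the unique certificate, not the old wildcard.
        CertificateNameMatches = [bool]($new -and "$($new.TlsSenderCertificateName)" -eq $CertificateDomain)
        StillUsesWildcard      = [bool]($new -and "$($new.TlsSenderCertificateName)" -eq '*.crossware.co.nz')
        BackupConnectorPresent = [bool]$backup
        # The domain may show as Incomplete in the admin centre; it only has to exist.
        AcceptedDomainPresent  = [bool]$domain
    }
}

# Constructed sample objects standing in for live cmdlet output, so the check runs offline.
$cert = 'example-tenant.crosswaretls.com'   # placeholder, not a real certificate name
$connectors = @(
    [pscustomobject]@{ Name = 'CrosswareInboundConnector'; Enabled = $true
                       TlsSenderCertificateName = $cert }
    [pscustomobject]@{ Name = 'CrosswareInboundConnector-BACKUP'; Enabled = $true
                       TlsSenderCertificateName = '*.crossware.co.nz' }
)
$domains = @(
    [pscustomobject]@{ DomainName = 'contoso.example' }
    [pscustomobject]@{ DomainName = $cert }
)
Test-CrosswareConnectorState -CertificateDomain $cert -InboundConnectors $connectors -AcceptedDomains $domains

# Against a live tenant (ExchangeOnlineManagement module, after Connect-ExchangeOnline):
# Test-CrosswareConnectorState -CertificateDomain $cert `
#     -InboundConnectors (Get-InboundConnector) -AcceptedDomains (Get-AcceptedDomain)
```

A healthy result has every field True except StillUsesWildcard, which should be False.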

Automatic Replies and Crossware email signatures
 
If your email does not have a return path (e.g., automatic replies or Out of Office emails), the previously accepted verification method is no longer allowed by Microsoft. Adding the unique certificate as an accepted domain ensures these empty return path emails can be routed through Crossware successfully. For more information on setting up Automatic Replies with signatures, see here.

Related Products: CMS M365