# Configure a certificate-based connector to relay email from Exim to Office 365

In this blog post I will show you how you can send your emails from Exim to Office 365 via a TLS connector.

I will discuss the steps that I took to configure this in our environment so that you may have an easier time if you decide to go down the same route aswell.

### Prerequisites

In the Exchange admin center, you will need to have your TLS certificate domain configured as an accepted domain in your Office 365 organisation.

To configure an accepted domain, you need to go to the Microsoft 365 admin center, click **Settings > Domains** and add your domain from there.

And of course you need your TLS certificate to use with the connector.

### Exchange setup

To start, create your connector in the Exchange admin center

On the left sidebar click **Mail flow > Connectors > Add a connector**

![resized-add-connector.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1636661146675/t0I8iRtvW.png)

On the New Connector page, click Your organization's email server for the Connection from, then click Next

![resized-new-connector.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1636661293460/qVozMixHT.png)

Specify a name for your connector and description on the Connector name page

On the Authenticating sent email page, enter the domain name for your certificate

![resized-certificate-connector.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1636661368033/LQR9C7T1Y.png)

Once done, review the details and if it's all good, click Create connector. You should then see it on the Connectors page.
<br />

### Exim setup

As per [Microsoft documentation](https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment), you need to enable TLS on Exim.

To do this, on your `exim.conf` file set the TLS certificate and key like so

```makefile
tls_certificate = /etc/ssl/my-cert.crt
tls_privatekey = /etc/ssl/my-key.key
```

However, we are not done yet. While this will enable TLS on Exim, it is only good for when Exim is acting as a **server**. In our case we want Exim to act as a **client**.

If we look at the [Exim docs](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html) part 9

> The `tls_certificate` and `tls_privatekey` options of the smtp transport provide the client with a certificate, which is passed to the server if it requests it.

Essentially the global option we specified above is not automatically passed on to the smtp transport.

In `exim.conf`, set the certificate in the smtp transport as such

```makefile
remote_smtp:
  driver = smtp
  .
  .
  .
  hosts_require_tls = *
  tls_certificate = /etc/ssl/my-cert.crt
  tls_privatekey = /etc/ssl/my-key.key
```

I also set `hosts_require_tls` to force TLS for all outbound mail. 


All good now! If you send some test emails from Exim, you can check they were sent via our connector by the Exchange admin center.

On the admin page, left sidebar, click **Reports > Mail flow > Inbound messages** report

Here you can verify that the TLS connector was used, as well as some other stats.










