Controls/EDCA-TLS-029.json
{
"id": "EDCA-TLS-029", "title": "Hybrid receive connector TLS integrity", "description": "At least one frontend transport receive connector MUST have TlsDomainCapabilities set to include mail.protection.outlook.com:AcceptCloudServicesMail (set by the Hybrid Configuration Wizard on Exchange 2016 CU3+, Exchange 2019, and Exchange SE) or mail.protection.outlook.com:AcceptOorgProtocol (older hybrid deployments), MUST be enabled, and MUST include Tls in AuthMechanism. The TlsDomainCapabilities setting grants inbound connections from Exchange Online an elevated trust level — applied only to sessions that authenticate with TLS using a certificate matching the listed domain — causing Exchange Server to treat mail arriving from Exchange Online as internal rather than anonymous. Without this setting, hybrid mail flow is classified as external, breaking features that depend on internal mail trust such as transport rules, moderation bypass, and public folder coexistence. Only connectors with TransportRole=FrontendTransport are relevant for inbound SMTP from Exchange Online.", "verify": false, "subject": "Organization", "category": "Transport Security", "severity": "High", "severityWeight": 8, "frameworks": [ "Best Practice" ], "references": [ { "name": "CSS CloudConnectorCheck - Hybrid Receive Connector", "url": "https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/CloudConnectorCheck/" }, { "name": "Microsoft - Demystifying and troubleshooting hybrid mail flow", "url": "https://techcommunity.microsoft.com/blog/exchange/demystifying-and-troubleshooting-hybrid-mail-flow-when-does-a-message-skip-clutter/613125" } ], "remediation": { "automatable": true, "description": "Identify the frontend receive connector used for inbound mail from Exchange Online and set TlsDomainCapabilities to mail.protection.outlook.com:AcceptCloudServicesMail (Exchange 2016 CU3+/Exchange 2019/SE) or mail.protection.outlook.com:AcceptOorgProtocol (older deployments), ensure it is enabled, and ensure Tls is listed in AuthMechanism. 
The Hybrid Configuration Wizard configures this automatically; if it is missing, re-run the wizard or set the property manually.", "scriptTemplate": "# Diagnose: Check hybrid receive connectors across all Exchange servers\n$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }\nforeach ($server in $servers) {\n $connectors = Get-ReceiveConnector -Server $server.Name | Where-Object {\n $_.TransportRole -eq 'FrontendTransport' -and\n -not [string]::IsNullOrWhiteSpace([string]$_.TlsDomainCapabilities)\n }\n foreach ($c in $connectors) {\n Write-Host \"$($c.Identity)\"\n Write-Host \" Enabled: $($c.Enabled)\"\n Write-Host \" AuthMechanism: $($c.AuthMechanism)\"\n Write-Host \" TlsDomainCapabilities: $($c.TlsDomainCapabilities)\"\n }\n}\n\n# Remediate: Set required properties on the hybrid receive connector\n# $connector = Get-ReceiveConnector '<ServerName>\\<ConnectorName>'\n# Set-ReceiveConnector $connector.Identity -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail' -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer'\n# NOTE: Use AcceptCloudServicesMail for Exchange 2016 CU3+/Exchange 2019/SE (HCW default). Use AcceptOorgProtocol for older hybrid deployments." }, "considerations": "The Hybrid Configuration Wizard (HCW) creates and configures the hybrid receive connector automatically. If the environment was configured manually or the HCW was run partially, the connector may be missing or misconfigured. The exact AuthMechanism value depends on the connector type; the requirement is that Tls is included. In Exchange 2019 CU12+ and Exchange 2016 CU23+ environments using Modern Hybrid (connector-less), inbound mail from Exchange Online may not use a dedicated receive connector at all — verify the deployment model before applying this control.", "roles": [ "Mailbox" ] } |