Exchange On-Premises
Mail server variant for a local Exchange server, version 2016 or later. Send/Receive Connector in the Exchange Admin Center.
Prerequisite: Step 1, Domain & DNS Setup is complete and all four DNS checks are green.
What happens here: A Send Connector and a Receive Connector are created in the local Exchange Admin Center. In the Setup Assistant, the Manual configuration mode is chosen.
Effort: 15 to 25 minutes.
Difference from Exchange Online: On-Premises does not need a transport rule for routing. The Send Connector with address space
*already routes outbound mail through the smart host to Conbool. Loops cannot occur because mail returning from Conbool arrives via the Receive Connector and is delivered directly to the mailbox, without re-triggering the Send Connector.
Step A. Send Connector
Navigation: Exchange Admin Center (On-Premises) → Mail flow → Send Connectors → new Send Connector
| Field | Value |
|---|---|
| Name | Conbool Outbound Connector |
| Type | Custom |
| Address space | * for all domains, or specific domains |
| Smart host | mail.conbool.com |
| Smart host authentication | None, authentication is handled via TLS certificate |
| Require TLS | Enabled, domain validation against mail.conbool.com |
| Use MX Record | No |
| Source server | Hub Transport server that should use the connector |
Create and enable the connector.
Step B. Receive Connector
Navigation: Exchange Admin Center (On-Premises) → Mail flow → Receive Connectors → new Receive Connector on the respective server
| Field | Value |
|---|---|
| Name | Conbool Inbound Connector |
| Type | Partner |
| Network adapter bindings | Leave default, all available IPs on port 25 |
| Remote IP ranges | Conbool IP addresses, provided by Conbool |
| Require TLS | Enabled |
| TLS Sender Certificate Name | mail.conbool.com |
| Restrict Domains to Certificate | Yes |
Create and enable the connector.
Firewall: Port 25 (SMTP) must be open from the Conbool IP addresses to the Exchange server.
Step C. Transport Rule "Classify Spam" (optional)
Navigation: Exchange Admin Center (On-Premises) → Mail flow → Rules → new rule
This rule sorts emails marked as spam by Conbool into the Spam folder. If Conbool's spam classification is not actively used, this step can be skipped.
- Name: Conbool Spam classification rule
- Apply this rule if: A message header matches → Header
X-Conbool-Flag→ PatternYES - Do the following: Modify the message properties → set SCL to
7 - Priority:
1 - Mode: Enforce
- Save and enable.
Step D. Release Bypass Rule (optional)
Ensures that mail released from the Conbool quarantine is delivered directly, without being marked as spam again. On release, Conbool sets the header X-Conbool-Released: yes; this rule detects the header and skips the spam filter. If spam classification (Step C) is not active either, this step can also be skipped.
Navigation: Exchange Admin Center (On-Premises) → Mail flow → Rules → new rule
- Name: Conbool Quarantine Release Bypass
- Apply this rule if (all three conditions, combined with AND):
- A message header matches → Header:
X-Conbool-Released→ Pattern:yes - The sender is located → Outside the organization
- The recipient is located → Inside the organization
- A message header matches → Header:
- Do the following:
- Modify the message properties → Set SCL to
-1
- Modify the message properties → Set SCL to
- Priority:
2 - Mode: Enforce
- Save and enable.
Why SCL −1: SCL −1 marks the mail as trusted so the spam filter does not re-sort it. A routing loop cannot occur on On-Premises because released mails return through the Receive Connector and go directly to the mailbox, without triggering the Send Connector.
Scope (optional)
The Send Connector from Step A can be limited to a subset of recipient domains, for example when only some tenants use Conbool or a migration runs in phases. Instead of *, list individual domains or domain wildcards as the address space.
Alternatively, an additional transport rule with "The sender is a member of … → Conbool group" and action "Route the message to the following connector → Conbool Outbound Connector". Mails outside the group continue along the old path. This variant is optional and only useful for a group-based rollout instead of a domain-based one.
Done When
Back in the Setup Assistant at the Mail Server step. Enter the relay host of the Exchange server, typically the FQDN of the Hub Transport server, for example mail.yourcompany.local, then click Test Connection. Status "SMTP reachable" means the connection is established.
Continue with the connection test and completion.