
From: Schaf
Date: 3/20/24 1:02 PM
Topic: log certificate used for outbound email?
Type: General Discussions

I'm troubleshooting an issue with email delivery to Exchange Online. I've set up an inbound connector in Exchange Online (Your org to O365) and set to verify the subject name on the certificate. The email is getting delivered to Exchange Online but not using this inbound connector. I have a valid certificate installed on the server with Xeams. I can see the certificate is used when sending an email from a workstation to the server. However, I can't validate the certificate used when the message is sent from Xeams to Exchange Online. I could not find the certificate in the Wireshark capture from Xeams to Exchange Online. Any suggestions?


From: Synametrics Support
Date: 3/20/24 1:21 PM
Topic: log certificate used for outbound email?
Type: General Discussions

When two SMTP servers communicate, the certificate on the receiving end is used. Therefore, the certificate on Xeams does not play any role. It will be the certificate on O365 that is used. Therefore, the reason for getting an incorrect inbound connector used is unrelated to the certificate on Xeams.

Check SMTPOutboundConversation.log. For every email, you should see two connections. The first connection is before STARTTLS is issued. The second connection (after STARTTLS) should have the word "secure" in the connection line, confirming encryption was used.

Here is an example log snippet.

2024-03-20 13:04:49,137 - [   6996042] ************ New  connection to: 104.47.18.97
2024-03-20 13:04:49,253 - [   6996042] C --> 220 AM6EUR05FT037.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 20 Mar 2024 17:04:48 +0000
2024-03-20 13:04:49,253 - [   6996042] S <-- EHLO mail.synametrics.com
2024-03-20 13:04:49,368 - [   6996042] C --> 250-AM6EUR05FT037.mail.protection.outlook.com Hello [162.255.85.54]
2024-03-20 13:04:49,368 - [   6996042] C --> 250-SIZE 49283072
2024-03-20 13:04:49,368 - [   6996042] C --> 250-PIPELINING
2024-03-20 13:04:49,368 - [   6996042] C --> 250-DSN
2024-03-20 13:04:49,368 - [   6996042] C --> 250-ENHANCEDSTATUSCODES
2024-03-20 13:04:49,368 - [   6996042] C --> 250-STARTTLS
2024-03-20 13:04:49,368 - [   6996042] C --> 250-8BITMIME
2024-03-20 13:04:49,368 - [   6996042] C --> 250-BINARYMIME
2024-03-20 13:04:49,368 - [   6996042] C --> 250-CHUNKING
2024-03-20 13:04:49,368 - [   6996042] C --> 250 SMTPUTF8
2024-03-20 13:04:49,368 - [   6996042] S <-- STARTTLS
2024-03-20 13:04:49,482 - [   6996042] C --> 220 2.0.0 SMTP server ready
2024-03-20 13:04:49,482 - [   6996042] ************ New (secure) connection to: 104.47.18.97
2024-03-20 13:04:49,482 - [   6996042] S <-- EHLO mail.synametrics.com
2024-03-20 13:04:50,101 - [   6996042] C --> 250-AM6EUR05FT037.mail.protection.outlook.com Hello [162.255.85.54]
2024-03-20 13:04:50,101 - [   6996042] C --> 250-SIZE 49283072
2024-03-20 13:04:50,101 - [   6996042] C --> 250-PIPELINING
2024-03-20 13:04:50,101 - [   6996042] C --> 250-DSN
2024-03-20 13:04:50,101 - [   6996042] C --> 250-ENHANCEDSTATUSCODES
2024-03-20 13:04:50,101 - [   6996042] C --> 250-8BITMIME
2024-03-20 13:04:50,101 - [   6996042] C --> 250-BINARYMIME
2024-03-20 13:04:50,101 - [   6996042] C --> 250-CHUNKING
2024-03-20 13:04:50,101 - [   6996042] C --> 250 SMTPUTF8
2024-03-20 13:04:50,101 - [   6996042] S <-- MAIL FROM:<qh@xxxx.com>
2024-03-20 13:04:50,216 - [   6996042] C --> 250 2.1.0 Sender OK
2024-03-20 13:04:50,217 - [   6996042] S <-- RCPT TO:<xxxxx@hotmail.com>
2024-03-20 13:04:50,334 - [   6996042] C --> 250 2.1.5 Recipient OK
2024-03-20 13:04:50,335 - [   6996042] S <-- DATA
2024-03-20 13:04:50,449 - [   6996042] C --> 354 Start mail input; end with <CRLF>.<CRLF>
2024-03-20 13:04:51,817 - [   6996042] C --> 250 2.6.0 <020b01da7ae8$b7268fd0$2573af70$@angelstarventures.com> [InternalId=140793322933157, Hostname=BLAPR19MB4420.namprd19.prod.outlook.com] 35864 bytes in 0.299, 117.124 KB/sec Queued mail for delivery -> 250 2.1.5
2024-03-20 13:04:51,819 - [   6996042] S <-- QUIT
2024-03-20 13:04:51,932 - [   6996042] C --> 221 2.0.0 Service closing transmission channel
2024-03-20 13:04:51,933 - [   6996042] ~~~~~~~~~~~~ Connection Terminated ( 2451)

The green lines were sent after an encrypted channel was established.

Do you see one or two connections?

Another suggestion is to use the Email Sender (https://www.xeams.com/Email-Sender.htm), which can display SSL certificate information. Run it on the same machine where Xeams is installed.

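The log check described in the reply above (a "secure" connection line appearing after STARTTLS), as an added example that is not part of the original thread and is not Xeams code: it reads log text in the layout of the posted snippet and reports, per session id, whether MAIL FROM was sent after the secure line. The `audit` function name, the sample lines and the addresses in them are constructed for illustration.

```python
import re

# Line layout taken from the log snippet in the post above:
#   <date> <time> - [   <session id>] <text>
LINE = re.compile(r"^\S+ \S+ - \[\s*(\d+)\] (.*)$")

def audit(log_text):
    """Return {session_id: verdict} for each outbound SMTP session in the log."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a conversation line
        sid, text = m.groups()
        s = sessions.setdefault(
            sid, {"offered": False, "secure": False, "verdict": "no mail sent"})
        if re.match(r"C --> 250[- ]STARTTLS\b", text):
            s["offered"] = True   # remote server advertised STARTTLS
        elif "New (secure) connection" in text:
            s["secure"] = True    # channel was upgraded to TLS
        elif text.upper().startswith("S <-- MAIL FROM:"):
            # The verdict depends on the channel state when the envelope starts.
            if s["secure"]:
                s["verdict"] = "encrypted"
            elif s["offered"]:
                s["verdict"] = "cleartext although STARTTLS was offered"
            else:
                s["verdict"] = "cleartext, STARTTLS not offered"
    return {sid: s["verdict"] for sid, s in sessions.items()}

# Constructed sample (documentation addresses), not taken from a real server.
SAMPLE = """\
2024-01-01 10:00:00,000 - [      1001] ************ New  connection to: 192.0.2.10
2024-01-01 10:00:00,100 - [      1001] C --> 250-STARTTLS
2024-01-01 10:00:00,200 - [      1001] S <-- STARTTLS
2024-01-01 10:00:00,300 - [      1001] ************ New (secure) connection to: 192.0.2.10
2024-01-01 10:00:00,400 - [      1001] S <-- MAIL FROM:<a@example.org>
2024-01-01 10:00:01,000 - [      1002] ************ New  connection to: 192.0.2.20
2024-01-01 10:00:01,100 - [      1002] C --> 250 SMTPUTF8
2024-01-01 10:00:01,200 - [      1002] S <-- MAIL FROM:<a@example.org>
2024-01-01 10:00:02,000 - [      1003] ************ New  connection to: 192.0.2.30
2024-01-01 10:00:02,100 - [      1003] C --> 250-STARTTLS
2024-01-01 10:00:02,200 - [      1003] S <-- MAIL FROM:<a@example.org>
"""

if __name__ == "__main__":
    for sid, verdict in audit(SAMPLE).items():
        print(sid, verdict)
```

An "encrypted" verdict confirms only that the envelope was sent after the TLS upgrade; the log lines shown in the thread carry no certificate details for either side.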

From: Schaf
Date: 3/20/24 6:13 PM
Topic: log certificate used for outbound email?
Type: General Discussions

Your comment about only the receiving server certificate being used is interesting. We're following the Microsoft article linked below for setting up a certificate-based connector. To answer your question, I do see two connections in the log. The message is absolutely using TLS 1.2 (verified in message headers and from Exchange Online message trace). The Email Sender App shows the third party certificate is being used when relaying to the Xeams server.

Configure a certificate-based connector to relay email messages through Microsoft 365 - Exchange | Microsoft Learn

Thank you.


From: Synametrics Support
Date: 3/21/24 8:23 AM
Topic: log certificate used for outbound email?
Type: General Discussions

Schaf,

The article you linked talks about Two-way SSL authentication. Check https://cheapsslsecurity.com/p/what-is-2-way-ssl-and-how-does-it-work/ for details.

Xeams currently does not support two-way SSL. Therefore, the only way to accomplish this is by specifying Xeams's public IP address in O365.

From: Schaf
Date: 3/21/24 2:03 PM
Topic: log certificate used for outbound email?
Type: General Discussions

Synametrics Support - thank you for the feedback on the Microsoft article. I'm confirming with Microsoft Support and will post an update (if they can answer the question, 'nuf said). Thanks for the link to the 2 Way SSL/TLS article. Very helpful.
