Setting up Encrypted email in Office 365 in 5 Steps

1. Ensure you have assigned an Azure Rights Management license to the user in Office 365.

2. Run the following from an elevated PowerShell instance.

If you have never installed Encrypted email before, you may need to install AzureRM and AADRM.

Install-Module -Name AzureRM -AllowClobber
Install-Module -Name AADRM

3. Next, run this script (you will need the tenant's Office 365 credentials):

# Prompt once for the tenant admin credentials; every later cmdlet reuses $cred
$cred = Get-Credential

# Confirm the AADRM module is installed, then connect to Azure Rights Management
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred

# Read the licensing URL that Exchange Online needs to trust
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl

# Set this to your Exchange Online remote PowerShell endpoint before running
$exoUri = '<Exchange Online PowerShell connection URI>'
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exoUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Add the Azure RMS licensing URL to the IRM licensing locations if it is not already listed
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
Set-IRMConfiguration -LicensingLocation $list

# Enable Azure RMS licensing and the client-side encryption features
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
Set-IRMConfiguration -ClientAccessServerEnabled $true

# Close the remote session when finished
Remove-PSSession $session

4. To test that it is working, run:

Test-IRMConfiguration -Sender <user>@<domain>

5. Next, in the Office 365 Exchange Admin centre, set up a mail flow rule like this:

Read Receipts showing wrong time or time zone for Office 365 mailbox

If you get read receipts stating that the message was read on the previous day, or the time is simply wrong, this could be due to the time settings on the mailbox.

Microsoft have a poor guide on this that explains WHY it happens but does not say how to resolve it.

Here is the solution:

We can check this by first connecting to Office 365 via Azure PowerShell, and then running the following command.

Get-MailboxRegionalConfiguration -Identity <user>@<domain> | fl

If the TimeZone is wrong, it will be obvious. You will need to change it to your user's local time zone. To see a list of time zones, run this command in PowerShell.

$TimeZone = Get-ChildItem "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Time zones" | foreach {Get-ItemProperty $_.PSPath}; $TimeZone | sort Display | Format-Table -Auto PSChildname,Display

Once you know your time zone, run the following (substituting your correct time zone).

Set-MailboxRegionalConfiguration -Identity <user>@<domain> -TimeZone "GMT Standard Time"


How to make sent items go into a secondary (shared mailbox) instead of your own

Note: If you're running Outlook 2013 or a later version, you don't have to install any hotfix.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

Note: The x.0 placeholder represents your version of Office (16.0 = Office 2016, 15.0 = Office 2013, 14.0 = Office 2010).

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DelegateSentItemsStyle, and then press Enter.
  5. Right-click DelegateSentItemsStyle, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.

Setting up SSL on hMailServer

1. Download and install OpenSSL.

2. Create a Key - Open an elevated CMD prompt and change directory to where you installed OpenSSL. Once there, run OpenSSL.exe.

Run: >openssl genrsa -out <host>.key 1024

Where <host> is your mail server's name.

3. Certificate Request - Next we need to create the certificate request:

>openssl req -new -nodes -key <host>.key -out <host>.csr

Where <host> is your mail server's name.

If this fails, try this. My OpenSSL was installed in C:\OpenSSL\OpenSSL-Win64

SET OPENSSL_CONF=c:\OpenSSL\OpenSSL-Win64\bin\openssl.cfg

4. Create a self-signed certificate:

>openssl x509 -req -days 1024 -in <host>.csr -signkey <host>.key -out <host>.cert

Where <host> is your mail server's name.


5. Configuring hMailServer With Your New SSL Certificate

 Bring up your hMailServer administrator UI and add an SSL certificate. You'll find the files we use here in the folder that OpenSSL.exe was run from.

 Add a SSL certificate

 Next create new TCP/IP ports which use SSL for each protocol you are interested in testing.

 Add TCP/IP ports and protocols

The port numbers for IMAP (993) and POP3 (995) are the default secure ports for these two protocols. I will be disabling 110, 143 and 25 to allow only encrypted mail. Each change will restart hMailServer.

When configuring the email account on the clients, you will get a certificate warning because the certificate is self-signed. You know you can trust this because you created it. You can verify the certificate by viewing its details. You will see all of the information you populated when creating the certificate in OpenSSL.

To prevent this from popping up every time your client connects, INSTALL the certificate on your client machines.
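
Before installing the certificate on clients, it is worth confirming that what hMailServer presents on the SSL ports is the file you created, by comparing thumbprints rather than reading the details by eye. The following is an added example, not part of the original post: the host name mail.example.test, the certificate path and the function names are placeholders. It also flags RSA keys under 2048 bits, which includes the 1024-bit key generated in step 2.

```powershell
# Added example. Host name, file path and function names are placeholders.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: it is fetched for inspection only, no credentials or mail are sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-MailCertificate {
    param([string]$HostName, [int[]]$Ports, [string]$CertPath)
    # The .cert file produced by the openssl x509 command in step 4
    $local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    foreach ($port in $Ports) {
        $remote = Get-RemoteCertificate -HostName $HostName -Port $port
        # Returns $null for non-RSA keys; the keys created on this page are RSA
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($remote)
        [pscustomobject]@{
            Port          = $port
            Thumbprint    = $remote.Thumbprint
            MatchesFile   = ($remote.Thumbprint -eq $local.Thumbprint)   # server presents the file you created
            SelfSigned    = ($remote.Subject -eq $remote.Issuer)
            KeyBits       = $rsa.KeySize
            WeakKey       = ($rsa.KeySize -lt 2048)                      # true for a 1024-bit key
            DaysRemaining = [int]($remote.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# 993 (IMAP) and 995 (POP3) are the SSL ports configured above
Test-MailCertificate -HostName 'mail.example.test' -Ports 993, 995 `
    -CertPath 'C:\OpenSSL\OpenSSL-Win64\bin\mail.example.test.cert' | Format-Table -AutoSize
```

If MatchesFile is False on any port, the server is not presenting the certificate you generated and the client warning should not be accepted until you know why.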