# Empfangsweg - IP-Whitelist
# Generiert aus: empfangsweg-ip-whitelist.txt
# Quelle: SecuMail® Microsoft 365-Integration FAQ
#
# WICHTIG: Vor Ausfuehrung in Produktivumgebung
# bitte in einer Testumgebung validieren.
#
# Voraussetzung: Connect-ExchangeOnline

#==========================================================
# KONFIGURATION
#==========================================================

# --- Schritt 1: Inbound Connector anlegen ---
New-InboundConnector `
-Name "SecuMail Inbound" `
-ConnectorType Partner `
-SenderIPAddresses "212.11.224.0/24","212.11.225.0/24","212.11.240.64/27" `
-RequireTls $true `
-RestrictDomainsToIPAddresses $true `
-EFSkipIPs "212.11.224.0/24","212.11.225.0/24","212.11.240.64/27" `
-EFSkipLastIP $false `
-Enabled $true

Set-InboundConnector `
-Identity "SecuMail Inbound" `
-SenderIPAddresses "212.11.224.0/24","212.11.225.0/24","212.11.240.64/27" `
-EFSkipIPs "212.11.224.0/24","212.11.225.0/24","212.11.240.64/27"

# --- Connector per Client-Zertifikat absichern [ALTERNATIV= ---
Set-InboundConnector `
-Identity "SecuMail Inbound" `
-RestrictDomainsToCertificate $true `
-TlsSenderCertificateName "*.secumail.de"

# --- Schritt 3: TLS für den Empfangsweg prüfen ---
Set-InboundConnector `
-Identity "SecuMail Inbound" `
-RequireTls $true

#==========================================================
# PRUEFUNG
#==========================================================

# --- Schritt 1: Inbound Connector anlegen ---
Get-InboundConnector -Identity "SecuMail Inbound" | Format-List Name, ConnectorType, SenderIPAddresses, RequireTls, EFSkipIPs, EFSkipLastIP, Enabled

# --- Connector per Client-Zertifikat absichern [ALTERNATIV= ---
Get-InboundConnector -Identity "SecuMail Inbound" | Format-List Name, RestrictDomainsToCertificate, TlsSenderCertificateName, RequireTls

# --- Schritt 3: TLS für den Empfangsweg prüfen ---
Get-InboundConnector -Identity "SecuMail Inbound" | Format-List Name, RequireTls