This article describes the required network, DNS, and mail‑flow changes when migrating from Vade Cloud to the Hornetsecurity Control Panel.
Inbound Configuration
Allow Control Panel IP Addresses
To ensure proper inbound email delivery, customers must allow the Hornetsecurity Control Panel IP ranges in their firewall and/or email provider configuration.
Recommended IP ranges
94.100.128.0/20(General Hornetsecurity IP range, worldwide)185.140.204.0/22(United States - Atlanta)173.45.18.0/24(United States - Washington)83.246.65.0/24(Germany - Hannover)
Minimum required IP ranges
If you prefer to allow a smaller set of IP addresses, you may use the following minimum configuration:
94.100.128.0/24(Germany - Frankfurt)94.100.136.0/23(Germany - Hannover)94.100.138.0/23(France - Lille)83.246.65.0/24(Germany - Hannover)
⚠️ We strongly recommend allowing the full IP range when possible.
Firewall Requirements
If a firewall is in use, the following ports must be allowed:
| Port | Protocol |
|---|---|
| TCP/25 | SMTP |
| TCP/389 | LDAP (optional) |
| TCP/636 | LDAPS (recommended) |
Custom ports may be used if required to reach the customer’s inbound relay or LDAP server.
Outbound Consideration for Firewall Rules
If outbound email is enabled, ensure that your SMTP servers are allowed to send emails to the Hornetsecurity Control Panel IP ranges, not only to Vade Cloud.
Update MX Records (Inbound Mail Flow)
Recommended Preparation: Lower MX TTL
Before changing MX records, we strongly recommend reducing the TTL (Time To Live) value in advance to speed up propagation.
- Example:
- Current TTL:
86400(24 hours) - Recommended TTL before change:
300(5 minutes)
- Current TTL:
604800 = 7 days), you must wait the full original TTL period after changing the TTL value before modifying MX records.If TTL is not reduced, emails may be delivered to both Vade Cloud and the Control Panel during the transition.
New MX Records
Before initiating the MX migration, you must ensure that all settings have been fully migrated from Vade Cloud to the Control Panel.
This configuration step is mandatory and should be completed with the assistance of your Partner or a Hornetsecurity representative.
- Do NOT change your MX records until this step is fully completed and verified.
Failure to migrate and validate your settings in the Control Panel prior to updating MX records will result in email disruption and potential loss of incoming messages.
Proceed with the MX change only after confirmation that the Control Panel is fully configured and operational.
All customer domains must be updated to the following MX records:
| Priority | MX Record |
|---|---|
| 10 | vade-mx-fr01.hornetsecurity.com |
| 10 | vade-mx-fr02.hornetsecurity.com |
| 20 | vade-mx-eu-fallback01.hornetsecurity.com |
| 20 | vade-mx-eu-fallback02.hornetsecurity.com |
Data Location Transparency
-
Primary MX records (priority 10)
- Datacenter: France
-
Fallback MX records (priority 20)
- Datacenter: Germany
- Used only if primary MX records are unavailable
Email storage is always performed in France.
German datacenters are used exclusively for short‑term email transit in fallback scenarios.
Customers may choose not to configure fallback MX records; however, this increases risk during incidents.
After the MX Change
- The change becomes effective within a few minutes.
- During the transition, some emails may still be delivered to Vade Cloud.
- After 1–2 days, you may safely increase the TTL value back to its original value.
Outbound Configuration
Update SMTP Relays
You do not need to update SPF records before changing SMTP relays, provided your SPF already includes:
include:spf.cloud.vadesecure.com
or
include:_spf.cloud.vadesecure.com
If neither is present, update SPF first.
All SMTP servers previously using the following relays:
smtp.cloud.vadesecure.com smtp-fr.cloud.vadesecure.com
Must be updated to:
vade-relay-fr01.hornetsecurity.com vade-relay-fr02.hornetsecurity.com vade-relay-eu-fallback01.hornetsecurity.com vade-relay-eu-fallback02.hornetsecurity.com
After this change, all outbound emails are sent to the Hornetsecurity Control Panel.
This is effective immediately.
Technical configuration guides are available for Microsoft 365, Google Workspace, OVH at the bottom of this article.
Update SPF Record
After all SMTP servers have successfully switched to Control Panel relays, you may update the SPF record.
We recommend waiting 7 days to ensure that no emails remain queued on Vade Cloud.
Replace:
include:spf.cloud.vadesecure.com
or
include:_spf.cloud.vadesecure.com
With:
include:spf.hornetsecurity.com
Configure DKIM and DMARC (Highly Recommended)
Vade Cloud does not support DKIM or DMARC.
After migrating to the Hornetsecurity Control Panel, we strongly recommend configuring both for improved email security and deliverability.
Please refer to:
Technical Configuration Guides
Microsoft 365
Inbound flow
The purpose of this procedure is to prepare the inbound connector to be implemented prior to the switchover from Vade Cloud to Hornetsecurity.
This configuration is carried out in the administration section of your Microsoft 365 console: https://admin.exchange.microsoft.com/
Incoming mail connector
|
- Click on Add a connector
- Click on Partner Organization
- Then Next
- Add the name of the connector: "Inbound Connector".
- Then click on Next
- Click on "Checking that the IP address of the sending server matches...".
- Add the Hornetsecurity server IPs one by one in the field just below. Each addition is validated by clicking on the + icon:
- The Hornetsecurity server IPs to be added are as follows:
83.246.65.0/24 |
94.100.135.0/24 |
94.100.142.0/24 |
- Then click on Next
- Check that the "Reject mail if not sent using TLS" box is ticked.
- Then click on Next
- Check that all information is correct
- Then click on Create a connector
- The Microsoft 365 interface validates connector registration
- Then click on OK
- Check that the connector is active: the checkbox must be ticked; if not, it must be deselected.
Thank you, you have now completed the configuration of the incoming connector for migration to Hornetsecurity.
Outgoing flow (only for MailOut customers)
The purpose of this procedure is to prepare the connector and the usage rule prior to migration.
This configuration is carried out in the administration section of your Microsoft 365 console: https://admin.exchange.microsoft.com/
Creating the outbound connector
|
- Click on Add a connector
- Click on Office 365
- Click on Partner Organization
- Then click on Next
- Add the connector name "Relay"
- Then click on Next to arrive at Connector usage
- Check "Only when a transport rule is configured to redirect messages to this connector"
- Then click on Next to access the Routing section.
- Enter the name of the Hornetsecurity relays host at the beginning of the procedure in the box below, then click on the ➕ to validate the addition. You should add the followings relays one by one:
- vade-relay-fr01.hornetsecurity.com
- vade-relay-fr02.hornetsecurity.com
- vade-relay-eu-fallback01.hornetsecurity.com
- vade-relay-eu-fallback02.hornetsecurity.com
- Validate this page by clicking on Next to get to the Security restrictions section
- Then click on Next to go to the Validation mail section
- Enter an address like test@gmail.com outside your domain in the box below then click on the ➕ to validate the addition
- Click on "Validate"
- Wait for validation to complete
- The message "Validation successful" means that the test e-mail has been accepted by the test address you filled in earlier. If validation fails, continue to the end of the procedure.
- Check that all information is correct
- Then click on Create connector
- The Microsoft 365 interface validates the connector registration.
- Then click on OK
- Check that the connector created is active
Create the connector usage rule
|
- Click on Add a rule
- Then on "Create a rule”
- Add a name to the Relay rule, for example
- Then click on the drop-down list under "Apply this rule if".
- Select the sender
- Then in the drop-down list to the right, select is external/internal
- In the window that opens, select Inside the organization
- Then Save
- Click on the drop-down list under Perform the following operations
- Select Redirect message to
- In the drop-down list on the right, select the following connector
- In the window that opens, select the connector you've just created
- Then Save
- Click on Next on the next 2 screens
- Click on Finish on the next 2 screens
Thank you, you have now completed the creation of the outbound connector and the associated rule for migration to Hornetsecurity.
Google Workspace
The purpose of this procedure is to add the IP ranges (CIDR) of the Hornetsecurity solution to the inbound gateway already activated for the Vade Cloud solution.
You will have to add those IP ranges to your existing inbound gateway you used for Vade Cloud:
83.246.65.0/24 |
94.100.135.0/24 |
94.100.142.0/24 |
Adding Hornetsecurity IP ranges to the inbound gateway on your Google Workspace administration console
Go to your Google account administration page. Once logged in, go to the Gmail section (Applications > Google Workspace > Gmail).
Then scroll down to the "Spam, phishing and malware" section and click on it. Or to access it directly, click on this link: Spam management
Click on “Add” and add the IP range listed at the beginning of the procedure.
Finish the configuration by clicking on the "Save" button.
OVH
Inbound:
Please do not make any changes to your inbound settings
Outbound:
Please proceed as described in "If you are a 'MailOut' customer" and if you are on a private exchange plan additionally do as described here:
-
Create the connector
- Be careful to adapt the values entered in the form to your Mailout relay.
POST /email/exchange/{organizationName}/service/{exchangeService}/sendConnector
- Be careful to adapt the values entered in the form to your Mailout relay.
-
Obtain connector IDs
- GET /email/exchange/{organizationName}/service/{exchangeService}/sendConnector
- GET /email/exchange/{organizationName}/service/{exchangeService}/sendConnector
-
Identify the correct connector ID
- If you have several Ids in the previous result, you now need to test each number to find out which one corresponds to the connector. You'll be able to identify the correct connector when the displayNameis the one you entered previously (see 2-a) Create the connector) displayName "z0Xz0Y"
GET /email/exchange/{organizationName}/service/{exchangeService}/sendConnector
- If you have several Ids in the previous result, you now need to test each number to find out which one corresponds to the connector. You'll be able to identify the correct connector when the displayNameis the one you entered previously (see 2-a) Create the connector) displayName "z0Xz0Y"
-
Default connector
- If you want this connector to be used on all newly created mailboxes, you can configure it as the default send connector.
In thedomainNamesection, enter the domain name you wish to relay via this connector.
Please note that the connector will not be applied to existing mailboxes.
PUT /email/exchange/{organizationName}/service/{exchangeService}/domain/{domainName}/changeDefaultSBR
- If you want this connector to be used on all newly created mailboxes, you can configure it as the default send connector.
It's very important to keep the connector identifier "sendConnectorIdDefault" for commissioning on the day of migration.