SMTP Server As a Relay to Exchange Online [EN]

wroot Technology

With Microsoft hammering down on Basic Auth support in Exchange Online many systems admins are wondering what to do about email function in multi function printers and scanners and other internal systems that have to send emails (SharePoint and similar). Although it seems that SMTP Auth might stay available a bit longer even after the final date in October of 2022. Still, there could be better options to avoid problems when Basic Auth is gone and MFPs cannot send emails directly to Exchange Online using just email and password. I am not 100% sure below provided setup will work all the time, but it was recommended by our MS partners and listed on Microsoft support page.

On my previous job, when we were just migrating to Office 365 and getting rid of internal Exchange server, there was an important question what to do with all the MFPs and other internal systems (on-prem SharePoint being one of them), which were setup to send emails directly through Exchange by setting up a connector based on IP of a system/device. This would not work with Exchange Online as it operates with users and we didn’t want and couldn’t setup users for every device and system. So, based on this article from Microsoft we picked the SMTP relay option. Actually, this article first lists SMTP Auth and direct send options. First one as i mentioned might still work for some time, but not sure for how long. Also not clear, if direct send will work, especially with older devices. We picked SMTP relay also because that would be a system in our environment and fully in our control and a single point of access, so you can just point every system that needs to send email directly to that relay and not try to setup a connection directly with Exchange. Setup looks like that:

  • Windows Server 2012 VM
  • On the same server SSL certificate of our domain was installed as a local machine certificate (same certificate was used for Hybrid setup between local Exchange and Exchange Online).
  • Installed STMP server feature (which installs Web Server (IIS) role). Must select IIS 6.0 Management Console. It will allow management of local SMTP server.
  • Started SMTP service in Services.

Then had to configure SMTP server via IIS Console:

  • Open console and expand server.
  • Right click SMTP Virtual Server #1, go to Properties
  • In Access tab:
    • Authentication – leave only Anonymous selected
    • Connection – change to Only the list below and enter IP addresses of devices and systems that should be allowed to send emails (a precaution, so that any other device infected by some malware won’t be sending spam through this relay)
  • Messages:
    • Set this accordingly to your needs. We had to allow sending of scanned PDFs, so eventually have set it to 25600 KB (25 MB). Session size limit must be bigger than that, so have set it to 51200. This allowed sending files of ~20 MB size, because encoding and headers add 30% overhead.
    • Limit number of recipients per message. Again, based on needs. We have set it to 200 so our systems could send automated notification to all employees, if needed.
  • Delivery:
    • Outbound Connections: Port 25
    • Advanced:
      • Fully-qualified domain name: domain.tld (do test with Check DNS)
      • Smart host should be left empty
  • Right click SMTP Virtual Server and go to Domains
  • Add new Remote with domain.tld name
  • Right click domain.tld remote:
    • Check Allow incoming mail to be relayed to this domain;
    • Outbound Security button – check Anonymous access and TLS encryption
    • In the field Forward all mail to smart host add domain-tld.mail.protection.outlook.com
  • Restart IIS server and make sure SMTP service is also started

You also might need to open outbound connection from internal server IP on port 25 to Office 365 in your firewall. Can use telnet domain-tld.mail.protection.outlook.com SMTP command on the server as a test (if it shows that server is waiting, then connection works).

To test email sending can use PowerShell on the server: Send-MailMessage -SmtpServer server.domain.tld -To name@domain.tld -From test@domain.tld -Subject “Test”

In systems can use server’s IP or name or create an alias to point to as an SMTP server.

On Exchange Online side you need to create a connector in Mail Flow > Connectors menu (again, if you had a Hybrid setup, you already have one). Connector is From your organization’s mail server to Office 365 (inbound). In this connector in By verifying that the subject name.. field put the subject name of your certificate (e.g. domain.tld, or *.domain.tld for a wildcard certificate). Save the connector.

The last part is a bit murky as Microsoft 365 changes a lot, hybrid setup was done by MSP and it was 6 years ago or so. Currently i don’t have an access to Exchange console to check how it looks now. But in general it should be similar. You need a certificate of your external domain to setup a hybrid connector to Exchange Online. And as said in the beginning you install the same certificate on the server used as STMP relay. When certificate expires and new one is issued you don’t have to do anything on Exchange Online side (unless subject name changes). But you need to replace old with new one on STMP server using Certificates snap-in in MMC. It might take a few minutes before it allows to send emails again.

Leave a Reply

Your email address will not be published. Required fields are marked *