SMTP Relay in Office 365 environment

After the migration to Office 365 (Exchange Online), users complain that they no longer receive messages from a fax device located in the organization's office. You start to investigate and check the fax device settings.
Everything looks fine, and still the messages sent by the fax device don't reach their destination. Hmm, what happened? The detail that was forgotten is that, until now, the mail-enabled devices/applications were configured to connect to the on-premises Exchange server, and the recipients no longer live there.
Before we can restore the ability of the mail-enabled devices/applications to send mail to the organization's recipients (now located in the cloud), we need to get past a number of "obstacles". Fear not, there is a solution!

In this article, we will discuss the reason for using an IIS SMTP relay with Office 365 subscriptions, the required configuration and, in the last part, how to troubleshoot common mail flow scenarios.



Part 1: Basic introduction to Mail relay scenarios.

LAN mail-enabled devices/applications and Exchange on-premises configuration

When Exchange on-premises acts as the SMTP server (mail relay) for mail-enabled devices/applications, the basic assumption is that the LAN is a "safe" environment (isolated from the external network). For this reason, the communication between the mail-enabled devices/applications and the on-premises Exchange server usually has the following characteristics:

  1. Communication channel
    The mail-enabled devices/applications talk to the on-premises Exchange server using plain SMTP (unencrypted).
  2. Authentication
    Most of the time, the mail-enabled devices/applications use no authentication mechanism at all (anonymous).
  3. IP address restriction
    In some cases, as a basic security measure, the administrator configures the on-premises Exchange server (a receive connector) to accept anonymous SMTP connections only from specific, predefined IP addresses.

Mail services for Mail enabled devices-application using Exchange on premises

LAN mail-enabled devices/applications and Exchange Online

When the mail server sits on a public network, as Exchange Online does, the communication channel has different requirements:

  1. Mail server versus Exchange on-premises
    With Exchange Online we do not control the receive connectors the way we control an on-premises server, so we cannot simply carve out a connector that trusts our LAN mail-enabled devices/applications. An additional factor is that we don't know in advance which Exchange Online server (and IP address) will accept our connection.
  2. Communication channel
    The channel between the mail-enabled devices/applications and Exchange Online crosses a public network (an untrusted environment). Exchange Online therefore requires an encrypted channel (TLS) between the two endpoints, i.e. between the host that relays the messages and Exchange Online.
  3. Authentication
    The Exchange Online endpoint used in this article (smtp.office365.com, SMTP client submission) does not accept mail from anonymous senders: the relaying host must authenticate with the credentials of an Office 365 user.

Relaying mail to Exchange Online

To enable mail-enabled devices/applications to relay mail to Exchange Online, we need to meet the following requirements:

  1. Secure communication channel
    The encrypted channel is created with TLS, negotiated with STARTTLS on port 587 (recommended) or port 25.
  2. Authentication
    The "host" that relays mail to Exchange Online must present credentials (user name and password) using Basic authentication (SMTP AUTH). Because Basic authentication sends the password merely base64-encoded, it must only happen after TLS has been established.
  3. Mail server IP address/host name
    The "host" that relays mail to Exchange Online must know the host name of the Exchange Online endpoint. It is a host name rather than a fixed IP address because the addresses behind it change.

To implement these requirements, we can use one of the following scenarios:

Scenario 1: Mail enabled devices\application connect directly with the Exchange Online

If the mail-enabled devices/applications support authentication and TLS, we can configure these hosts to communicate directly with Exchange Online. The less good news is that, most of the time, mail-enabled devices/applications don't support these requirements.

Mail enabled devices-application connect directly with the Exchange online

Scenario 2: using the IIS SMTP relay server

If the mail-enabled devices/applications don't support the mandatory requirements (TLS and authentication), or if we prefer a centralized, managed solution, we can use an SMTP relay server.
The IIS SMTP server is a built-in feature of Windows Server (2008, 2008 R2 and 2012). It is added as a server feature, not a role, and it is not available on client editions such as Windows 7.

Note – Windows Server 2003 is not supported for this role: its TLS stack cannot negotiate the protocol version and cipher strength that Exchange Online requires (Exchange Online requires TLS 1.2), so the encrypted connection cannot be established.

The IIS SMTP server then acts as a mail relay, or "intermediary", between the LAN mail-enabled devices/applications and Exchange Online.

Using relay SMTP Server

The IIS SMTP server satisfies Exchange Online's mandatory requirements for TLS and authentication on behalf of the devices. In this scenario, the IIS SMTP server is configured with two "interfaces":

  1. The interface that accepts requests from LAN mail-enabled devices/applications. This "interface" accepts relay requests from the LAN devices/applications without authentication (anonymous) over plain SMTP (no encryption); the only control on this leg is the list of source IP addresses allowed to relay.
  2. The interface that communicates with Exchange Online. The other "leg" is used by the IIS SMTP server to talk to Exchange Online: it establishes TLS and authenticates with the Office 365 credentials.

IIS SMTP Relay-  the two interfaces



Part 2: implementing IIS SMTP relay

In the following section, we review all the settings and prerequisites needed to use the IIS SMTP server as a mail relay.

SMTP relay prerequisites

1. IIS SMTP User credentials

The credentials that the IIS SMTP server uses to authenticate to Exchange Online can be those of any Office 365 user who is licensed for an Exchange Online mailbox; there is no need to purchase a dedicated license for this purpose. The one thing to consider about this user (the account the relay authenticates with) is that, by default, every message relayed to Exchange Online will carry this user's address in the From field.

For example, if we configure the IIS SMTP server with the credentials of an Office 365 user named John, every message sent by a LAN mail-enabled device/application to other Office 365 recipients will appear at the destination as a message sent by "John".

Three practical points about this account. Its password is stored on the relay server so that the server can present it for outbound Basic authentication, so use a dedicated, low-privilege mailbox created only for relaying, not an administrator's or a real user's account, and keep it out of every admin role. Basic authentication cannot complete an MFA challenge, so the account must not be subject to MFA, and in recent tenants SMTP AUTH is disabled by default and has to be enabled for this mailbox. Finally, the Exchange Online client submission limits (30 messages per minute and 10,000 recipients per day) apply to this single account, which bounds what all the devices behind the relay can send together.

Later on, we will look at the scenario in which the LAN mail-enabled devices/applications use different mail addresses, and how to enable the IIS SMTP server to send mail "on behalf" of these hosts.

2. Firewall settings

To enable the IIS SMTP server to open a connection to Exchange Online, create an outbound rule in the organization firewall that allows the IIS SMTP server to reach smtp.office365.com on TCP port 587 (or port 25). Scope the rule to the relay server's own IP address; no other LAN host needs this access.

Note – you can read about how to check whether the IIS SMTP server can use port 587 in the section: 1. Troubleshooting communication port

3. Exchange Online server Host name

To reach Exchange Online, Office 365 publishes a general host name for SMTP client submission: smtp.office365.com

If you want to look up the Exchange Online server name yourself, use the following steps:

  1. Log on to the Office 365 portal
  2. In the top menu choose Outlook
  3. Click on the Settings icon
  4. Choose the Options menu
    Find Exchange Online server name- Step -01
  5. In the left menu bar choose the Account menu
  6. At the bottom of the page, click Settings for POP or IMAP
    Find Exchange Online server name- Step -02

In the window that appears, look for the section SMTP settings.
Here you can find the Exchange Online server name (smtp.office365.com) and, in addition, the mandatory requirement for TLS (port 587 or port 25).

Find Exchange Online server name- Step -03

Installing and configuring the IIS SMTP server

In the following section, we demonstrate how to install the IIS SMTP server on Windows Server 2008.

Step 1: install IIS Server

  1. Open the Server Manager console and, under Features, select Add Features
  2. Select the option: SMTP Server
    (The rest of the installation process is just next, next, etc.)
    Installing IIS SMTP windows 2008 server -01

Step 2: IIS SMTP Service

By default, the IIS SMTP service is not started and its startup type is Manual.

Installing IIS SMTP windows 2008 server - Change service status -02

  1. Change the default setting to Automatic.
    Double-click the service Simple Mail Transfer Protocol (SMTP) and change the Startup type to Automatic
  2. Start the IIS SMTP service (SMTPSVC)
    Installing IIS SMTP windows 2008 server - Change service statous -03

Step 3: IIS SMTP Server MMC

The management console for the IIS SMTP server is Internet Information Services (IIS) 6.0 Manager.
(There is no option to manage the IIS SMTP server from the "standard" IIS 7 management console.) You can find the IIS 6.0 Manager under Administrative Tools -> Internet Information Services (IIS) 6.0 Manager

Installing IIS SMTP windows 2008 server -IIS 6 Icon -04

IIS SMTP relay Configurations

In the following section, we review all of the settings required to configure the IIS SMTP server as an "SMTP relay".

1. IIS SMTP relay "LAN interface"

The first part covers the settings for the interface, or "IIS leg", that serves the LAN hosts (mail-enabled devices/applications).

Open the IIS SMTP management console, right click on the
[SMTP Virtual server #1] and choose: Properties

SMTP Relay properties- step 00

Access tab

Access tab – Authentication

Select the Access tab -> Authentication

In the Authentication window, leave only Anonymous access selected (the mail-enabled devices/applications don't authenticate).

SMTP Relay Authentication - step 01

Access tab – Relay

The "relay" settings define the IP addresses of the mail-enabled devices/applications that are allowed to relay mail through the IIS SMTP server.
In our example, two hosts need to send mail to the IIS SMTP server:

A help desk application installed on a workstation with the IP address 10.100.102.2, and a fax device with the IP address 10.100.102.3.
To enable these hosts to send (relay) mail through the IIS SMTP server, we add their IP addresses to the "allowed list".

SMTP Relay IP Address - step 000

Select the Relay tab -> Relay option.

In the Relay Restrictions window, keep the option "Only the list below" and add the IP addresses of the mail-enabled devices/applications that will relay mail through the IIS SMTP server.

SMTP Relay IP Address - step 00

Note – enter only the IP addresses of the mail-enabled devices/applications that you trust, and never switch to "All except the list below". Anything that reaches the relay from a listed address is forwarded to any destination, so for those sources the IIS server is effectively an open relay backed by a valid Office 365 credential. A compromised host on the list can send spam or phishing as the relay account until Exchange Online blocks the account for exceeding its sending limits, so also make sure TCP port 25 on the relay is not reachable from the Internet.
Note – you can read additional information about the relay settings in the section:
2. Troubleshooting relay permissions

2. IIS SMTP relay “Exchange Online interface”

In this section, we create the settings that enable the IIS SMTP server to relay mail messages to Exchange Online.

Delivery Tab

The Delivery tab configures the IIS SMTP "interface" that communicates with Exchange Online.

The interface to Exchange online – Delivery -step 03

Delivery Tab – Outbound security

Select the Delivery tab -> Outbound Security option.

In the Outbound Security window select the option: Basic Authentication

Provide the credentials of the Office 365 user that has an Exchange Online mailbox.
In our example, we use the credentials of the user [email protected]

In the same Outbound Security window, also select the option: TLS encryption (this creates the secure channel to Exchange Online). Do not leave TLS encryption unchecked: with Basic authentication the password is only base64-encoded, and without TLS it would cross the Internet in the clear.

The interface to Exchange online – Delivery – outbound security step 04

Delivery Tab – TCP port

Select the Delivery tab -> Outbound connections option.

The TCP port used for the TLS connection to Exchange Online is 587 (recommended) or 25.
(Verify that the organization firewall has the outbound rule that lets the IIS SMTP server use this port.)

The interface to Exchange online – Delivery – outbound connection step 05

Delivery Tab – Advanced

Select the Delivery tab -> Advanced option

In the Smart host text box, enter the Exchange Online host name (smtp.office365.com).

Note – in case you need a reminder about how to find the Exchange Online server name, read the section: 3. Exchange Online server Host name

The Fully-qualified domain name field is not mandatory. You can enter the FQDN of the IIS SMTP server; it is the name the relay announces in its EHLO greeting.

The interface to Exchange online – Delivery – smart host step 06



Part 3: Enable the IIS SMTP relay to send mail on behalf other Email address

After creating the required settings for the IIS SMTP relay, we need to solve an additional issue: enabling the IIS SMTP relay to send mail on behalf of another email address.

For the demonstration, let's use the following scenario:
We want to enable two internal hosts to send email through the IIS SMTP server.

One host is a help desk application that uses the email address [email protected], and the other host is a fax machine that uses the email address [email protected]

If these hosts relay mail through the IIS SMTP server as they are, the messages will be rejected by Exchange Online, because by default a recipient (in our example [email protected]) cannot send email as another recipient (in our example [email protected] and [email protected]). Exchange Online checks that the authenticated account is allowed to use the MAIL FROM address.

The good news is that we don't need to create a user account and mailbox to "represent" each of these hosts that relay mail through the IIS SMTP server.

Enable the IIS SMTP relay to send mail for other Email address

To enable the IIS SMTP server to send email for these hosts, we can choose one of the following solutions:

1. Using a distribution group and assigning "Send As" permission

This solution creates a distribution group for each host that needs to relay email through the IIS SMTP server. The group is created as a security group (a mail-enabled security group) and carries the host's email address. The next step is to assign "Send As" permission on that group to the recipient the IIS SMTP server uses for authentication (in our example: [email protected]). The Send As permission can be assigned using the web interface or using a PowerShell command.

Assign "Send As" permission using the Office 365 management web interface
  1. Log in to the Office 365 portal and, in the Admin menu, choose the option: Exchange
  2. In the Exchange admin center choose the recipients menu -> groups
  3. Click the "Add" option and choose the Security group option.
    Using distribution group and assign “Send as permissions” -01
  4. In our example, we name the new security/distribution group FaxService
  5. Double-click the name of the new security/distribution group (FaxService) and choose the menu: group delegation.
  6. Under Send As, click the add option and add the recipient we use for the IIS SMTP credentials (in our example: John).
    Using distribution group and assign “Send as permissions” -02

 

Repeat this procedure for each LAN host that needs to relay email through the IIS SMTP server.

Assign "Send As" permission using a PowerShell command

Assign "Send As" permission for a mailbox or distribution group
PowerShell command syntax:

Add-RecipientPermission <User/Distribution Group> -AccessRights SendAs -Trustee <User>

Example:

Add-RecipientPermission FaxService -AccessRights SendAs -Trustee John
Note – if you need additional information about how to use PowerShell for Office 365, read the following article: Using remote PowerShell to manage Office 365 (2/4)

2. Adding an additional email address (alias)

An alternative to the security/distribution group solution is to add the email addresses used by the LAN mail-enabled devices/applications as additional email addresses (aliases) of the recipient the IIS SMTP server authenticates as.

In our example, we add two additional email addresses to the recipient named John.

  1. Log in to the Office 365 portal and, in the Admin menu, choose the option: Exchange
  2. In the Exchange admin center choose the recipients menu -> mailboxes
  3. Choose the recipient used by the IIS SMTP server (in our example: John).
    Add additional Email address( Alias) -01
  4. Click the edit (pencil) option
  5. In the mailbox properties choose the option: email address.
  6. Click the add (+) option. In our example, we add two additional email addresses (aliases) to John's mailbox: [email protected] and [email protected]
    Add additional Email address( Alias) -02
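As an added example (not code from the original article), the same two options as one script for Exchange Online PowerShell, together with the two checks a practitioner wants before trusting the relay account: that the Send As grants are really in place and that SMTP AUTH is not disabled for the mailbox. It assumes the ExchangeOnlineManagement module and an Exchange administrator; every name in it is a placeholder (contoso.com as the tenant domain, john@contoso.com as the relay account, FaxService and Helpdesk as the group names).

```powershell
# Added example, not code from the original article. Requires the ExchangeOnlineManagement
# module; run as an Exchange administrator. All names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$relayAccount = 'john@contoso.com'          # the account the IIS relay authenticates with
$deviceAddresses = @{                       # device address -> group that will own it
    'fax@contoso.com'      = 'FaxService'
    'helpdesk@contoso.com' = 'Helpdesk'
}

# Option 1: a mail-enabled security group per device address, Send As granted to the relay account.
foreach ($address in $deviceAddresses.Keys) {
    $group = $deviceAddresses[$address]
    if (-not (Get-DistributionGroup -Identity $group -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $group -Type Security -PrimarySmtpAddress $address | Out-Null
    }
    Add-RecipientPermission -Identity $group -AccessRights SendAs -Trustee $relayAccount -Confirm:$false | Out-Null
}

# Option 2 (instead of option 1): attach the device addresses to the relay mailbox as aliases.
# Set-Mailbox -Identity $relayAccount -EmailAddresses @{ add = 'fax@contoso.com', 'helpdesk@contoso.com' }

# Check 1: which addresses the relay account may now send as.
Get-RecipientPermission -Trustee $relayAccount |
    Where-Object { $_.AccessRights -contains 'SendAs' } |
    Select-Object Identity, Trustee, AccessRights

# Check 2: SMTP AUTH (Basic authentication over TLS, which is what the IIS relay uses) must not be
# disabled tenant-wide or for the relay mailbox; newer tenants ship with it disabled.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -Identity $relayAccount | Select-Object SmtpClientAuthenticationDisabled
# To enable it for this one mailbox (leaving the tenant-wide default untouched):
# Set-CASMailbox -Identity $relayAccount -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

A blank SmtpClientAuthenticationDisabled value on the mailbox means it inherits the tenant-wide setting, so both lines have to be read together. Enabling SMTP AUTH per mailbox rather than tenant-wide keeps the Basic-authentication surface limited to the one relay account.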

 



Part 4: Testing IIS SMTP Relay mail flow

Test IIS SMTP Relay settings

In this section, we review how to test the IIS SMTP relay mail flow. One option is to try to send email from the LAN mail-enabled devices/applications themselves, but if something prevents them from sending mail through the IIS SMTP server, it is hard to find the cause from the device side.

The approach I recommend is to use a free mail client tool named Basic SMTP Telnet Client, which lets us simulate the mail flow and, when there are problems, use the "debug" option (Enable Step by Step Sending) to see which SMTP step fails and why.
In the following section, we demonstrate how to test the IIS SMTP relay infrastructure using the Basic SMTP Telnet Client.

Note – before you start using the Basic SMTP Telnet Client, verify that you have added the IP address of the host you run it from to the Relay Restrictions list of the IIS SMTP server.

Test 1: testing the ability of the IIS SMTP server to relay mail to Office 365 recipient

In the Telnet properties tab, configure the settings for communicating with the IIS SMTP server.

Test IIS SMTP Relay settings -01

Telnet tab – click on the Send button

Test IIS SMTP Relay settings -02

To verify that the message reached the destination recipient, log in to the destination mailbox and check whether the mail was accepted.

If the mail did not arrive, use the option: Enable Step by Step Sending.

This option lets us verify each step of the "send mail" process. We "activate" each step (EHLO, MAIL FROM, RCPT TO, DATA) and observe the server's reply in the step window; the first step that returns a 4xx or 5xx code is where the problem is.

Test IIS SMTP Relay settings -03

Test 2: testing the ability of the IIS SMTP server to relay mail to an Office 365 recipient "on behalf" (Send As permission) of a LAN mail-enabled device/application

If the first test completes successfully, we can continue with the second test, which simulates a LAN mail-enabled device/application relaying mail through the IIS SMTP server. The basic assumption is that we have completed all the settings that allow the IIS SMTP server to send mail "on behalf" of the LAN mail-enabled devices/applications.

Note – you can review the required settings in the section: Part 3: Enable the IIS SMTP relay to send mail on behalf other Email address
  • Receive connector IP: the IP address of the IIS SMTP server
  • TCP port: the SMTP port number (25)
  • Mail From: the email address that represents the LAN mail-enabled device/application relaying through the IIS SMTP server. In our example, we use the email address of the help desk application ([email protected]).
  • Recipient To: the email address of the destination recipient that should receive the mail from the device/application. In our example, we use the address of the recipient named Isabel ([email protected]).
  • Subject: an optional parameter that sets the Subject header

Test IIS SMTP Relay settings -04



Part 5: Troubleshooting IIS SMTP Relay settings

In this section, we review how to troubleshoot common causes of mail flow problems when using the IIS SMTP relay.

1. Troubleshooting communication port

The first step is to verify that the IIS SMTP server can reach Exchange Online on port 587 (or port 25) to create the required communication channel. We also need to check that we use the correct host name for Exchange Online.
To verify these parameters, we can use the built-in Telnet tool.

Note – the Telnet client is not installed by default. To install it on Windows Server 2008, use Server Manager -> Features -> Telnet Client

To test the communication channel to Exchange Online, open a command prompt on the IIS SMTP server and type the following:

Telnet smtp.office365.com 587

checking the Firewall settings port 587 -A

In the following screenshot, we can see that the connection attempt failed.
The reasons could be:

  • We did not create the required outbound firewall rule that lets the IIS SMTP server use port 587
  • The Exchange Online server name is not correct

checking the Firewall settings port 587 -C

After creating the required configuration, we run the Telnet command again. In the following screenshot we can see the Exchange Online response (the 220 banner) to the connection attempt. A banner proves only that the port is open; TLS negotiation and authentication are still untested at this point.

checking the Firewall settings port 587 -B

2. Troubleshooting relay permissions

Part of the security settings of the IIS SMTP server is a restricted list of hosts (the IP addresses of the internal hosts) that are allowed to relay mail through the IIS SMTP server.

In the following example, we use the Basic SMTP Telnet Client tool to simulate relaying a mail message to the IIS SMTP server, with the "debug" option Enable Step by Step Sending turned on.

In the following screenshot, we can see that the error returned by the IIS SMTP server at the RCPT TO step says that the IP address of the host we are using is not configured in the "allowed list" of the IIS SMTP server.

Troubleshooting relay permissions

Note – You can use the following link: Access tab – Relay for reviewing: how to add the IP address of the LAN Hosts to the “Allowed list”.
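The tests in Part 4 and the two checks above (port reachability, relay permissions) can all be driven from PowerShell without a third-party client. The following is an added example, not code from the original article: a minimal SMTP dialog function that prints every command and reply, so the failing step is visible just as in "step by step sending" mode, and that can upgrade the session with STARTTLS and authenticate with AUTH LOGIN. That lets it exercise both "legs" of the relay: LAN host to IIS relay (anonymous, port 25) and IIS relay to Exchange Online (TLS plus Basic authentication, port 587), which is exactly what the smart-host settings make the IIS server do. Only smtp.office365.com comes from the article; the relay IP 10.100.102.10, the EHLO name relaytest.local, the contoso.com addresses and the names Invoke-SmtpDialog, Read-Reply and Send-Cmd are placeholders.

```powershell
# Added example, not from the original article. Placeholders: 10.100.102.10 (IIS relay),
# contoso.com addresses, relaytest.local. Needs Windows PowerShell 3.0 or later.
function Invoke-SmtpDialog {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 25,
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [switch] $StartTls,
        [pscredential] $Credential,
        [switch] $SendMessage    # without it the dialog stops after RCPT TO and nothing is delivered
    )
    $tcp    = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    function Read-Reply {
        # Continuation lines look like "250-", the last line of a reply like "250 ".
        do { $line = $reader.ReadLine(); Write-Host "S: $line" } while ($line -match '^\d{3}-')
        return [int]$line.Substring(0, 3)
    }
    function Send-Cmd([string] $Cmd, [string] $Shown) {
        if (-not $Shown) { $Shown = $Cmd }   # $Shown lets us mask credentials in the trace
        Write-Host "C: $Shown"
        $writer.WriteLine($Cmd)
        return Read-Reply
    }
    try {
        if ((Read-Reply) -ne 220) { throw "no SMTP banner from ${Server}:$Port" }
        $null = Send-Cmd 'EHLO relaytest.local'
        if ($StartTls) {
            if ((Send-Cmd 'STARTTLS') -ne 220) { throw 'server refused STARTTLS' }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server)   # validates the certificate chain and host name
            Write-Host ("TLS {0} negotiated, server cert: {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Subject)
            $reader = New-Object System.IO.StreamReader($ssl)
            $writer = New-Object System.IO.StreamWriter($ssl)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $null = Send-Cmd 'EHLO relaytest.local'  # capabilities must be re-read after STARTTLS
        }
        if ($Credential) {
            if (-not $StartTls) { throw 'refusing to send a password over a cleartext session' }
            $b64 = { param($s) [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($s)) }
            $null = Send-Cmd 'AUTH LOGIN'
            $null = Send-Cmd (& $b64 $Credential.UserName) '<base64 user name>'
            $code = Send-Cmd (& $b64 $Credential.GetNetworkCredential().Password) '<base64 password>'
            if ($code -ne 235) { throw "authentication failed with $code" }
        }
        if ((Send-Cmd "MAIL FROM:<$From>") -ne 250) { throw 'MAIL FROM rejected' }
        # A source IP missing from the IIS relay restriction list fails here ("550 5.7.1 Unable to relay").
        if ((Send-Cmd "RCPT TO:<$To>") -ne 250) { throw 'RCPT TO rejected' }
        if ($SendMessage) {
            if ((Send-Cmd 'DATA') -ne 354) { throw 'DATA rejected' }
            $body = "From: $From`r`nTo: $To`r`nSubject: relay test`r`n`r`nsent $(Get-Date -Format o)`r`n."
            # Exchange Online's Send As check typically answers here: 550 5.7.1 "... send as this sender".
            if ((Send-Cmd $body '<message, ends with ".">') -ne 250) { throw 'message rejected' }
        }
        $null = Send-Cmd 'QUIT'
    } finally { $tcp.Close() }
}

# Leg 1, run from a LAN host: anonymous relay through IIS on port 25, sending as the Helpdesk address.
Invoke-SmtpDialog -Server 10.100.102.10 -From helpdesk@contoso.com -To isabel@contoso.com
# Leg 2, run from the relay host: what the smart-host settings do, TLS and Basic auth on port 587.
Invoke-SmtpDialog -Server smtp.office365.com -Port 587 -StartTls -Credential (Get-Credential john@contoso.com) `
    -From helpdesk@contoso.com -To isabel@contoso.com
```

Without -SendMessage the function stops after RCPT TO, so it can be run repeatedly against production hosts without delivering anything. The printed TLS version is the check for the Windows 2003 caveat from Part 1: if AuthenticateAsClient throws on an old server, the relay host cannot negotiate the protocol version Exchange Online requires, and no firewall rule will fix that.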

3. Troubleshooting “Mail from” settings

In this section, we review how to troubleshoot errors related to the "Send As" permission the IIS SMTP server needs in order to relay email messages from mail-enabled devices/applications.

If the IIS SMTP account does not have the required permission to send email as another email address, the message is rejected by Exchange Online. Messages that failed delivery are kept by the IIS SMTP server in the Badmail folder (the default location of the IIS SMTP mail root is C:\inetpub\mailroot, so the folder is C:\inetpub\mailroot\Badmail).

Troubleshooting different mail from Badmail directory -00

In the following example we simulate mail delivery from a sender named [email protected] to a destination recipient named [email protected]

Troubleshooting different mail from Badmail directory -01

When checking Isabel's mailbox, we notice that the mail was not delivered.
To find the cause of the problem, we look at the Badmail folder on the IIS SMTP server.

In the following screenshot, we can see that the IIS SMTP server created 3 files for the failed message, which together hold the original message and the reason the delivery failed.

Troubleshooting different mail from Badmail directory -02

To read the failure report, open the file with the *.BAD extension in a text editor such as Notepad.

In the text file, we can see the description of the error:

Diagnostic-Code: smtp;550 5.7.1 Client does not have permissions to send as this sender

Troubleshooting different mail from Badmail directory -03

The meaning of this error is that the IIS SMTP user account used to create the communication channel with Exchange Online does not have Send As permission for the address of the host that relayed the mail through the IIS SMTP server.
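On a relay that serves many devices, the Badmail folder fills up and reading each *.BAD file by hand does not scale. As an added example (not code from the original article), the following PowerShell summarises the folder: it pulls the Diagnostic-Code line shown above out of every *.BAD file and maps the codes it recognises to the section of this article that fixes them. It assumes the article's default mail root, that the *.BAD files are DSN-style text as in the screenshot, and that Final-Recipient (a standard DSN field not shown on the page) may or may not be present. The 535 / 5.7.3 mapping covers an Exchange Online authentication failure that the article does not show. Get-BadmailSummary and Get-RelayQueueDepth are names invented for this example.

```powershell
# Added example, not from the original article. Assumes the article's default mail root and
# DSN-style *.BAD files. Needs Windows PowerShell 3.0 or later.
function Get-BadmailSummary {
    param([string] $MailRoot = 'C:\inetpub\mailroot')   # the article's default mail root
    Get-ChildItem -Path (Join-Path $MailRoot 'Badmail') -Filter *.BAD | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        # Pull one header-style field ("Name: value") out of the DSN text; empty string if absent.
        $field = { param($name) [regex]::Match($text, ('(?im)^{0}:\s*(.+)$' -f $name)).Groups[1].Value.Trim() }
        $diag = & $field 'Diagnostic-Code'
        [pscustomobject]@{
            File           = $_.Name
            Time           = $_.LastWriteTime
            FinalRecipient = & $field 'Final-Recipient'   # standard DSN field, assumed optional
            Diagnostic     = $diag
            LikelyCause    = $(switch -Regex ($diag) {
                '5\.7\.1.*send as' { 'relay account has no Send As right for the MAIL FROM address (see Part 3)'; break }
                '535|5\.7\.3'      { 'SMTP AUTH failed: wrong credentials or SMTP AUTH disabled for the mailbox'; break }
                default            { 'see Diagnostic' }
            })
        }
    }
}

function Get-RelayQueueDepth {
    # Messages that never left the relay (smart host unreachable, port blocked, TLS failure) wait in
    # Queue instead of landing in Badmail; a growing Queue points back to the port test in section 1.
    param([string] $MailRoot = 'C:\inetpub\mailroot')
    @(Get-ChildItem -Path (Join-Path $MailRoot 'Queue') -File -ErrorAction SilentlyContinue).Count
}

Get-BadmailSummary | Sort-Object Time -Descending | Format-Table -AutoSize
"Messages still queued on the relay: $(Get-RelayQueueDepth)"
```

Run it on the relay server itself. A Badmail entry means Exchange Online accepted the connection and then refused the message, so the fix is on the Office 365 side (permissions or credentials); a growing Queue with an empty Badmail means the relay never reached Exchange Online at all.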

Summary and Recap

I feel that we went together on a long journey in the "IIS SMTP world".
At the beginning, we reviewed the business need for the SMTP relay scenario in an organization that uses Exchange Online.

In the next section, we reviewed the required configuration of the IIS SMTP server and how to enable it to send email on behalf of other recipients. In the last section, we reviewed some common problems and errors in relay scenarios and how to troubleshoot them.

I hope that this information helps you implement SMTP relay solutions in an Office 365 environment.

See you in the next articles :-)


Eyal Doron

Comments 31

  1. Anonymous

    Love this! Really helped me out; one little problem: the system is passing email from things, but it still shows up as coming from the default account (in your example, John).

    1. edoron777

      Hello
      I’m happy to hear that the article helps you :-)
      Regarding your question: I assume that you need to use the option of “impersonation”, in which the SMTP relay server sends mail “on behalf of” another “object” such as an application or device. In that case, two conditions should be fulfilled: the “application” should be configured to send mail using user X's credentials, and the account that is used by the SMTP relay server should have “send as” permission for this account (user X's account).
      Most of the time we implement this need by creating a distribution group that will “represent” user X and assigning the required permission (Send As permission).

  2. Anonymous

    We were trying to configure Avaya IP Office voicemail to email, but it could only work with port 25… this was the perfect workaround.
    You are the man!!!

  3. Yi Jia Lin

    Hi There,

    Is it possible to do the “enabling SMTP Relay to send on behalf of other email” but leveraging a Security Group created at the organization’s Active Directory end? It’s a 365 + DirSync environment we have here.

    Thanks,

    YJ

  4. Binod

    I have done everything as per the document. I am still getting following error

    “Diagnostic-Code: smtp;550 5.7.1 Client does not have permissions to send as this sender”

    can you please let me know anything to be checked?

    [email protected]

  5. Anonymous

    Great article, all works for me apart from setting up the security group containing all the users that need to use scan to mail. What I have to do at the moment is add the scantomail account as an alias on each user so they can receive the email. Not ideal for 850 users, as you can imagine. Has anyone else run into this issue, and have you managed to sort it?

    Cheers

  6. Lukasz Malinowski

    It is a nice article, but I have a problem with this one: we just moved to Office 365 and all is nice, just relay won’t work. I tried it from a different network and it works from there, though all settings are the same. Would the local domain being the same as the email domain affect relay capabilities?
    Logs won’t leave anything besides status code 5.0.0

  7. Prayag Pal

    Excellent article. Probably the most comprehensive I’ve seen on this topic. Most seasoned email geeks should have figured this out on their own, but for rookies getting on Office 365 it’s great to have a guide like this.
    Include additional how-tos on PowerShell connectivity to ensure the article is entirely complete on its own.
    Anyway, once again…. thanks for the great post!!

  8. Pingback: How to configure an Office365 SMTP Relay in IIS7 | Andrew Shelor – Portfolio and Blog

  9. Anonymous

    Do you ever run into the Event Viewer error regarding TLS will not work unless the server has a certificate installed? If the server doesn’t have a certificate installed will the above configuration work?

  10. Steve Garvie

    I was wondering if anyone has successfully used anonymous authentication. MS told me that I could point to my MX record and use port 25. It was even detailed in the article they sent me. You have to create an inbound connector in the Exchange admin panel.

    Benefit: you don’t need to create an email address or do Send As permissions. It just works!

    We previously had this working using mail.messaging.microsoft.com

  11. Seth

    Nice, but what about if you want to relay your mails from Office365 –> Outbound Smarthost? The Outbound Smarthost only supports Basic Authentication and no IP whitelist or something. Office365 doesn’t support relay authentication. What a shame.

    Regards
    Seth

  12. Guy Saar

    I think that it’s the best article that I have read about SMTP Relay.
    It helped me to solve a case with a customer of mine.
