Best Practices To Configure SMTP Relay Emails (Tested)
2022/02/07 Microsoft Cloud Solutions 2657 visit(s) 7 min to read
CtelecomsK
Many people do not yet realize that SMTP Virtual server reached the end of support in 2015. But when they migrate to Office 365, they begin to notice that SMTP does not work, and even if it works, tons of problems requiring troubleshooting will arise.
As you already know, SMTP server component feature was built on IIS 6. At this point, you shall relay email to Office 365.
If you have Exchange On-prem, you can still use your connectors by creating receive connector front-end and adding the serves or clients you need.
The following are links for end of support:
- Internet Information Services (IIS) - Microsoft Lifecycle | Microsoft Docs
- How to: Install and Configure SMTP Virtual Servers in IIS 6.0 | Microsoft Docs
- SMTP relay is unsupported. Article should be updated with a clear statement · Issue #2908 · MicrosoftDocs/OfficeDocs-Exchange · GitHub
The following are tested methods with 2 Products. Every scenario has its own requirements and features. The following table describes all options including Gmail.
|
Tested Products |
Features |
SMTP client submission |
Direct send |
SMTP relay |
Google SMTP |
|
Printers |
|
No |
Yes |
No |
|
|
VEEAM |
|
Yes |
No |
No |
Yes |
|
Send to recipients in your domain(s) |
Yes |
Yes |
Yes |
Yes |
|
| Relay to internet via Microsoft 365 or Office 365 | Yes | No. Direct delivery only. | Yes | ||
| Bypasses antispam | Yes, if the mail is destined for one of your Microsoft 365 or Office 365 mailboxes. | No. Suspicious emails might be filtered. We recommend a custom Sender Policy Framework (SPF) record. | No. Suspicious emails might be filtered. We recommend a custom SPF record. | yes | |
| Supports mail sent from applications hosted by a third party | Yes | Yes. We recommend updating your SPF record to allow the third party to send as your domain. | No | Yes | |
| Saves to Sent Items folder | Yes | No | No | Yes | |
| Requirements | |||||
| Open network port | Port 587 or port 25 | Port 25 | Port 25 | 587 | |
| Device or application server must support TLS | Required | Optional | Optional | Required | |
| Requires authentication | Microsoft 365 or Office 365 username and password required | None | One or more static IP addresses. Your printer or the server running your LOB app must have a static IP address to use for authentication with Microsoft 365 or Office 365. | yes, username and password |
Starting with the first tested method
Option 1: Authenticate your device or application directly with a Microsoft 365 or Office 365 mailbox, and send email using:
SMTP AUTH client submission (tested)
This option is very easy, but there’s too many details when configuring a lot of things.
So, the first requirement as per the following note is only authentication. We also have 3 other perquisites.
The following prerequisites is only the authentication requirements
Prerequisites in this note Only
- No security defaults this can be checked from Azure portal
- SMTP auth is enabled and this shall be checked from Office 365 portal
- SMTP AUTH is disabled for any tenants created after January 2020
- Check SMTP globally and you can enable it per the user
Other prerequisites
Mailbox license, port 587 preferred and DNS use smtp.office365.com
Features
As you can see, you can send in and out and Bypass spam checks
You have lot of homework to do before this method
Script for checking on enabling the authentication per mailbox
-
Check SMTP AUTH on all tenant if true then it is disabled if false then it is working (false means working)
-
Check SMTP auth for the required mailbox if null then inheriting from tenant and we need to make it false.
You must also verify that SMTP AUTH is enabled for the mailbox being used. enabled per-mailbox.
https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission
#>
Connect-ExchangeOnline
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
#true means disabled false means enabled
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
#The value $null indicates the setting for the mailbox is controlled by the global setting on the organization.
<#from GUI
Open the Microsoft 365 admin center and go to Users > Active users.
Select the user, and in the flyout that appears, click Mail.
In the Email apps section, click Manage email apps.
Verify the Authenticated SMTP setting: unchecked = disabled, checked = enabled.
When you're finished, click Save changes.#>
get-CASMailbox -Identity "username@domain.com" | Format-List -property smtp*
#Set-CASMailbox -Identity " username@domain.com" -SmtpClientAuthenticationDisabled $false
This means it is disabled for the tenant
Let’s check for the required sender user
get-CASMailbox -Identity "username@domain.com" | Format-List -property smtp*null means same as tenant now I will set it to false for this mailbox
Set-CASMailbox -Identity username@domain.com -SmtpClientAuthenticationDisabled $false
Test it on VEEAM
SMTP Settings
SMTP Settings - Veeam Backup for Microsoft Office 365 Guide
Configuring and testing
First method SMTP AUTH client submission.
Second working scenario configure Gmail scenario
Gmail
Received on public emails and Microsoft emails
Appears in the sent items
If you received the following error
Then go to:
https://www.google.com/settings/security/lesssecureapps
make this on
Tested
Appears in sent
We hope we’ve managed to help you out. For more information or if you have any questions, feel free to get in touch with us.
Karim Zaki,
Solutions
Computing & Hyper-converged Infrastructure Solutions
Take your IT infrastructure to the next level ...
