SMB Office 365 / Exchange Online SMTP Relay

This article is for SMB offices that have moved to the Microsoft Office 365 platform only to find that they cannot simply point email-enabled applications and devices at the new cloud servers and get the email delivered. An example is a multi-function scanner/copier/printer device using its scan-to-email capability.

The most common solution suggested by Microsoft and others is to use an internal Exchange Server to relay the mail, or to use an IIS server with the SMTP service enabled to relay the mail. Like so many that I assist, these clients just do not have any servers on premises, or retired the local server to save costs; as such, these solutions do not work. I am here to tell you there is a simple solution to make this work natively from within the Microsoft Exchange Online platform.

The solution I describe here will work with or without TLS encrypted connections and also supports either port 25 or port 587 and does not require any type of authentication. In fact, no user accounts or additional licenses are required to make this work. This is good because many older devices/applications only support clear text across port 25.

The first step is to create a connector on the Exchange Server to allow for the connection by an unauthenticated user. This sounds like it is an open relay but we are going to take steps to allow this connection ONLY from known IP Addresses that should be allowed to use the connector. All other attempts will be denied as an unauthorized relay attempt.

Creating the Exchange Connector:
  • Log into the Microsoft Online Portal as a user that has Global Administrator access
  • Click on the Admin menu and then on Exchange to open the Exchange Admin Center.
  • Click on the Mail Flow category and click the Connectors sub menu.
  • Add an Inbound Connector
    • Give the connector a descriptive name
    • Set the Connector Type to On-premises
    • Set Connection Security to Opportunistic TLS
    • Set Domain Restrictions to Restrict domains by IP addresses
    • Add a single Sender domain and use an * wildcard character here to allow all.
    • Add the public IP addresses that you will allow to relay
    • Save the Connector
  • Enable the connector if it is not already.
Now for some of the secret sauce that will make this connector stand up and do most of the heavy lifting for you. The SMTP Server you use in your sending application/device is a little different but easy to locate. There are many ways to get this info, I am going to show you only one.

Finding the SMTP Server:
  • Go back to the O365 portal and click the Admin menu and click on Office 365
  • Click on the Domains category
  • Select your primary domain (or the domain you wish to use) and then click Manage DNS
  • Find the MX record and copy the Point To Address for that record.
    • The address will be in this format: -.mail.protection.outlook.com, or I have also seen -.mail.eo.outlook.com. For example, if your domain was "XXYYZZ.COM", then your MX record would look like this: XXYYZZ-COM.mail.protection.outlook.com.
That value will be what you use as the SMTP Server when you define your outbound mail settings in the application/device you want to send relay email.

One additional setting you may want to enable on the Exchange Online Server will prevent all of your relay email from going directly to the Junk Folder. This process will create a mail filtering rule which will bypass the filters altogether.

Creating Bypass Rule:
  • Go back to the Exchange Admin Console.
  • Click on the Mail Flow category and then the Rules sub menu.
  • Add a new Rule of type "Bypass Spam Filtering..."
    • Give the rule a good descriptive Name.
    • Set Apply this rule if... to "The sender is..." and add the email address(es) you will be using for sending relay email. Keep in mind this can be anything you want, but it must match exactly, else this rule will not work.
    • Set Do the following... to "Set the spam confidence level (SCL) to..." and then set the action to Bypass spam filtering.
    • The remaining options can be left as default.
    • Save the rule.
  • If you have multiple rules, you may want to adjust the order of this rule so it fires properly. I would suggest that you make it the first rule while you test things and then adjust all of your rules to accommodate the order in which you ultimately want to process the rules. Mail Flow in general is complex and I am not giving much detail in this walkthrough on how best to manipulate these features.
The final step of this process is to put it all together and make it work. Modify your SMTP settings for the Application/Device as follows:
  • SMTP Server: Set this to the MX data that we gathered from the above step "-.mail.protection.outlook.com".
  • SMTP Port: 25 or 587
  • SMTP TLS: Enabled or Disabled (Enabled is recommended if it is an option)
  • SMTP Username: This can be anything you want as it is not used at all. Leave it blank if you can. If you do need to populate this info, use the email address of the FROM address you set in the Spam bypass filter above.
  • SMTP Password: This can be anything you want as it is not used at all. Leave it blank if you can.
  • SMTP TO: Set this to the email address of the recipient of the email message. Be aware, this does not have to be a user within the domain defined by the MX record or the SMTP Server above.
  • SMTP FROM: Use the email address you specified in the Bypass Spam Filtering rule. This MUST match exactly.
That should be all there is to make this work. Of course, the client side configuration will be different on every application/device you try to set up this way but I can say that I have made this work with a number of different MFP devices as well as Routers that send notifications. I have also made this work with Mozilla Thunderbird which is a good simple testing application. If you can make things work using Thunderbird, you should be able to translate the settings to any application/device and make it work as well.
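As an alternative to the Thunderbird test, the following added example (not part of the original article) sends one unauthenticated message with the settings listed above and reports whether the session was upgraded to TLS. The function names and the `smtp_factory` parameter are assumptions made for illustration, and the host derivation follows the article's XXYYZZ-COM pattern only; copy the real value from your MX record.

```python
import smtplib
import ssl
import sys
from email.message import EmailMessage


def mx_host(domain):
    # Pattern from the article's example; copy the real value from your MX record.
    return domain.replace(".", "-") + ".mail.protection.outlook.com"


def build_message(sender, recipient):
    msg = EmailMessage()
    msg["From"] = sender  # must match the bypass-rule sender exactly
    msg["To"] = recipient
    msg["Subject"] = "Relay connector test"
    msg.set_content("Test message sent through the inbound connector.")
    return msg


def relay_test(host, sender, recipient, port=25, smtp_factory=smtplib.SMTP):
    """Send one unauthenticated message; return (encrypted, refused_recipients)."""
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        encrypted = False
        if smtp.has_extn("starttls"):  # opportunistic TLS: upgrade only if offered
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read on the encrypted channel
            encrypted = True
        # No smtp.login(): the connector authorizes by source IP alone, so a send
        # from an address not on the allow-list raises an smtplib.SMTPException.
        refused = smtp.send_message(build_message(sender, recipient))
        return encrypted, refused


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: relay_test.py <domain> <from-address> <to-address>")
    domain, sender, recipient = sys.argv[1:]
    encrypted, refused = relay_test(mx_host(domain), sender, recipient)
    print("TLS negotiated:", encrypted)
    print("Refused recipients:", refused or "none")
```

Run it from a machine behind one of the public IP addresses added to the connector; a result of `TLS negotiated: False` means the message crossed the network in clear text.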

WARNINGS:
  • The first thing you want to check is whether you can even use port 25 or not. I will not detail how to do this here as there are plenty of walkthroughs for this, but I will tell you I still get caught from time to time behind a DSL/UVerse or Cable provider that blocks port 25, so watch out.
  • Not all applications/devices support anything but port 25. If you have one of these AND your ISP blocks port 25, you may need to take some fancier steps within the router to make this work. I have found that not all providers will turn off port 25 blocks and if they do, it is very common for the block to get turned back on randomly.
  • Microsoft frowns heavily on bulk email and will block your ability to send any email outbound if you use this to abuse their mail platform. Microsoft uses the phrase "Reasonable Limits" when describing how many emails they will allow you to send using this technique, so be reasonable... If the mail is being sent internally, you really should not have much issue, but if you send a lot of email externally, then you might run into some limits problems. I have never had any client cut off due to this sending hundreds of emails with internal recipients, but I have never tried to stress test this either. Your results may vary, so be cautious.

Comments (1)

Author

Commented:
Thanks... I have some ideas, as time permits, I just may continue publishing.
