In this TechTip, we’ll discuss how to set up an SMTP relay for use with Office 365, what they’re used for, and a couple of little nuances to watch out for and pay attention to.
For the sake of argument, the scope of this article covers using the SMTP Server within IIS on Windows Server. There are plenty of third party applications and options available, but I will not cover or discuss them in this post.
The reason that many businesses choose to implement a relay is to ensure that an existing LOB (Line of Business) application or appliance can still send email to its intended recipients. Microsoft has ratcheted down the security settings fairly tightly on Office 365, which many scanners/copiers/LOB apps cannot or are not smart enough to capitulate to. That having been said, we work around this roadblock by tossing a relay between the LOB device/application and Office to encapsulate the outgoing email with TLS and deliver it to the cloud over port 587.
The server I’m using as an example in this post is 2012, but the methodology is the same in 2003 and 2008. PLEASE NOTE: these instructions apply only to servers that are not running Microsoft Exchange.
1.) On your server, ensure that the IIS 6.0 Manager is installed, along with the SMTP Server feature. This is visible in the Server Manager window.
2.) Fire up the IIS 6.0 Manager, expand the node that has your server’s name, and you should see a “Default SMTP Server” or “SMTP Virtual Server #1″, depending on which version of Windows Server you’re running. Right click on the SMTP Server node, and go to Properties.
3.) Your relay has two sides to it – the receiving end (internal) and the sending end (external). We’ll work on the Internal side first. Click the Access tab, and then click Authentication. You want to ensure that this is set to Anonymous, and then click OK.
4.) For testing purposes, we’re going to leave the internal side of the relay wide open, but you can choose to lock it down later to only the IP addresses of the machines/applications that you want connecting to it. Click the Connection button, ensure that the list is blank, choose the option for “All except the list below” and then click OK.
5.) Click the Relay button, ensure that the list is blank, choose the option for “All except the list below,” and also tick the checkbox that allows all computers to relay, and then click OK.
This takes care of the internal side of the relay.
6.) Now click the Delivery tab, and then click the Outbound Security button. Set the authentication method to Basic, and then enter the account information for one of your 365 mailboxes that the relay will use to authenticate with. (Note: This is also the user that the emails will appear to come from.) Then tick the TLS encryption checkbox, and click OK.
7.) Click the Outbound Connections button, and set the TCP port to 587. Click OK.
8.) Click the Advanced button, and then enter “smtp.office365.com” into the Smart Host field. You can leave everything else intact, and then click OK.
9.) From here, go ahead and fire up the command prompt (as an administrator) and perform an iisreset.
10.) Now we can go ahead and run a quick test to ensure that the relay is at least delivering mail to Office 365. Substitute in the email address of your chosen 365 account in the MAIL FROM command, of course. Press Enter after each of these commands, and then also press enter before and after the period in the last part of the test, as indicated.
telnet localhost 25
This is a test
A couple of nuances to watch out for, though:
- You need to ensure that the account you put into the outbound security section has a licensed mailbox on Office 365.
- If you get connection dropped errors in the SMTP event logs, you may want to change the server from smtp.office365.com to smtp.outlook.com. Microsoft has had quite a number of DNS-related issues as of late, and this is an acceptable workaround if the connections TO 365 start dropping mysteriously.
- If you have password expiry policies in place on 365, the user account that you use to send with will have to have that password changed on the relay when it changes in the cloud, or the relay will break