Mikkel Damgaard


Send emails with SMTP using a Microsoft 365 Connector

SMTP (Simple Mail Transfer Protocol) is used by various vendors to send emails. To send an email you need a public domain that is set up and configured with basic email security. SMTP relay, which is what I'm covering in this article, works by having a server or service forward an SMTP message to an existing email server that is already configured and validated for the domain. Once the mail server receives the SMTP message, it is sent through that server out to the recipient.

How does an SMTP connector work?

A Microsoft 365 connector is used to handle incoming email requests, for example by forwarding them to a recipient. The advantage of using an SMTP connector is that you won’t have to validate all your SMTP services against your domain, just Office 365. The major benefit, though, is email security: not all SMTP services support sending emails with domain keys (DKIM). DKIM is an essential setting that helps ensure the delivery of an email.

A connector can be configured to allow SMTP messages to be forwarded based on the certificate used to send the message or the public IP the message is forwarded from. SMTP relay can also be configured with a user account; however, this is strongly discouraged, because it allows for bypassing multi-factor authentication in order for it to work smoothly. A connector builds on OAuth flows, which is a secure authentication and authorization method used in a lot of modern applications.

How to configure the Connector

Step 1: Navigating to the connector configuration page

Open the Exchange Online admin center, choose Mail flow and then Connectors in the side panel.

Step 2: Creating the connector

Create the connector and give it a name.

Step 3: Configuration

Choose the "from" option. This option is required, but what you choose is less important; choose what sounds most right.

Step 4: Validation

With an Exchange Online connector you have two options: you can validate using either a certificate or an IP address.

Using a Certificate

To set up the connector with a certificate you need the CN (Common Name) field from the certificate used by the SMTP service. The certificate can be self-signed or public; it does not matter when creating the connector. To configure it, all you need to do is paste the CN into the field as shown below:

Using an IP Address

To use IP validation, simply type the public IP address of the location where the SMTP service sends messages from. A connector can allow multiple IPs in a single connector.

With IP validation some security measures should be taken. Allowing one public IP technically allows everyone from that IP address to send with any email address on any domain registered in Microsoft 365. I therefore recommend blocking outbound traffic on port 25 for everything except the SMTP services, such as a printer or scanner.
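One way to check that the port 25 restriction recommended above is actually in force, as an added example that is not part of the original article: it scans firewall log lines for outbound TCP/25 from internal hosts that are not approved SMTP clients. The key=value log format, the addresses and the allowlist are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (constructed): approved relay clients, e.g. a printer and a backup server.
ALLOWED_SMTP_CLIENTS = {"10.0.20.15", "10.0.20.40"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample lines in a simple key=value firewall log format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 action=allow proto=tcp src=10.0.20.15 dst=203.0.113.10 dport=25
2024-05-01T08:00:07 action=allow proto=tcp src=10.0.30.77 dst=203.0.113.10 dport=25
2024-05-01T08:00:09 action=allow proto=tcp src=10.0.30.77 dst=203.0.113.10 dport=25
2024-05-01T08:01:12 action=deny proto=tcp src=10.0.31.5 dst=198.51.100.25 dport=25
2024-05-01T08:02:30 action=allow proto=tcp src=10.0.30.77 dst=198.51.100.80 dport=587
2024-05-01T08:03:00 action=allow proto=tcp src=203.0.113.99 dst=10.0.20.15 dport=25
garbled line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one log line, or None if it is unusable."""
    fields = dict(FIELD_RE.findall(line))
    if not {"action", "proto", "src", "dst", "dport"}.issubset(fields):
        return None
    try:
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields

def unapproved_port25(log_text, allowed=ALLOWED_SMTP_CLIENTS):
    """Return {(src, action): count} for outbound TCP/25 from unapproved internal hosts."""
    # 'allow' = gap in the egress rule; 'deny' = rule held, but the host tried to send mail.
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["proto"] != "tcp" or f["dport"] != 25:
            continue  # unparsable line, or not SMTP on port 25
        if f["src_ip"] not in INTERNAL_NET or f["src"] in allowed:
            continue  # inbound traffic, or an approved SMTP client
        hits[(f["src"], f["action"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, action), n in sorted(unapproved_port25(SAMPLE_LOG).items()):
        print(f"{src} outbound tcp/25 {action} x{n}")
```

Any "allow" result means a host other than the approved SMTP clients can reach port 25 from behind the IP the connector trusts.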

How to configure the SMTP Client / Service

The SMTP service is often a printer or scanner; however, other things like Veeam, a UPS or similar could also be using SMTP relay to send emails. All interfaces are different, but each requires the same configuration.

To set up the relay, the first step is to grab the MX endpoint for your Office 365. It can be found in the admin center under Domains, or by using tools like mxtoolbox.com to look up the MX endpoint.

Once you have the MX endpoint, it should look similar to: domain.mail.protection.outlook.com
Use this for the field often called server or host.
Select port number 25 and disable all authentication if enabled.

Once done, test and verify that you can receive mails sent from the SMTP client through the connector. For troubleshooting, check the mail flow in the Exchange admin center or research any error code you might get on the client.

Best Practice

  • Only allow SMTP clients to use outgoing traffic on port 25 when validating by IP Address. 