Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Relaying with Exchange Online: sometimes an unexpected endeavor

Introduction

In a regular Exchange on-premises deployment, allowing certain devices to relay is relatively simple: you manually add the “ms-Exch-SMTP-Accept-Any-Recipient” Extended Right to a receive connector, which then allows any application or device that connects through it to relay to external recipients. Typically you would do this for large all-in-one devices (printer/scanner/copier) or other appliances that, for example, need to send alerting emails to an external recipient. The connection that the device, appliance or application server makes to your Exchange Server is – usually – a plain, unauthenticated SMTP connection on port 25 without TLS.

For customers who are moving to Exchange Online, this scenario can become a bit of a problem. The device you use to send emails from may offer only limited SMTP configuration options. The problem I run into most often – so far – is that the device cannot change the port, does not support TLS, or does not allow authentication. Because allowing relay has always been relatively simple in traditional on-premises deployments, it is easily forgotten during the planning phase of an Exchange Online implementation. Office 365 (Exchange Online) requires you to make an authenticated connection over port 587 with TLS enabled, which means that devices that don’t support these options will not be able to relay. Fortunately, there is a relatively simple solution for this problem.

IIS to the rescue

Buried within IIS lies an SMTP service. We all know it because, as you might recall, prior to version 2007 Exchange relied on the same service for all SMTP communications. Enabling the SMTP service allows us to accept unauthenticated inbound SMTP connections and create authenticated outbound SMTP connections: exactly what we were looking for! Since the service is relatively small, the overhead for the server on which you run it should be fairly minimal. Nonetheless, the actual load largely depends on the number of emails you send through it, so think twice about which server you add the service to.

In this example, I’ll install the SMTP service on a regular Windows Server 2008 R2 and configure it to accept incoming connections on port 25. Afterwards I’ll configure the service to forward all incoming mail to Office 365 over port 587.

To install the SMTP Server feature, run the following cmdlets from PowerShell:

Import-Module ServerManager

Add-WindowsFeature SMTP-Server

The prerequisites for the SMTP Server feature are installed at the same time.

Configuring the SMTP Service

Before configuring the service, there are two things that need to be dealt with:

  1. Create a new Exchange Online user which will be used to send emails from.
  2. Get the SMTP server information:
     • Open Outlook Web App and go to Options.
     • Click Accounts, My Accounts and then Settings for POP, IMAP and SMTP access.
     • Write down the SMTP settings from the pop-up window.

Now that we’ve completed steps 1 and 2, we can move on to the next steps:

  1. In the IIS Manager, right-click the SMTP Virtual Server and select Properties.
  2. Navigate to the Delivery tab, click Outbound Connections, change the TCP port to 587 and confirm.
  3. Click the Outbound Security button. Configure Basic Authentication and enable TLS Encryption. Enter the credentials of the Office 365 user you created earlier.
  4. Navigate to the Access tab, open the Authentication settings and verify that anonymous access is enabled.
  5. Depending on which devices you want to allow or block, change the Relay settings (the list of IP addresses that are allowed to relay through this virtual server).
  6. Now expand the default SMTP Virtual Server, right-click Domains and choose New > Domain.
  7. Select Remote and click Next.
  8. In the Name field, type “*.com” and click Finish.
  9. Open the properties of the domain you just created, check “Allow incoming mail to be relayed to this domain” and, in the Route Domain field, enter the name of the SMTP server we retrieved earlier.
  10. Click the Outbound Security button. Configure Basic Authentication and enable TLS Encryption. Enter the credentials of the Office 365 user you created earlier.

That’s it! You’ve now configured your IIS server to accept mail without authentication or TLS and to forward it to Office 365 over an authenticated TLS connection.
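After finishing the steps above, a quick way to confirm the relay behaves as intended is to talk to it the way a device would: no authentication, no TLS, port 25. The following Python script is an added example and not part of the original post; RELAY_HOST and the two addresses are placeholders. Run check_live once from a device address that is on the Relay list (expect 'accepted') and once from an address that is not (expect 'relay-denied'); if the second run is also 'accepted', the Relay settings from step 5 are too broad and the server is an open relay.

```python
import smtplib

RELAY_HOST = "relay.example.local"   # hypothetical: the server running the IIS SMTP service
RELAY_PORT = 25                      # the unauthenticated inbound port configured above


def probe_relay(conn, mail_from, rcpt_to):
    """Run EHLO / MAIL FROM / RCPT TO on an smtplib-style connection without AUTH
    or STARTTLS (exactly what a printer or appliance does) and classify the reply.
    Returns 'accepted', 'relay-denied' or 'error'. No message is ever queued."""
    code, _ = conn.ehlo()
    if code != 250:
        return "error"
    code, _ = conn.mail(mail_from)
    if code != 250:
        return "error"
    code, _ = conn.rcpt(rcpt_to)
    conn.rset()                        # abandon the envelope before DATA
    if code == 250:
        return "accepted"
    if code in (550, 551, 553, 554):   # IIS SMTP typically answers "550 5.7.1 Unable to relay for ..."
        return "relay-denied"
    return "error"


def check_live(host=RELAY_HOST, port=RELAY_PORT,
               mail_from="monitor@example.net", rcpt_to="alerts@example.org"):
    """Probe a real relay with an external sender and an external recipient,
    i.e. the case the Relay list is supposed to control."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        return probe_relay(conn, mail_from, rcpt_to)


class ScriptedSMTP:
    """Offline stand-in for smtplib.SMTP with a constructed reply sequence, so
    probe_relay can be exercised without a network. rcpt_reply is the (code,
    message) tuple the fake server returns to RCPT TO."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
    def ehlo(self):           return (250, b"relay.example.local Hello")
    def mail(self, sender):   return (250, b"2.1.0 Sender OK")
    def rcpt(self, rcpt):     return self.rcpt_reply
    def rset(self):           return (250, b"2.0.0 Resetting")


if __name__ == "__main__":
    denied = ScriptedSMTP((550, b"5.7.1 Unable to relay for alerts@example.org"))
    print(probe_relay(denied, "monitor@example.net", "alerts@example.org"))
```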

If you need your emails to be sent from different email addresses, you can create multiple SMTP Virtual Servers on the same server. However, you cannot have multiple SMTP Virtual Servers listening on port 25 on a single machine at the same time, so you need to change the SMTP port for each additional virtual server. Once the SMTP Virtual Server is created, the exact same configuration steps as above apply to allow relaying through Office 365.

  1. Right-click the server node and select New > SMTP Virtual Server.
  2. Enter a name and click Next.
  3. Configure an IP address and click Next.
  4. Choose a home directory and click Next.
  5. Enter a default domain name and click Finish.
  6. Open the properties of the newly created SMTP Virtual Server and click Advanced on the General tab.
  7. Edit the configuration to use another TCP port, e.g. 27.
  8. Start the SMTP Virtual Server.

Repeat configuration steps 1 to 10 as described earlier, this time using a different Office 365 (Exchange Online) account. Once that is done, all that is left is to change the SMTP TCP port to 27 on all devices that need to relay through this new virtual SMTP server.

Cheers!


Posted 03-01-2012 12:31 by Michael Van Horenbeeck