Sunday, August 10, 2014

Using a Windows Server as an authenticated relay server to Office365

If you've got an on-premise device that doesn't support TLS and you're on Office365 (or other outsourced Exchange), you're in a bind.  Most of the info here comes from this article:

http://www.configureoffice365.com/configure-office-365-smtp-relay/

I'm copying and pasting parts of it below, simplifying parts, and adding my own hints.  This presumes Windows Server 2008.  Some Windows 2012 steps are here.

Part 1 - Add IIS if not already installed

  1. In Server Manager, select Add Roles.
  2. On the Select Server Roles page, select Web Server (IIS) and select Install.
  3. Select Next until you get to the Select Role Services page.
  4. In addition to what is already selected, make sure that ODBC Logging, IIS Metabase Compatibility, and IIS 6 Management Console are selected and then select Next.
  5. When you’re prompted to install IIS, select Install. You may need to restart the server after the installation is finished.

Part 2 - Install SMTP

  1. Open Server Manager and select Add Features.
  2. On the Select Features screen, choose SMTP Server. You may be prompted to install additional components. If that’s the case, select Add Required Features and select Next.
  3. Select Install. After the installation is finished, you may have to start the SMTP service by using the Services snap-in for the Microsoft Management Console (MMC).

Part 3 - Add TLS certificate

  1. Office 365 requires TLS encryption, and for this server to use TLS it must have a certificate installed.
  2. To do this, the Web Server (IIS) role and IIS Management Console must be installed (added via Server Manager -> Add Roles).
  3. To create the self-signed certificate: (Start->Administrative Tools->Internet Information Services (IIS) Manager->Select Host->Server Certificates->Create Self-Signed Certificate)

Part 4 - Configure SMTP server relay

  1. Start->Administrative Tools->Internet Information Services (IIS) 6.0 Manager.
  2. Click on the ‘+’ next to your host name.
  3. Right-click on the [SMTP Virtual Server…] and select Properties. It’s now time to step through each of the tabs to configure the SMTP relay.
  4. General Tab: The IP address should be set to (All Unassigned)
  5. Access Tab: Click Authentication… and select the Anonymous access check box.
  6. Access Tab: Click Connection… Select ‘All Except the list below’ and leave the list below blank. This allows any device inside your firewall to access this relay.
  7. Access Tab: Click Relay… Select ‘All Except the list below’ and leave the list below blank. This allows any device inside your firewall to access this relay.
  8. Messages Tab: No changes. The default works well.
  9. Delivery Tab: Click Outbound Security… Select Basic authentication and enter the username and password that is used to send e-mail to the external server (Office 365 in this case). The user name must be a fully qualified (ex: user@companyname.com) valid Office 365 user licensed for Exchange. Check TLS encryption.
  10. Delivery Tab: Click Outbound connections… Set the TCP port to 587.
  11. Delivery Tab: Click Advanced Delivery and set the Fully-qualified domain name box to the name of the local server that is acting as the relay (ex: myserver1.domain.local). Set the Smart host to the fully qualified name of the Office 365 SMTP Server (as of 8/6/14 this is smtp.office365.com in all cases). Make sure the “Attempt direct…” box is unchecked.
  12. LDAP Routing and Security Tabs: No changes to these areas.
  13. Now a remote domain has to be set up with the Office 365 domain name in it. Click the ‘+’ next to the [SMTP Virtual Server…] item.
  14. Right-click on Domains and select New->Domain, which launches a wizard.
  15. Select Remote and Next.
  16. Enter the name of the Office 365 vanity domain (ex: mycompany.com)
  17. Now this remote domain will be set up very similarly to the overall SMTP server. Right-click on the new domain name and select Properties.
  18. Select Forward all mail to smart host and enter the same Office 365 SMTP Server as above (ex. smtp.office365.com)
  19. Click on Outbound Security and configure the same as above. Select Basic authentication and enter the username and password that is used to send e-mail to the external server (Office 365 in this case). The user name must be a fully qualified (ex: user@companyname.com) valid Office 365 user licensed for Exchange. Check TLS encryption.
  20. Repeat steps 14 through 19, entering *.com as the domain in step 16.
  21. Repeat steps 14 through 19, entering *.org as the domain in step 16.
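Steps 6 and 7 leave both Connection and Relay open to every host on the LAN, so any machine that can reach port 25 on this server can send mail out under the Office 365 credentials entered in step 9. If you know the device addresses, listing only those under Relay is the tighter setting; either way, the SMTP service's W3C log is the record of who actually relayed. The following script is added here as an example and is not part of the original post or the linked article: it parses that log, groups MAIL and RCPT commands by client address, and flags any client that is not on an expected-device list. The log path, the device addresses and the sample log lines are constructed placeholders.

```python
"""Audit which LAN hosts are actually relaying through the IIS SMTP server.

With Connection and Relay set to "All Except the list below" and the list empty
(Part 4, steps 6 and 7), every host on the LAN can hand mail to the relay and it
goes out under the Office 365 account from step 9.  The SMTP service's W3C log
records who did, so this reads that log and flags client IPs that are not on
the expected-device list.  Added example, not from the post; the log path,
device addresses and sample lines are placeholders/constructed.
"""
import re
from collections import defaultdict
from pathlib import Path

# Placeholder: the copier and phone system that are supposed to use the relay.
EXPECTED_DEVICES = {"10.0.0.20", "10.0.0.21"}

# Placeholder: default log location for the first SMTP virtual server.
LOG_DIR = Path(r"C:\Windows\System32\LogFiles\SMTPSVC1")

# Constructed sample in IIS W3C extended format: one legitimate copier session and
# one unexpected host sending as a different address to an outside recipient.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-08-10 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2014-08-10 09:01:02 10.0.0.20 copier01 SMTPSVC1 MYSERVER1 10.0.0.18 25 EHLO - +copier01 250 0 0 0 0 SMTP - - - -
2014-08-10 09:01:02 10.0.0.20 copier01 SMTPSVC1 MYSERVER1 10.0.0.18 25 MAIL - +FROM:<relay@mycompany.com> 250 0 0 0 0 SMTP - - - -
2014-08-10 09:01:02 10.0.0.20 copier01 SMTPSVC1 MYSERVER1 10.0.0.18 25 RCPT - +TO:<me@mycompany.com> 250 0 0 0 0 SMTP - - - -
2014-08-10 09:01:03 10.0.0.20 copier01 SMTPSVC1 MYSERVER1 10.0.0.18 25 DATA - <1@MYSERVER1> 250 0 0 0 0 SMTP - - - -
2014-08-10 11:47:15 10.0.0.99 - SMTPSVC1 MYSERVER1 10.0.0.18 25 EHLO - +laptop 250 0 0 0 0 SMTP - - - -
2014-08-10 11:47:15 10.0.0.99 - SMTPSVC1 MYSERVER1 10.0.0.18 25 MAIL - +FROM:<ceo@mycompany.com> 250 0 0 0 0 SMTP - - - -
2014-08-10 11:47:16 10.0.0.99 - SMTPSVC1 MYSERVER1 10.0.0.18 25 RCPT - +TO:<someone@example.org> 250 0 0 0 0 SMTP - - - -
2014-08-10 11:47:16 10.0.0.99 - SMTPSVC1 MYSERVER1 10.0.0.18 25 DATA - <2@MYSERVER1> 250 0 0 0 0 SMTP - - - -
"""

ADDRESS = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per log entry, taking the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def audit_relay_log(text, expected=EXPECTED_DEVICES):
    """Group MAIL/RCPT commands by client IP and return the hosts not on the expected list.

    Result: {client_ip: {"messages": n, "senders": set(...), "recipients": set(...)}}
    """
    usage = defaultdict(lambda: {"messages": 0, "senders": set(), "recipients": set()})
    for entry in parse_w3c(text):
        ip, verb = entry["c-ip"], entry["cs-method"].upper()
        match = ADDRESS.search(entry.get("cs-uri-query", ""))
        if verb == "MAIL":
            usage[ip]["messages"] += 1
            if match:
                usage[ip]["senders"].add(match.group(1).lower())
        elif verb == "RCPT" and match:
            usage[ip]["recipients"].add(match.group(1).lower())
    return {ip: stats for ip, stats in usage.items() if ip not in expected}


def audit_log_dir(directory=LOG_DIR, expected=EXPECTED_DEVICES):
    """Run the audit over every log file in the SMTP service's log directory."""
    combined = "\n".join(p.read_text(errors="replace") for p in sorted(directory.glob("*.log")))
    return audit_relay_log(combined, expected)


if __name__ == "__main__":
    for ip, stats in audit_relay_log(SAMPLE_LOG).items():
        print(f"{ip}: {stats['messages']} message(s) as {sorted(stats['senders'])} "
              f"to {sorted(stats['recipients'])}")
```

On the relay itself, run `audit_log_dir()` against the real log directory. A host outside the expected list that issues MAIL commands is either a device you forgot to record or something that should not be sending through this account, and the sender addresses it used tell you which.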

Part 5 - Configure the on-premise device

  1. Configure the on-premise device (copier, phone system, etc.) with the IP address of the Windows server you have been working with as the SMTP server.
  2. For the email address, enter the same address you entered in Part 4 step 9.
  3. Use port 25, no authentication of any kind, and no SSL or any other kind of encryption.

Troubleshooting tips

  • Make sure the firewall on the Windows server allows connections on port 25.  A good test is "telnet 10.0.0.18 25" where 10.0.0.18 might be the IP address of the server you're using as the relay
  • I've seen instances where the first emails can take up to 90 minutes to relay.  I cannot explain this.  But it is true.
  • Before fighting with the device, try sending through Windows Mail or Outlook pointed at the relay.  If that succeeds, it's just a matter of configuring your device (copier, etc.) properly.
  • If nothing has come through after 90 minutes, look on the relay server for error files in C:\inetpub\mailroot\Badmail.
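The telnet test only proves the port is open. The script below, an added example rather than anything from the post, does what the device will do: it connects on port 25 with no TLS and no authentication, records which ESMTP keywords the relay advertises, sends one test message, and lists anything that landed in Badmail within the 90-minute window mentioned above. The relay address, the mailbox and the recipient are placeholders you replace with your own.

```python
"""Smoke-test the relay exactly the way the on-premise device will use it:
plain SMTP on port 25, no STARTTLS, no AUTH (Part 5, step 3).  A clean run
proves the relay side before you spend time on the copier's own settings.
Added example, not from the post; host, mailbox and recipient are placeholders.
"""
import smtplib
import time
from email.message import EmailMessage
from pathlib import Path

RELAY_HOST = "10.0.0.18"          # placeholder: relay's LAN address (the post's telnet example)
RELAY_PORT = 25
SENDER = "relay@mycompany.com"    # placeholder: the Office 365 mailbox from Part 4 step 9
RECIPIENT = "me@mycompany.com"    # placeholder: a mailbox you can watch
BADMAIL_DIR = Path(r"C:\inetpub\mailroot\Badmail")


def build_test_message(sender, recipient, relay_host):
    """The message the device would send: plain text, From set to the relay mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"Relay smoke test via {relay_host}"
    msg.set_content("Sent unauthenticated on port 25 through the IIS SMTP relay.")
    return msg


def ehlo_keywords(ehlo_reply):
    """Keywords advertised in the EHLO reply smtplib returns (its first line is the greeting)."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.split()}


def check_relay(host=RELAY_HOST, port=RELAY_PORT, sender=SENDER, recipient=RECIPIENT, timeout=10):
    """Connect like the device does; report what the relay offered and whether it took the mail."""
    report = {"connected": False, "advertised": set(), "accepted": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            report["connected"] = True
            code, reply = smtp.ehlo("copier-test")
            if code != 250:
                raise smtplib.SMTPHelloError(code, reply)
            report["advertised"] = ehlo_keywords(reply)
            # No starttls() and no login() on purpose: the device cannot do either.
            refused = smtp.send_message(build_test_message(sender, recipient, host))
            report["accepted"] = not refused
    except (OSError, smtplib.SMTPException) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


def badmail_since(directory=BADMAIL_DIR, minutes=90, now=None):
    """Names of files dropped in Badmail within the last `minutes` (the delay noted above)."""
    directory = Path(directory)
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    if not directory.is_dir():
        return []
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and p.stat().st_mtime >= cutoff)


if __name__ == "__main__":
    result = check_relay()
    print("relay report:", result)
    if result["accepted"]:
        print("accepted; if nothing arrives, check Badmail:", badmail_since() or "empty")
```

If `connected` is False the problem is the Windows firewall or the SMTP service not running; if the relay answers but `accepted` is False, the error text tells you whether it was the Relay restrictions or the Office 365 credentials that refused the message.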
