Scenario 1 – LAN Mail clients (devices\application) addressing an internal mail server
In a scenario in which LAN Mail clients (devices\application) address an internal mail server, the basic assumption is that the LAN environment is considered “safe” (isolated from the external network).
For this reason, the typical characteristics of the communication between the Mail enabled Devices\Applications and the on-premises mail server are:
- Communication channel – mail-enabled Devices\Applications communicate with the on-premises mail server using the SMTP protocol (non-encrypted connection).
- Authentication – most of the time, the Mail enabled Devices\Applications don’t use an authentication mechanism (anonymous authentication).
- IP Address restriction – in some scenarios, if the administrator wants to implement a basic security mechanism, the on-premises mail server is configured to accept anonymous SMTP connections only from particular predefined IP addresses.
Scenario 2 – LAN Mail clients addressing Office 365 mail services using secure communication channel (TLS)
In a scenario of mail flow over a public network such as the cloud (Office 365 mail services), the characteristics of the communication channel are based upon different assumptions: the communication channel between the Mail enabled Devices\Applications and the Office 365 mail services is created via a public network infrastructure (non-trusted environment).
For this reason, the best practice from the security point of view is to establish a security mechanism that will enable sending mail via the Office 365 mail infrastructure in a secure way.
The “translation” of “secure way” is implementing an encrypted communication channel, plus the need for the Office 365 mail infrastructure to identify the “element” (Mail enabled Devices\Applications) that connects to it and asks for mail services.
The characteristic of this scenario is Mail enabled Devices\Applications that have the ability to address the Office 365 mail infrastructure “directly,” by addressing the Office 365 entities that represent the Exchange Online mail services available to mail clients.
To be able to address the Office 365 mail server (smtp.office365.com) using a secure communication channel, the Mail enabled Devices\Applications need to have the ability to communicate using the TLS protocol and to provide the user credentials of an Office 365 user who has an Exchange Online mailbox.
Scenario 3 – LAN Mail clients (devices\application) addressing Office 365 mail services via mail relay
The third scenario is a situation in which we want to enable Mail enabled Devices\Applications to address the Office 365 mail infrastructure using a secure communication channel.
Because the Mail enabled Devices\Applications don’t support the mandatory requirements of TLS protocol + authentication, we need to use an intermediary element that will serve as a “logic connector” between the organization’s Mail enabled Devices\Applications and the Office 365 mail infrastructure (EOP server).
The “logic connector” will be implemented by using an SMTP relay server.
The SMTP relay server will use two separate interfaces:
- Interface 1 – the internal interface that will communicate with the organization’s Mail enabled Devices\Applications.
- Interface 2 – the public interface that will contact the Office 365 mail infrastructure (the EOP server) using a secure communication channel.
The public interface of the SMTP relay server will have to meet the following mandatory requirements:
- Secure communication channel – an encrypted communication channel that is created by using the TLS protocol (port 587 or port 25).
- Authentication – the “SMTP relay server” that wants to relay mail to the Office 365 mail infrastructure will need to provide credentials (username + password) using the basic authentication protocol.
- Mail server IP address\Host name – the “SMTP relay server” that wants to relay mail to the Office 365 mail infrastructure will need to know the public host name of the Office 365 mail server (smtp.office365.com).
The IIS SMTP server can meet the mandatory requirements of Exchange Online for TLS and authentication. In this scenario, the IIS SMTP server will be configured with two “interfaces”:
- The interface that accepts requests from LAN Mail enabled Devices\Applications – this “interface” will accept the mail relay requests from LAN Mail enabled Devices\Applications without the need for authentication (anonymous), and the communication channel that we use for communicating with the LAN Mail enabled Devices\Applications is based upon the SMTP protocol (no need for encryption).
- The interface that communicates with Exchange Online – the other “leg” or interface will be used by the IIS SMTP server for the communication with Exchange Online, using TLS and implementing the requirements for authentication.
Part 1 – Implementing SMTP mail relay using IIS server
SMTP Mail Relay pre-requirements
1. IIS SMTP User credentials
The credentials that the IIS SMTP server uses for communicating with Exchange Online could be those of any Office 365 user that has a valid license (a license for an Exchange Online mailbox).
There is no need to purchase a dedicated license for this purpose. The only “issue” that we should consider regarding the recipient name (the Office 365 user that we use for authenticating to the Exchange Online server) is that, by default, each of the messages that is relayed to the Exchange Online server will include this recipient name in the From field.
For example, in case we configure the IIS SMTP server to use the credentials of an Office 365 user named John, each of the E-mail messages sent from a LAN Mail enabled Device\Application to other Office 365 recipients will be accepted at the destination recipient as an E-mail message sent by “John.”
Later on, we will review the scenario in which the LAN Mail enabled Devices\Applications use a different mail address, and how to enable the IIS SMTP server to send email “on behalf of” these hosts.
2. Firewall settings
To enable the IIS SMTP server to create a communication channel to Exchange Online, we need to create in the organization’s Firewall an outbound rule which allows the IIS SMTP server to use TLS (port 587 or port 25).
3. Office 365 mail server entity | Hostname
To refer to the Exchange Online server, Office 365 uses a general hostname: smtp.office365.com
In case you want to find the information about the Exchange Online server name, use the following instructions:
- Login to Office 365 portal
- Access OWA (Mail) client
- In the top menu click on the Settings icon
- Choose the Options menu
- On the left side menu bar choose the POP and IMAP menu
- At the bottom of the page, click on Settings for POP or IMAP
- In the window that appears, look for the section: SMTP settings
Here, you can find the Exchange Online server name (smtp.office365.com), and additionally we can see that there is a mandatory requirement for using the TLS protocol (port 587 or port 25).
Installing and configuring the IIS SMTP server
In the following section, we will demonstrate how to install IIS SMTP server on a Windows 2008 server.
Step 1: install IIS Server
- Open Server Manager Console and under Features select Add Features
- Select the option of SMTP Server
(The rest of the installation process is just next, next, etc.)
Step 2: IIS SMTP Service
By default, the IIS SMTP service is not started, and the startup type is: Manual.
- We will need to change the default setting to Automatic: double click on the SMTP service (Simple Mail Transfer Protocol (SMTP)) and change the Startup type to Automatic.
- Start the IIS SMTP service (SMTPSVC).
Step 3: IIS SMTP Server MMC
The management console for the IIS SMTP is Internet Information Services 6.0.
(There is no option of managing the IIS SMTP using the “standard” IIS 7 Management console). We can find the IIS 6.0 Manager under Administrative Tools -> Internet Information Services 6.0
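The three prerequisites above (feature installation, service startup type, and the outbound firewall rule from the pre-requirements section) can also be done from an elevated PowerShell prompt. The following is an added example, not a script from the original article; it assumes Windows Server 2008 R2 or later, where the ServerManager module and the Add-WindowsFeature cmdlet are available.

```powershell
# Added example (not from the original article): automating the Part 1 prerequisites
# in an elevated PowerShell session. Assumes Windows Server 2008 R2 or later, where
# the ServerManager module ships with the OS.
Import-Module ServerManager

# Step 1: install the SMTP Server feature ("Add Features" -> "SMTP Server" in Server Manager).
Add-WindowsFeature -Name SMTP-Server

# Step 2: the service (SMTPSVC) is installed stopped with startup type Manual;
# switch it to Automatic and start it.
Set-Service -Name SMTPSVC -StartupType Automatic
Start-Service -Name SMTPSVC

# Confirm the result (Win32_Service also works on PowerShell 2.0, which lacks Get-Service's StartType).
Get-WmiObject -Class Win32_Service -Filter "Name='SMTPSVC'" |
    Select-Object Name, State, StartMode

# Firewall pre-requirement: outbound rule for the relay's "cloud" interface.
# TCP 587 is used here; use remoteport=25 instead if that is the port you configure in Part 2.
netsh advfirewall firewall add rule name=IISSmtpRelayToExchangeOnline587 dir=out action=allow protocol=TCP remoteport=587
```

The firewall rule is deliberately limited to outbound TCP on the single port the relay will use; nothing inbound is opened, because only LAN hosts are expected to reach the relay's internal interface.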
Part 2 – Configuring IIS server as mail relay for Office 365 environment
In the following section, we will review all of the required settings for configuring the IIS SMTP server as an “SMTP Relay.”
1. IIS SMTP relay “LAN interface”
The first part relates to the settings for the interface, or the “IIS leg,” that serves the LAN hosts (Mail enabled Devices\Applications).
Open the IIS SMTP management console, right click on [SMTP Virtual Server #1] and choose: Properties
1. Access tab | Authentication
Select the Access tab -> Authentication (as described above, the LAN interface accepts relay requests from the LAN hosts without authentication, i.e. anonymous access).
2. Access tab | Relay
The “relay” settings are used for configuring the IP addresses of the Mail enabled Devices\Applications that will communicate (relay mail) to the IIS SMTP server.
In our example, we have two hosts that need to send mail to the IIS SMTP server:
a Help Desk application that is installed on a workstation with the IP address 10.100.102.2, and a FAX device that uses the IP address 10.100.102.3.
To enable these hosts to send (relay) mail to the IIS SMTP server, we will need to add these IP addresses to the “allowed list.”
Select the Access tab -> click on the Relay… button.
In the Relay restrictions window, add the IP addresses of the Mail enabled Devices\Applications that will communicate (relay mail) to the IIS SMTP server.
2. IIS SMTP mail relay “cloud” interface
In this section, we will create the required settings that enable the IIS SMTP server to relay mail messages to the Exchange Online server.
The Delivery tab is used for configuring the IIS SMTP “interface” that communicates with the Exchange Online server.
1. Delivery Tab | Outbound security
Select the Delivery tab -> Outbound Security option.
In the Outbound Security window, select the option: Basic Authentication.
We will need to provide the credentials of an Office 365 user who has an Exchange Online mailbox.
In our example, we will use the credentials of a user named: John@o365info.com
In the same Outbound Security window, also select the option: TLS encryption (for creating a secure communication channel to Exchange Online).
2. Delivery Tab | TCP port
Select the Delivery tab -> Outbound Connection option.
The TLS port number that we use for communicating with Exchange Online is: 25 (or port 587).
(Please verify that the organization’s Firewall has the required outbound rule that enables the IIS SMTP Server to use this port.)
3. Delivery Tab | Advanced
Select the Delivery tab -> Advanced option
In the Smart host text box, we need to provide the Exchange Online server name (smtp.office365.com).
The Fully qualified domain name section is not a mandatory requirement. You can add the FQDN of the IIS SMTP server.
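Before trusting the “cloud” interface configured above, it is worth confirming from the IIS SMTP server itself that the firewall rule works and that the smart host really offers STARTTLS on the chosen port. The function below is an added example (not part of the original article, and Test-SmtpStartTls is this example's own name, not an IIS or Office 365 command): it opens a connection to the smart host, walks through EHLO and STARTTLS, completes the TLS handshake and reports the negotiated protocol and the server certificate. No message is sent and no credentials are used.

```powershell
# Added example (not from the original article): check the relay's outbound leg.
# Assumes the outbound firewall rule from Part 1 is in place. Test-SmtpStartTls is a
# helper name invented for this example.
function Test-SmtpStartTls {
    param(
        [string]$SmartHost = 'smtp.office365.com',
        [int]$Port = 587,
        [string]$EhloName = [System.Net.Dns]::GetHostName()
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($SmartHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end with CRLF
    $writer.AutoFlush = $true

    # Read one SMTP reply: continuation lines look like "250-", the final line like "250 ".
    $readReply = {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }

    $banner = @(& $readReply)
    if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }

    $writer.WriteLine("EHLO $EhloName")
    $ehlo = @(& $readReply)
    if (-not ($ehlo -match 'STARTTLS')) { throw 'Smart host did not advertise STARTTLS' }

    $writer.WriteLine('STARTTLS')
    $reply = @(& $readReply)
    if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

    # Handshake with TLS 1.2 only, full chain validation and revocation checking.
    # An untrusted certificate or a protocol mismatch surfaces here as an exception.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    $ssl.AuthenticateAsClient($SmartHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $true)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $result = New-Object PSObject -Property @{
        SmartHost   = $SmartHost
        Port        = $Port
        TlsProtocol = $ssl.SslProtocol
        Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
    }

    # Close the session politely inside TLS, then tear down the connection.
    $tlsWriter = New-Object System.IO.StreamWriter($ssl)
    $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
    $tlsWriter.WriteLine('QUIT')
    $ssl.Dispose(); $client.Close()
    return $result
}

Test-SmtpStartTls -SmartHost 'smtp.office365.com' -Port 587 | Format-List
```

Run it with the port you selected under Outbound Connection. A failure at the Connect step points at the firewall rule; a failure at AuthenticateAsClient points at the TLS stack of the relay server (current Exchange Online endpoints require TLS 1.2, which is why the handshake is pinned to it) or at a certificate the server does not trust.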
Part 3 – Enable the IIS SMTP relay to send mail on behalf other Email address
After creating the required settings for the IIS SMTP relay, we will need to solve an additional issue that can be described as: enable the IIS SMTP relay to send mail on behalf of another Email address.
For demonstration purposes, let’s use the following scenario:
We want to enable two internal hosts to send email using the IIS SMTP server.
One host is a Helpdesk application that uses the Email address HelpDesk@o365info.com, and the other host is a Fax machine that uses the email address FaxService@o365info.com.
If these hosts try to relay mail to the IIS SMTP server, the mail message will be rejected by the Exchange Online server because, by default, a recipient (in our example: John@o365info.com) cannot send email “on behalf of” other recipients (in our example: FaxService@o365info.com and HelpDesk@o365info.com).
The good news is that we don’t need to create a user account and mailbox that will “represent” these hosts that relay mail to the IIS SMTP server.
To enable the IIS SMTP server to send email for these hosts, we can choose one of the following solutions:
1. Using a distribution group and assigning “Send As” permissions
This solution is based on creating a distribution group for each of the hosts that needs to relay E-mail to the IIS SMTP server.
The distribution group is configured as a security group (a Security\Distribution group).
The next step is assigning “Send As” permission to the recipient whom the IIS SMTP server uses for authentication (in our example: John@o365info.com).
The Send As permission could be assigned by using the Web interface or by using a PowerShell command.
- Log in to Office 365 portal, in the Admin menu choose the option: Exchange
- In the Exchange admin center choose the recipient menu –> groups
- Click on the “Add” option and choose the Security group option.
- In our example, we will name the new security-distribution group FaxService.
- Double click on the name of the new security-distribution group (FaxService) and choose the menu: group delegation.
- Click on the add option and add the recipient name that we use for the IIS SMTP credentials (in our example: John).
We will need to repeat this procedure for each of the LAN hosts that will need to relay email using the IIS SMTP server.
Assign “Send As” Permissions for a Mailbox/Distribution group
PowerShell command syntax example:
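As an added example (not the article's own command), the same result through Exchange Online PowerShell: create a security-enabled distribution group per LAN host, grant the relay account Send As on it, and verify. It assumes the ExchangeOnlineManagement module is installed and the signed-in administrator can manage recipients; the names follow the article's scenario.

```powershell
# Added example (not from the original article): option 1 via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is installed.
Connect-ExchangeOnline

$relayAccount = 'John@o365info.com'   # mailbox whose credentials the IIS SMTP relay authenticates with
$relayHosts = @(
    @{ Name = 'FaxService'; Address = 'FaxService@o365info.com' },
    @{ Name = 'HelpDesk';   Address = 'HelpDesk@o365info.com' }
)

foreach ($h in $relayHosts) {
    # A mail-enabled security group that owns the sender address used by the LAN host
    if (-not (Get-DistributionGroup -Identity $h.Name -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $h.Name -Type Security -PrimarySmtpAddress $h.Address | Out-Null
    }
    # Let the relay account send as the group; nothing else is granted to it
    Add-RecipientPermission -Identity $h.Name -Trustee $relayAccount -AccessRights SendAs -Confirm:$false
}

# Verify: who may send as each group
foreach ($h in $relayHosts) {
    Get-RecipientPermission -Identity $h.Name -AccessRights SendAs |
        Select-Object Identity, Trustee, AccessControlType
}
```

Keeping the grant to Send As on the specific groups (rather than, say, mailbox access to other users) limits what the relay's stored credentials can do if the relay server is ever compromised.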
2. Add an additional Email address (Alias)
The other option that we can use (instead of the security\distribution group solution) is to add the email address that will be used by the LAN Mail enabled Devices\Applications as an additional email address (Alias) of the recipient who is used by the IIS SMTP server.
In our example, we will add two additional email addresses to the recipient named: John
- Log in to Office 365 portal, in the Admin menu choose the option: Exchange
- In the Exchange admin center choose the recipient menu –> mailboxes
- Choose the recipient name that is used by the IIS SMTP server (in our example: John).
- Click on the “add” option
- In the Mailbox properties choose the option: Email address.
- In our example, we will add to “John’s Mailbox” two additional email addresses (Alias): FaxService@o365info.com and HelpDesk@o365info.com
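The alias option can likewise be done from Exchange Online PowerShell. The following is an added example (not from the original article); it assumes the ExchangeOnlineManagement module is installed and uses the article's names. It first checks that neither address is already owned by another recipient, because a proxy address must be unique in the tenant, then adds both as secondary addresses of John's mailbox.

```powershell
# Added example (not from the original article): option 2 via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is installed.
Connect-ExchangeOnline

$relayMailbox = 'John@o365info.com'
$aliases = @('FaxService@o365info.com', 'HelpDesk@o365info.com')

# An SMTP address must be unique in the tenant; stop if an alias already belongs to a recipient.
foreach ($a in $aliases) {
    $owner = Get-Recipient -Identity $a -ErrorAction SilentlyContinue
    if ($owner) { throw "$a is already assigned to $($owner.Identity)" }
}

# Add the aliases as secondary proxy addresses; John's primary address is left unchanged.
Set-Mailbox -Identity $relayMailbox -EmailAddresses @{ add = $aliases }

# Verify the mailbox now carries the extra addresses
Get-Mailbox -Identity $relayMailbox | Select-Object -ExpandProperty EmailAddresses
```

After this change, a message relayed with FaxService@o365info.com or HelpDesk@o365info.com as the sender is accepted by Exchange Online because the address belongs to the mailbox the relay authenticated as; replies to those addresses will land in John's mailbox, which is the trade-off against the distribution-group option.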