How to Setup Applications & Scanners to Use Office 365 Online Exchange to Send Emails

Intro:

There are three (3) methods: (1) SMTP client authentication, (2) Direct Send, and (3) SMTP Relay. Authentication is the most secured and recommended path. Direct Send and SMTP Relay are useful in circumstances where certain multi-functional devices or applications are not able to use Auths. Direct Send is slightly safer to use than SMTP Relay. Hence, the order or recommendation is as numbered.

1. SMTP Client Authentication

Requirements:
* Authentication: The network scanner or application must have fields to input a username and password
* Mailbox: On Office 365 mailbox needed to be created with a valid subscription
* Transport Layer Security (TLS): Your device must be able to use TLS version 1.2 and above. The precludes SSL3.0, TLS1.0, and TLS1.1 (deprecated and unsecure)
* Firewall: Port TCP/587 and/or TCP/25 is required and must be unblocked outbound. Use PowerShell command Test-NetConnection smtp.office365.com -port 587 to check to verify result such as this:

* Windows PowerShell
* Copyright (C) 2016 Microsoft Corporation. All rights reserved.
*
* PS H:\> Test-NetConnection smtp.office365.com -port 587
*
*
* ComputerName : smtp.office365.com
* RemoteAddress : 40.97.220.34
* RemotePort : 587
* InterfaceAlias : Ethernet
* SourceAddress : 10.10.10.10
* TcpTestSucceeded : True

How to Setup
* Create an Office365 mailbox
* Input the authentication credentials of such mailbox into the Application or scanner send mail module. The format is Username: mailbox@companyname.com, Password: [chosen password]
* Enable TLS or StartTLS. This should default to outbound port number 587

2. Direct Send

Notes:
1. Does not require an Office 365 mailbox
2. Cannot send to email addresses that are outside of the organization
3. Use this option when the application or multifunction machines doesn’t support TLS 1.2 or Client Authentication
4. Senders are not bound by the 30 messages per minute or 10,000 recipients per day limit; however, outgoing messages will have a higher probability of being marked as spam and company WAN IP being blacklisted

How to Setup
1. Obtain the Public IP of the WAN interface of your network. An easy way to do this is to run this PowerShell command: Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
2. Obtain MX record while login to the Office 365 Portal
1. Navigate to the MX record entry of the company’s domain > write down that information (i.e. kimconnect-com.mail.protection.outlook.com)
3. Configure the device or application
1. Input the MX record entry found above into the SERVER or SMART HOST field
4. Update Company DNS record at the Registrar
1. Edit the Sender Policy Framework (SPF) record with an entry in this format: v=spf1 ip4:<Public_IP> include:spf.protection.outlook.com ~all

3. SMTP Relay

Notes
1. Senders will be able to spoof email address origins from an any address within the organization
2. Authentication is via the Public IP address of the sender

How to Setup – Creating a “Connector”
1. Login to the Office 365 portal > Admin > Exchange > Mail flow > Connectors > click on the + sign to initiate the wizard > specify the mail flow scenario > Next > choose the option “By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization, and add the Public IP address of the company’s network > Save
2. Obtain the MX record as shown in the Direct Send method
3. Access the DNS control panel at the registrar > Edit the Sender Policy Framework (SPF) record with an entry in this format: v=spf1 ip4:<Public_IP> include:spf.protection.outlook.com ~all
4. Configure the device or application to use the MX record entry into the SERVER or SMART HOST field

Leave a Reply

Your email address will not be published. Required fields are marked *