Monday, 6 April 2015

Office365: Sending mails from application or device

Sending mails from application or device in Microsoft Office365

When moving from on-premises to the cloud environment we focus mainly on users' mailboxes. Although that is indeed the most important thing, it is not the only one. We also have to remember to re-configure the applications and devices that are part of our company's mail traffic.
In this article I will look more closely at the methods that can be used to accomplish this task.
Applications and devices use SMTP to send mail. Depending on the environment in which they operate, we deal either with a uniform environment, in which one or more mail servers have been migrated to Office365, or with a hybrid one, in which a server on the local network runs in parallel with Exchange Online.
When dealing with a hybrid environment, Microsoft recommends that you use the local servers for mail transfer from applications and devices.
This is due in part to the limits imposed by the Office365 service, which you also need to keep in mind when implementing it (https://technet.microsoft.com/en-us/library/exchange-online-limits.aspx):
- message with attachment - max. 25 MB in size,
- 10 000 recipients per day for the whole organization (tenant) - an anti-spam measure,
- 500 recipients per single message in the FROM:, TO: and CC: fields together,
- 5000 recipients for a distribution group, with a 2 MB maximum attachment size for mail sent to such a large group.
Given the above limits, for organizations wishing to send a mailing to thousands of recipients the Office365 offer may be insufficient. Microsoft says so itself and recommends using other SMTP services for those purposes.

There are three supported and documented methods of sending mail from devices and applications through Office365:

1. SMTP Relay – Office365 acts as the relay and allows sending mail without authentication
2. Using a user's mailbox credentials
3. Direct Send


Method 1. SMTP Relay
The traditional way of sending messages through an Exchange mail server is SMTP relay. It is also the method Microsoft recommends as the basis for handling e-mails sent from devices and applications.
By using an SMTP connector created in the Exchange Online page of the Office365 service, we are able to send e-mails without authentication, i.e. we do not need a specially created functional mailbox. Given that an organization may have many devices and applications with an active SMTP role, this is beneficial mainly because of the lack of license costs.
Authentication on Exchange Online is based on our designated IP addresses or a certificate. We can use any e-mail address within the domains that have been registered in Office365.
From Microsoft's description of this functionality we should know that if we use it for a device that does not have a mailbox, we should buy an Exchange Online Protection license for each such account, because we are using the anti-spam gateway.
To use this method, determine the public IP addresses of your organization that will participate in communication with Office365 and Exchange Online.
You need to create an inbound connector in the mail flow - connectors menu.
Before configuring the connector, check whether the domains added to the Office365 service are fully functional, i.e. they must have the status "Setup completed".

Domain management panel


To create the inbound connector for e-mail coming from the device or application:
1. Select the "+" icon to create a new connector.
2. Give it a name.
3. Select the type: Local.
4. In "Domain Sender" insert the sender domain names that the connector will handle. If you cannot specify a domain list, insert the asterisk character *.
5. In "IP address of the sender" insert the public IP addresses of your organization.
6. In "Accepted domains" specify the domains added to the Office365 subscription that the connector will serve.
7. Leave the other options at their defaults and save the configuration.


Created, running inbound connector

Inbound connector - general section

Inbound connector - Security section

Inbound connector - Scope section - domains and IP addresses



After creating the inbound connector you can proceed to configure the device or application.
Before that, however, you need to modify (or create, if it does not exist) the SPF record in the public DNS for the domains that will participate in sending e-mails via SMTP relay in the Office365 service. In most cases this is done in the web panel of the domain registrar or DNS provider.
This TXT record should be supplemented with the company's public IP addresses from which the device or applications will connect to the Exchange Online servers.

A ready TXT SPF record looks like this:
v=spf1 ip4:90.12.23.34 include:spf.protection.outlook.com -all
where ip4:90.12.23.34 is the public IP address and spf.protection.outlook.com is the address of Office365's Exchange Online Protection.
If the communication will come from several IP addresses, they can be added one after another:
v=spf1 ip4:90.12.23.34 ip4:90.12.23.33 include:spf.protection.outlook.com -all

Configure the device to send mails through the SMTP connector
The first thing you need to do is determine the address of the SMTP server, which you specify in the sender account setup.
Although there is a general SMTP address, smtp.office365.com, Microsoft recommends using it only for sending from POP3 / IMAP mailboxes.
To send a message from a device or an application, check the public DNS MX record.
The one for a particular domain is visible in the domain settings of the Office365 management panel:
DNS domain management - checking MX record

For the XYZ.com.pl domain it will look like xyz-com-pl.mail.protection.outlook.com.
This record is what we will use as the SMTP server address.

Configuration data:
·      SMTP server name: xyz-com-pl.mail.protection.outlook.com
·      TLS encryption: On or Off
·      Port: 25
·      SMTP authentication: not needed - we are not using a user account
   
Example of a working configuration for Konica-Minolta Bizhub C220:


Note: the address specified as the administrator of the machine and the address used to send e-mails should be the same. The point is that the device must not use a different address, which could cause problems with mail delivery.

(Un)expected problems
Although the device was configured correctly according to Microsoft's specification, the send attempt produced an error in the device logs and, of course, the e-mail was not delivered.
It became necessary to check what was causing the problem.
For this purpose you can use the telnet command, but it is more convenient to use PowerShell.

Execute the command:
Send-MailMessage -From administrator@xyz.com.pl -To yourmail@abc.com -Subject "test" -Body "testit" -SmtpServer xyz-com-pl.mail.protection.outlook.com

As I thought, executing the command caused an error:



The test showed that the company's public IP address was on Microsoft's blacklist.
I would recommend checking the public DNS configuration, in particular the SPF record, on this site:
The SPF record should also be compared with the relay connector settings: the permitted IP addresses and domains should match the DNS entries.
If everything looks correct, send a request to unblock the IP address or addresses to delist@messaging.microsoft.com.
Within a few hours the request should be processed and the IPs unblocked.
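The comparison between the SPF record and the connector's IP list, recommended above, can be automated. The following Python script is an added example written for this article and is not from the original post or from Microsoft: it parses the SPF TXT record from the SMTP relay section, checks that every IP address the inbound connector trusts is also authorized by the record (and vice versa), and verifies that the record keeps the include:spf.protection.outlook.com entry and a restrictive -all. The IP addresses and domain are the post's placeholder values, and the 10-lookup limit is the one defined in RFC 7208. The general SPF parsing goes beyond the two ip4-only records shown in the text (it also understands ip6, include and redirect terms).

```python
import ipaddress

# Constructed example values, reusing the placeholders from the post (not a real tenant).
EXAMPLE_RECORD = "v=spf1 ip4:90.12.23.34 ip4:90.12.23.33 include:spf.protection.outlook.com -all"
EXAMPLE_CONNECTOR_IPS = ["90.12.23.34", "90.12.23.33"]

# The include that hands SPF evaluation over to Exchange Online Protection.
OFFICE365_SPF_INCLUDE = "spf.protection.outlook.com"

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) tuples.

    Mechanisms use 'name:value' (ip4, include, ...); modifiers use 'name=value'
    (redirect, exp). The default qualifier is '+' (pass).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            name, _, value = term.partition("=")
        else:
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf_against_connector(record, connector_ips):
    """Compare the SPF record with the inbound connector's IP list.

    Returns a list of findings; an empty list means the record and connector agree.
    """
    findings = []
    terms = parse_spf(record)

    # Networks the record explicitly authorizes with a 'pass' qualifier.
    networks = [ipaddress.ip_network(value, strict=False)
                for qualifier, name, value in terms
                if name in ("ip4", "ip6") and qualifier == "+"]
    connector = [ipaddress.ip_address(ip) for ip in connector_ips]

    # Every address the connector trusts must also pass SPF at the recipient side,
    # otherwise relayed mail is scored as spam or rejected.
    for addr in connector:
        if not any(addr in net for net in networks):
            findings.append("connector IP %s is not authorized by the SPF record" % addr)

    # Conversely, an SPF entry with no matching connector address is stale or a typo.
    for net in networks:
        if not any(addr in net for addr in connector):
            findings.append("SPF authorizes %s but the connector lists no address in it" % net)

    includes = [value for qualifier, name, value in terms if name == "include"]
    if OFFICE365_SPF_INCLUDE not in includes:
        findings.append("missing include:%s, so mail sent by Exchange Online itself fails SPF"
                        % OFFICE365_SPF_INCLUDE)

    # The record should close with 'all'; '+all' would authorize any sender on the Internet.
    if not terms or terms[-1][1] != "all":
        findings.append("record does not end with an 'all' mechanism")
    elif terms[-1][0] == "+":
        findings.append("'+all' authorizes every sender; use -all or ~all")

    lookups = sum(1 for qualifier, name, value in terms if name in DNS_LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10; receivers return permerror"
                        % lookups)
    return findings


if __name__ == "__main__":
    result = check_spf_against_connector(EXAMPLE_RECORD, EXAMPLE_CONNECTOR_IPS)
    for line in result or ["SPF record and connector agree"]:
        print(line)
```

Run it with the TXT record as published in DNS and the IP list copied from the connector's Scope section; any finding it prints is something to fix before asking for a delisting.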

Sample answer to a mail sent to delist@messaging.microsoft.com

The test run again after delisting was successful:

And in my Outlook I was able to find the sent message.

Before configuring devices I recommend checking all of the elements twice, to be sure that the IP addresses will not show up on spam lists.

Method 2: Use a user mailbox to send e-mails from an application or device
The easiest to set up and the most reliable method is to use a specially created mailbox. Because we send mail as an authenticated user directly to the Exchange Online server, the problem presented earlier, the possible blocking of the company's IP addresses, does not occur. Devices and applications that send e-mails using authentication may have a dynamic IP address and do not need to be registered as eligible senders, so there is no need to create an additional inbound connector.
If the device or application does not have SMTP configuration options and only has a place to enter the address of the mail server, you can configure a local SMTP server in Windows Server and set it to authenticate to Office365.

Configuration data
·    SMTP server name: smtp.office365.com
·    TLS encryption: On
·    Port: 25 or 587 (suggested)
·    SMTP authentication: yes
If the device cannot use TLS, it will not work with Office365 using this method. Port 465 with SSL cannot be used.

Sample working configuration for Konica-Minolta C220

If sending mail fails and you find an authentication error, make sure that the device does not have an e-mail address configured other than the one used to send. Sometimes the device administrator's e-mail address is used as a default. If so, change it to the same address used in the SMTP settings tab.
Konica Minolta's administrator e-mail configuration - to match the SMTP settings
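The two configurations described in this article, the unauthenticated relay to the tenant's MX host (Method 1) and the authenticated submission to smtp.office365.com over STARTTLS (Method 2), can be reproduced from a script when a device's own logs are too terse to diagnose. The Python below is an added example written for this article, not code from the post, from Konica Minolta or from Microsoft. It encodes the constraints stated above: STARTTLS with certificate verification, no port 465, and for Method 2 a From address identical to the authenticated mailbox, which is the mismatch the paragraph on the administrator address warns about. The addresses and the DryRunSMTP recorder are constructed; DryRunSMTP stands in for smtplib.SMTP so the session can be inspected without a network connection, while passing the real smtplib.SMTP sends mail.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Submission host for authenticated sending (Method 2), as given in the post.
OFFICE365_SUBMISSION_HOST = "smtp.office365.com"


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message. The From header is what the relay and the
    anti-spam checks see, so it is set explicitly rather than left to the library."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def relay_settings(mx_host, starttls=True):
    """Method 1: unauthenticated relay to the tenant's MX host on port 25.
    The inbound connector authorizes the connection by source IP, so no
    credentials are sent; the post allows TLS on or off, the default here is on."""
    return {"host": mx_host, "port": 25, "starttls": starttls, "credentials": None}


def authenticated_settings(username, password, port=587):
    """Method 2: authenticated submission to smtp.office365.com over STARTTLS.
    Port 465 (implicit SSL) is refused because the post states it cannot be used."""
    if port not in (25, 587):
        raise ValueError("use port 25 or 587 with STARTTLS; implicit SSL on 465 is not supported")
    return {"host": OFFICE365_SUBMISSION_HOST, "port": port, "starttls": True,
            "credentials": (username, password)}


def check_sender(msg, settings):
    """For authenticated sending the From address must be the authenticated mailbox;
    a different administrator address configured on the device is the usual cause
    of the failures described in the post. Returns the From address when acceptable."""
    sender = msg["From"]
    if settings["credentials"] is not None:
        account = settings["credentials"][0]
        if sender.strip().lower() != account.strip().lower():
            raise ValueError("From %r does not match the authenticated account %r" % (sender, account))
    return sender


def send(msg, settings, smtp_factory=smtplib.SMTP):
    """Run the SMTP session: EHLO, STARTTLS with certificate verification, optional
    LOGIN, then the message. Returns smtplib's dict of refused recipients."""
    check_sender(msg, settings)
    with smtp_factory(settings["host"], settings["port"], timeout=30) as smtp:
        smtp.ehlo()
        if settings["starttls"]:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # re-EHLO after TLS: the capability list (AUTH) changes
        if settings["credentials"]:
            smtp.login(*settings["credentials"])
        return smtp.send_message(msg)


class DryRunSMTP:
    """Constructed stand-in for smtplib.SMTP that records the session instead of connecting."""
    transcript = []

    def __init__(self, host, port, timeout=None):
        DryRunSMTP.transcript.append(("connect", host, port))

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        DryRunSMTP.transcript.append(("ehlo",))

    def starttls(self, context=None):
        DryRunSMTP.transcript.append(("starttls",))

    def login(self, user, password):
        DryRunSMTP.transcript.append(("login", user))  # the password is deliberately not recorded

    def send_message(self, msg):
        DryRunSMTP.transcript.append(("send", str(msg["From"]), str(msg["To"])))
        return {}  # no refused recipients


if __name__ == "__main__":
    # Constructed addresses on the post's placeholder domain; replace with real ones.
    msg = build_message("device@xyz.com.pl", "yourmail@abc.com", "test", "testit")
    send(msg, authenticated_settings("device@xyz.com.pl", "PLACEHOLDER_PASSWORD"), smtp_factory=DryRunSMTP)
    for step in DryRunSMTP.transcript:
        print(step)
```

Swapping DryRunSMTP for smtplib.SMTP turns the dry run into a real test equivalent to the Send-MailMessage command above; a certificate error from ssl.create_default_context() at that point means the configured server name does not match the tenant's MX or submission host and should be corrected rather than bypassed.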


Method 3: Direct Send
If the device or application has a built-in mail server, it can send e-mails directly.
There is no need to use the Office365 SMTP service at all. Mail is delivered to the recipients based on the DNS records of the domain to which the message is sent.
If, however, the device has no SMTP mechanism of its own and needs to connect to an external server, you need to use one of the previously mentioned methods or configure an additional SMTP server.






