Configure SMTP Relay for BPOS/Exchange Online

When we made the move to Microsoft’s BPOS, we were left with a situation where some of our appliances were not able to make secure connections to the BPOS servers in order to send secure mail. The Microsoft Online Services (MOS) team had a blog entry that explains how to set up SMTP relay to Exchange Online for your devices, but it makes the assumption that you can change the port on your appliance and/or software. We had ones that wouldn’t allow us to do that.

We talked to the support team about setting up a local SMTP relay that we could use to send messages to locally and in turn would send messages to Exchange Online securely. Unfortunately, they weren’t able to help much. They had some instructions on how to set it up, which was the blog post above, but nothing detailed.

I decided to use IIS’s SMTP Relay since it was something that was free and looked to be fairly simple to use.

Here is how I set it up. I’m making the assumption that you’ve already installed IIS and the SMTP service.


1) Go to the properties of the SMTP Virtual Server. Select the IP address of the server, and then click Advanced. In the Advanced section, verify the port that you want to use. In this case, I chose to use port 25.


2) Select the Access tab. Click on Connection inside the Connection Control section and select the nodes you would like to have access to the SMTP Relay. Next click Relay under the Relay Restrictions section and select the nodes you want to relay through the server. In this example, I gave only this single server the ability to relay messages.


3) Select the Delivery tab. Click the Outbound Security option. Select the Basic Authentication radio button and the TLS encryption option as well. Under basic authentication, enter the username/password (I left the username blank intentionally) of the mailbox that is going to be the account that sends out the email. IMPORTANT: This user must be an Exchange Online user, so you will use a license on this account. Once you have entered the information, hit OK. Select the Outbound Connections button. Change the TCP port to 587 and hit OK. And finally, select the Advanced button and enter smtp.mail.microsoftonline.com in the smart host field. (Thanks Jeff for the reminder.)


NOTE: If you attempt to send as a user that is not an actual Exchange Online account, you will see the following message inside the logs. The logs are located here if you used the default values: C:\WINDOWS\system32\LogFiles\SMTPSVC1.

550+5.7.1+Client+does+not+have+permissions+to+send+as+this+sender

Otherwise you should see this entry in the log file.

250+2.1.0+Sender+OK

At this point, you can send a test email via the SMTP relay server to a recipient. I used a free command line utility called SendEmail. It has enough options to get the job done.
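If you would rather script the test send than use SendEmail, the following is an added example (not from the post) that hands a message to the local relay with Python’s smtplib. The relay host, port and addresses are placeholders. Before sending, it checks that the From: address is the mailbox entered in Outbound Security (or one of its aliases), because, as the comments below report, Exchange Online rejects any other sender with 550 5.7.1 and the relay then leaves a .BAD file in its queue.

```python
"""Send a test message through the local IIS SMTP relay (added example).

The relay host, port and addresses below are placeholders; replace them
with the mailbox from step 3 and a real recipient before running.
"""
import smtplib
from email.message import EmailMessage


def build_test_message(from_addr, to_addr, relay_account, aliases=()):
    """Build the test mail, refusing a From: that the smart host would reject.

    Per the post's comments, Exchange Online accepts MAIL FROM only for the
    mailbox configured in Outbound Security or one of its aliases; anything
    else comes back as '550 5.7.1 Client does not have permissions to send
    as this sender'. Checking locally saves the round trip and the .BAD file.
    """
    allowed = {relay_account.lower(), *(a.lower() for a in aliases)}
    if from_addr.lower() not in allowed:
        raise ValueError(
            f"From: {from_addr} is not the relay account or one of its aliases; "
            "Exchange Online will answer 550 5.7.1")
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "SMTP relay test"
    msg.set_content("Test message sent through the local IIS SMTP relay.")
    return msg


def send_via_relay(msg, relay_host="127.0.0.1", relay_port=25):
    """Hand the message to the local relay over plain SMTP on the LAN.

    The relay does STARTTLS and basic auth to the smart host itself, so the
    only thing this client has to satisfy is the relay's Connection/Relay
    restrictions from step 2, i.e. it must run on an allowed IP address.
    Returns smtplib's dict of refused recipients ({} means accepted).
    """
    with smtplib.SMTP(relay_host, relay_port, timeout=30) as smtp:
        smtp.ehlo()
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder values taken from the post's log excerpt.
    message = build_test_message("trusteduser@senddomain.com",
                                 "user@recdomain.com",
                                 relay_account="trusteduser@senddomain.com")
    refused = send_via_relay(message, relay_host="tnssync1.tnslab.org")
    print("relay accepted message" if not refused else f"refused: {refused}")
```

Run it from a host that appears in the relay’s Relay Restrictions list; the relay’s own SMTPSVC1 log then shows the outbound session to the smart host in the same form as the excerpt below.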

Once you send the email, check the logs to make sure that everything went through OK. When I enabled logging, I selected quite a few options because I’m not very familiar with IIS and didn’t know what I needed to record. I cleaned up the logs a little, but not enough. However, it’s enough for you to see what’s going on below.

EHLO - +tnssync1.tnslab.org 250 0 197 24 0 SMTP -
MAIL - +FROM:<trusteduser@senddomain.com> 250 0 41 28 0 SMTP -
RCPT - +TO:<user@recdomain.com> 250 0 33 30 0 SMTP -
DATA - +<792785.64453125-sendEmail@tnssync1> 250 0 120 720 16 SMTP -
QUIT - tnssync1.tnslab.org 240 31 68 4 0 SMTP -
220+smtp.mail.microsoftonline.com+Microsoft+ESMTP+MAIL+Service+ready+at+Sun,+9+May+2010+11:10:58+-0700 0 0 102 0 188 SMTP -
EHLO - tnssync1.tnslab.org 0 0 4 0 188 SMTP -
250-smtp.mail.microsoftonline.com+Hello+[75.228.236.136] 0 0 56 0 656 SMTP -
STARTTLS - - 0 0 8 0 656 SMTP -
220+2.0.0+SMTP+server+ready 0 0 27 0 1031 SMTP -
EHLO - tnssync1.tnslab.org 0 0 4 0 2281 SMTP -
250-smtp.mail.microsoftonline.com+Hello+[75.228.236.136] 0 0 56 0 2750 SMTP -
AUTH - - 0 0 4 0 2750 SMTP -
334+UGFzc3dvcmQ6 0 0 16 0 3063 SMTP -
235+2.7.0+Authentication+successful 0 0 35 0 3391 SMTP -
FROM:<trusteduser@senddomain.com>+SIZE=982 0 0 4 0 3391 SMTP -
250+2.1.0+Sender+OK 0 0 19 0 3531 SMTP -
RCPT - TO:<user@recdomain.com> 0 0 4 0 3531 SMTP -
250+2.1.5+Recipient+OK 0 0 22 0 3656 SMTP -
BDAT - 982+LAST 0 0 4 0 3656 SMTP -
250+2.6.0+<792785.64453125-sendEmail@tnssync1>+Queued+mail+for+delivery 0 0 71 0 4266 SMTP -
QUIT - - 0 0 4 0 4266 SMTP -
221+2.0.0+Service+closing+transmission+channel 0 0 46 0 4406 SMTP -

As you can see, the message went out to Exchange Online via TLS. To verify it even further, look at the header information in the email that you received. In the header you should see the following line:

Received: from tnssync1.tnslab.org (75.228.236.136) by
smtp.mail.microsoftonline.com (10.32.16.41) with Microsoft SMTP Server (TLS)
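The two checks the post makes by reading the log and the header can be automated. The following is an added example, not code from the post: it parses the cleaned-up SMTPSVC log lines above (the successful session is copied from the post; a rejected session is constructed from the 550 5.7.1 line the post quotes and the sender address from Jason’s comment), confirms that AUTH was issued only after STARTTLS was accepted, records whether the sender was accepted or rejected, and checks that the Received header records the hop into the smart host as TLS. The column layout assumed here is the post’s trimmed one, not the full W3C log format.

```python
"""Check an IIS SMTPSVC log of the relay's outbound session and the Received
header of the delivered mail (added example; the OK session is the post's own
log, the rejected session and the column handling are assumptions)."""
import base64
import re
from dataclasses import dataclass, field

# Copied from the post's cleaned-up log: the relay talking to the smart host.
SAMPLE_OUTBOUND_OK = """\
220+smtp.mail.microsoftonline.com+Microsoft+ESMTP+MAIL+Service+ready+at+Sun,+9+May+2010+11:10:58+-0700 0 0 102 0 188 SMTP -
EHLO - tnssync1.tnslab.org 0 0 4 0 188 SMTP -
250-smtp.mail.microsoftonline.com+Hello+[75.228.236.136] 0 0 56 0 656 SMTP -
STARTTLS - - 0 0 8 0 656 SMTP -
220+2.0.0+SMTP+server+ready 0 0 27 0 1031 SMTP -
EHLO - tnssync1.tnslab.org 0 0 4 0 2281 SMTP -
250-smtp.mail.microsoftonline.com+Hello+[75.228.236.136] 0 0 56 0 2750 SMTP -
AUTH - - 0 0 4 0 2750 SMTP -
334+UGFzc3dvcmQ6 0 0 16 0 3063 SMTP -
235+2.7.0+Authentication+successful 0 0 35 0 3391 SMTP -
FROM:<trusteduser@senddomain.com>+SIZE=982 0 0 4 0 3391 SMTP -
250+2.1.0+Sender+OK 0 0 19 0 3531 SMTP -
RCPT - TO:<user@recdomain.com> 0 0 4 0 3531 SMTP -
250+2.1.5+Recipient+OK 0 0 22 0 3656 SMTP -
BDAT - 982+LAST 0 0 4 0 3656 SMTP -
250+2.6.0+<792785.64453125-sendEmail@tnssync1>+Queued+mail+for+delivery 0 0 71 0 4266 SMTP -
QUIT - - 0 0 4 0 4266 SMTP -
221+2.0.0+Service+closing+transmission+channel 0 0 46 0 4406 SMTP -
"""
# Constructed: same session up to AUTH, but MAIL FROM is not the authenticated
# mailbox (the case Jason and Tim describe in the comments).
SAMPLE_OUTBOUND_REJECTED = "\n".join(SAMPLE_OUTBOUND_OK.splitlines()[:10]) + """
FROM:<networkoutage@company.com>+SIZE=982 0 0 4 0 3391 SMTP -
550+5.7.1+Client+does+not+have+permissions+to+send+as+this+sender 0 0 66 0 3531 SMTP -
QUIT - - 0 0 4 0 3531 SMTP -
221+2.0.0+Service+closing+transmission+channel 0 0 46 0 3700 SMTP -
"""
# Copied from the post's sample header of the received message.
SAMPLE_RECEIVED_HEADER = """Received: from tnssync1.tnslab.org (75.228.236.136) by
smtp.mail.microsoftonline.com (10.32.16.41) with Microsoft SMTP Server (TLS)"""

REPLY_RE = re.compile(r"^(\d{3})[ +-](.*)$")   # 3-digit code, then ' ', '+' or '-'

@dataclass
class SessionCheck:
    starttls_accepted: bool = False   # 220 reply to STARTTLS seen
    auth_over_tls: bool = False       # AUTH was issued only after that 220
    auth_ok: bool = False             # 235 2.7.0 Authentication successful
    sender_ok: bool = False           # 250 2.1.0 Sender OK
    sender_rejected: bool = False     # 550 5.7.1 (From: is not the relay's mailbox)
    queued: bool = False              # 250 2.6.0 Queued mail for delivery
    challenges: list = field(default_factory=list)  # decoded 334 SASL prompts

def parse_line(line):
    """Split one cleaned log line into ('reply', code, text) or ('cmd', verb, arg)."""
    tok = line.split()
    if not tok:
        return None
    m = REPLY_RE.match(tok[0])
    if m:                                # server reply; '+' stands for a space
        return "reply", int(m.group(1)), m.group(2).replace("+", " ")
    verb = tok[0].upper()
    if verb.startswith("FROM:"):         # the post's cleanup dropped the MAIL verb
        return "cmd", "MAIL", tok[0].replace("+", " ")
    return "cmd", verb, " ".join(tok[1:3])

def analyze_session(log_text):
    """Walk the command/reply sequence and record the security-relevant outcomes."""
    r, last_cmd = SessionCheck(), None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, a, b = parsed
        if kind == "cmd":
            last_cmd = a
            if a == "AUTH":              # credentials leave the relay here
                r.auth_over_tls = r.starttls_accepted
            continue
        code, text = a, b
        if last_cmd == "STARTTLS" and code == 220:
            r.starttls_accepted = True
        elif code == 334:                # base64 prompt, e.g. UGFzc3dvcmQ6 -> "Password:"
            try:
                r.challenges.append(base64.b64decode(text).decode("ascii", "replace"))
            except ValueError:
                r.challenges.append(text)
        elif code == 235:
            r.auth_ok = True
        elif last_cmd == "MAIL" and code == 250:
            r.sender_ok = True
        elif last_cmd == "MAIL" and code == 550:
            r.sender_rejected = True
        elif code == 250 and text.startswith("2.6.0"):
            r.queued = True
    return r

def received_header_shows_tls(header, smart_host="smtp.mail.microsoftonline.com"):
    """True if the hop into the smart host was recorded as a TLS connection."""
    flat = " ".join(header.split())
    return f"by {smart_host}" in flat and "(TLS)" in flat

if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_OUTBOUND_OK), ("rejected", SAMPLE_OUTBOUND_REJECTED)):
        print(name, analyze_session(log))
    print("received header shows TLS:", received_header_shows_tls(SAMPLE_RECEIVED_HEADER))
```

The point of the auth_over_tls flag is the one that matters for a relay holding a licensed mailbox’s password: if STARTTLS ever fails or is skipped, AUTH still appears in the log, but the credentials went out in the clear, and this check will say so.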

At this point, your server is set up to send messages to Exchange Online securely.

If you have any additional input or if I missed anything, please email me and let me know.

  • Jeff

    don’t you have to specify the smtp server somewhere? i.e. Smtp.mail.microsoftonline.com

  • Jason

    A followup to Jeff’s question, where did you put the smtp server information? I can’t seem to get the emails to go through

  • http://jimjacob.com jim

    @Jeff: You’re right! Thanks for catching that! I accidentally left that step out. I’ll update the post tonight to include that step.

    @Jason: On the Delivery tab > Advanced, the smarthost should read smtp.mail.microsoftonline.com like Jeff mentioned. The rest of the settings on that page should be fine with the defaults. I’ll update the entry with a picture a little later on.

  • Jason

    Thanks! Even after plugging those settings in it still wouldn’t work. What I had to do was make sure that the originating “sender” was the email address in bpos. So my network monitoring program sends emails out as “networkoutage@company.com” even though it’s not a real address. BPOS requires a legit email address name from the sender. That sucks because my juniper firewall doesn’t give me that option

  • http://jimjacob.com jim

    @Jason: It is possible to send from “fake” addresses – meaning email addresses that are not actual accounts. I sent you an email telling you how to do that. I’ll write up an entry tonight about that. It was actually on my to-do list.

  • Shaun

    Hi Jim,

    Had the same issue with Jason. How do you send emails that are not actual accounts?

  • http://jimjacob.com jim

    @Shaun: I finally got around to adding the entry (http://jimjacob.com/2010/05/24/send-email-to-bpos-from-a-fake-email-address/) on how to do that. It’s actually pretty simple.

  • Martin

    Alias is a good solution for devices/appliances on the network. Do you have a solution for an application server who has to send email using actual (real) internal email account?

    My understanding is that you will get the error “does+not+have+permission+to+send” if the sender account does not match the account or an alias of the account used for the TLS session.

  • Eric H

    This was a life saver for us when we discovered _after_ our BPOS migration that our ERP system did not have an option for using SSL. Thank you!

  • http://www.cortex.net Tim Rosenquist

    Hi Jim,

    I have followed both the instructions from BPOS and your notes above on a Windows Server 2008 sp2 32 bit server that we have also installed the Directory Sync tool on. I am not having any luck getting email to go out. I am always getting a .BAD email with:
    Diagnostic-Code: smtp;550 5.7.1 Client does not have permissions to send as this sender

    Of interest is that the LogFiles\SMTPsvc1\log file is not being created so I suspect there is some issue with the 2008 SMTP service. It appears that the service is not even attempting to contact BPOS, the failure is internal to the Server 2008 SMTP service. I have spent too much time on this configuration that I think I will try setting up the service on one of our Server 2003 domain controllers and see if it behaves as expected there. My feeling is it will work just fine there. Pity, as I was hoping that all email functions would be on one server.

    Thanks for your guidance and I am glad to hear it is working for some.

    Tim

  • http://www.cortex.net Tim Rosenquist

    Server 2003 behaved the same way. Eureka! The FROM: address must match the user address entered in Outbound Security.

    I didn’t make the connection to your “fake” email address blog entry AND I assumed that the FROM: could be ANY actual BPOS user.

  • Mark

    Jim, maybe you can help me: I am using bpos and have a network printer setup in the little office here, it prints through a print server running windows xp pro 32 bit. I have installed smtp relaying and have configured the setting per your document but when trying to scan to email the connection fails. any help would be great.

    thanks,

    Mark

  • Kit

    Can anyone please help me with setting up devices such as UPS and printers to send email (or text messages) to cell phones using the BPOS mail server?

    Thanks.

    Kit

  • Barclay

    Does the email address/account in the delivery tab | outbound security have to match the sender’s email address? I have some scripts that send out using a different return address than the exchange online account that I set up to use for this?

  • WhiteIsland

    Thank you! You’re my hero!!!

  • http://jaworskiblog.com jaworskiblog

    @Tim – I’m glad you posted this, I came across the same thing. Whatever the username is in outbound security, it has to match the username and/or an alias of the user on the application that is generating the message. Essentially the “from” address on the application that is generating the message has to be the same user that is configured in the smtp relay.

  • Mike

    Any chance for updating for IIS 7? It doesn’t appear to have an SMTP virtual server, at least that I can find.

  • Lenny Yu

    Hi Jacob,
    I followed your instruction steps exactly, however I am still not able to receive any email from either the sendemail tool or via the telnet session to the smtp server I set up on the windows 2003 box. Is there anything else I missed? The username I used to access the microsoftonline smtp server is a fully authorized user. I typed the whole email address as the username.

  • http://www.facebook.com/profile.php?id=1032037941 Josh Jondle

    You need to install the IIS 6 management console components and do everything from there.

  • http://www.facebook.com/profile.php?id=1032037941 Josh Jondle

    @1068273cfe403790ae66a8290c450786:disqus , I tried to follow the link below for sending emails from a different address than the licensed account, but the page was not found.  Do you have the steps?  I have the relay working, but I would like to be able to do that.

    Additional notes to ALL: Make sure your Domain is “Authoritative” in the domain tab in BPOS management. IF you haven’t fully migrated to BPOS yet and thus your “real domain” is not authoritative, use your @domain.microsoftonline.com domain as a test, because it is authoritative from the start.

    Ensure your test user is part of the above mentioned authoritative domain (@domain.microsoftonline.com) if needed. If you add a new domain and make it “default” in the interface, you may accidentally create a test user in the wrong domain instead of changing the drop down.

    Use this email address as both the FROM: address in your code/configuration and the User Account in the SMTP Outbound Authentication