SMTP relay using Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is a service which you can buy from Microsoft; they also offer a one-month trial. You can use EOP with your on-premises Exchange as a mail gateway for both inbound and outbound mail. If you have Office 365 with Exchange Online, you already use EOP, so you can make use of its features and relay mail through it from an IIS SMTP server. Why relay mail through EOP rather than send directly? Because EOP scans outbound mail before it leaves, so what goes out is clean and you keep the security benefits of the service for mail your applications send.

You can also relay mail from Office 365 itself, but this has a major limitation: you can't send mail from any domain you like, only from domains that have been set up as 'accepted domains' in your Office 365 tenant. In other words, you need to prove ownership of the domains you wish to send on behalf of. In contrast, EOP doesn't care: you can send/relay mail from any domain you wish. But don't forget to add an SPF TXT record to the DNS of each domain you send on behalf of, so that receiving servers can verify that your relay is legitimately authorised to send for it.
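As an added check (not part of the original post), the following PowerShell script confirms that a sending domain's published SPF record authorises both the relay server's public IP and EOP. The domain and relay IP are assumed placeholder values; spf.protection.outlook.com is the SPF include Microsoft publishes for Office 365/EOP.

```powershell
# Added example (not from the original post): verify the SPF TXT record of a domain
# you relay on behalf of lists the relay's public IP and the EOP include.
# $Domain and $RelayIp are constructed placeholders; substitute your own values.
param(
    [string]$Domain  = 'contoso.com',
    [string]$RelayIp = '203.0.113.25'   # constructed placeholder, not a real relay
)

# Only the TXT record that starts with v=spf1 is the SPF policy; long records may be
# split into several strings, so join them before inspecting.
$txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
    Where-Object { ($_.Strings -join '') -match '^v=spf1' } |
    Select-Object -First 1
if (-not $txt) { throw "No SPF record found for $Domain" }

$spf   = $txt.Strings -join ''
$terms = $spf -split '\s+'
Write-Host "SPF for ${Domain}: $spf"

# A simple term match: an ip4: range that covers the relay (e.g. ip4:203.0.113.0/24)
# would also be valid, so treat a failure here as a prompt to look, not a verdict.
$checks = [ordered]@{
    'relay IP listed as ip4: term'   = $terms -contains "ip4:$RelayIp"
    'EOP include present'            = $terms -contains 'include:spf.protection.outlook.com'
    'record ends with -all or ~all'  = $terms[-1] -in '-all', '~all'
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
}
```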

There are several things you will need to do for an SMTP relay solution using EOP. The following are the steps I took, which worked for us:

  1. Dedicate a Windows Server 2012 virtual machine hosted in Windows Azure
  2. Have a tenant account with Office 365/Exchange Online (which comes with EOP), or buy the EOP service by itself
  3. Set up an inbound connector in EOP
  4. Obtain an SSL certificate; you need this for the secure TLS connection between your IIS SMTP server and EOP

The steps I took here were based on a recent webcast done by Frank Brown of Microsoft listed here. If you download and look at the PowerPoint presentation, I am focusing on the last solution, solution number 3 in the slides. However, I have added some more detail based on my experience.

Dedicate a Windows Server 2012 server to use for SMTP relay

This server will be used as your IIS SMTP server, aka the SMTP relay server. For my example, I used a virtual machine hosted with Windows Azure.

On your Windows Azure hosted SMTP server, you will need to install IIS SMTP. Some of the steps listed below are taken from the Microsoft article How to set up an SMTP relay in Office 365.

Create the external hostname and firewall rule

  • In your Windows Azure management portal, you need to allow for Port 25 inbound to your server. With Windows Azure, this is called an Endpoint.


  • You’ll need to get the external IP address of your hosted server and create a DNS record both internally and externally which points to this IP address, or external DNS only if you don’t have an internal DNS infrastructure. The external IP address of your VM can be found in the Windows Azure portal under the virtual machines dashboard. In this example, I will use smtp.contoso.com which will point to my allocated IP address.

    * Whatever you do, don't shut down the virtual machine from the Azure console. If you do, the VM is de-allocated, and when you power it back up its public IP address will change.

    * I had a problem with the external IP address I was allocated by Windows Azure for my IIS SMTP relay server: it was listed on some spam blocklists, and as a result EOP wouldn't even let me relay from it. So beware. If this happens, not only will you need to remove the IP address from the blocklists, but also from Microsoft's own list, by sending email to delist@messaging.microsoft.com

IIS installation

  • Start Server Manager, click Features, and then click Add Features.
  • On the Select Features page, select the SMTP Server check box. If you’re prompted, click Add Required Role Services.

    Note: This step automatically installs all prerequisite roles and features, including IIS (if they're not already installed).

  • On the Select Features page, click Next. Then, on the Web Server (IIS) page, click Next.
  • On the Select Role Services page, make sure that the following role services check boxes are selected, and then click Next:
    • The ODBC Logging check box under Health and Diagnostics
    • The IIS Metabase Compatibility check box in IIS 6 Management Capability under Management Tools
    • The IIS 6 Management Console check box in IIS 6 Management Capability under Management Tools
  • On the Confirm Installation Selections page, click Install.
  • After the SMTP Server installation is completed, click Finish.
  • Open IIS 6.0 Manager, right click Default SMTP Virtual Server, and then click Properties.


  • Click the Access tab, and then click Relay.
  • In the Select which computers may relay through this virtual server area, click Only the list below, and then enter the IP addresses of the on-premises LOB devices and application servers that will relay through the SMTP server.

    Warning: Make sure that you enter only the IP addresses of the devices and servers that you trust. This setting lets you relay mail that's coming from these sources to any destination. In effect, this makes the on-premises server that's running IIS an open relay for those sources.

  • On the Access tab, click Connection and enter the IP addresses of the devices and servers that are allowed to connect to the SMTP server. This is similar to the relay list but sits one level above it: unauthorised hosts are rejected at connection time, before they can even attempt to relay.


  • On the Access tab, click Authentication, make sure that the Anonymous access check box is selected, and then click OK.


  • Click the Delivery tab, click Advanced, and then, under Smart host, enter the SMTP endpoint for the tenant domain. This is the same host as your MX record (e.g. contoso-com.mail.protection.outlook.com).


  • On the Delivery tab, click Outbound Connections.
  • In the TCP Port box, type 25, and then click OK.


  • On the Delivery tab, click Outbound Security, and then follow these steps:
    • Click Anonymous Access
    • Select the TLS encryption check box, and then click OK.

  • Right click Domains, and then click New > Domain.

  • Select Remote and click Next.


  • Enter the name of the remote domain you want to send/relay to, and click Finish.

  • Right click on the domain you just created, then click Properties. On the General tab, enter the same smart host value as you did previously, then click OK.

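To confirm that the path the TLS encryption setting above depends on actually works, here is an added PowerShell check (not code from the original post): it connects to the smart host on port 25, verifies STARTTLS is offered, negotiates TLS with the default .NET certificate validation and reports what was negotiated. The smart host and HELO name are assumed values; use your tenant's MX host and your relay's FQDN.

```powershell
# Added example (not from the original post): confirm the EOP smart host offers
# STARTTLS and that a TLS session negotiates, which is what the
# "Outbound Security -> TLS encryption" setting depends on.
# $SmartHost and $HeloName are assumed; use your MX host and the relay's FQDN.
param(
    [string]$SmartHost = 'contoso-com.mail.protection.outlook.com',
    [string]$HeloName  = 'smtp.contoso.com'
)
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Collect a reply that may span several lines; the last line has a space after the code.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by remote host' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return $lines
}
$client = New-Object System.Net.Sockets.TcpClient($SmartHost, 25)
$net    = $client.GetStream()
$reader = New-Object System.IO.StreamReader($net)
$writer = New-Object System.IO.StreamWriter($net)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

$banner = Read-SmtpReply $reader
if ($banner[-1] -notmatch '^220 ') { throw "Unexpected banner: $($banner[-1])" }
$writer.WriteLine("EHLO $HeloName")
$ehlo = Read-SmtpReply $reader
if (-not ($ehlo -match '^250[- ]STARTTLS')) { throw 'Smart host does not advertise STARTTLS' }
$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply $reader
if ($reply[-1] -notmatch '^220 ') { throw "STARTTLS refused: $($reply[-1])" }

# Upgrade the socket; the default callback validates the remote certificate chain
# and host name, so a failure here points at a certificate problem, not at IIS.
$ssl = New-Object System.Net.Security.SslStream($net, $false)
$ssl.AuthenticateAsClient($SmartHost)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$result = [pscustomobject]@{
    SmartHost   = $SmartHost
    Protocol    = $ssl.SslProtocol
    CertSubject = $remote.Subject
    CertExpires = $remote.NotAfter
}
# Say goodbye over the encrypted channel, then report.
$tlsWriter = New-Object System.IO.StreamWriter($ssl)
$tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
$tlsWriter.WriteLine('QUIT')
$client.Close()
$result
```

Run it from the relay server itself so the test leaves from the same public IP that EOP will see.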

Setup an inbound connector in EOP

Log on to your online tenant account at http://portal.microsoftonline.com. Under the Admin menu at the top, select Exchange, and then click the Mail Flow link on the left. Click Connectors, and then click Add.

In the New Inbound connector window, enter the following information:

Name: Choose a unique name for the Inbound connector.
Connector type: Choose On-premises.
Connection security: Choose Force TLS, and specify the certificate subject name of the certificate that you will install on your IIS SMTP relay server.

Under Domains, click the Add Icon. In the resulting Add domain window, enter * to apply the connector to all of your sending domains. Under IP addresses click the Add Icon, and in the resulting Add IP address window, add the external IP address of your IIS SMTP server.


SSL certificate

You need the SSL certificate for the TLS communication. The easiest way to obtain one is to create a file called RequestConfig.inf on the IIS SMTP server's C:\ drive.

Populate this file with the following information, changing the CN to suit your own domain. Save and close the file.

[NewRequest]
; The CN must match the certificate subject name you give the EOP inbound connector
Subject="CN=smtp.contoso.com"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
; Create the key in the machine store so the SMTP service can use it
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2

Run the following command from a command prompt:

certreq -new -f RequestConfig.inf BinaryRequest.req

This creates a certificate request file for a single-domain SSL certificate, which you can use to obtain a certificate from your favourite provider. We use Go Daddy.

Once the certificate has been approved and generated, add this certificate to the local computer personal certificate store.
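Because the inbound connector is set to Force TLS and matches on the certificate subject name, a mismatched CN, a missing private key or a missing EKU on the relay is a common reason the relay fails silently. The following PowerShell check is an added example (not from the original post) that inspects the local computer personal store for the certificate and reports those problems; the expected CN is an assumed value.

```powershell
# Added example (not from the original post): verify that the certificate in the
# local computer personal store is the one the EOP inbound connector (Force TLS,
# matched on certificate subject name) will accept from this relay.
# $ExpectedCN is assumed; it must equal the subject name you gave the connector.
param([string]$ExpectedCN = 'smtp.contoso.com')

$serverAuth = '1.3.6.1.5.5.7.3.1'   # the two EKU OIDs requested in RequestConfig.inf
$clientAuth = '1.3.6.1.5.5.7.3.2'
$cnPattern  = "(^|,\s*)CN=$([regex]::Escape($ExpectedCN))(,|$)"

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $cnPattern }
if (-not $certs) { throw "No certificate with CN=$ExpectedCN in LocalMachine\My" }

foreach ($cert in $certs) {
    # Pull the EKU OIDs actually present on the issued certificate.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'no private key (request completed on another host?)' }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    if ($cert.NotAfter  -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
    if ($ekus -notcontains $serverAuth) { $problems += 'Server Authentication EKU missing' }
    if ($ekus -notcontains $clientAuth) { $problems += 'Client Authentication EKU missing' }
    if (-not $cert.Verify())            { $problems += 'chain does not validate on this host' }
    $status = if ($problems) { $problems -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}
```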


8 Comments

  1. Great walkthrough! Our company specializes in O365 Enterprise migrations and deployments, and it's nice to be able to show this to their local IT on how the process works. The only thing that me and my colleagues disagree on however is creating a separate Inbound connector for SMTP relay. Why not just use the existing Hybrid connector that gets created? It already is bound to an SSL certificate and saves the headache AND the cost?

  2. Yes, good point. I guess I have always been the type to not mix things, like with servers: one server provides a single task. Some people like to have servers do many things. No right, no wrong, it's how I have always done things.

  3. Keep in mind that with an Azure machine as your IIS SMTP server, the IP address is never static (until recently in Azure, where you can reserve IP addresses, which is supported through Regional VNets), which means your relaying will not work when EOP sees the SMTP connection coming from a different IP other than 203.169.105.98 (from the screenshot).

  4. Thanks for the very useful guide! I do have a question for you. In an MS presentation by engineer Frank Brown on this topic, he mentions updating your SPF record to include the public IP of the originating (relay) server. Your instructions do not mention that, so I am wondering if it will work without updating the SPF record because I have been unsuccessful in getting an on-prem relay to work and the only thing (as far as I can tell) I have not done is update the SPF record. Thanks!

  5. hey there and thank you for your information – I have definitely picked up something new from right here. I did however expertise several technical issues using this website, as I experienced to reload the website a lot of times previous to I could get it to load correctly. I had been wondering if your web hosting is OK? Not that I am complaining, but sluggish loading instances times will often affect your placement in google and can damage your high quality score if ads and marketing with Adwords. Well I am adding this RSS to my email and could look out for much more of your respective interesting content. Make sure you update this again soon.
