Send mail to Exchange Online – Article Series
- Send mail to Exchange Online | Part 1#4
- Send mail to Exchange Online using standard SMTP session | Part 2#4
- SMTP Relay in Office 365 environment | Part 3#4
- SMTP Relay in Office 365 environment | Troubleshooting scenarios |Part 4#4
In the past, the main way to address Exchange Online server was by using the TLS protocol + provide user credentials.
This requirement posed great difficulty before the “external hosts” that need to use the Exchange Online services as a mail server because many times, the external host didn’t have the ability to support the TLS protocol or provide a particular user credential.
The good news is that we can choose an “easy path” which will enable the external host to address Exchange Online server and ask for mail services without the need for a complicated configuration.
The only condition we should fulfill is enabled Exchange Online to identify the “external host” by providing Exchange Online the public IP of this host.
The “identification mechanism” is implemented by creating an inbound mail connector which will include the IP address that used by the external hosts that address Exchange Online server.
In the following diagram, we can see a logical representation of the mail channel between the external mail-enabled host (web application, printer, fax device, etc.) and Exchange Online server.
Notice that the external hosts can address Exchange Online server to ask him to deliver an email message to Office 365 recipients or an external recipient (non-Office 365 recipients).
It’s important that we can differentiate between the logical channel versus the “physical channel”. In reality, the mail-enabled hosts don’t address Exchange Online directly, but instead via a gateway such as firewalls.
In other words, in fact, when mail enables host address the Exchange Online server, the external hosts are represented by the public IP address that is used by the firewall.
As mentioned, to enable Exchange Online to identify the external mail enable host so Exchange Online can “trust” them and provide them the required mail services. The Exchange Online server will need to configure in advance, with information about the particular IP address that will be used by the external mail-enabled hosts.
In the following diagram, we can see an example of a scenario in which the Firewall “represent” a couple of mail-enabled hosts.
The Exchange Online doesn’t need to “know” about the internal IP address of this host or the particular IP address of each mail-enabled host.
Instead, the Exchange Online server will know only about the public IP address that used by the firewall server who represent the particular network.
Exchange Online and EOP (Exchange Online protection).
In the current article, we relate to the Office 365 mail server “entity” as an Exchange Online server. If we want to be more accurate, the “real entity” that we address is the EOP (Exchange Online Protection) server.
The EOP server is the mail gateway and the mail security gateway that represents the Office 365 mail infrastructure.
Throughout this article, I use both terms in parallel.
The configuration of a mail flow in which our mail-enabled hosts will use Exchange Online as their mail server based on the following steps:
- Get the host name of the Exchange Online server that represents our domain name.
- Get the Public IP address that represents the mail-enabled hosts
- Create a new inbound Exchange Online mail connector that will identify the IP address of this host as “trusted.”
- Optional – in case that we experience a problem in which the E-mail message doesn’t send to the destination recipient or doesn’t accept by Exchange Online server, we can use a simple SMTP test to verify that we can communicate with the Exchange Online server using SMTP protocol.
In the following section, we will review each of these steps in details.
Step 1#4 – Get the host name of the Exchange Online server who represents our domain in Office 365.
There are a two ways that we can use to get information about the FQDN (Fully Qualified Domain Name) of the Exchange Online that “send E-mail for our domain.”
Option 1: Office 365 administrate portal.
- Log in to Office 365 portal as global administrator
- On the left sidebar – choose the domain
- Choose – Manage DNS
Under the Exchange Online section, look for information about the MX record hostname (POINTS TO ADDRESS). In our scenario, the Exchange Online server who will “represent” our organization is: o365info-com.mail.protection.outlook.com
Option 2: using the nslookup tool.
Another option for getting information about the “Host name” of the Exchange Online mail server that “represent” our organization is: by using the nslookup tool.
- Open the command prompt
- Type the command: Nslookup
- Type the command: set type=mx
- Type the name of the domain that you want to display his MX record. In our scenario: com
In the following screenshot, we can see the result of our MX query.
In our example, the host name of the Exchange Online server who represents our domain is: o365info-com.mail.protection.outlook.com
Step 2#4 – Get the Public IP address that represents the mail-enabled hosts
To be able to configure the required Exchange Online incoming mail connector, we will need to Prepare in advance the public IP address that is used by the mail-enabled hosts.
In case that the external mail-enabled hosts are the host that located on your network, you can consult the technical contact who is responsible for the firewall infrastructure what the IP address is\s that represents the organization.
A simple option that will enable you to discover the public IP address that represents a particular desktop or network is by using your browser and type the query – what is my IP.
In the following screenshot, we can see an example of the answer that we got.
Its import net to emphasize that this is not a “definite answer” because, in many scenarios, the network is represented by more than one public IP address.
In a scene in which the mail-enabled host is a web application that is hosted by external ISP, consult your ISP and ask him regarding the public IP or the public IP range that he uses.
Step 3#4 – Create a new inbound Exchange Online mail connector that will identify the IP address of this host as “trusted”
In the following section, we will provide a step by step instruction on how to create the required Exchange Online incoming mail connector.
Metaphorically, we can relate to the Exchange Online incoming mail connector as an “ear” that listens to the communication request of the mail-enabled hosts.
- Log in to Exchange Online admin center
- On the left menu bar choose – Mail flow
- On the top menu bar choose – connectors
- In the From: option box, choose the option: Your organization email server
- In the To: option box, choose the option: Office 365
In the *Name: box type the name whom you choose.
The Description: box is optional, but I recommended adding a detailed description that will help us in the future (or other IT members) to easily understood the purpose of the Exchange Online mail connector.
In the following screenshot, we can see that we can “authenticate” the external mail-enabled hosts by using one of the following options.
- Server certificate
- IP address
In our scenario, we need to identify the external mail-enabled hosts by using the option of IP address.
Choose the option – By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization
Click on the plus icon to add the IP address.
In the following screenshot, we can see the IP address that “represent” our external mail-enabled host.
In the following screenshot, we can see the result, the IP address that is “allowed” by the Exchange Online server.
In the following screenshot, we can see the summary information about the new Exchange Online incoming mail connector.
In the following screenshot, we can see the final result. A new incoming mail connector created.
Step 4#4 – Verifying communication with Exchange Online
Technically speaking, the task of creating the required configuration for enabling our hosts to address Exchange Online server are completed.
In many scenarios, the task will not be completed because there could be some obstacles such as:
- A firewall that doesn’t include “outbound rule” that will allow the mail-enabled device to the communication Exchange Online server using port 25
- Spelling mistake of the Exchange Online host name
To be able to verify that we can implement the communication channel between the source (the mail-enabled hosts) and the destination (the Exchange Online server), we can simulate the communication channel by trying to telnet from our network (the network the hosts the mail-enabled hosts) to the Exchange Online server and verify if we can create the required communication channel.
In the following section, we will demonstrate how to communicate the Exchange Online server using telnet client and friendly GUI telnet client.
Verifying communication with Exchange Online using Telnet
In case that you want to check or simulate the communication channel to the EOP server using a “standard SMTP session,” you can try to send E-mail via EOP using Telnet session.
In the following section, we will demonstrate how to use Telnet client for verifying the communication channel with EOP.
Note – the Telnet client is not installed by default in the Windows OS, you will need to install the Telnet client.
- Windows 2008 – use the Server manager ==> add feature option and, then add Telnet client.
- Window 7,8 – control panel ==> Programs and features ==> Turn Windows features on or off and then, add Telnet client.
- Another option is to run the following command from the command prompt: pkgmgr /iu:”TelnetClient”
In our example, the host name of the EOP that represents the domain name: o365info.com is: o365info-com.mail.protection.outlook.com
Open a new command prompt and type the Telnet command using the following syntax:
Telnet <Host name> <port>
In our example: Telnet o365info-com.mail.protection.outlook.com 25
In the following screenshot, we can see the result, the answer from the EOP server appears on the screen:
220 AM1FFO11FD029.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sun, 3 May 2015 08:26:10 +0000
At this stage, we can know that
- We know to “right hostname” of the EOP server that represented our domain.
- That the EOP server name was successfully resolved to an IP address.
- That we can create an SMTP session (the firewall enables us to use SMTP, etc.).
In our scenario, we will send an E-mail message to a recipient named: firstname.lastname@example.org
To simplify the test process, we will use the E-mail address of John also as the “source E-mail address”.
In simple words: we will simulate a process in which John sends E-mail to himself by addressing the EOP server.
1. Starting an SMTP session
The first command that we use for starting the SMTP session with the EOP server is:
The result is an answer that sends from the EOP server:
250 AM1FFO11FD029.mail.protection.outlook.com Hello [22.214.171.124]
2. Define the source recipient
In our scenario, the source recipient is: email@example.com
The Telnet commands that we use for configuring the source recipient is:
The EOP server reply is:
250 2.1.0 Sender OK
3. Define the destination recipient
In our scenario, the destination recipient is also: firstname.lastname@example.org
The Telnet command that we use for configuring the destination recipient is:
The EOP server reply is:
250 2.1.5 Recipient OK
4. Create the E-mail message content
To be able to “tell” the destination mail server that we want to enter the E-mail message content, we use the command: data
The EOP server reply is:
354 Start mail input; end with <CRLF>.<CRLF>
5. Ending the SMTP session
To be able to “tell” EOP server that we want to end the session and send the E-mail message, we use the period charter:
In our example, we see the response of the EOP server. The message “Queued mail for delivery” is usually a good sign.
The meaning is that the destination mail server agrees to accept our E-mail message and, the E-mail message was placed on the mail server queue.
250 2.6.0 <f9b0d90a-b4b6-4d72-9a7d-0a5c92b71960@AM1FFO11FD029.protection.gbl>
[InternalId=13370233193878, Hostname=HE1PR05MB1146.eurprd05.prod.outlook.com] Queued mail for delivery
Verifying the SMTP communication channel with Exchange Online
Another way that we can use for: Verifying the SMTP communication channel with Exchange Online and for getting more detailed information in a communication failure scenario is a very nice and useful tool named: Basic SMTP Telnet Client
All you need to do is just double-click on the EXE file.
In the following section, we will demonstrate how to use the Basic SMTP Telnet Client tool for creating an SMTP session with the Exchange Online server.
Scenario description: in our example, we will address the Exchange Online server who represents the o365info.com domain name, and we will send the email message from: email@example.com to himself.
- Receive Connector IP – in our example, we will use the Exchange Online server hostname: o365info-com.mail.protection.outlook.com
- TCP Port – type 25 as the port number
- Mail form: The E-mail address of the “source recipient” (in our scenario firstname.lastname@example.org)
- Recipient to: The E-mail address of the “destination recipient” (in our scenario email@example.com)
- Subject: any text that you would like
To be able to send the E-mail message we need to move on to the “Telnet” tab
- Click on the SEND button.
In the following screenshot, we can see the log of the SMTP session.
We can see information about the source and the destination recipients.
We can assume that the mail delivery completed successfully because in the Log file we can see the information: “Queued mail for delivery.”
It is important for us to know your opinion on this article