After the migration to Office 365 (Exchange Online) users complain that they stop to get a mail message from a Fax device located within the organization Office. You start to investigate this issue, check the Fax device settings.
Everything looks O.K and still, email messages that send by the Fax device don’t reach their destination. mmmm …., what happened? The little thing that we forgot is that, until now, Mail enabled Devices\Application was configured to connect the on-premises Exchange server.
Before we can restore the ability of the Mail enabled Devices\Application to send mail to the organization recipient (that located in the cloud) we will need to face a number of “obstacles.” Fear not, there is a solution!
In this article, we will discuss the reason for using IIS SMTP relay configuration when using Office 365 subscriptions, the required configuration and in the last part we will demonstrate how to troubleshoot common mail flow scenarios.
|Expand All Headers||Collapse All Headers|
Part 1: Basic introduction to Mail relay scenarios.
LAN Mail enabled devices\application and Exchange on Premises configuration
When using Exchange on Premises as an SMTP server (Mail relay) for: Mail enabled Devices\Applications, The basic assumption is that: LAN environment considered as a “safe” (isolated from the external network). For this reason, the common characters of the communication between the Mail enabled Devices\Applications and the on premises Exchange server are:
- Communication channel
The Mail enabled Devices\Applications communicate with the premises Exchange server using the SMTP protocol (non-encrypted communication).
Most of the time, the Mail enabled Devices\Applications doesn’t use or authentication mechanism (Anonymous authentication).
- IP Address restriction
In some cases, if the administrator wants to implement a basic security mechanism, the on premises Exchange server is configured to accept anonymous SMTP connection only from a specific predefined IP address.
LAN Mail enabled devices\applications and Exchange Online
When dealing with a public network such as the cloud (Exchange Online), the characters of the communication channel are based on different requirements:
- Mail server Verse the Exchange on Premises
When using the Exchange Online infrastructure, we cannot use a custom setting such as a receive connector that enables to configure the communication channel between the LAN Mail enabled Devices\Applications and the Exchange Online. An additional factor is, that we don’t know what the Exchange Online server IP is.
- Communication channel
The communication channel between the Mail enabled Devices\Applications and the Exchange Online is created using a public network infrastructure (non-trusted environment). In Exchange Online environment, there is a mandatory requirement for a secure communication channel (encryption) between the two end points (Hosts who need to relay mail messages to Exchange Online recipients).
In the Exchange Online environment, there is no option for relaying mail to the Office 365 recipients without an authentication. In other words, anonymous authentication is not supported.
Relaying mail to Exchange Online
When we want to enable mail enabled Devices\Applications to relay mail to: Exchange Online, we will need to implement the following requirements:
- Secure communication channel
The secure (encrypted) communication channel is created using the TLS Protocol (port 587 or Port 25).
The “Host” that wants to relay mail to the Exchange Online will need to provide credentials (user name + password) using the basic authentication protocol.
- Mail server IP address\Host name
The “Host” that wants to relay mail to the Exchange Online, will need to know what is the IP address\host name, of the Exchange Online server.
To implement these requirements, we can use one of the following scenarios:
Scenario 1: Mail enabled devices\application connect directly with the Exchange Online
In case that the Mail enabled Devices\Applications support the use of authentication and TLS communication, we can configure this Hosts to communicate directly with the Exchange Online server. The less good news is that: most of the time, Mail enabled Devices\Applications doesn’t support these requirements.
Scenario 2: using the IIS SMTP relay server
In case that the Mail enabled Devices\Applications doesn’t support the mandatory requirement (TLS & Authentication) or in case that we want to use centralized\managed solution, we can use the scenario of SMTP relay server.
The IIS SMTP Server is a built-in component in each of the Windows based OS such as Windows 7, Windows server 2008, 2012).
The IIS SMTP server can use as a mail relay or “Intermediary” between the LAN Mail enabled Devices\Applications and the Exchange Online server.
The IIS SMTP server, can answer the need for the mandatory requirements of Exchange Online for: TLS & Authentication. In the scenario, the IIS SMTP server will be configured with two “interfaces”:
- The interface that accepts requests from LAN Mail enabled Devices\Applications This “interface,” will allow\accept the mail relay requests from LAN Mail enabled Devices\Applications, without the need for authentication ( anonymous) and the communication channel that we use for communicating with the LAN Mail enabled Devices\Applications is based upon the SMTP protocol ( no need for encryption).
- The interface that communicates with the Exchange Online – The other “leg” or interface will be used by the IIS SMTP server for the communication with the Exchange Online using: TLS and implement the requirements for authentication.
Part 2: implementing IIS SMTP relay
In the following section, we will review all the settings and pre requirements that we need to implement for using IIS SMTP as a mail relay server.
SMTP Relay pre requirements
1. IIS SMTP User credentials
The credentials that the IIS SMTP use for communicating with the Exchange Online, could be any Office 365 user credentials that have a valid license (license for Exchange Online Mailbox). There is no need for purchasing a “detected” license for this purpose. The only “issue” that we should consider regarding the recipient name(the Office 365 users that we use for authenticate to the Exchange Online server) is that: by default, each of the messages that will be relayed to the Exchange Online server will include this recipient name in the from field.
For example: in case that we use to configure the IIS SMTP server to use the credentials of an Office 365 users named: John, each of the messages that will be sent from an LAN Mail enabled Devices\Applications to: other Office 365 recipients, will be displayed at the destination recipient as a mail message that sent by “John.”
Later on, we will review the scenario in which the LAN Mail enabled Devices\Applications use different mail address and how to enable the IIS SMTP to send email “on behalf” this Hosts.
2. Firewall settings
To enable the IIS SMTP server to create a communication channel to the Exchange Online, we need to create in the organization Firewall, outbound rule which allow the IIS SMTP to use TLS (port 587 or Port 25).
3. Exchange Online server Host name
To be able to refer the Exchange Online server, Office 365 use a general Host name: smtp.office365.com
in case that you want to find the information about the Exchange Online server name, use the following instructions
- Logon to Office 365 portal
- In the top menu choose – Outlook
- Click on the Settings icon
- Choose the Options menu
- on the left side menu bar choose the account menu
- in the bottom on the page, click on the Settings for POP or IMAP
In the windows that appear, look for the section: SMTP Settings.
Here you can find the Exchange Online server name (smtp.office365.com) and additionally, we can see that there is a mandatory requirement for using TLS protocol ( port 587 or port 25).
Installing and configuring the IIS SMTP server
In the following section we will demonstrate how to install IIS SMTP server on a windows 2008 server.
Step 1: install IIS Server
- Open Server Manager Console and under Features select Add Features
- Select the option of: SMTP Server
(The reset of the installation process is just next, next etc.)
Step 2: IIS SMTP Service
By default the IIS SMTP service, is not started and the startup type is: manual
- We will need to change the default setting to: Automatic.
Double click on the SMTP Service: Simple Mail Transfer Protocol (SMTP) and, change the Startup type to: Automatic
- Start the IIS SMTP service (SMTPSVC)
Step 3: IIS SMTP Server MMC
The management console for the IIS SMTP is Internet Information Services 6.0.
( There is no option of managing the IIS SMTP using the “standard” IIS 7 management console). we can find the IIS 6.0 Manager under Administrative Tools -> Internet Information Services 6.0
IIS SMTP relay Configurations
In the following section we will review all of the required settings for configuring the IIS SMTP server as an “SMTP Relay”.
1. IIS SMTP relay “LAN interface
The first part relates to the: settings for the interface or the “IIS Leg” that serves the LAN Hosts (Mail enabled Devices\Applications).
Open the IIS SMTP management console, right click on the
[SMTP Virtual server #1] and choose: Properties
Access tab – Authentication
Select the Access tab -> Authentication
Access tab – Relay
The “relay” settings use for configuring the IP address of the: Mail enabled Devices\Applications that will communicate (relay mail) to the IIS SMTP server.
In our example, we have two hosts who need to send mail to the IIS SMTP server:
Help Desk application that installed on a workstation with the IP address 10.100.102.2 and, FAX device that uses the IP address: 10.100.102.3
To enable this Hosts to send (Relay) mail to the IIS SMTP server, we will need to add this IP address to the “allowed list.”
Select the Relay tab -> Relay option.
In the Relay restriction window, add the IP address of the Mail enabled Devices\Applications that will communicate (relay mail) to the IIS SMTP server.
2. Troubleshooting Really permissions
2. IIS SMTP relay “Exchange Online interface”
In this section, we will create the required settings that enable the IIS SMTP server to relay mail messages to the Exchange Online server.
The Delivery tab use for: configure the IIS SMTP “interface” that communicate with the Exchange Online server.
Select the Delivery tab -> Outbound Security option.
In the Outbound Security window select the option: Basic Authentication
We will need to provide the Office 365 user credentials which have Exchange Online Mailbox.
In our example, we will use the credentials of a user named: John@o365info.com
Select the Delivery tab -> Outbound Security option.
In the Outbound Security window select the option: TLS encryption (For creating a secure communication channel to Exchange Online).
Select the Delivery tab -> Outbound connection option.
The TLS port number that we use for communicating with the Exchange Online is:25 (or Port 587)
(Please verify that the organization Firewall will have the required outbound rule that will enable the IIS SMTP Server to use this port ).
Select the Delivery tab -> Advanced option
In the Smart host text box we need to provide the Exchange Online server name .
The section of: Fully qualified domain name is not a mandatory requirement. You can add the FQDN of the IIS SMTP server.
Part 3: Enable the IIS SMTP relay to send mail on behalf other Email address
After creating the required setting for the IIS SMTP relay, we will need to solve additional issue that can be described as: Enable the IIS SMTP relay to send mail on behalf another Email address.
For the demonstration purpose, let’s use the following scenario:
We want to enable two internal Hosts, to send email using the IIS SMTP server.
One Host is a Help desk application that uses the Email address: HelpDesk@o365info.com, and the other host is a Fax machine that uses the use the email address: FaxService@o365info.com
In case that this Hosts will try to relay mail to the IIS SMTP server, that mail message will be rejected by the Exchange Online server because: by default, a recipient( in our example: John@o365info.com) cannot send email “on behalf” other recipient’s ( in our example: FaxService@o365info.com and HelpDesk@o365info.com).
The good news is that we don’t need to create a user account and Mailbox that will “represent” these Hosts, who will relay mail to the IIS SMTP Server.
To enable the IIS SMTP server to send email for this Hosts, we can choose one of the following solutions:
1. Using distribution group and assign “Send as permissions”
This solution is based on creating a distribution group for each of the Hosts who needs to relay email to the IIS SMTP server. The distribution group will be configured as: security group (a Security\Distribution group). The next step is: assigning “Send as permission” for the recipient whom the IIS SMTP Server use for authentication (in our example: John@o365info.com). The send as permission could be assigned by using the Web interface or by using a PowerShell command.
- Log in to Office 365 portal, in the Admin menu choose the option: Exchange
- In the Exchange admin center choose the recipient menu –> groups
- Click on the “Add” option and choose the Security group option.
- In our example, we will name the new security-distribution group as: FaxService
- Double click on the name of the new security-distribution (FaxService) and choose the menu – group delegation.
- Click on the add option and, add the recipient name that we use for the IIS SMTP credentials (in our example: John).
We will need to repeat this procedure, for each of the LAN Hosts that will need to relay email using the IIS SMTP Server.
Assign “Send As” Permissions for a Mailbox/Distribution group
PowerShell command syntax:
2. Add additional Email address ( Alias)
An additional option that we can use ( instead of the security\distribution group solution) is: add the email address that will be used by the LAN Mail enabled Devices\Applications as an additional email addresses (Alias) for the recipient who is used by the IIS SMTP Server.
In our example, we will add two additional email address to the recipient named: John
- Log in to Office 365 portal, in the Admin menu choose the option: Exchange
- In the Exchange admin center choose the recipient menu –> mailboxes
- Choose the recipient name that is used by the IIS SMTP Server (in our example- John).
- Click on the “add” option
- In the Mailbox properties choose the option: Email address.
- In our example, we will add to “John Mailbox” additional two email addresses ( Alias): FaxService@o365info.com and HelpDesk@o365info.com
Part 4: Testing IIS SMTP Relay mail flow
Test IIS SMTP Relay settings
In this section, we will review: how to test the IIS SMTP Relay mail flow. One option is: trying to send email using the LAN Mail enabled Devices\Applications but in case that there is a problem that prevents from the LAN Mail enabled Devices\Applications to send mail using the IIS SMTP server, it’s hard to find the cause for the problem.
The preferred way that I recommend is to: use a nice free mail client tool named: Basic SMTP Telnet Client, that enables us to simulate the mail flow and in case that there are problems, we can use the option of “debug” ( enable step by step sending) option to get information about the specific cause for the problem.
In the following section, we will demonstrate how to test the IIS SMTP relay infrastructure by using the Basic SMTP Telnet Client.
Test 1: testing the ability of the IIS SMTP server to relay mail to Office 365 recipient
In the Telnet properties tab we will configure the required setting for the communication with the IIS SMTP Server.
Telnet tab – click on the Send button
To verify that the mail message was sent to the destination recipient, log in to the destination recipient mailbox and check if the mail was accepted.
In case that the mail was not sent to the destination recipient, we can use the option of: Enable Step by Step Sending.
Using this option, enables us to verify each of the steps that involved in the “send mail process.” We will need to “Activate” each of the steps such as: EHLO, MAIL FROM, etc. and observe the result in the “step window.”
Test 2: Testing the ability of the IIS SMTP server to relay mail to Office 365 recipient “on behalf” (Send as permission”) of a LAN Mail enabled devices\application.
In case that the first “Test” complete successfully, we can continue with the second test, that will enable us to simulate the scenario of LAN Mail enabled Devices\Applications that relay mail to the IIS SMTP Server. The basic assumption is that: we complete all the required settings that will enable the IIS SMTP to send mail “on behalf” of the LAN Mail enabled Devices\Applications.
- Receive connector IP: add the IP Address of the IIS SMTP Server
- TCP Port: add the SMTP port number (25)
- Mail From: in this text box, we will need to add email address the represent the “LAN Mail enabled Devices\Applications” that will relay mail to the IIS SMTP server. In our example, we will use the email address of the Helpdesk application (HelpDesk@o365info.com).
- Recipient To: in this text box, we will need to add the email address of the “destination recipient” that is supposed to get the mail from the Mail enabled Devices\Applications. In our example we will use the email address of the recipient named Isabel (IsabelY@o365info.com).
- Subject: this is an optional parameter that will create the “Subject header”
Part 5: Troubleshooting IIS SMTP Relay settings
In this section, we will review how to troubleshoot common “causes” for mail flow problem when using IIS SMTP relay option.
1. Troubleshooting communication port
The first step is to verify that the IIS SMTP server can use port 25 (or port 587), for creating the required communication channel with the Exchange Online server. An additional parameter that we need to check is that we use the correct host name for the: Exchange Online server.
To be able to verify these parameters, we can use the built-in Telnet tool.
To test the communication channel to the Exchange Online server, from the IIS SMTP Server open a command prompt and type the following syntax:
In the following screenshot, we can see that to connection attempt was failed.
The reasons could be:
- We didn’t create the required “outbound Firewall rule” that will enable to the IIS SMTP server to use port 587
- The Exchange Online server name is not correct
2. Troubleshooting Really permissions
Part of security settings in the IIS SMTP settings is to create a restricted list of Hosts (the IP address of the internal Hosts), that allowed to relay mail to the IIS SMTP server.
In this following example, we use the tool: Basic SMTP Telnet Client, for simulating the process of relaying a mail message to the IIS SMTP Server. When using the “debug” option: Enable Step by Step Sending.
In the following screenshot, we can see that the error message that was return from the IIS SMTP Server, relate to the issue that the IP Address of Host whom we use is not configured in the “Allowed list” in the IIS SMTP server.
3. Troubleshooting “Mail from” settings
In this section, we will review how to troubleshooting errors that relate to the “Send on behalf” that the IIS SMTP Server need for relaying email messages from Mail enabled Devices\Applications.
In case that the IIS SMTP doesn’t have the required permission for sending email “on behalf” another email address, the connection attempt will be rejected by the Exchange Online. Failed mail messages will be kept by the IIS SMTP in the “Badmail” folder (The default location for the IIS SMTP Mail folder is: C:\inetpub\mailroot )
In the following example we simulate mail delivery from recipient named: HelpDesk@o365info.com to a “destination recipient” named: IsabelY@o365info.com
When checking “Isabel mailbox,” we notice that the mail didn’t send successfully.
To be able to find the cause for the problem, we can look at the IIS SMTP Server – Badmail folder.
In the following screenshot, we can see that the IIS SMTP creates 3 different log files, that includes information about the mail delivery process and the reason for the failure of the mail message delivery.
To open the Log message open the file with the *.BAD extension using a text editor such as: Notepad.
In the text file, we can see the description of the error:
Diagnostic –code: smtp;550 5.7.1 client does not have permissions to send as this sender
The meaning of this error is that the IIS SMTP User account, that we use for creating the communication channel with Exchange Online, doesn’t have the required permission to send mail on behalf of the recipient who tries to relay mail to the IIS SMTP server.
Summery and Recap
I feel that we went together on a long journey in the “IIS SMTP World.”
In the beginning, we review the business need for: the SMTP relay scenario for an organization that use the Exchange Online services.
In the next section, we review: what are the required configurations of the IIS SMTP server and how to enable the IIS SMTP Server to send email on behalf other recipient. In the last section, we review some common problems\errors when using relay scenarios and the way we can use for to troubleshooting these problems.
I hope that this information will help you to implement the SMTP relay solutions in an Office 365 environment.
See you in the next articles
- Office 365 and SMTP relay
- Use Office 365 as an SMTP relay server for applications
- SMTP error 550 5.7.1 Client does not have permissions to send as this sender
- Some messages are rejected when you try to use Exchange Online servers as an SMTP relay for on-premises business applications and network hardware devices
We really want to know what you think about the article