Support Center

Safous ZTA Admin Guide

Configurations

[ZTA] How to Setup Email MFA with O365 SMTP as Relayhost

This article will explain how Administrators configure O365 SMTP server (smtp.office365.com) as an email relayhost from your internal mail server by authenticating through an app password.

Prerequisites

Before continuing the steps in this article, please ensure that your organization already have:

Microsoft product licenses:
- At least Entra ID P1 license or Microsoft 365 Business Premium license to enable authentication using app password.
- Exchange Online license (should be available with M365 Business Standard) to configure email settings.
Account in Microsoft Entra ID with these roles:
- Conditional Access Administrator or Authentication Policy Administrator
- Exchange Administrator

Internal mail server with these permissions:
- Inbound access on port 25 from App Gateway's server
- Outbound access on port 587 to smtp.office365.com

Enabling Authentication Using App Password in Entra ID

By default, users can't create app passwords. The app passwords feature must be enabled before users can use them. To give users the ability to create app passwords, admin needs to complete the following steps:

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
Browse to Conditional Access > Named locations.
Select "Configure MFA trusted IPs" in the bar across the top of the Conditional Access | Named Locations window.
On the Per-user multifactor authentication page, click Service settings and select the "Allow users to create app passwords to sign in to non-browser apps" option.

Creating App Password for a User

Before a user can create an App Password, they need to enable MFA for their account first. After that, the user can create app passwords by following these steps:

Sign in to your Microsoft account and then go to https://myaccount.microsoft.com/ page.
Select Security info from the left navigation pane or from the link in the Security info block, and then select Add sign-in method from the Security info page.
On the Add a method page, select App password from the list, and then select Add.
Type the name of the app that requires the app password, and then select Next.
Copy and keep the text from the Password box then click Done

Enable SMTP Auth Protocol in Exchange Online

SMTP client email submissions (also known as authenticated SMTP submissions or SMTP AUTH) protocol is used for SMTP client email submissions, typically on TCP port 587. This is considered a legacy feature by Microsoft and is disabled by default. To enable it, follow these steps:

Sign in to the Exchange admin center as an Exchange Administrator.
Browse to Settings > Mail Flow
On the security section, uncheck the "Turn off SMTP AUTH protocol for your organization" option.
Click Save

Notes:

If security defaults is enabled in your organization, SMTP AUTH is disabled in the security defaults policy even if you enable the settings outlined in this article. To use SMTP AUTH, you need to disable security defaults. For more information, see Security defaults in Microsoft Entra ID
If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol even if you enable the settings outlined in this article. For more information, see Disable Basic authentication in Exchange Online.

Configure Internal Mail Server to Use O365 SMTP as Relayhost

To use a relayhost, you need to set the necessary parameters such as username and password for authentication, address of the relayhost and the port to use for sending email. In this article, we will use postfix as an internal mail server to provide an example.

Disclaimer:

The Postfix configuration provided below is intended solely as a reference example. It is not advisable to implement this exact setup in a production environment.

If you already have an existing Postfix installation or another internal mail server, it is recommended that you utilize that instead and adjust the necessary settings based on your specific mail server configuration.

Add Postfix env file under the /etc/cyolo/config folder.

sudo vi /etc/cyolo/config/.env

# Mandatory: Server address of the SMTP server to use.
SMTP_SERVER=

# Optional: (Default value: 587) Port address of the SMTP server to use.
SMTP_PORT=

# Optional: Username to authenticate with.
SMTP_USERNAME=

# Optional (Mandatory if SMTP_USERNAME is set): Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
SMTP_PASSWORD=

# Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
SERVER_HOSTNAME=

# Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
#SMTP_HEADER_TAG=

# Optional: Setting this will allow you to add additional, comma seperated, subnets to use the relay. Used like SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'.
SMTP_NETWORKS=

# Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.
#SMTP_PASSWORD_FILE=

# Optional: Set this to yes to always add missing From:, To:, Date: or Message-ID: headers.
#ALWAYS_ADD_MISSING_HEADERS=yes

# Optional: This will rewrite the from address overwriting it with the specified address for all email being relayed.
#OVERWRITE_FROM=

# Optional: This will use allow you to set a custom $mydestination value. Default is localhost.
#DESTINATION=

# Optional: This will output the subject line of messages in the log.
#LOG_SUBJECT=

# Optional: This will disable (no) or enable (yes) the use of SMTPUTF8
#SMTPUTF8_ENABLE=

# Optional: This will use allow you to set a custom $message_size_limit value. Default is 10240000.
#MESSAGE_SIZE_LIMIT=

Edit it according to the table below:

	Changes in BOLDED
# Mandatory: Server address of the SMTP server to use.	*SMTP_SERVER=smtp.office365.com*
# Optional: (Default value: 587) Port address of the SMTP server to use.	#SMTP_PORT=
# Optional: Username to authenticate with.	SMTP_USERNAME=<your O365 email>
# Optional (Mandatory if SMTP_USERNAME is set): Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)	SMTP_PASSWORD=<your App Password>
# Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.	SERVER_HOSTNAME=hostname of the AppGW
# Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.	#SMTP_HEADER_TAG=
# Optional: Setting this will allow you to add additional, comma separated, subnets to use the relay. Used like SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'.	SMTP_NETWORKS=100.100.100.0/24
# Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.	#SMTP_PASSWORD_FILE=
# Optional: Set this to yes to always add missing From:, To:, Date: or Message-ID: headers.	#ALWAYS_ADD_MISSING_HEADERS=yes
# Optional: This will rewrite the from address overwriting it with the specified address for all email being relayed.	#OVERWRITE_FROM="Your Name" <email@company.com>
# Optional: This will use allow you to set a custom $mydestination value. Default is localhost.	#DESTINATION=
# Optional: This will output the subject line of messages in the log.	#LOG_SUBJECT=yes
# Optional: This will disable (no) or enable (yes) the use of SMTPUTF8	#SMTPUTF8_ENABLE=no
# Optional: This will use allow you to set a custom $message_size_limit value. Default is 10240000.	#MESSAGE_SIZE_LIMIT=

Edit the docker-compose.yml file of the relevant AppGW to add the postfix container as a new service:

sudo vi /etc/cyolo/config/docker-compose.yml

postfix:
      container_name: postfix
      image: juanluisbaptiste/postfix:latest
      networks:
         - share
      env_file:
         - .env
      restart: always
      volumes:
        - "/etc/localtime:/etc/localtime:ro"

Bring up the postfix service

sudo docker compose -f /etc/cyolo/config/docker-compose.yml up -d
If there is a cluster with multiple App GWs, configure the postfix noted above in every node.

Configure SMTP settings in Safous Admin Portal

Login to Safous Admin Portal
Go to Settings > ZTNA > Configurations > SMTP Setting, then click Edit
Configure your SMTP Settings with these details:
- Host: <Your internal mail server's hostname or IP address>
- Port: 25
- From Address: <Your O365 email address>
- From Name: <Your O365 email address>
- Username: If you need to be authenticated to your internal mail server, put the username here. Otherwise, leave it blank.
- Password: If you need to be authenticated to your internal mail server, put the password here. Otherwise, leave it blank.
Click Save

Testing

Create a new user and provide it with an email address used for testing.
Go to your tenant's user portal (login.<tenant>.ztna.safous.com) and login with the testing user's credential.
Skip the personal desktop registration as this is just a testing user.
Choose the Email option and click Send
Check your mail inbox for the email from Safous containing MFA code.
Enter the code obtained from your email into the provided field.
You have successfully enrolled using email, proving that the integration succeeded.

Troubleshooting

Check spam to see if the email was stuck there.
Check the log of the internal mail server for any relevant error logs.
initiate-email returned error with status code 500: Check the SMTP settings in the admin portal and ensure it is correctly configured.
If your mail server is located in the clouds, there is a high chance that the email won't be accepted as it is marked for spam by O365.