[PRA][ZTA] How to Setup Email MFA with O365 SMTP as Relayhost
This article will explain how Administrators configure O365 SMTP server (smtp.office365.com) as an email relayhost from your internal mail server by authenticating through an app password.
Prerequisites
Before continuing with the steps in this article, please ensure that your organization already has:
- Microsoft product licenses:
  - At least an Entra ID P1 license or a Microsoft 365 Business Premium license, to enable authentication using app passwords.
  - An Exchange Online license (should be included with M365 Business Standard), to configure email settings.
- An account in Microsoft Entra ID with these roles:
  - Conditional Access Administrator or Authentication Policy Administrator
  - Exchange Administrator
- An internal mail server with these permissions:
  - Inbound access on port 25 from the App Gateway's server
  - Outbound access on port 587 to smtp.office365.com
Enabling Authentication Using App Password in Entra ID
By default, users can't create app passwords: the app passwords feature must be enabled before users can use them. To give users the ability to create app passwords, an administrator needs to complete the following steps:
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Conditional Access > Named locations.
- Select "Configure MFA trusted IPs" in the bar across the top of the Conditional Access | Named Locations window. 
- On the Per-user multifactor authentication page, click Service settings and select the "Allow users to create app passwords to sign in to non-browser apps" option. 
Creating App Password for a User
Before a user can create an app password, MFA must be enabled for their account. After that, the user can create app passwords by following these steps:
- Sign in to your Microsoft account and then go to https://myaccount.microsoft.com/ page. 
- Select Security info from the left navigation pane or from the link in the Security info block, and then select Add sign-in method from the Security info page. 
- On the Add a method page, select App password from the list, and then select Add. 
- Type the name of the app that requires the app password, and then select Next. 
- Copy and keep the text from the Password box, then click Done.
Enable SMTP Auth Protocol in Exchange Online
The SMTP client email submission protocol (also known as authenticated SMTP submission or SMTP AUTH) is used by clients to submit email, typically on TCP port 587. Microsoft considers it a legacy feature and it is disabled by default. To enable it, follow these steps:
- Sign in to the Exchange admin center as an Exchange Administrator.
- Browse to Settings > Mail Flow.
- In the Security section, uncheck the "Turn off SMTP AUTH protocol for your organization" option.
- Click Save.
Notes:
- If security defaults are enabled in your organization, SMTP AUTH is disabled by the security defaults policy even if you enable the settings outlined in this article. To use SMTP AUTH, you need to disable security defaults. For more information, see "Security defaults in Microsoft Entra ID".
- If your authentication policy disables Basic authentication for SMTP, clients cannot use the SMTP AUTH protocol even if you enable the settings outlined in this article. For more information, see "Disable Basic authentication in Exchange Online".
Configure Internal Mail Server to Use O365 SMTP as Relayhost
To use a relayhost, you need to set the necessary parameters: the username and password for authentication, the address of the relayhost, and the port to use for sending email. In this article, we use Postfix as the internal mail server to provide an example.
Disclaimer:
The Postfix configuration provided below is intended solely as a reference example. It is not advisable to implement this exact setup in a production environment.
If you already have an existing Postfix installation or another internal mail server, it is recommended that you utilize that instead and adjust the necessary settings based on your specific mail server configuration.
- Create a Postfix env file under the /etc/cyolo/config folder (sudo vi /etc/cyolo/config/.env) with the following template:
 # Mandatory: Server address of the SMTP server to use.
 SMTP_SERVER=
 # Optional: (Default value: 587) Port of the SMTP server to use.
 SMTP_PORT=
 # Optional: Username to authenticate with.
 SMTP_USERNAME=
 # Optional (Mandatory if SMTP_USERNAME is set): Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
 SMTP_PASSWORD=
 # Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
 SERVER_HOSTNAME=
 # Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
 #SMTP_HEADER_TAG=
 # Optional: Setting this will allow you to add additional, comma separated, subnets to use the relay. Used like SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'.
 SMTP_NETWORKS=
 # Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.
 #SMTP_PASSWORD_FILE=
 # Optional: Set this to yes to always add missing From:, To:, Date: or Message-ID: headers.
 #ALWAYS_ADD_MISSING_HEADERS=yes
 # Optional: This will rewrite the from address, overwriting it with the specified address for all email being relayed.
 #OVERWRITE_FROM=
 # Optional: This will allow you to set a custom $mydestination value. Default is localhost.
 #DESTINATION=
 # Optional: This will output the subject line of messages in the log.
 #LOG_SUBJECT=
 # Optional: This will disable (no) or enable (yes) the use of SMTPUTF8.
 #SMTPUTF8_ENABLE=
 # Optional: This will allow you to set a custom $message_size_limit value. Default is 10240000.
 #MESSAGE_SIZE_LIMIT=
- Edit it so that it matches the values below (the lines that differ from the template are the ones to change):
 # Mandatory: Server address of the SMTP server to use.
 SMTP_SERVER=smtp.office365.com
 # Optional: (Default value: 587) Port of the SMTP server to use.
 #SMTP_PORT=
 # Optional: Username to authenticate with.
 SMTP_USERNAME=<your O365 email>
 # Optional (Mandatory if SMTP_USERNAME is set): Password of the SMTP user. (Not needed if SMTP_PASSWORD_FILE is used)
 SMTP_PASSWORD=<your App Password>
 # Mandatory: Server hostname for the Postfix container. Emails will appear to come from the hostname's domain.
 SERVER_HOSTNAME=<hostname of the AppGW>
 # Optional: This will add a header for tracking messages upstream. Helpful for spam filters. Will appear as "RelayTag: ${SMTP_HEADER_TAG}" in the email headers.
 #SMTP_HEADER_TAG=
 # Optional: Setting this will allow you to add additional, comma separated, subnets to use the relay. Used like SMTP_NETWORKS='xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx'.
 SMTP_NETWORKS=100.100.100.0/24
 # Optional: Set this to a mounted file containing the password, to avoid passwords in env variables.
 #SMTP_PASSWORD_FILE=
 # Optional: Set this to yes to always add missing From:, To:, Date: or Message-ID: headers.
 #ALWAYS_ADD_MISSING_HEADERS=yes
 # Optional: This will rewrite the from address, overwriting it with the specified address for all email being relayed.
 #OVERWRITE_FROM="Your Name" <email@company.com>
 # Optional: This will allow you to set a custom $mydestination value. Default is localhost.
 #DESTINATION=
 # Optional: This will output the subject line of messages in the log.
 #LOG_SUBJECT=yes
 # Optional: This will disable (no) or enable (yes) the use of SMTPUTF8.
 #SMTPUTF8_ENABLE=no
 # Optional: This will allow you to set a custom $message_size_limit value. Default is 10240000.
 #MESSAGE_SIZE_LIMIT=
- Edit the docker-compose.yml file of the relevant AppGW (sudo vi /etc/cyolo/config/docker-compose.yml) to add the postfix container as a new service:
 postfix:
   container_name: postfix
   image: juanluisbaptiste/postfix:latest
   networks:
     - share
   env_file:
     - .env
   restart: always
   volumes:
     - "/etc/localtime:/etc/localtime:ro"
- Bring up the postfix service:
 sudo docker compose -f /etc/cyolo/config/docker-compose.yml up -d
- If you have a cluster with multiple App GWs, configure the postfix service described above on every node.
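As an added example (not part of the original article or of the Postfix image's own tooling), the script below parses the .env template from this section, checks the mandatory/optional constraints its comments describe (SMTP_SERVER and SERVER_HOSTNAME required, SMTP_PASSWORD or SMTP_PASSWORD_FILE required with SMTP_USERNAME, port defaulting to 587, SMTP_NETWORKS as comma-separated CIDRs), and can submit one message to smtp.office365.com over STARTTLS on port 587 with the app password, which is the same path the Postfix container takes. The SAMPLE_ENV values and the function names are assumptions made for this example.

```python
# Added example: validate the relay .env and exercise the O365 SMTP AUTH path like Postfix does.
import ipaddress
import smtplib
import ssl
from email.message import EmailMessage
# Constructed sample .env mirroring the article's template; every value is a placeholder.
SAMPLE_ENV = """
#SMTP_PORT=
SMTP_SERVER=smtp.office365.com
SMTP_USERNAME=relay-user@example.com
SMTP_PASSWORD=app-password-placeholder
SERVER_HOSTNAME=appgw01.example.com
SMTP_NETWORKS=100.100.100.0/24,10.20.30.0/24
"""
def parse_env(text):
    """Parse KEY=VALUE lines; '#' lines are comments and empty values count as unset."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.strip():
            env[key.strip()] = value.strip()
    return env

def validate_env(env):
    """Return the problems Postfix would hit, per the constraints stated in the template."""
    problems = [f"{k} is mandatory" for k in ("SMTP_SERVER", "SERVER_HOSTNAME") if k not in env]
    if "SMTP_USERNAME" in env and not ("SMTP_PASSWORD" in env or "SMTP_PASSWORD_FILE" in env):
        problems.append("SMTP_PASSWORD or SMTP_PASSWORD_FILE is required when SMTP_USERNAME is set")
    if not env.get("SMTP_PORT", "587").isdigit():
        problems.append("SMTP_PORT must be numeric")
    for net in filter(None, env.get("SMTP_NETWORKS", "").split(",")):
        try:
            ipaddress.ip_network(net)  # strict: a network (host bits zero), not a single host
        except ValueError:
            problems.append(f"SMTP_NETWORKS entry is not a valid CIDR: {net}")
    return problems

def send_test_message(env, to_addr):
    """Submit one message the way the relay will: STARTTLS on 587, then SMTP AUTH."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = env["SMTP_USERNAME"], to_addr, "Relay test"
    msg.set_content("Test message from the internal relay configuration check.")
    with smtplib.SMTP(env["SMTP_SERVER"], int(env.get("SMTP_PORT", "587"))) as smtp:
        smtp.ehlo(env["SERVER_HOSTNAME"])
        smtp.starttls(context=ssl.create_default_context())  # never send AUTH in plaintext
        smtp.login(env["SMTP_USERNAME"], env["SMTP_PASSWORD"])  # the app password
        return smtp.send_message(msg)  # empty dict: every recipient was accepted
```

Run validate_env(parse_env(open("/etc/cyolo/config/.env").read())) before bringing the container up; a login failure from send_test_message points at the app password or at SMTP AUTH still being disabled in Exchange Online.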
Configure SMTP settings in Safous Admin Portal
- Login to Safous Admin Portal
- Go to Settings > ZTNA > Configurations > SMTP Setting, then click Edit
- Configure your SMTP Settings with these details:
- Host: <Your internal mail server's hostname or IP address>
- Port: 25
- From Address: <Your O365 email address>
- From Name: <Your O365 email address>
- Username: If your internal mail server requires authentication, put the username here. Otherwise, leave it blank.
- Password: If your internal mail server requires authentication, put the password here. Otherwise, leave it blank.
 
- Click Save 
Testing
- Create a new user and provide it with an email address used for testing. 
- Go to your tenant's user portal (login.<tenant>.ztna.safous.com) and log in with the testing user's credentials.
- Skip the personal desktop registration as this is just a testing user. 
- Choose the Email option and click Send 
- Check your mail inbox for the email from Safous containing MFA code. 
- Enter the code obtained from your email into the provided field.
- You have successfully enrolled using email, proving that the integration succeeded. 
Troubleshooting
- Check the spam folder to see if the email ended up there.
- Check the log of the internal mail server for any relevant errors.
- initiate-email returned error with status code 500: check the SMTP settings in the admin portal and ensure they are correctly configured.
- If your mail server is located in the cloud, there is a high chance that the email won't be accepted because O365 marks it as spam.