Exchange Online Protection (EOP) is a service which you can buy from Microsoft. They also offer a 1 month trial. You can use EOP with your on-premise Exchange as a mail gateway solution in and out. However, if you have Office 365 with Exchange Online, this uses EOP already. So you can make use of its features and relay mail through it using an IIS SMTP server. Why would you want to relay mail through EOP and not send directly? Because EOP ensures that everything is okay with outbound mail, ensuring mail is squeaky clean, keeping things top notch in relation to security.
You can also relay mail from Office 365 itself, however this provides a major limitation, in that you can’t send mail from any domain you like, you can only relay mail from domains that have been setup as ‘accepted domains’ in your Office 365 tenant account. In other words, you need to prove ownership of the domains that you wish to send on behalf of. In contrast, EOP doesn’t care, you can send/relay mail from any domain you wish. But, don’t forget to add in an SPF TXT record in the domain’s DNS that you are sending on behalf of, to ensure that you are legitimately authorised.
There are several things you will need to do for a SMTP relay solution using EOP. The following are steps which I took that worked for us:
- Dedicate a Windows Server 2012 server virtual machine hosted with Windows Azure
- Have a tenant account with Office 365/Exchange Online (comes with EOP), or just buy the EOP service by itself
- Setup an inbound connector in EOP
- SSL certificate, you need this so you can have a secure TLS connection between your IIS SMTP server and EOP
The steps I took here were based on a recent webcast done by Frank Brown of Microsoft listed here. If you download and look at the PowerPoint presentation, I am focusing on the last solution, solution number 3 in the slides. However I have added some more detail based on my experience.
Dedicate a Windows Server 2012 server to use for SMTP relay
This server will be used as your IIS SMTP server, aka the SMTP relay server. For my example, I used a virtual machine hosted with Windows Azure.
On your Windows Azure hosted SMTP server, you will need to install IIS SMTP. Some steps listed below are taken from here How to set up an SMTP relay in Office 365.
Create the external hostname and firewall rule
- In your Windows Azure management portal, you need to allow for Port 25 inbound to your server. With Windows Azure, this is called an Endpoint.
- You’ll need to get the external IP address of your hosted server and create a DNS record both internally and externally which points to this IP address, or external DNS only if you don’t have an internal DNS infrastructure. The external IP address of your VM can be found in the Windows Azure portal under the virtual machines dashboard. In this example, I will use smtp.contoso.com which will point to my allocated IP address.
* What ever you do, don’t shutdown the virtual machine from the console. If you do, the VM will be de-allocated and once you power the VM back up, the VMs public IP address will change.
* I had a problem with the external IP address I was allocated from Windows Azure for my IIS SMTP relay server, in that it was listed on some SPAM databases and as a result EOP wouldn’t let me even relay off of it. So beware. If this happens, not only will you need to remove the IP address from the SPAM databases, but also from Microsoft by sending email to firstname.lastname@example.org
- Start Server Manager, click Features, and then click Add Features.
- On the Select Features page, select the SMTP Server check box. If you’re prompted, click Add Required Role Services.
Note This step automatically installs all prerequisite roles and features, including IIS (if they’re not already installed).
- On the Select Features page, click Next. Then, on the Web Server (IIS) page, click Next.
- On the Select Role Services page, make sure that the following role services check boxes are selected, and then click Next:
- The ODBC Logging check box under Health and Diagnostics
- The IIS Metabase Compatibility check box in IIS 6 Management Capability under Management Tools
- The IIS 6 Management Console check box in IIS 6 Management Capability under Management Tools
- On the Confirm Installation Selections page, click Install.
- After the SMTP Server installation is completed, click Finish.
- Open IIS 6.0 Manager, right click Default SMTP Virtual Server, and then click Properties.
- Click the Access tab, and then click Relay.
- In the Select which computers may relay through this virtual server area, click Only the list below, and then enter the IP addresses of the on-premises LOB devices and application servers that will relay through the SMTP server.
Warning Make sure that you enter only the IP addresses of the devices and servers that you trust. This setting lets you relay mail that’s coming from these sources to any destination. In effect, this makes the on-premises server that’s running IIS an open relay.
- On the Access tab, click Connection, enter the IP addresses of the devices and servers that you want to be able to connect to the SMTP server. This is similar to relay, however one level above, it stops un-authorised connections before they attempt to relay.
- On the Access tab, click Authentication, make sure that the Anonymous access check box is selected, and then click OK.
- Click the Delivery tab, click Advanced, and then, under Smart host, enter the SMTP end-point for the tenant domain. This will be the same as your MX record. (i.e contoso-com.mail.protection.outlook.com).
- On the Delivery tab, click Outbound Connections.
- In the TCP Port box, type 25, and then click OK.
- On the Delivery tab, click Outbound Security, and then follow these steps:
- Click Anonymous Access
- Select the TLS encryption check box, and then click OK.
- Right click Domains, and then click New > Domain
- Select Remote and click Next.
- Enter the name of the remote domain in which you want to send/relay to, click Finish.
- Right click on the domain you just created, then click Properties. On the General tab, enter the same smart host value as you did previously, then click OK.
Setup an inbound connector in EOP
Logon to your online tenant account http://portal.microsoftonline.com. Under the Admin menu at the top, select Exchange and then click on the Mail Flow link on the left. Click on Connectors, and click Add.
In the New Inbound connector window, enter the following information:
Name: Choose a unique name for the Inbound connector.
Connector type: Choose On-premises
Connection security: Choose Force TLS, and specify the certificate subject name of the certificate that you will install on your IIS SMTP relay server
Under Domains, click the Add Icon. In the resulting Add domain window, enter * to apply the connector to all of your sending domains. Under IP addresses click the Add Icon, and in the resulting Add IP address window, add the external IP address of your IIS SMTP server.
For the SSL certificate, you’ll need this for the TLS communication. Easiest way to do this, create a file on the IIS SMTP server’s C: drive called RequestConfig.inf
Populate this file with the following information, changing the CN to suit your own domain. Close and save the file.
Run the following command using command prompt:
certreq -new -f RequestConfig.inf BinaryRequest.req
This will create a certificate request file for a single domain SSL certificate which you can use to generate a certificate with your favourite provider. We use Go Daddy.
Once the certificate has been approved and generated, add this certificate to the local computer personal certificate store.