How to email from your local apps & devices post Office 365 migration
Carl Billington
Head Of Technology | Focused On Strategic Leadership & Success with Innovative Solutions
The pitfalls of migration
Have you moved to Microsoft Office 365? Then there's a fair chance that you will by now have discovered that simply pointing email-enabled applications and devices at the new cloud-based Exchange servers will not get your email delivered. So, we need to do something about that, right?
In common with most businesses today you probably use a multi-function device that offers a one stop shop for printing, scanning and copying. Typically, these devices offer a scan-to-email capability. Other businesses commonly use web applications that distribute e-mails. This setup is commonplace and often overlooked by SMEs.
Microsoft's preferred solution is to relay your mail through an IIS server with the SMTP service enabled. The problem with this is that, in reality, many businesses, certainly a large number of SMEs, simply do not have any servers in the office. Or they have tipped their local server over the edge of the nearest abandoned quarry to save costs. In these real-world circumstances, Microsoft's fancy solution won't work.
A simple solution
Still, no need to despair—I offer a simple solution. One that will work natively from within Microsoft Exchange, with or without TLS encrypted connections. It also supports either port 25 or port 587 and does not require any type of authentication. In fact, no user accounts or additional licenses are required to make this work. This is good because many older devices and applications support clear text across port 25 only.
First steps
The first step is to create a connector on the Exchange Online server that accepts connections from an unauthenticated sender. This sounds like an open relay, but we'll restrict the connector so that only connections from known, permitted public IP addresses can use it. All other attempts are classified as unauthorised and denied.
Creating the Exchange Connector:
- Log into the Microsoft Online Portal as a Global Administrator
- Click on the Admin menu and then on Exchange to open the Exchange Admin Centre.
- Click on the Mail Flow category and click the Connectors sub menu.
- Add an Inbound Connector
- Give the connector a descriptive name
- Set the Connector Type to On-premises
- Set Connection Security to Opportunistic TLS
- Set Domain Restrictions to Restrict domains by IP addresses
- Add a single sender domain and use the * wildcard character to allow all domains.
- Add the public IP addresses that you will allow to relay
- Save the Connector
- Enable the connector if you have not already done so
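The same connector built from Exchange Online PowerShell rather than the admin centre, with a check of the result. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the account name, connector name and the 203.0.113.x addresses are placeholders you replace with your own.

```powershell
# Added example: create the unauthenticated relay connector from Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'      # placeholder admin account

$ConnectorName = 'Device relay (unauthenticated)'                  # placeholder name
$RelaySources  = @('203.0.113.10', '203.0.113.24/29')               # placeholder: static public IPs of your MFPs and app servers

# Each parameter mirrors one of the portal settings above:
#   Connector type      : On-premises            -> -ConnectorType OnPremises
#   Connection security : Opportunistic TLS      -> -RequireTls $false (TLS is used whenever the device offers it)
#   Domain restrictions : Restrict by IP address -> -RestrictDomainsToIPAddresses $true
#   Sender domains      : * (all)                -> -SenderDomains '*'
#   Allowed senders     : your public IPs        -> -SenderIPAddresses
New-InboundConnector -Name $ConnectorName `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -SenderIPAddresses $RelaySources `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $false `
    -Enabled $true `
    -Comment 'Unauthenticated relay for scanners and in-house apps; only the listed static IPs may use it.'

# Check the result: the connector is enabled and carries exactly the addresses you intended.
# Any address in SenderIPAddresses that you do not control is an open relay for whoever sits behind it,
# so review this list whenever your public IP or ISP changes.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, Enabled, ConnectorType, RequireTls, RestrictDomainsToIPAddresses, SenderDomains, SenderIPAddresses
```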
A well earned rest
Those of you still with me at this point, including anyone who has resisted the temptation to run away and join the circus to escape their IT responsibilities, should brace yourselves, because this is where I tell you how to make this connector burst out of its shirt like the Incredible Hulk and start performing astounding feats.
The SMTP Server used in your sending application or device is a little different but easy to locate. Here's one of the many ways to get this information:
Finding the SMTP Server
- Go back to the O365 portal and click the Admin menu and click on Office 365
- Click on the Domains category
- Select a primary domain
- Click Manage DNS
- Find the MX record and copy the 'Point To' Address for that record
- The 'Point To' format is likely to be [-.mail.protection.outlook.com], though we have also seen [-.mail.eo.outlook.com]. For example, if your domain was xxyyzz.com, your MX record would look like this: xxyyzz-com.mail.protection.outlook.com. You'll use this value as the SMTP server when you define the outbound mail settings in the application or device from which you want to send relayed email.
Creating a bypass rule
One additional setting you may want to enable on the Exchange Online Server prevents all your relay email from heading straight for the Junk Folder. This process will create a mail filtering rule.
- Return to the Exchange Admin Console
- Click on the Mail Flow category and then the Rules sub menu
- Add a new rule of type "Bypass Spam Filtering..."
- Choose a good descriptive name for your rule.
- Set Apply this rule if... to "The sender is..."
- Add the email addresses you want to use for sending relay email. These can be any addresses you like, but the address the device puts in the From field must match exactly, or the rule will not fire.
- Set Do the following... to "Set the spam confidence level (SCL) to..." and then set the action to Bypass spam filtering.
- Leave the remaining options on their default settings
- Save the rule.
If you have multiple rules, you may want to adjust the order of this rule so it fires properly. I suggest you make it the first rule while you test things and then adjust all of your rules to accommodate the order in which you ultimately want to process them. Mail Flow in general is complex and I have deliberately avoided giving too many details in this walk through on how best to manipulate these features.
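The same bypass rule created from Exchange Online PowerShell, placed first in the rule order as suggested above. This is an added example, not part of the original article, and it goes one step beyond the portal walkthrough by also requiring the source IP to match, so a matching From address alone is not enough. The account name, sender addresses and 203.0.113.x addresses are placeholders; it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: the "bypass spam filtering" rule from Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'      # placeholder admin account

$RuleName     = 'Relay devices - bypass spam filtering'            # placeholder name
$RelaySenders = @('scanner@contoso.com', 'alerts@contoso.com')     # placeholder: the exact From addresses your devices use
$RelaySources = @('203.0.113.10', '203.0.113.24/29')               # placeholder: the same public IPs listed on the connector

# Conditions in a single rule are ANDed: the message must come from one of the listed addresses
# AND from one of the listed IPs. Matching on the From address alone would let any host that can
# reach the connector skip filtering simply by spoofing that address.
# SCL -1 is what the portal's "Bypass spam filtering" action sets; Priority 0 makes it the first rule
# while you test, as the walkthrough suggests.
New-TransportRule -Name $RuleName `
    -From $RelaySenders `
    -SenderIpRanges $RelaySources `
    -SetSCL -1 `
    -Priority 0 `
    -Mode Enforce `
    -Comments 'Relayed device mail: sender address and source IP must both match.'

# Check the result and its position in the rule order.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, Mode, From, SenderIpRanges, SetSCL
```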
Modifying your SMTP settings for your application or device
The final step in this process is to put everything together and make it work. Here's how:
Game, set and match
That's all there is to it.
Of course, the client-side configuration will differ with every application and device you try to set up this way. But I can assure you that I have made this work with:
- Numerous MFP devices
- In-house web applications
- Routers and network devices that send notifications
- Mozilla Thunderbird, which is a good simple testing application
If you can make things work using Thunderbird, you should be able to translate the settings to any application or device and make it work as well.
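A scripted version of the "Finding the SMTP Server" steps and of a client-side test send, standing in for Thunderbird: it reads the MX record, checks the port is reachable, and sends one unauthenticated message the way a scanner would. This is an added example, not part of the original article; the domain, addresses and port are placeholders, and it assumes Windows PowerShell 5.1 on a machine whose public IP is listed on the connector.

```powershell
# Added example: resolve the SMTP server from the domain's MX record and send an unauthenticated test
# message, exactly as an MFP or in-house application would. Assumes Windows PowerShell 5.1 with the
# DnsClient and NetTCPIP modules (standard on Windows 8 / Server 2012 and later).
$Domain = 'contoso.com'               # placeholder: your Office 365 primary domain
$From   = 'scanner@contoso.com'       # placeholder: must match an address in the bypass rule exactly
$To     = 'helpdesk@contoso.com'      # placeholder: a mailbox in your tenant
$Port   = 25                          # or 587 if the device supports it

# Step 1: the MX record's 'Point To' value is the SMTP server, e.g. contoso-com.mail.protection.outlook.com.
# Resolve-DnsName can return extra A records alongside the MX answer, so filter on Type before sorting.
$Mx = Resolve-DnsName -Name $Domain -Type MX |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference |
      Select-Object -First 1 -ExpandProperty NameExchange
if (-not $Mx) { throw "No MX record found for $Domain" }
"SMTP server for $Domain is $Mx"

# Step 2: reachability. Many ISPs block outbound port 25, and a blocked port looks exactly like a
# broken connector from the device's point of view, so rule it out first.
if (-not (Test-NetConnection -ComputerName $Mx -Port $Port -InformationLevel Quiet)) {
    throw "TCP port $Port to $Mx is blocked by a firewall or your ISP; fix that before touching Exchange"
}

# Step 3: send with no credentials. -UseSsl requests STARTTLS, which the opportunistic-TLS connector
# accepts; leave it out to reproduce a device that only speaks clear text on port 25.
# Exchange sees your NAT public IP, not the device's LAN address. A 'Relay Access Denied' style
# rejection means that public IP is not on the connector's sender IP list.
Send-MailMessage -SmtpServer $Mx -Port $Port -UseSsl `
    -From $From -To $To `
    -Subject "Relay test from $env:COMPUTERNAME via $Mx" `
    -Body "Unauthenticated relay test sent on port $Port. Check the message headers for the SCL value: -1 means the bypass rule fired."
```

Once this script delivers to the inbox rather than Junk, copy the same server, port, From address and TLS choice into the device or application.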