SMTP Relay - Issue and Troubleshooting : Client Submission, DirectSend, and SMTP Relay

Hello All

Hope everyone is doing great. In this article we walk through the options available for relaying SMTP email from applications or devices through Microsoft Exchange Online.

This article should give a clear picture of which option to use to relay email from an application or device.

Three options are available:

1. SMTP-AUTH Client Submission

2. Direct Send

3. SMTP Relay

Let us go through them one by one.

 SMTP-AUTH Client Submission 

  • This option is suitable for sending emails to internal and external users from your applications.
  • Modern Authentication must be enabled, like MFA and app password
  • Security Defaults is not supported, which means MFA must be enabled on the mailbox account
  • The account password cannot be used; instead, we need to use an app password for the account
  • The app password is used for authentication by the applications and devices
  • TLS 1.2 must be supported
  • If the application or device does not support TLS 1.2, then we must choose either Direct Send or SMTP Relay
  • SMTP-AUTH Client Submission uses the credentials of a mailbox hosted in M365 to connect to the M365 servers; if the email address and password are not configured correctly, we cannot connect to the M365 servers
  • Once authentication is successful, we can send emails to internal and external users
  • Relay name : SMTP.office365.com
  • Communication Port : 25

Please note: app passwords are now deprecated, and we need to use the OAuth authentication method to send email via smtp.office365.com

Direct Send

  • Direct Send uses the SMTP client authentication mechanism at the tenant level or mailbox level
  • We need to make sure SMTP client authentication is enabled at the tenant level
  • PowerShell command to check the tenant-level setting:
==========================================================================
Ramki:> Get-TransportConfig | fl *Smtp*


InternalSMTPServers                             : {}
AgentGeneratedMessageLoopDetectionInSmtpEnabled : True
SmtpClientAuthenticationDisabled                : False

SmtpClientAuthenticationDisabled = False means that SMTP client authentication is enabled
==========================================================================

  • We can use this option [Direct Send] if the application or device does not support TLS 1.2
  • It only supports sending emails to internal users; it is not suitable for sending emails to external users from applications or devices
  • We need a static public IP for the application or device that relays the emails, because we are going to connect to the MX record of our M365 tenant domain

How to find the MX of Domain

In this case, my domain name is cloudmonkeys.xyz




Click on the domain name, then on DNS Records


SMTP server name for Direct Send : cloudmonkeys-xyz.mail.protection.outlook.com
Communication port : 25

  • We need to publish an SPF record for the domain that includes the public IP address of the application or device that relays the emails
  • If SPF is not configured, the emails will go to junk
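
One way to check, offline, that a relay's public IP is covered by the domain's SPF record before pointing a device at the MX endpoint. This is an added example, not part of the original post: the function names are hypothetical, the SPF record is a constructed sample, and only `ip4` and `all` terms are evaluated (anything needing a DNS lookup is reported as not evaluated).

```powershell
# Added example, not from the original post. Offline SPF check: ip4 and all only.
function ConvertTo-IPv4Number([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $Address" }
    [long]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = $n * 256 + $b }   # network byte order
    return $n
}

function Test-SpfIp4Match {
    param([Parameter(Mandatory)][string]$SpfRecord,
          [Parameter(Mandatory)][string]$SenderIp)
    $results = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    $terms = $SpfRecord.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { throw 'Record does not start with v=spf1' }
    $sender  = ConvertTo-IPv4Number $SenderIp
    $skipped = @()   # terms that need DNS lookups (include, a, mx, redirect, ...)
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        if ($term -match '^(?<q>[-+~?])?ip4:(?<net>(\d{1,3}\.){3}\d{1,3})(/(?<len>\d{1,2}))?$') {
            $q   = if ($Matches['q'])   { $Matches['q'] }        else { '+' }
            $len = if ($Matches['len']) { [int]$Matches['len'] } else { 32 }
            if ($len -gt 32) { throw "Invalid prefix length in '$term'" }
            $net = ConvertTo-IPv4Number $Matches['net']
            # Compare only the network bits: shift away the host part of both values.
            if (($sender -shr (32 - $len)) -eq ($net -shr (32 - $len))) {
                return [pscustomobject]@{ Result = $results[$q]; MatchedTerm = $term; NotEvaluated = $skipped }
            }
        }
        elseif ($term -match '^(?<q>[-+~?])?all$') {
            $q = if ($Matches['q']) { $Matches['q'] } else { '+' }
            # "all" only decides the outcome if no earlier term was skipped.
            $r = if ($skipped.Count) { 'Undetermined' } else { $results[$q] }
            return [pscustomobject]@{ Result = $r; MatchedTerm = $term; NotEvaluated = $skipped }
        }
        else { $skipped += $term }
    }
    $r = if ($skipped.Count) { 'Undetermined' } else { 'Neutral' }
    return [pscustomobject]@{ Result = $r; MatchedTerm = $null; NotEvaluated = $skipped }
}

# Constructed sample record; 210.18.181.5 is the connector IP shown later on this page.
$spf = 'v=spf1 ip4:210.18.181.5 include:spf.protection.outlook.com -all'
Test-SpfIp4Match -SpfRecord $spf -SenderIp '210.18.181.5'
Test-SpfIp4Match -SpfRecord $spf -SenderIp '203.0.113.9'
```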

SMTP Relay

  • We can use this option if the application or device does not support TLS 1.2
  • We can use this option to send emails to internal and external users
  • It needs a static public IP address
  • This method requires a mail flow connector in Exchange Online, with a static public IP or a TLS certificate
  • In this method, we have to use the MX record of our tenant domain
  • SMTP server name for SMTP Relay : cloudmonkeys-xyz.mail.protection.outlook.com
  • Communication port : 25
  • In SMTP Relay, authentication is performed by the Microsoft 365 Exchange Online connector using the static IP of our application, which we configured in the connector
  • Based on that authentication, the emails are sent to external recipients


Non Delivery Report - Error Codes on smtp.office365.com - Port 587


Use the script below to send email to external users; you can also use any application or a Python script.

Ramki: 12/28/2023 17:20:33>$cred=Get-credential -username "aisha.bhari@cloudmonkeys.xyz" -Message "Enter the password"
Ramki: 12/28/2023 17:20:40>$mailParam =@{
>> smtpserver = "smtp.office365.com"
>> Port = "587"
>> useSSL = $True
>> Credential = $Cred
>> From = "aisha.bhari@cloudmonkeys.xyz"
>> To = "rush2ramki@gmail.com"
>> Subject = "Send-MailMessage"
>> Body = "This is mail from Send-MailMessage"
>> }
Ramki: 12/28/2023 17:20:40>Send-Mailmessage @Mailparam
Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server
response was: 5.7.57 Client not authenticated to send mail. Error: 535 5.7.139 Authentication unsuccessful, basic
authentication is disabled. [MA0PR01CA0105.INDPRD01.PROD.OUTLOOK.COM 2023-12-28T11:50:52.546Z 08DC073764B53CD9]
At line:1 char:1
+ Send-Mailmessage @Mailparam
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
   ion
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage


As basic auth is disabled in Exchange Online, we cannot use this option, and an app password will not work either; we need to use the OAuth method.

In short, you cannot use this method to send email to internal or external users, because it needs basic auth to be enabled, and basic auth is now disabled in M365.


I will write a separate blog post on how to send email via OAuth.


Direct Send for Internal Users Only 

Ramki: 12/28/2023 17:26:07>$cred=Get-credential -username "aisha.bhari@cloudmonkeys.xyz" -Message "Enter the password"
Ramki: 12/28/2023 17:30:43>$mailParam =@{
>> smtpserver = "cloudmonkeys-xyz.mail.protection.outlook.com"
>> Port = "25"
>> useSSL = $True
>> Credential = $Cred
>> From = "aisha.bhari@cloudmonkeys.xyz"
>> To = "selvam@cloudmonkeys.xyz"
>> Subject = "Send-MailMessage"
>> Body = "This is mail from Send-MailMessage"
>> }
Ramki: 12/28/2023 17:30:43>Send-Mailmessage @Mailparam
Ramki: 12/28/2023 17:30:46>


 RELAY for Internal Users and External Users 

RELAY for EXTERNAL users using SMTP Relay

$cred=Get-credential -username "aisha.bhari@cloudmonkeys.xyz" -Message "Enter the password"
$mailParam =@{
smtpserver = "cloudmonkeys-xyz.mail.protection.outlook.com"
Port = "25"
useSSL = $True
Credential = $Cred
From = "aisha.bhari@cloudmonkeys.xyz" 
To = "rush2ramki@hotmail.com"
Subject = "Send-MailMessage"
Body = "This is mail from Send-MailMessage"
}
Send-Mailmessage @Mailparam

Ramki: 12/27/2023 17:38:57>Send-Mailmessage @Mailparam
Send-Mailmessage : Mailbox unavailable. The server response was: 5.7.64 TenantAttribution; Relay Access Denied
[ValidationStatus of '' is EmptyCertificate] [BMXIND01FT021.eop-IND01.prod.protection.outlook.com
2023-12-27T12:08:55.256Z 08DC06D0F71517D9]
At line:1 char:1
+ Send-Mailmessage @Mailparam
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
   ion
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage


After creating the connector below in Exchange Online:


SMTP Relay
Mail flow scenario : From: Your organization's email server, To: Office 365
Name : SMTP Relay
Status : On
How to identify email sent from your email server : Identify incoming messages from your email server by verifying that the sending server's IP address is within these IP address ranges: 210.18.181.5, and the sender's or recipient's email address is an accepted domain for your organization.




Ramki: 12/27/2023 18:23:59>$cred=Get-credential -username "aisha.bhari@cloudmonkeys.xyz" -Message "Enter the password"
Ramki: 12/27/2023 18:25:57>$mailParam =@{
>> smtpserver = "cloudmonkeys-xyz.mail.protection.outlook.com"
>> Port = "25"
>> useSSL = $True
>> Credential = $Cred
>> From = "aisha.bhari@cloudmonkeys.xyz"
>> To = "rush2ramki@hotmail.com"
>> Subject = "Send-MailMessage"
>> Body = "This is mail from Send-MailMessage"
>> }
Ramki: 12/27/2023 18:25:57>Send-Mailmessage @Mailparam
Ramki: 12/27/2023 18:26:00>
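
The two failures above can be told apart from the server response alone. The following added example (not part of the original post; the function name is hypothetical) parses the error text that Send-MailMessage prints, including the console line wrapping, and maps the two enhanced status codes shown on this page to the cause and next step described in the article.

```powershell
# Added example, not from the original post: triage of the SMTP errors shown on this page.
function Get-SmtpRelayDiagnosis {
    param([Parameter(Mandatory)][string]$ErrorText)
    $text  = ($ErrorText -replace '\s+', ' ').Trim()      # undo console line wrapping
    # Enhanced status codes (for example 5.7.57, 5.7.139, 5.7.64)
    $codes = @([regex]::Matches($text, '\b[245]\.\d{1,3}\.\d{1,3}\b') | ForEach-Object { $_.Value })
    # Trailing "[frontend-server timestamp request-id]" block, useful for message traces
    $ctx   = [regex]::Match($text, '\[(?<srv>[\w.-]+) (?<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) (?<id>[0-9A-Fa-f]+)\]')
    $cert  = [regex]::Match($text, "ValidationStatus of '(?<subj>[^']*)' is (?<status>\w+)")

    if ($codes -contains '5.7.139') {
        $cause = 'Basic authentication is disabled for SMTP AUTH client submission'
        $next  = 'Passwords and app passwords are rejected; use OAuth with smtp.office365.com'
    }
    elseif ($codes -contains '5.7.64') {
        $cause = 'No inbound connector attributed this connection to the tenant'
        $next  = 'Create a connector that identifies the sender by static public IP or TLS certificate'
    }
    else {
        $cause = 'Not one of the two errors covered here'
        $next  = 'Read the full server response'
    }
    [pscustomobject]@{
        Codes      = $codes -join ', '
        Cause      = $cause
        NextStep   = $next
        CertStatus = if ($cert.Success) { $cert.Groups['status'].Value } else { $null }
        Frontend   = if ($ctx.Success)  { $ctx.Groups['srv'].Value }     else { $null }
        TimeUtc    = if ($ctx.Success)  { $ctx.Groups['ts'].Value }      else { $null }
    }
}

# The two server responses quoted on this page, including the console line breaks.
$authError = @'
The server response was: 5.7.57 Client not authenticated to send mail. Error: 535 5.7.139 Authentication unsuccessful, basic
authentication is disabled. [MA0PR01CA0105.INDPRD01.PROD.OUTLOOK.COM 2023-12-28T11:50:52.546Z 08DC073764B53CD9]
'@
$relayError = @'
The server response was: 5.7.64 TenantAttribution; Relay Access Denied
[ValidationStatus of '' is EmptyCertificate] [BMXIND01FT021.eop-IND01.prod.protection.outlook.com
2023-12-27T12:08:55.256Z 08DC06D0F71517D9]
'@
$authError, $relayError | ForEach-Object { Get-SmtpRelayDiagnosis -ErrorText $_ } | Format-List
```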

I hope this article helps messaging admins understand how to relay emails in Office 365. Happy learning 😃

