28 Dec

SMTP Relay on IIS for Exchange Online

On March 1, 2018, Microsoft will disable support for the TLS 1.0 and TLS 1.1 protocols in many of its online services. That means only TLS 1.2 or later will be allowed in browser-server and client-server connections. It is a good move and a security enhancement. You should not even notice this change unless you use old legacy software.

During the past few weeks I have been working on a project related to the implementation of the GDPR for one of my customers. One of the milestone tasks was a migration to Office 365 and Exchange Online; until then they had been using an external email service from one of the national providers. One of the applications they still use is an on-premise CRM – I cannot name the product, but it is supported by the vendor and users get a new release every few months. However, in the deployed version this CRM does not support TLS at all for the connection to the SMTP server, only SSL. That was not a problem with the previous email service provider, but Microsoft is not going to enable SSL for you just because you need it.

Even in a small company, changing or upgrading the CRM is not a quick and easy task, so it was not an option in this case. Instead I had to make changes on the SMTP side, and my choice was to install an SMTP relay.


What is the SMTP Relay?

An SMTP relay is a service that routes email through a trusted server. Network administrators use relays for specialized tasks such as sending newsletters or other batch operations. In my solution it acts as a proxy between the client (the CRM system) and the Office 365 SMTP server. The CRM runs on a Windows 2012 Server, so I decided to configure the SMTP relay service directly on that server. The service works as shown in the diagram below.

The SMTP Relay service hosted on the same server as the application, providing a TLS 1.2 connection to the Exchange Online server

In this solution the connection between the CRM and the SMTP relay stays inside the Windows 2012 server. The CRM connects to the SMTP relay service on dedicated ports with no authentication. Access to the SMTP relay service is limited to the IP addresses assigned to the server's own network interface. The outbound connection to the Exchange Online server uses TLS 1.2 and Azure AD authentication on port 587.

I could have configured the SMTP relay on any server, even one outside the company network, but that would require much more attention to the security of the whole solution. It would also expose the SSL transmission on the LAN or over the Internet, which I wanted to avoid. I decided to allow connections with no authentication so that I do not have to maintain an additional user database. Because the SMTP relay service accepts connections only from the server itself, on multiple dedicated ports, I consider it a limited service.


Installing the SMTP feature on Windows Server

The installation and configuration process is almost the same on Windows Server 2008, 2012 and 2016. The SMTP relay service is part of the IIS (Internet Information Services) role. To install it, open Server Manager, click Add roles and features and add the Web Server (IIS) role to your server. You need to install all dependent packages as well.

Add Web Server Role to Windows Server. This will install the IIS on your server

Click Next to go to the Features section, select SMTP Server and accept the installation of all dependent features.

Add SMTP Server Feature from IIS to your server to enable SMTP Relay capability

If you additionally want to deploy authentication, select Basic Authentication (or any other authentication method you want to use) under Role Services. You are now ready to go to the summary page and click the Install button.
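The same installation from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (the ServerManager module), and it also confirms that the IIS 6.0 Manager and metabase compatibility pieces the rest of this guide depends on are present; the SMTPSVC service start type is checked because the feature installs it set to Manual.

```powershell
# Added example (not from the original post): install the IIS SMTP feature from
# an elevated PowerShell prompt instead of the Server Manager wizard.
# Assumes Windows Server 2012 or later with the ServerManager module available.

Import-Module ServerManager

# Web-Server is the IIS role, SMTP-Server the SMTP Server feature from the
# Features page. -IncludeManagementTools pulls in the management tools, which
# include the IIS 6.0 Manager used to configure the SMTP virtual server.
$result = Install-WindowsFeature -Name Web-Server, SMTP-Server -IncludeManagementTools

if (-not $result.Success) {
    throw "Feature installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the SMTP service can be configured.'
}

# Confirm the components the configuration steps rely on are installed:
# Web-Lgcy-Mgmt-Console is "IIS 6 Management Console" (IIS 6.0 Manager),
# Web-Metabase is "IIS 6 Metabase Compatibility", which the SMTP service stores its settings in.
Get-WindowsFeature -Name Web-Server, SMTP-Server, Web-Lgcy-Mgmt-Console, Web-Metabase |
    Select-Object Name, InstallState |
    Format-Table -AutoSize

# The SMTP service (SMTPSVC) is installed with a Manual start type. Set it to
# Automatic so the relay comes back after the next patch-cycle reboot, otherwise
# the CRM silently loses mail flow.
Set-Service -Name SMTPSVC -StartupType Automatic
Start-Service -Name SMTPSVC
Get-Service -Name SMTPSVC | Select-Object Name, Status
(Get-CimInstance -ClassName Win32_Service -Filter "Name='SMTPSVC'").StartMode   # expect Auto
```

If `Get-WindowsFeature` reports `Web-Lgcy-Mgmt-Console` as Available rather than Installed, add it with `Install-WindowsFeature Web-Lgcy-Mgmt-Console`; without it the IIS 6.0 Manager console used in the next section is missing from Administrative Tools.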


Configuring the SMTP Relay service

To configure the SMTP relay service on the server, open Administrative Tools and start Internet Information Services (IIS) 6.0 Manager. In the left pane you will find your server; it already has one preconfigured default SMTP Virtual Server. You can either change its settings (right-click the virtual server and select Properties) or delete it and create a new one.

When you open the virtual server properties you will see several tabs. Not all of them are essential for this configuration. These are the settings you need to configure:

  • On the General tab select the IP address on which the service should listen for connections. Then click the Advanced button and, for the selected address, change the default port 25 to another port. You will need this for the multiuser setup, but you can also treat it as an essential security precaution
  • On the General tab enable logging with all options; you may need it for troubleshooting
  • On the Access tab click the Authentication button and select the desired authentication method, or leave Anonymous access to disable authentication
  • In the Connection control and Relay restrictions sections select the Only the list below option and provide only the IP address of the server where you run the SMTP service
  • On the Delivery tab click the Outbound Security button, select Basic Authentication and provide the Azure AD user credentials. Also check the TLS encryption checkbox
  • On the Delivery tab click the Outbound connections button and change the TCP port from the default 25 to 587; this is the port on which the Exchange Online SMTP server listens for incoming connections protected by TLS
  • On the Delivery tab click the Advanced button and provide smtp.office365.com as the Smart host value. You may also increase the Maximum hop count value


When you have configured all required parameters, click OK or Apply to deploy the changes. You then need to restart the SMTP Virtual Server: right-click the server and select Stop, then Start.

Once you have confirmed that the configuration is correct and you can send emails, do not forget to save the SMTP configuration. I am not sure why this has to be done manually. Right-click the server name, select All Tasks and then Save Configuration to Disk.

I also found it useful for troubleshooting to give each virtual server its own folder for email processing. By default it is C:\inetpub\mailroot and the server shares it across multiple virtual SMTP servers, but you can create a new folder for each service. IIS creates all required subfolders when the virtual server runs for the first time. You can specify the virtual server root folder only during the initial wizard setup and cannot change it later.
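A set of checks to run on the relay host after the configuration above is saved, as an added example that is not part of the original post. It verifies the listener binding, reachability of the smart host on 587, a message submission the way the CRM does it (plain SMTP, no authentication, custom port), the Queue and Badmail folders under the mailroot, and the W3C log of the virtual server. The address, port, mailroot, log folder and mail addresses are placeholders for the values chosen in IIS 6.0 Manager; Windows Server 2012 R2 or later is assumed for `Get-NetTCPConnection` and `Test-NetConnection`.

```powershell
# Added example (not from the original post): post-configuration checks to run
# on the relay host itself. Every value below is a placeholder for what you set
# in IIS 6.0 Manager. Assumes Windows Server 2012 R2 or later for
# Get-NetTCPConnection and Test-NetConnection.

$RelayIp   = '192.0.2.10'            # address selected on the General tab (placeholder)
$RelayPort = 2525                    # custom port set under Advanced instead of 25 (placeholder)
$SmartHost = 'smtp.office365.com'
$MailRoot  = 'C:\inetpub\mailroot'   # default; use the per-virtual-server folder if you created one
$LogDir    = "$env:SystemRoot\System32\LogFiles\SmtpSvc1"   # W3C logs of virtual server 1 (assumed default)
$From      = 'crm@example.com'       # the Azure AD account, or a mailbox it has Send As on (placeholder)
$To        = 'admin@example.com'     # placeholder

# 1. Binding check: the relay should listen on the chosen address and port only.
#    A listener on 0.0.0.0/:: or on port 25 means the General tab binding was not applied.
$smtpListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -eq 25 -or $_.LocalPort -eq $RelayPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
$smtpListeners | Format-Table -AutoSize
if ($smtpListeners | Where-Object { $_.LocalAddress -eq '0.0.0.0' -or $_.LocalAddress -eq '::' }) {
    Write-Warning 'An SMTP listener is bound to all addresses; re-check the General tab binding.'
}

# 2. The smart host must be reachable on TCP 587 from this server (outbound firewall, proxy).
$reach = Test-NetConnection -ComputerName $SmartHost -Port 587
if (-not $reach.TcpTestSucceeded) { throw "Cannot reach $SmartHost on TCP 587" }

# 3. Submit a message exactly as the CRM does: plain SMTP, no authentication, custom port.
#    No -UseSsl here: this hop stays inside the host; the relay adds TLS towards Exchange Online.
Send-MailMessage -SmtpServer $RelayIp -Port $RelayPort -From $From -To $To `
    -Subject 'SMTP relay test' `
    -Body "Sent via IIS SMTP relay on $env:COMPUTERNAME at $(Get-Date -Format o)"

Start-Sleep -Seconds 20

# 4. Files left in Queue mean the smart host has not accepted the message yet; files in
#    Badmail mean delivery failed for good (a common cause is a From address the
#    configured account has no Send As permission on).
foreach ($folder in 'Queue', 'Badmail') {
    $items = Get-ChildItem -Path (Join-Path $MailRoot $folder) -File -ErrorAction SilentlyContinue
    '{0}: {1} file(s)' -f $folder, @($items).Count
}

# 5. Newest log file: confirm STARTTLS was issued towards the smart host and surface any 5xx replies.
$latestLog = Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLog) {
    Select-String -Path $latestLog.FullName -Pattern 'STARTTLS', ' 5\d\d ' | Select-Object -Last 10
} else {
    Write-Warning "No log file found in $LogDir; check that logging is enabled on the General tab."
}
```

Run it once more after the Save Configuration to Disk step and after the next reboot: a relay that works until the server restarts is the most common way this setup breaks later.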


Multiuser and shared mailbox configurations

You will already have noticed that you can configure only one Office 365 (Azure AD) user in the SMTP service parameters. If you need to send emails from multiple Azure AD accounts, you need to create several virtual SMTP servers, assign each of them a unique port and provide the Azure AD credentials in each one. So this solution is flexible only if you do not have many users. Also be aware that allowing unauthenticated access to the SMTP relay service creates a security issue: anyone who knows the assigned port can send emails from the Azure AD account provided in the SMTP relay configuration.

If you want to send emails from a shared mailbox address, provide as Office 365 credentials the username and password of a user that has Send As permission on the shared mailbox. Otherwise you will see an error message in the logs.


4 thoughts on “SMTP Relay on IIS for Exchange Online”

  1. Thanks for the guide. What I do not see is how to set TLS to 1.2. Everything is set up as described but the email headers still say my server is using TLS 1.0. The server is a Windows 2008 R2 with updates current as of Dec 2018.
    • @Wesley Wilson - which header exactly? It should by default negotiate the strongest TLS version available
      • It has been resolved. The server itself was not set up for the new TLS protocols. We had to update the registry to get it to recognize and use the newer ones. Here was the article we found... https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
        • Glad to see it is sorted out. For most security protocols the default is to use the newest version recognized by both sides. At least that is how it should be, but always check!
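The registry change the comment thread refers to, as an added example that is not part of the original post or its comments: on Windows Server 2008 R2 the SChannel provider supports TLS 1.2 but has it switched off by default, so the IIS SMTP service (which uses SChannel for its STARTTLS session to smtp.office365.com) keeps negotiating TLS 1.0. The script enables TLS 1.2 for both the Client and Server sides and then reports the state of all protocol keys; PowerShell 3.0 or later and an elevated prompt are assumed, and a reboot is needed before SChannel uses the new setting.

```powershell
# Added example (not from the original post or its comments): enable TLS 1.2 in
# SChannel on a Windows Server 2008 R2 relay host and report the protocol state.
# Assumes PowerShell 3.0 or later and an elevated prompt; reboot afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    param([Parameter(Mandatory = $true)][string]$Protocol)   # e.g. 'TLS 1.2'
    # The Client subkey governs outbound connections such as the relay's STARTTLS
    # session to the smart host; the Server subkey governs inbound connections.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
    }
}

function Get-SchannelProtocolState {
    # A missing key means the OS default applies; on 2008 R2 that default does not
    # include TLS 1.1 or TLS 1.2, which is exactly the state the comment describes.
    foreach ($protocol in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelProtocols "$protocol\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

Enable-SchannelProtocol -Protocol 'TLS 1.2'
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'Reboot the server, re-send a test message and check the Received header written by Exchange Online for version=TLS1_2.'
```

The Received header added by Exchange Online names the negotiated version (for example `version=TLS1_2`), which is the quickest way to confirm the relay really moved off TLS 1.0 rather than only having the keys set.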
