Configuring SMTP Relay

Captions
Good morning everybody and welcome back to Next Door NetAdmin. Email. Email is something that most people (I was about to say everybody, but maybe not everybody) definitely make use of on the internet, and why not? Email is the simplest thing there is, right? No. Not if you're a system administrator, not if you're a network administrator. Email is a pain, and most people don't understand that. Email is viewed as something that is ridiculously simple: you click a button and somebody gets the message right away. No, it doesn't work like that. Email is fantastically complicated, and I'm not going to get into all of it right now. Today I'm going to be talking about something very specific, and that is SMTP relay.

OK, so I just said a bunch of letters. What does that mean? SMTP is the Simple Mail Transfer Protocol. Simple, right? It says so right in the name. That doesn't matter; it's not. SMTP is the protocol that mail servers use when sending emails back and forth between each other. This is usually something that you don't have to interact with directly. The case where you do is where you have an application, say in the cloud somewhere, and it wants to send emails from your domain. It used to be that you could set it up to just announce itself: "Hi, I am sending email for example.org," and that was the end of it. Everybody trusted it. "Oh yeah, sure, you're from example.org, I trust that, go for it." It doesn't work that way anymore, thanks very much to spammers, phishers and all the other miscreants who filth up the pool for everybody else. Oh well, I digress.

These days there's a lot of authentication that needs to happen before email servers will trust that you're sending from who you say you are. These sorts of authentications are generally done fairly centrally. They'll take place with whoever your mail provider is, Office 365 or Google Workspace or some third-party system; they'll have all of those authentication mechanisms set up for themselves. But if you need to connect an application in the cloud to send emails, or, here's an even more common example, if you have a big office photocopier that has a scan-to-email function: you want to put something through the scanner and have it email it, your photocopier has to send it somewhere, and so you're going to have to link it up to a mail system. The process for doing this, then, is SMTP relay, where you're taking a device or an application that wants to send email and you're telling it to relay that email through an authorized SMTP server for your organization.

Cool, so that's the explanation for it. What makes this so difficult? Well, the difficulty comes in where you're now needing to deal with a whole lot of network security that is specifically there to prevent other people from being able to relay email and make it look like it's coming from your organization when it's actually from some nasty spammer or phisher or other miscreant, like I mentioned before. There's nothing good about email coming from what looks to be your address when it's some spammer. That's not a good thing; that disrupts a lot of business trust, among other things.

So we're going to talk about Office 365, or Microsoft 365 as they call it these days, specifically because that's what I work with on a regular basis, but you can take the steps that I'm going to be showing to you and you can apply them to other email servers as well, whether that's Google Workspace (I have done this in Google Workspace, so I know it works) or whatever your third-party email provider has set up. So in broadest strokes, what do we need to be doing? Well, we need to configure a connector for Exchange in Microsoft 365. Google Workspace has something very similar; I don't remember what they call it off the top of my head, but it functions the same way as a connector, so as I demonstrate this you should be able to dig around in Google Workspace and find something that looks and acts similar, and it'll do much the same thing. So we need to create a connector in Exchange. We need to adjust the SPF record for the organization in DNS. Again, more alphabet: SPF in this case is Sender Policy Framework; DNS is the Domain Name System. SPF is a way of indicating which email servers are authorized to send email on the organization's behalf, so if you're adding a photocopier or a cloud application, you need to specify that they're actually allowed, or else any email that they send is going to get trashed, and rightly so. Exchange, SPF, and then we'll review the settings that you would need in this case to relay through Microsoft 365, because that's what I have available, although I don't have an actual application, so we're just going to review the settings and I will do my best to be very clear about what we need to be doing. Sound like fun? Let's get started then and find out where we end up.

All right, so the first thing that we want to look at is getting the actual instructions for how to set this up. Google is your friend, as always. I would just look for "Office 365 SMTP relay", just like that, and it'll be the first, or it should be the first, link that you get, at the time of this recording anyway: "How to set up a multifunction device or application". You'll see that there's three options listed here: option one, option two, option three. I'm going to be really nice and tell you that you can skip most of this and just go to option three. You can do option one, but one of the first things you see right here is "this option isn't compatible with security defaults", which means that you probably want to avoid it, and "you must also verify" blah blah blah; it's disabled for organizations created after January 2020. So using option one has a lot of extra configuration that requires changing security defaults for anybody that's using Microsoft 365, and in all honesty I have not found it to be very reliable. People often try to do this first because it's the first option; it doesn't work reliably in my experience. If we scroll down further, option two. OK, cool, maybe this is what we want to do: send mail directly. No, most of the time you don't want this. The restriction here is that you only need to send messages to recipients in your own organization. That means if you want to scan to email and email something directly to somebody at another organization, this won't work. If you have a cloud application that's trying to email people elsewhere, then it won't work. So while option two looks like it might be a good solution, it's really not. We want to keep scrolling down, or just click the link at the top to option three: configure a connector to send emails, SMTP relay. That's exactly what we want.

Now, it looks very complicated, but that's why I'm going to show you how to do this. You can do this with a certificate-based connector. Most of the time I'm just going to configure an IP address based connector to relay email through 365, because that works really well. Now, this does mean that you need a static IP address. If you don't have a static IP address, and we're talking about the external address here, then it's going to not be practical to set this up, and it's also not going to be secure, because if anybody gets the address that is assigned to you, they can now send email as you with no restrictions, pretty much, and that's a bad thing. So if you have a cloud application, it probably has a static IP address. If you're sending from a photocopier in your organization, you may or may not have a static IP address, and you should probably get one if you can. Make sure you get a true static IP address, not a fake static IP address. There are untrustworthy ISPs out there who will sell you what they say is a static IP address and it requires DHCP, which means it's a fake and they're lying to you. So get a static IP address.

Once you have that, you can open up your Exchange admin center. If you're on 365, that's going to be admin.exchange.microsoft.com, fairly simple. On the left-hand side come down to Mail flow and then we're going to select Connectors, and you'll get this screen here. I'm going to blur out most of what's already here because, you know, this is an actual live organization, and security being what it is, I really shouldn't be showing all the details here. But we're going to go to Add connector, new connector. We're going to set up a connection from your organization's email server. This is what you want, even if you are configuring this to come from a cloud application or a photocopier. So when you select that, it says "connection to Office 365". Perfect, next. Name: "our test connector". I would suggest actually probably being a little more specific and saying "cloud application" or whatever the name is. You can add a description if you want. What you want to do after the connector is saved: turn it on is a good idea. I will also usually retain internal Exchange email headers. The more headers you have, the better chance you have of troubleshooting things if something goes wrong, so I will typically retain as much information as I can. I suppose there's a reason why you wouldn't want to retain that if it was a security concern, but I will typically retain it because I don't have anything that needs to be that secure.

How is Office 365 going to authenticate and identify email from your server? This first option is what you would want to use if you were using something certificate-based. Since we're using an IP address, we will just go down here and "verify that the IP address matches" whatever IP address I put in, which for this example I'm just going to make something really basic like 12.34.56.78. Simple. And then you hit the plus; there it is, great. Then you hit next. Review the connector: it's coming from your side to Office 365, here's the name, here's the options, and it's going to be within this IP address range. Here's the last key point for this: "and the sender or recipient email address is an accepted domain from your organization". What does this mean? This means that when you're sending something out through this connector, you need to make sure that it comes from something @ your domain. You can't have it come from something without the @yourdomain part, because that doesn't authenticate it correctly. We'll review this in the settings, but just so that you're aware, this is a very key part of the connector and it's something that you should pay attention to. Then we would create the connector and continue on, and you would see it show up in the list, and everything would be good.

Next we're going to go to an SPF record generator. I'm not advocating the use of this site; I just happened to look up an SPF generator, this was one that came up, and I'm going to use it to show you the SPF record that we're looking at, but I am not endorsing it whatsoever, so treat it with caution as you would anything else on the internet. An SPF record will generally look a lot like this: you'll have v=spf1, and for 365 you'll have include:spf.protection.outlook.com -all. This include tells anybody using this record that they should reference Microsoft's SPF records as well, to get a list of all of Microsoft's servers that are valid. -all just means if it isn't in this list, fail it. In this case what you'll want to do is add your additional static IP address, and we can do that in this case by adding our 12.34.56.78 right there. If I regenerate this, then we'll see that we now have ip4:12.34.56.78 in the SPF record, and that means now anything that comes directly from 365 is authorized, but so is anything that comes from this server. That's going to be important, because Microsoft 365 itself also checks this record to make sure that this is actually authorized to be sending email. The connector says it has to come from this address; it has to come from the correct domain as well; but the SPF record is another key part in this. So you would take this entire value and you would upload this to a TXT record in your DNS server for your organization. Make sure that that's good, make sure that it has propagated and it's visible, viewable, whatever word you want to use, and then you'll be able to go and set up your application or your photocopier.

Now, the server in this case will be your MX endpoint. This will vary depending on what Microsoft itself tells you. Typically speaking, you would end up with something like example-org (with a dash instead of .org) followed by .mail.protection.outlook.com, but that could be something different, so just check your MX record and make sure that it is correct. example-org.mail.protection.outlook.com would work for this. Port: standard port 25. Often times you may not need to specify this, because 25 is the default port for SMTP, but if there is a port box, obviously make sure it's set correctly. TLS and STARTTLS must be enabled, and it is actually required in order to use this. The TLS version in this case must be version 1.2 or higher, so where possible disable TLS 1.1 and lower to make sure that you're using 1.2 or higher. Email address: any email address that uses one of your verified domains. This email address doesn't need a mailbox. This means that yes, you can make up any email address you want as long as it ends in @example.org, or @ your domain. It can be no-reply@, it can be doesnt-exist@, it can be photocopier@ or whatever else you want. It doesn't need a mailbox, it doesn't have to be licensed, it doesn't even have to exist; it just has to end in your verified domain, and then you'll be good to go.

That's as simple as it gets. Even though it requires going through Exchange and changing an SPF record and everything else, this is, in my experience, the easiest, most reliable way to set up SMTP relay, and so this is what I would suggest if you have to do it. And that's basically it: SMTP relay, done and dusted. If you've done this quite a few times, it gets to be a very quick process. The longest parts of it are typically checking to make sure that DNS has propagated, but more importantly checking to make sure that you have the correct version of TLS enabled and all the other ones disabled where possible. If you're working with a photocopier, this can be a very problematic thing to try and figure out, because a lot of photocopier providers, if they're an office supplies company, may not know what TLS even is (it's Transport Layer Security, but that's just between you and me). They may not know what the version is, they may not even know how to ask the manufacturer for the right version; the manufacturer may not know right off the top of their head, or at least a tier-one support person may not know this either. It's really in network administrator territory, so figuring out whether it even supports the required security standards can take a surprising amount of time. But regardless, once you have that information, actually setting up SMTP relay is pretty breezy, honestly. If I was to use a different word entirely from across the Atlantic, I would say it's a doddle. It's that easy, it really is. And again, I've shown you how to do this for Microsoft 365, but the process is very similar for Google Workspace or any of the other major mail providers. So that's what I have for you today. Hopefully you found it interesting. I am your Next Door NetAdmin; we'll see you later.
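The SPF step in the video (add an ip4 term for the relay's static address next to the Microsoft include, keep -all last) can be checked offline before touching DNS. The following is an added example, not code from the video or from Microsoft: a minimal SPF evaluator that understands only the mechanisms the video uses (ip4, include, all) and reads TXT records from an in-memory table. The table entry for spf.protection.outlook.com is a constructed stand-in with two sample ranges, not Microsoft's real published record; example.org and 12.34.56.78 are the video's own placeholders.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table.

Added example; not from the video. Supports ip4, include and all only
(no mx/a/ptr/exists/ip6/macros), which is all the video's record needs.
"""
import ipaddress

# Constructed TXT records. The include target is the real hostname the
# video names, but its content here is a simplified stand-in (assumption).
FAKE_DNS_TXT = {
    "example.org": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:52.100.0.0/14 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def add_ip4(record, cidr):
    """Insert an ip4 mechanism ahead of the terminating 'all' term.

    Mirrors what the SPF generator in the video does when you add the
    relay's static IP. Idempotent: adding the same IP twice is a no-op.
    """
    terms = record.split()
    mech = f"ip4:{cidr}"
    if mech in terms:
        return record
    if terms and terms[-1].lstrip("+-~?").lower() == "all":
        return " ".join(terms[:-1] + [mech, terms[-1]])
    return " ".join(terms + [mech])


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result               # '-all' => fail for anything not matched above
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            # include matches only if the referenced record yields 'pass'
            if evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return result
        # anything else is unsupported here and skipped
    return "neutral"                    # record ended without an 'all' term


if __name__ == "__main__":
    before = FAKE_DNS_TXT["example.org"]
    after = add_ip4(before, "12.34.56.78")
    print("before:", before)
    print("after: ", after)
    dns = dict(FAKE_DNS_TXT, **{"example.org": after})
    for ip in ("12.34.56.78", "40.93.1.1", "203.0.113.9"):
        print(ip, "->", evaluate_spf("example.org", ip, dns))
```

Running it shows the relay's address passing only after the ip4 term is added, an address inside the (stand-in) Microsoft range passing through the include, and an unrelated address failing on -all; that is exactly the check a receiving server performs, and the one the video says Microsoft 365 itself performs on your connector's traffic.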
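The device-side settings at the end of the video (MX endpoint as server, port 25, STARTTLS with TLS 1.2 or higher, a sender address in a verified domain that need not have a mailbox) translate directly into an SMTP client. The block below is an added example written for this page, not the video author's code or any Microsoft sample; the relay host, accepted domain and addresses are placeholders taken from the video, and `send_via_relay` opens a real connection, so it is only called from the main guard.

```python
"""SMTP relay client mirroring the video's device settings (added example).

Assumptions: RELAY_HOST is your tenant's MX endpoint (placeholder here),
ACCEPTED_DOMAINS are your verified domains, and the connector authenticates
the source by static IP, so no SMTP AUTH is performed.
"""
import smtplib
import ssl
from email.message import EmailMessage

ACCEPTED_DOMAINS = {"example.org"}                        # placeholder
RELAY_HOST = "example-org.mail.protection.outlook.com"    # placeholder MX endpoint
RELAY_PORT = 25


def sender_is_accepted(address, accepted=ACCEPTED_DOMAINS):
    """The connector relays only mail whose sender is in an accepted domain.

    The mailbox need not exist or be licensed; only the domain part matters.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() in {d.lower() for d in accepted}


def relay_tls_context():
    """TLS context that refuses anything below TLS 1.2, as the relay requires."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(sender, recipient, subject, body):
    """Build the message, rejecting senders the connector would not accept."""
    if not sender_is_accepted(sender):
        raise ValueError(f"{sender!r} is not in an accepted domain; the relay would reject it")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_relay(msg, host=RELAY_HOST, port=RELAY_PORT):
    """EHLO, STARTTLS (TLS 1.2+ enforced), EHLO again, then send.

    Refuses to continue if the server does not advertise STARTTLS rather
    than silently falling back to cleartext.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay did not offer STARTTLS; not sending in the clear")
        smtp.starttls(context=relay_tls_context())
        smtp.ehlo()                     # re-identify on the encrypted channel
        smtp.send_message(msg)


if __name__ == "__main__":
    message = build_message(
        "no-reply@example.org", "someone@example.net", "Scan", "Attached scan."
    )
    send_via_relay(message)
```

The source IP the relay sees must be the static address configured on the connector and listed in SPF; if the client sits behind NAT, that is the external address, which is why the video insists on a true static IP.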
Info
Channel: NextDoorNetAdmin
Views: 707
Id: LbhOrr2iUmI
Length: 20min 40sec (1240 seconds)
Published: Mon Mar 04 2024