Blog Post

Exchange Team Blog
4 MIN READ

Exchange Online to retire Basic auth for Client Submission (SMTP AUTH)

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Apr 15, 2024
Update 6/11/2025: We updated the timeline of this deprecation mentioned in this post. Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) gra...
Updated Jun 12, 2025
Version 4.0
announcements
exchange online
security
transport
davidsain's avatar
davidsain
Copper Contributor
Aug 05, 2024

We have a lot of customers that use MFPs to scan documents and email them to themselves. Microsoft hasn't been very clear on this subject. A lot of people think that Microsoft has stopped supporting App Passwords. They have only stopped supporting App Passwords for IMAP/POP protocols (thus far).


On this page Microsoft shares how to setup SMTP AUTH client submission:

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

Basic Auth with SMTP AUTH client submission will no longer work after September 2025.

Direct Send and SMTP Relay are options, however ALL broadband and dial-up ISPs (and other) IP addresses are automatically on the Policy Block List.  When one telnets into an Exchange instance to relay email (using mail from/rcpt to) for the first time, they see a message with a link to delist themselves at Spamhaus. This delisting is valid for either 1 year or the first time spam is sent, whereupon they will be listed again and the only way to find out is by doing a telnet test. If a customer has a DHCP public IP, this isn't an option (and there are many small-town ISPs that don't do static assignment or reservation. VMware's VeloCloud uses DHCP addresses also).



The way I see it is:

1. Create an Exchange P1 license user, such as mailto:email address removed for privacy reasons.
2. Login as the user and setup MFA.  Document the secret (we use ITGlue so can pull the token at any time out of our documentation).
3. Setup (and document) the app password one intends on using for scan to email.

4. Login and setup MFP to scan to email, using port 587 (because 25 is often blocked by cable and other providers - CenturyLink is one and their support often has a difficult time understanding what this is).
5. Keep Calm and Scan On.

 


With the end of Basic Auth, IF I use an App Password instead of user's credentials, is that still considered Basic Auth or is this a way to keep functioning with the changes coming down the road?