Forum Discussion
SMTP Client Authentication on Exchange 2016? (SMTP Relay)
Hello all,
Is it possible to setup SMTP Relay on Exchange 2016 to allow authentication from applications outside of our network?
For example, let's say we have an ERP software that's installed on a server that is located on a new site that is outside of our network. The server in question isn't joined to our domain yet (recently acquired company).
They no longer have an Exchange server. Can our Exchange server be used as their SMTP server to send out invoices? I know this would work with Exchange Online/Office 365 as it allows you to enable SMTP AUTH for specific mailboxes. But I'm not so sure if this would work with an on-premise Exchange server.
PS. I tried creating an SMTP Relay on our on-premise Exchange and whitelisted the site's IP Address. We're trying to authenticate using our webmail address. We get error 10060.
Any help would be appreciated.
Thanks.
4 Replies
Your on-premises Exchange Server provides the ability to accept authenticated SMTP messages by default. When you take your ERP software solution as an example, you can follow these steps for the external application:
- Create a new user mailbox for the ERP application and ensure that the email address and the display name align with your requirements for sending emails.
- Allow inbound traffic on TCP 587 to your on-premises Exchange servers. This approach uses the default client submission port TCP 587, which is designed to allow users to deliver authenticated SMTP messages to the Exchange organization for further processing.
- Configure your ERP solution to use TCP 587 + TLS when sending emails, and use the credentials from step 1 for authentication.
In this example, I identify the ERP application as an SMTP client that wants to deliver an email message, and not as a server. Therefore, I use the Client Frontend connector on TCP 587 instead of the Default Frontend connector on TCP 25.
Whitelisting a remote IP address poses a risk for using the Exchange server as an open relay by IP spoofing.
Links
- Mail flow and the transport pipeline (contains a diagram without TCP ports)
- Exchange 2016 + 2019 Mail Flow with Ports (contains the mail flow diagram with TCP ports)
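As an added example that is not part of Thomas's post or of any Microsoft documentation: the checks an administrator would run from PowerShell to verify the three steps above, first on the Exchange server (Exchange Management Shell) and then from the remote ERP host. The server name `EX01`, the hostname `mail.contoso.example`, the mailbox `erp-mailer` and the recipient address are placeholders. The `Test-NetConnection` call is there because the 10060 the original poster saw is the Winsock "connection timed out" code, which points at a firewall or routing problem rather than at authentication.

```powershell
# Added example (not from the original thread). Server, hostname, mailbox
# and recipient below are placeholders; substitute your own values.

# --- 1. On an Exchange server, in the Exchange Management Shell ----------
# Confirm the Client Frontend receive connector is bound to TCP 587 and
# offers Basic authentication only once TLS has been negotiated.
$server = 'EX01'
Get-ReceiveConnector -Server $server |
    Where-Object { $_.Bindings -match ':587$' } |
    Format-List Identity, Bindings, AuthMechanism, PermissionGroups, RequireTLS
# Expected on an untouched Client Frontend connector: AuthMechanism contains
# Tls, BasicAuth, BasicAuthRequireTLS and Integrated; PermissionGroups
# contains ExchangeUsers. Do not add AnonymousUsers to this connector and
# do not relax BasicAuthRequireTLS: the first turns it into a relay that
# any host can use, the second sends mailbox passwords in the clear.

# --- 2. From the remote ERP host (Windows PowerShell 5.1 or later) -------
# Rule out the firewall first; a blocked or unrouted port shows up here as
# TcpTestSucceeded : False, which is what the application reports as 10060.
Test-NetConnection -ComputerName 'mail.contoso.example' -Port 587

# Send one authenticated test message as the mailbox from step 1.
# -UseSsl on port 587 negotiates STARTTLS; the certificate presented by the
# connector must be valid for 'mail.contoso.example' or the client refuses
# to continue, which is a deliberate protection against interception.
$cred = Get-Credential -UserName 'CONTOSO\erp-mailer' -Message 'ERP mailbox password'
Send-MailMessage -SmtpServer 'mail.contoso.example' -Port 587 -UseSsl `
    -Credential $cred `
    -From 'erp-mailer@contoso.example' `
    -To 'invoices@contoso.example' `
    -Subject 'SMTP AUTH test over TCP 587' `
    -Body 'Authenticated submission via the Client Frontend connector.'
```

The `-From` address has to be the authenticated mailbox itself, or one the account holds Send As permission for; Exchange rejects other sender addresses on an authenticated submission, which is the property that keeps a leaked ERP password from being usable to spoof arbitrary internal senders.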
- hbilke (Copper Contributor)
ThomasStensitzki-MVP - is SMTP Client Auth possible with an AD-only user? There should be no mailbox on the Exchange.
As seen: https://serverfault.com/questions/804230/ad-user-authentication-to-exchange-2016
Read you!
hRy
Hello hbilke,
That is a good question. I haven't tried this approach.
Exchange Online requires a valid sender address from your tenant. The allowed sender for the used email address is either the mailbox user itself or a user that has send-as permission for the sender address.
Exchange Online allows only for EXO licensed users as send-as or send-on-behalf users. Therefore, I assume that the answer to your question is no.
-Thomas
- Machiavelli (Copper Contributor)
ThomasStensitzki-MVP Sounds good, Thomas. Thank you very much for your advice. I will revisit those settings and give that a try as per your instructions.
Cheers 🙂