Securing Authenticated SMTP in Exchange Online

Published Apr 09 2020 09:00 AM

The SMTP AUTH protocol is used to submit millions of emails every day. The majority of the clients connecting to Exchange Online this way are devices such as multi-function printers, or software that sends automated emails. Email clients such as Outlook rarely use this protocol anymore and instead use other protocols secured with Modern Authentication (OAuth).

SMTP AUTH (also known as authenticated SMTP client submission) is a legacy internet protocol which does not support OAuth by design. All that clients have ever needed to send messages is a username and password, and these credentials are all too often obtained and used by attackers. As we have previously indicated (https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282), we are working on adding support for OAuth with SMTP AUTH, but we also know that many clients have yet to add support for OAuth. For that reason, Basic Authentication will need to be supported in Exchange Online for the foreseeable future, though it is still very wise to turn off SMTP AUTH in Office 365 tenants when possible.

We previously added a setting that lets tenants disable SMTP AUTH for their entire organization. Additionally, we ensured that each mailbox has a setting that overrides the tenant setting and enables SMTP AUTH. Together, these two settings give administrators the granularity required to keep SMTP AUTH disabled for most mailboxes and enabled for a few select mailboxes. You can find out more about these settings here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

To reduce what attackers can do with compromised user credentials, we are also taking steps to disable SMTP AUTH by default in Exchange Online. First, we have already started rolling out a change to disable it for new Office 365 tenants. This means Exchange administrators of newly created tenants will need to enable SMTP AUTH for any mailbox that requires it, using the per-mailbox setting we provide.

The next step will be to disable SMTP AUTH for existing tenants who do not use the SMTP AUTH protocol to send any messages. Customers will receive targeted Message Center posts if they are affected by this in the next few months. Finally, the last group of customers are those who have some mailboxes using SMTP AUTH. For these tenants, we will work to set the tenant-level disable setting while enabling the per-mailbox setting so that their existing usage of SMTP AUTH continues. There is no ETA yet for this work.

Exchange administrators are free to take proactive steps to disable SMTP AUTH for all mailboxes that do not require it. Customers with on-premises Exchange servers can also disable SMTP AUTH for all their hosted mailboxes and, instead, only allow sending using SMTP AUTH for those on-premises servers when the device or client is on their own network. This blocks attackers on the internet from trying to use Exchange Online to send from one of your hosted mailboxes. 
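One way to apply the tenant setting and the per-mailbox override from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session; the cmdlets and the SmtpClientAuthenticationDisabled parameter are named here rather than in the post, and the allow-list addresses and the -Apply switch are placeholders of this example.

```powershell
# Added example, not Microsoft's script. Run inside a Connect-ExchangeOnline session.
param(
    # Mailboxes that must keep SMTP AUTH (devices, apps). Placeholder addresses.
    [string[]]$AllowList = @('scanner@contoso.example', 'app-alerts@contoso.example'),
    # Without -Apply every change below runs with -WhatIf and nothing is modified.
    [switch]$Apply
)

# Tenant-wide setting: $true means SMTP AUTH is disabled for the organization.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox setting: $null = inherit tenant, $true = disabled, $false = enabled.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.SmtpClientAuthenticationDisabled
    [pscustomobject]@{
        Mailbox          = [string]$_.PrimarySmtpAddress
        MailboxSetting   = if ($null -eq $mbx) { 'inherit' } elseif ($mbx) { 'disabled' } else { 'enabled' }
        # The mailbox value wins when set; otherwise the tenant value applies.
        EffectiveEnabled = if ($null -eq $mbx) { -not $orgDisabled } else { -not $mbx }
    }
}

# Review first: which mailboxes can submit mail with only a username and password today?
$report | Where-Object EffectiveEnabled | Sort-Object Mailbox | Format-Table -AutoSize

# 1. Disable SMTP AUTH for the whole organization.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true -WhatIf:(-not $Apply)

# 2. Override the tenant setting only for the mailboxes that need SMTP AUTH.
foreach ($address in $AllowList) {
    Set-CASMailbox -Identity $address -SmtpClientAuthenticationDisabled $false -WhatIf:(-not $Apply)
}

# 3. Clear explicit "enabled" overrides on mailboxes that are not on the
#    allow-list, so they inherit the tenant-wide block again.
$report |
    Where-Object { $_.MailboxSetting -eq 'enabled' -and $_.Mailbox -notin $AllowList } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Mailbox -SmtpClientAuthenticationDisabled $null -WhatIf:(-not $Apply)
    }
```

Run it once without -Apply to see the report and the planned changes, then again with -Apply once the allow-list is confirmed.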

Note: New tenant administrators should be aware that Security Defaults may also be turned on for their organization. This policy enforces a higher default security configuration, which includes enforcing multi-factor authentication and disabling basic authentication for the entire tenant. As it does not allow exceptions, it is not an option for organizations that need to use SMTP AUTH for a few mailboxes. You can find out more about Security Defaults and how to disable it, if necessary, here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

We hope you found this update useful. Please feel free to leave comments and feedback below.

Sean Stevenson

Last update: Apr 14 2020 02:27 PM