SMTP Client Authentication on Exchange 2016? (SMTP Relay)


Hello all,

 

Is it possible to set up SMTP relay on Exchange 2016 to allow authentication from applications outside of our network?

 

For example, let's say we have an ERP software that's installed on a server that is located on a new site that is outside of our network. The server in question isn't joined to our domain yet (recently acquired company). 

 

They no longer have an Exchange server. Can our Exchange server be used as their SMTP server to send out invoices?  I know this would work with Exchange Online/Office 365 as it allows you to enable SMTP AUTH for specific mailboxes. But I'm not so sure if this would work with an on-premise Exchange server. 

 

PS. I tried creating an SMTP Relay on our on-premise Exchange and whitelisted the site's IP Address. We're trying to authenticate using our webmail address.  We get error 10060. 

 

Any help would be appreciated. 

 

Thanks.

4 Replies

@Machiavelli 

Your on-premises Exchange Server provides the ability to accept authenticated SMTP messages by default. When you take your ERP software solution as an example, you can follow these steps for the external application:

  1. Create a new user mailbox for the ERP application and ensure that the email address and the display name align with your requirements for sending emails.
  2. Allow inbound traffic on TCP 587 to your on-premises Exchange servers.
     This approach uses the default client submission port TCP 587, which is designed to allow users to deliver authenticated SMTP messages to the Exchange organization for further processing.
  3. Configure your ERP solution to use TCP 587 + TLS when sending emails, and use the credentials from step 1 for authentication.

In this example, I identify the ERP application as an SMTP client that wants to deliver an email message, and not as a server. Therefore, I use the Client Frontend connector on TCP 587 instead of the Default Frontend connector on TCP 25. 

Whitelisting a remote IP address poses a risk for using the Exchange server as an open relay by IP spoofing.
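The client side of step 3, as an added example that is not part of Thomas's reply or of any Exchange documentation: the ERP host connects to TCP 587, insists on STARTTLS with certificate verification before it ever sends the mailbox credentials, and checks what the connector advertises before and after TLS. The host name, mailbox and recipient are constructed placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Constructed placeholder values; replace with the real Exchange host and ERP mailbox.
SUBMISSION_HOST = "mail.example.com"   # on-premises Exchange, Client Frontend connector
SUBMISSION_PORT = 587
ERP_MAILBOX = "erp-invoices@example.com"

# SASL mechanisms that carry the password (near enough) in the clear.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def submission_findings(before_tls: dict, after_tls: dict) -> list:
    """Review the ESMTP features advertised before and after STARTTLS, keyed as in
    smtplib's esmtp_features (lower-case extension name -> parameter string), and
    return the problems a submission client should refuse to proceed on."""
    findings = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not offered: credentials must not be sent")
    exposed = CLEARTEXT_MECHS & set(before_tls.get("auth", "").upper().split())
    if exposed:
        findings.append(f"{sorted(exposed)} offered before TLS: a careless client would leak the password")
    if not after_tls.get("auth", "").split():
        findings.append("no AUTH mechanism after TLS: connector does not accept authenticated submission")
    return findings


def send_invoice(username: str, password: str, to_addr: str, pdf_bytes: bytes) -> dict:
    """Submit one invoice over TCP 587: EHLO, STARTTLS with a verifying context,
    re-read the features, then AUTH with the ERP mailbox credentials."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = ERP_MAILBOX, to_addr, "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename="invoice.pdf")

    ctx = ssl.create_default_context()          # verifies the server certificate and host name
    with smtplib.SMTP(SUBMISSION_HOST, SUBMISSION_PORT, timeout=30) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        if "starttls" not in before:
            raise RuntimeError("server did not offer STARTTLS; not sending credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()                              # features must be re-read after TLS
        problems = submission_findings(before, smtp.esmtp_features)
        if problems:
            raise RuntimeError("; ".join(problems))
        smtp.login(username, password)           # only ever reached over verified TLS
        return smtp.send_message(msg)            # {} means every recipient was accepted
```

A connector that only offers LOGIN after STARTTLS passes `submission_findings` cleanly; one that offers PLAIN or LOGIN on the unencrypted session, or none at all after TLS, makes the client stop before any credential leaves the ERP host.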


@Thomas Stensitzki Sounds good, Thomas. Thank you very much for your advice. I will revisit those settings and give that a try as per your instructions. 

 

Cheers :) 

@Thomas Stensitzki - is SMTP client auth possible with an AD-only user? There should be no mailbox on the Exchange.

As seen: smtp - AD User Authentication to Exchange 2016 - Server Fault

 

Read you!

hRy

Hello @hbilke

That is a good question. I haven't tried this approach.

Exchange Online requires a valid sender address from your tenant. The allowed sender for the used email address is either the mailbox user itself or a user that has send-as permission for the sender address. 

Exchange Online allows only for EXO licensed users as send-as or send-on-behalf users. Therefore, I assume that the answer to your question is no. 

 

-Thomas