SOLVED

Can't send SMTP mail after setting Default Security in Office 365

After I activated the 'Default Security' in Office 365, the multifunctionals can't scan-to-mail.

I get error 

SmtpCmdResp: 535 5.7.3 Authentication unsuccessful [LO2P265CA0457.GBRP265.PROD.OUTLOOK.COM]
--readSmtpResponse
SMTP authentication failed after sending password.
Check your username/password or your SMTP server's auth settings

Settings:
smtp_host: smtp.office365.com
smtp_port: 587

Before activating Default Security there was no problem.

Well you might have bothered to read the documentation on Security defaults first to avoid such issues :) Among other things, they block basic auth for SMTP, which I suppose is what your devices use. You can either disable Security defaults, create a similar CA policy with exceptions added for the devices, or use some smart host/relay to route those messages.

@Vasil Michev 

Nah, I'm more the 'let's see what this button does' type of guy :)

MS is expert in producing large quantities of text with very little info. Especially if English is not your native language it's sometimes very difficult to follow.

Do you think there is a way to **bleep** a little hole in the default security, just to allow one mail account to send mail via SMTP?

That depends on what licensing you have. Security defaults on their own don't allow much customizability, it's a plain on/off switch for all features as a single package. But if you have AAD Premium licenses, you can create a policy that matches the Security defaults restrictions, with few added exceptions as needed.

@MarcVHB While I am not aware of what devices you are using I can tell you that I used this documentation to set up a HP MFP X585 and a Canon MF735CDW.

We use a shared mailbox with a password set on the mailbox to do Authenticated SMTP.

@Forrest Hoffman

I use Kyocera devices. SMTP used to work, until I activated Default Security.
For new Office 365 tenants, Default Security is now standard set to 'on', so new Office 365 users won't be able to send SMTP mails with multifunctional devices.

I was hoping there would be a simple way just for one user (or shared mailbox) to send SMTP mail.

@MarcVHB Right, you would need to use a mailbox that has a username and password unfortunately.

@MarcVHB 

I just enabled Security Defaults in our Office 365 tenant as well the other day and also have the same problem (from an app that uses SMTP). I disabled Security Defaults but the app still can't send through SMTP anymore. Even tried disabling MFA = still not working.

Did you get a resolution to your issue in the end?

@BinhTang

No, at the moment I use the SMTP server of my internet provider.

Not the way it should be, but it works.

I know this is an old thread, but I'm having the same problem as @BinhTang. For half my tenants SMTP does not work even with Default Security disabled. I found there is some kind of Azure security that disables Legacy SMTP and that overrides the settings in the Admin panel. So I think once the tenants are created with the default Security settings or if you enable it, you're screwed since you can't go back and change those settings in Azure if you don't have it. I opened a ticket with Microsoft and so far they have not been able to solve my problem.

Today I had the problem again with a new Office 365 tenant. He couldn't send SMTP mails. It looks like MS is activating the Default Security for new tenants now. Luckily, after disabling the Default Security SMTP sending was working.

@MarcVHB My problem is that even after disabling Default Security it still doesn't work. I have like 10 of my tenants with that problem, and another 10 which are working fine.

Same here, old tenant using a non-TLS connector to relay email to internal and external email addresses, filtered by Fixed Public IP Address, as supported by Microsoft works perfectly, no Security Defaults or annoying MFA ACTIVE.
New tenant, came with Security Defaults active by default (thanks Microsoft), which I have disabled in Azure Portal, doesn't work with the same exact connector configuration! We use this for our multifunctional printers to scan documents.... Spent 1 hour yesterday with Microsoft on the phone, they checked both tenants, checked pretty much what I have already checked and reached no conclusion.... They told me that tenant was dehydrated, they would do something in the background and that they would get back in touch today!
2 days fighting this stupid problem when I have other important things to do!

@LusoAdmin What I found out for new tenants:

Disable the default security settings

Enable the MFA on all users, one by one

Wait some minutes

Disable MFA for all users, one by one

And: tadaaa, SMTP works again.

@MarcVHB thanks for the tip, I'll test it for sure and let you know if it worked. This tenant was created just for this purpose, it only has one account ;)
This is the kind of tips and workarounds you expect Microsoft support to know.
Thanks
best response confirmed by MarcVHB (Copper Contributor)
Solution

@LusoAdmin Hey there. I'll put the solution here because as far as I can tell, everyone should also have that problem now. It took 1 week with the Microsoft support to finally find the solution. Just like I thought, because now the default security is enabled when you create a new tenant, even if you disable it, SMTP somehow stays disabled and that overrides the settings in your admin panel.

All you have to do is enable it in PowerShell. To connect with PowerShell, first you have to execute this:

Connect-MsolService
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Then you enter your admin credentials. After that, you can check the "smtp disabled" flag, it should be set to "true":

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

To enable SMTP and get things working again, you enter this command:

Set-TransportConfig -SmtpClientAuthenticationDisabled $false

Worked for all my tenants.  I hope this helps you too!
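
Added example, not part of the original thread or of the post above: the accepted fix re-enables SMTP AUTH for every mailbox in the tenant. Exchange Online exposes the same flag per mailbox through Get-CASMailbox and Set-CASMailbox, and a per-mailbox value overrides the tenant value, so the scanner account alone can be allowed. The address scanner@contoso.example is a placeholder.

```powershell
# Added example: allow SMTP AUTH for one device mailbox instead of the whole tenant.
# Needs the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholder (assumption): the mailbox the multifunctional device signs in as.
$ScannerMailbox = 'scanner@contoso.example'

# 1. Tenant-wide state. True = SMTP AUTH is blocked unless a mailbox overrides it.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
Write-Host "Tenant SmtpClientAuthenticationDisabled: $orgDisabled"

# 2. Inventory mailboxes that already carry an explicit per-mailbox value.
#    An empty ($null) value means the mailbox simply follows the tenant setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $null -ne $_.SmtpClientAuthenticationDisabled } |
    Select-Object Name, PrimarySmtpAddress, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 3. Allow SMTP AUTH for the scanner mailbox only.
Set-CASMailbox -Identity $ScannerMailbox -SmtpClientAuthenticationDisabled $false

# 4. Keep (or restore) the tenant-wide block for everyone else.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 5. Verify both levels: the mailbox should show False, the tenant True.
Get-CASMailbox -Identity $ScannerMailbox |
    Format-List Name, PrimarySmtpAddress, SmtpClientAuthenticationDisabled
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
```

As noted earlier in the thread, Security defaults block basic auth for SMTP on their own, so the per-mailbox override only takes effect where that block is off or has been replaced by a policy with exceptions.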

 

@ssimard You, my friend, are my savior. I've been battling this issue for 2 days, messing with every setting I could find in O365 and Azure AD, and this simple PowerShell solved my issue instantly.

@ssimard Thank you for this info.
Does this work with Security Defaults on or did you also have to disable Security Defaults and leave it off for your tenants?

@PhilipD4Good Glad I could help you guys.  Security Default is disabled for all my tenants, so I don't know if you could leave it on.

@Vasil Michev 

How can I create such a Conditional Access Policy for enabling SMTP again?
