IIS Relay to O365 with Modern Authentication enabled


I turned on Modern Authentication on our tenant this weekend in preparation for MFA. Since then I can no longer relay email from copiers, etc. through the IIS relay with authentication. I do have it working with a connector (IP) and no authentication, but it doesn't seem to be as reliable in mail actually getting delivered (hitting spam filters).

We do use ADFS also but nothing was changed there yet.

I followed this document when setting it up and I've done the same on a test server with no luck.

https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-configure-iis-for-relay-with-office-365

I can use Thunderbird with the same credentials and the messages are sent as expected.

 

IIS SMTP logs:

2018-12-18 16:01:14 172.25.124.134 [172.25.124.134] SMTPSVC1 TEST-SRV2016A <relayIP> 0 EHLO - +[<localIP>] 250 0 203 21 0 SMTP - - - -
2018-12-18 16:01:14 172.25.124.134 [172.25.124.134] SMTPSVC1 TEST-SRV2016A <relayIP> 0 MAIL - +FROM:<bjackson@<domain>.com> 250 0 44 54 0 SMTP - - - -
2018-12-18 16:01:14 172.25.124.134 [172.25.124.134] SMTPSVC1 TEST-SRV2016A <relayIP> 0 RCPT - +TO:<bjackson@<domain>.com> 250 0 32 29 0 SMTP - - - -
2018-12-18 16:01:14 172.25.124.134 [172.25.124.134] SMTPSVC1 TEST-SRV2016A <relayIP> 0 DATA - +<23bae685-2c48-fcac-f9f8-4e9953f3f0ca@<domain>.com> 250 0 133 423 0 SMTP - - - -
2018-12-18 16:01:14 172.25.124.134 [172.25.124.134] SMTPSVC1 TEST-SRV2016A <relayIP> 0 QUIT - [<localIP>] 240 78 73 4 0 SMTP - - - -

 

I'm at a loss as to what to try next. Any ideas?

1 Reply

I think I finally have it working. I created an In Cloud user with the .onmicrosoft.com address, assigned an Exchange license, and set up the Send As delegation for the accounts sending as, and it works as it did before I enabled Modern Authentication.