Published byJoella Barber Modified over 8 years ago
Slide 1: Configuring a Proper SMTP Relay for Exchange On-Prem and Exchange Online
Jeff Guillet, MVP | MCSM | CISSP
Slide 2: CONFIGURING A PROPER SMTP RELAY - Overview
- How to set up and configure an SMTP relay properly, both on-prem and for Office 365
- SMTP relays allow on-prem appliances and application servers to send emails and alerts to internal and/or external users
- Proper configuration helps protect your organization and your SMTP namespaces
#ITDevConnections
Slide 3: Types of SMTP Relays
- Internal relays: accept internal mail for delivery to internal users only
- External relays: accept internal mail for delivery to internal and external users
- Open relays: accept mail from anyone and relay it to other SMTP domains = BAD. An open relay gets abused for spam and ends with your IPs and namespace blacklisted
Slide 4: On-Prem Only Customers
- Use on-prem Exchange servers for relay
  - Opportunistic TLS (STARTTLS is offered; the client decides whether to use it)
- Use round-robin DNS (RRDNS) or MX records for HA. Don't load balance.
- Other options:
  - Dedicated IIS server (usually non-TLS)
  - SMTP gateway (usually non-TLS)
- Set-TransportConfig -InternalSMTPServers: list your relay's IP ranges so Sender ID and connection filtering look past the relay to the original sending IP
Slide 5: Relay via On-Prem Exchange
- More control
- Single relay source
- Allows external recipients
- No spam filtering
- Opportunistic TLS 1.0+ (on current builds TLS 1.2 should be the floor)
- Uses TCP 25
Slide 6: Hybrid Customers
- Use the Exchange hybrid/management server
  - TLS by default (the hybrid connectors to Exchange Online Protection are TLS-secured)
- Use RRDNS or MX records for HA. Don't load balance.
- Other options:
  - Dedicated IIS server (usually non-TLS)
  - SMTP gateway (usually non-TLS)
  - Direct to O365 (more on this later)
- Set-TransportConfig -InternalSMTPServers, as for on-prem
Slide 7: Relay via Hybrid Server
- More control
- Single relay source
- Allows external recipients
- Bypasses the header firewall (relayed mail reaches EOP over the hybrid connector as internal mail, so scope this relay tightly)
- No spam filtering
- Uses TLS 1.0+
- Uses TCP 25
Slide 8: Cloud-Only Customers
- Create an SMTP relay:
  - Exchange server (Edge or hybrid/management server)
  - Dedicated IIS server (usually non-TLS)
  - SMTP gateway (usually non-TLS)
  - Or... direct to O365 (more on this later)
- Use RRDNS or MX records for HA. Don't load balance.
Slide 9: Configuring Relay Services
1. Create a relay namespace in internal DNS (e.g. relay.contoso.com) so devices point at a name you control rather than at a server
2. Configure the relay:
   - Exchange Receive/Send Connectors
   - SMTP gateway
   - IIS server
3. Identify the devices and app servers that relay (see the SMTP Talkers slide)
4. Reconfigure those devices and app servers to use the relay namespace
Slide 10: Configuring an IIS Relay Server
- Works with any Windows Server
- Install the SMTP Server feature and IIS 6.0 Manager
- Install an SSL certificate
- Configure SMTP Server properties (IPs, authentication, limits, TLS)
- Add a remote domain for smtp.office365.com
- Restart IIS and the SMTP Server service
- Detailed steps at http://www.expta.com/2013/10/how-to-configure-internal-smtp-relay.html
Slide 11: Relay Directly to Office 365
- Best for small orgs
- Requires no on-prem relay
- Configure on-prem devices to use the tenant's MX endpoint (shown on the slide as contoso.mail.eo.outlook.com; current tenants use the contoso-com.mail.protection.outlook.com form)
- Important notes:
  - Firewall must allow TCP 25 or 587 outbound from every device that sends directly
  - Devices are treated as anonymous senders unless they authenticate to send through a mailbox (client submission)
  - Does not require TLS (a device that never offers STARTTLS is still accepted)
Slide 12: Relay via Client Submission
- Less control
- Multiple relay sources
- Allows external recipients
- Requires TLS 1.0+ (Exchange Online now requires TLS 1.2 for SMTP client submission)
- No spam filtering
- Uses TCP 587 (or 25)
- Authenticates as a mailbox against smtp.office365.com, so the mailbox sending limits apply
Slide 13: Relay via Direct Send
- Less control
- Multiple relay sources
- Internal recipients only
- No TLS required
- Subject to spam filtering
- Uses TCP 25
- Add the sending device's public IP to your SPF record
Slide 14: Office 365 Relay Limits
- O365 was designed for real people sending mail, not for mass-mailing software or services
  - Limited to 30 messages per minute and 10,000 recipients per day per mailbox (https://technet.microsoft.com/en-us/library/exchange-online-limits.aspx#MessageLimits)
- For transactional, marketing, or any other bulk email, use a third-party service
Slide 15: Determine SMTP Talkers
- Download and install LogParser 2.2 (http://www.microsoft.com/en-us/download/details.aspx?id=24659)
- Protocol logging must be Verbose on the receive connectors you want to see; it is None by default on connectors you create
- Exchange 2007:
  set Logs=C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log
- Exchange 2010/2013 (Hub Transport):
  set Logs=%ExchangeInstallPath%TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log
- Exchange 2016 (and the Front End transport service on 2013, which is where device relay lands):
  set Logs=%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log
  (%ExchangeInstallPath% already ends with a backslash)
- Execute from an elevated CMD prompt (not PowerShell; %Logs% and the quoting are CMD syntax). -nSkipLines:4 skips the four comment lines so the "#Fields:" line becomes the CSV header:
  "%ProgramFiles(x86)%\Log Parser 2.2\LogParser.exe" "SELECT EXTRACT_PREFIX(remote-endpoint,0,':') AS IP, REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) AS Name, COUNT(*) AS Hits FROM '%Logs%' WHERE data LIKE '%EHLO%' GROUP BY IP ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
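The same "who talks SMTP to my relay" query, redone in PowerShell so it runs without LogParser. This is an added example, not the deck's script: it parses the Exchange protocol-log CSV (the "#Fields:" comment line is the header), keeps the EHLO/HELO each session opens with, and tallies by client IP together with the connector that answered. The log lines below are constructed to mimic the real format; the path in the commented usage is the Exchange 2016 Front End default and assumes protocol logging is already Verbose.

```powershell
# Added example (not the deck's own script): SMTP talkers from Exchange SmtpReceive protocol logs.
function Get-SmtpTalker {
    [CmdletBinding()]
    param(
        # Raw lines from one or more SmtpReceive protocol logs, '#' header lines included
        [Parameter(Mandatory)] [string[]] $LogLines,
        [switch] $ResolveNames   # reverse-DNS each IP (slow; needs PTR records)
    )
    $fields = $null
    $rows = New-Object 'System.Collections.Generic.List[object]'
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Exchange writes the column names as a comment; LogParser's -nSkipLines:4 exposes the same line as header
            $fields = $line.Substring('#Fields:'.Length).Trim().Split(',')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data line seen before a #Fields header; is this an Exchange protocol log?' }
        $rows.Add(($line | ConvertFrom-Csv -Header $fields))
    }

    $rows |
        # event '<' = received from the client; keep only the greeting that opens each session
        Where-Object { $_.event -eq '<' -and $_.data -match '^(EHLO|HELO)\b' } |
        ForEach-Object {
            # remote-endpoint is "ip:port"; drop the port so every session from a host groups together
            $ip = $_.'remote-endpoint' -replace ':\d+$', ''
            $_ | Add-Member -NotePropertyName ip -NotePropertyValue $ip -PassThru
        } |
        Group-Object -Property ip |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $name = ''
            if ($ResolveNames) {
                try { $name = [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { $name = '(no PTR)' }
            }
            [pscustomobject]@{
                IP         = $_.Name
                Name       = $name
                Hits       = $_.Count
                # Which connector(s) accepted the host: a device landing on the external relay connector deserves a look
                Connectors = ($_.Group.'connector-id' | Sort-Object -Unique) -join '; '
                HeloNames  = ($_.Group.data | ForEach-Object { ($_ -split '\s+', 2)[1] } | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample (not real log data): the real five-line header, then three sessions
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: SMTP Receive Protocol Log
#Date: 2016-03-01T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-03-01T08:00:01.001Z,EX16A\Internal Relay,08D3412E8C6F9C01,0,10.1.1.10:25,10.1.2.50:51234,+,,
2016-03-01T08:00:01.002Z,EX16A\Internal Relay,08D3412E8C6F9C01,1,10.1.1.10:25,10.1.2.50:51234,>,"220 EX16A\Internal Relay",
2016-03-01T08:00:01.003Z,EX16A\Internal Relay,08D3412E8C6F9C01,2,10.1.1.10:25,10.1.2.50:51234,<,EHLO printer01.contoso.com,
2016-03-01T08:00:02.001Z,EX16A\Internal Relay,08D3412E8C6F9C02,0,10.1.1.10:25,10.1.2.50:51240,+,,
2016-03-01T08:00:02.003Z,EX16A\Internal Relay,08D3412E8C6F9C02,2,10.1.1.10:25,10.1.2.50:51240,<,EHLO printer01.contoso.com,
2016-03-01T08:00:03.001Z,EX16A\External Relay,08D3412E8C6F9C03,0,10.1.1.10:25,10.1.5.20:40001,+,,
2016-03-01T08:00:03.003Z,EX16A\External Relay,08D3412E8C6F9C03,2,10.1.1.10:25,10.1.5.20:40001,<,HELO appsrv01,
'@
$sampleLog = $sampleLog -split "`r?`n"

Get-SmtpTalker -LogLines $sampleLog | Format-Table -AutoSize

# Against real logs (Exchange 2016 default Front End path; Get-Content accepts the wildcard):
# $real = Get-Content (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log')
# Get-SmtpTalker -LogLines $real -ResolveNames | Format-Table -AutoSize
```

Run it before and after the device reconfiguration step: the "before" list is your inventory of talkers, and anything still hitting a server directly afterwards is a device that missed the change.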
Slide 16: DEMO
Slide 17: TLS Connections
- What is TLS? Encryption of the SMTP session, negotiated with STARTTLS after EHLO
- Required for client submission relay and for hybrid
- TLS requirements:
  - Resolvable FQDN namespace (the name the devices connect to, e.g. relay.contoso.com)
  - Third-party SSL certificate (the devices must trust the issuing CA)
    - Must be valid and trusted
    - Name must match the namespace
    - CRL must be reachable from the client
Slide 18: Overview of Connectors
- Receive Connectors
  - Frontend Receive Connectors: client facing (TCP 25 on the Front End transport service)
  - Hub Transport Receive Connectors: backend
  - Scoping: IPs allowed to use the connector (RemoteIPRanges; the most specific match wins when several connectors share a binding)
  - Security: authentication methods and permission groups
  - Optional external relay permission (lets anonymous senders on that connector address any recipient; grant it only on a connector scoped to known hosts):
    Get-ReceiveConnector "External Relay E15MB1" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
- Send Connectors
  - DNS delivery
  - Smart hosting
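The Configuring Relay Services and Overview of Connectors slides, as one Exchange Management Shell script. This is an added example rather than the deck's own code: it creates the two dedicated, IP-scoped relay connectors the deck recommends, grants the relay right only on the external one, registers the internal ranges with Set-TransportConfig, and then audits every receive connector for the open-relay combination (anonymous access plus Accept-Any-Recipient plus an unscoped RemoteIPRanges). Server name EX16A, the relay namespace relay.contoso.com, the 10.1.0.0/16 range and the two app-server addresses are assumptions.

```powershell
# Added example, not the deck's script. Run in the Exchange Management Shell; names and ranges are assumed.
$server           = 'EX16A'
$relayFqdn        = 'relay.contoso.com'          # the name devices are pointed at (RRDNS/MX for HA)
$internalRanges   = @('10.1.0.0/16')             # anything here may submit mail to internal recipients
$externalRelayIPs = @('10.1.5.20', '10.1.5.21')  # only these hosts may relay to external recipients

# 1) Internal relay: anonymous submission, opportunistic TLS, internal recipients only (no relay right).
#    Both connectors bind 0.0.0.0:25; Exchange gives a session to the connector whose RemoteIPRanges match
#    most specifically, so the two /32 hosts land on External Relay and everything else in the /16 lands here.
New-ReceiveConnector -Server $server -Name 'Internal Relay' -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $internalRanges -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers -Fqdn $relayFqdn -Banner '220 EX16A Internal Relay' | Out-Null

# 2) External relay: identical, plus the right for anonymous senders to address any recipient.
$external = New-ReceiveConnector -Server $server -Name 'External Relay' -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $externalRelayIPs -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers -Fqdn $relayFqdn -Banner '220 EX16A External Relay'
$external | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null

# 3) Let Sender ID and connection filtering look through the relay to the original client IP.
Set-TransportConfig -InternalSMTPServers @{Add = $internalRanges}

# 4) Protocol logging is None on new connectors; turn it on so the SMTP Talkers query can see who relays.
Get-ReceiveConnector -Server $server | Where-Object Name -like '*Relay' | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 5) Audit: anonymous access + Accept-Any-Recipient + a RemoteIPRanges of "everything" is an open relay.
function Find-OpenRelayConnector {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $relayRight = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        # The default, unscoped range displays as 0.0.0.0-255.255.255.255 (IPv6 equivalent starts with ::-)
        $unscoped = @($rc.RemoteIPRanges | Where-Object { "$_" -like '0.0.0.0-255*' -or "$_" -like '::-*' })
        if ($relayRight -and $unscoped.Count -gt 0) {
            [pscustomobject]@{
                Connector      = $rc.Identity
                RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
                Fix            = 'Scope RemoteIPRanges to the relaying hosts, or remove ms-Exch-SMTP-Accept-Any-Recipient'
            }
        }
    }
}
Find-OpenRelayConnector | Format-List
```

The audit function is worth running on its own across the organization whenever a connector is added: the relay right is easy to grant for a one-off application and easy to forget.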
Slide 19: SMTP Banners
- Set a distinct SMTP banner on every Receive Connector so a Telnet test shows which connector answered:
  Get-ReceiveConnector | ForEach-Object { Set-ReceiveConnector -Identity $_.Identity -Banner "220 $($_.Identity)" }
- The banner must start with "220 "; it is visible to anyone who can connect, so keep it generic on Internet-facing connectors
Slide 20: Testing the Relay
- Telnet client: telnet relay.contoso.com 25, then EHLO / MAIL FROM / RCPT TO. A "550 5.7.1 Unable to relay" on an external RCPT TO is the correct answer from an internal-only relay
- PowerShell (replace the addresses with your own):
  Send-MailMessage -From "relaytest@contoso.com" -To "admin@contoso.com" -Subject "PowerShell Relay Test" -Body "Testing 1-2-3" -SmtpServer ex16a
- Command-line utilities like POSTIE
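The Telnet test above, scripted, together with the certificate checks from the TLS Connections slide. This is an added example and not the deck's code: it speaks SMTP by hand, upgrades with STARTTLS when the relay offers it, validates the certificate the way a device would (trusted chain, name matches the namespace, revocation reachable), and then asks for an external RCPT TO without ever sending DATA, so nothing is delivered. The names relay.contoso.com, relaytest.contoso.com and the addresses are assumptions; substitute your own.

```powershell
# Added example, not from the deck: scripted Telnet-style relay test with a STARTTLS certificate check.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 25,
        [string] $HeloName = 'relaytest.contoso.com',
        [string] $From = 'relaytest@contoso.com',
        [string] $To = 'someone@example.com'      # an external address proves whether this connector relays
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $net    = $client.GetStream()
    $ascii  = [System.Text.Encoding]::ASCII
    $reader = New-Object System.IO.StreamReader($net, $ascii)
    $writer = New-Object System.IO.StreamWriter($net, $ascii)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Reads one SMTP reply, including multi-line "250-..." continuations; returns the code and the lines
    function Read-Reply {
        $lines = @()
        do { $l = $reader.ReadLine(); $lines += $l } while ($l -and $l.Length -ge 4 -and $l[3] -eq '-')
        [pscustomobject]@{ Code = [int]$l.Substring(0, 3); Lines = $lines }
    }
    function Send-Cmd([string] $cmd) {
        Write-Host "C: $cmd"
        $writer.WriteLine($cmd)
        $r = Read-Reply
        $r.Lines | ForEach-Object { Write-Host "S: $_" }
        $r
    }

    $result = [ordered]@{ Server = ('{0}:{1}' -f $Server, $Port) }
    $banner = Read-Reply                                   # "220 ..." names the connector when banners are distinct
    $result.Banner = $banner.Lines[0]
    $ehlo = Send-Cmd "EHLO $HeloName"
    $result.StartTlsOffered = [bool]($ehlo.Lines -match '^250[- ]STARTTLS$')

    if ($result.StartTlsOffered) {
        if ((Send-Cmd 'STARTTLS').Code -eq 220) {
            try {
                # AuthenticateAsClient throws on an untrusted chain, a name mismatch or an unreachable CRL:
                # the three certificate requirements on the TLS slide
                $ssl = New-Object System.Net.Security.SslStream($net, $false)
                $ssl.AuthenticateAsClient($Server)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $result.TlsProtocol = $ssl.SslProtocol
                $result.CertSubject = $cert.Subject
                $result.CertExpires = $cert.NotAfter
                # The session continues on the encrypted stream and must start over with EHLO (RFC 3207)
                $reader = New-Object System.IO.StreamReader($ssl, $ascii)
                $writer = New-Object System.IO.StreamWriter($ssl, $ascii)
                $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
                [void](Send-Cmd "EHLO $HeloName")
            } catch {
                $result.TlsError = $_.Exception.Message    # the reason a device would refuse this relay
                $client.Close()
                return [pscustomobject]$result
            }
        }
    }

    [void](Send-Cmd "MAIL FROM:<$From>")
    $rcpt = Send-Cmd "RCPT TO:<$To>"
    # 250 = this connector relays for us; 550 5.7.1 "Unable to relay" = correctly refused
    $result.RelayAccepted = ($rcpt.Code -eq 250)
    $result.RcptReply     = $rcpt.Lines[0]
    [void](Send-Cmd 'RSET'); [void](Send-Cmd 'QUIT')       # no DATA: permissions only, no test mail lands anywhere
    $client.Close()
    [pscustomobject]$result
}

# Usage: test the relay namespace the devices use, not an individual server
# Test-SmtpRelay -Server relay.contoso.com -To someone@example.com
```

Run it twice from each class of source: from an address inside the internal relay scope the external RCPT TO should be refused, and from an approved app server it should be accepted. For the Office 365 paths, Send-MailMessage with -SmtpServer smtp.office365.com -Port 587 -UseSsl -Credential exercises client submission, and the same cmdlet pointed at the tenant MX endpoint on port 25 exercises direct send.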
Slide 21: Blacklisting
- Avoid at all costs: once a relay IP is listed, every sender behind it is affected
- Protect your corporate domain's SMTP namespace and IPs:
  - Use a dedicated public IP for relaying
  - Use EOP for relaying
  - Use a third party for relaying
  - Use a dedicated relay namespace
  - Configure SPF / DKIM; add the SMTP relay's public IP to your SPF record if it sends directly to the Internet
- SPF records and DKIM:
  - One and only one SPF record per domain (two or more is a permanent error, not a merge)
  - No more than 10 DNS lookups (include:, a, mx, ptr, exists and redirect= terms, counting those inside included records)
  - SPF-type (RR type 99) records are deprecated; publish SPF as a TXT record
  - Ignore the O365 Portal's "important" recommendations
- Test O365 relaying to confirm the IP is not blocked
  - Telnet test
  - How to get delisted
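A check for the three SPF rules on this slide, written as an added example rather than anything from the deck: exactly one v=spf1 TXT record, no more than 10 DNS-querying terms counted through include: and redirect=, and the relay's public IP present as an ip4: term. The resolver is pluggable, so the constructed sample zone at the bottom runs offline; the default resolver uses Resolve-DnsName against real DNS. The domain names and addresses in the sample (documentation ranges) are constructed, not real records.

```powershell
# Added example, not from the deck: SPF sanity checks for a sending domain.
function Get-SpfRecords {
    # Every TXT record at $Domain as one string (long records arrive split into chunks), SPF ones only
    param([string] $Domain, [scriptblock] $Resolver)
    @(& $Resolver $Domain) | Where-Object { $_ -match '^v=spf1(\s|$)' }
}

function Measure-SpfLookups {
    # RFC 7208 4.6.4: include, a, mx, ptr, exists and redirect each cost a DNS query, and the limit of 10
    # applies to the whole evaluation, so terms inside included records count as well.
    param([string] $Domain, [scriptblock] $Resolver, [int] $Depth = 0)
    if ($Depth -gt 10) { return 99 }                  # include loop or absurd nesting: treat as over the limit
    $spf = @(Get-SpfRecords -Domain $Domain -Resolver $Resolver)
    if ($spf.Count -ne 1) { return 0 }                # nothing (or nothing unambiguous) to count here
    $count = 0
    foreach ($term in $spf[0].Split(' ', [StringSplitOptions]::RemoveEmptyEntries)) {
        switch -Regex ($term) {
            '^[+\-~?]?include:(.+)$'        { $count += 1 + (Measure-SpfLookups -Domain $Matches[1] -Resolver $Resolver -Depth ($Depth + 1)) }
            '^redirect=(.+)$'               { $count += 1 + (Measure-SpfLookups -Domain $Matches[1] -Resolver $Resolver -Depth ($Depth + 1)) }
            '^[+\-~?]?(a|mx|ptr)([:/].*)?$' { $count++ }
            '^[+\-~?]?exists:'              { $count++ }
        }
    }
    $count
}

function Test-SpfDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $RelayIp,
        [scriptblock] $Resolver = {
            param($d)
            try {
                Resolve-DnsName -Name $d -Type TXT -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'TXT' } |
                    ForEach-Object { $_.Strings -join '' }
            } catch { @() }                           # NXDOMAIN or no TXT: behave as "no record"
        }
    )
    $spf     = @(Get-SpfRecords -Domain $Domain -Resolver $Resolver)
    $lookups = Measure-SpfLookups -Domain $Domain -Resolver $Resolver
    $listed  = $false
    if ($spf.Count -eq 1 -and $RelayIp) {
        # Only literal ip4: terms in the top-level record; an IP reached through include: is not recognised here
        $listed = [bool]($spf[0].Split(' ') | Where-Object { $_ -match "^\+?ip4:$([regex]::Escape($RelayIp))(/32)?$" })
    }
    [pscustomobject]@{
        Domain         = $Domain
        SpfRecordCount = $spf.Count        # must be exactly 1: zero means no SPF, two or more is a permerror (RFC 7208 4.5)
        DnsLookups     = $lookups          # must be 10 or fewer, or receivers return permerror
        RelayIpListed  = $listed
        Problems       = @(
            if ($spf.Count -ne 1) { "expected exactly one v=spf1 TXT record, found $($spf.Count)" }
            if ($lookups -gt 10)  { "$lookups DNS lookups exceeds the limit of 10" }
            if ($RelayIp -and -not $listed) { "relay IP $RelayIp is not listed as an ip4: term" }
        )
    }
}

# Constructed sample zone so the check runs offline (documentation ranges; not real records)
$sampleZone = @{
    'contoso.com'        = @('v=spf1 ip4:203.0.113.25 include:_spf.example.net -all', 'MS=ms12345678')
    '_spf.example.net'   = @('v=spf1 ip4:198.51.100.0/24 a mx include:_spf2.example.net -all')
    '_spf2.example.net'  = @('v=spf1 ip4:192.0.2.0/24 -all')
    'broken.example.org' = @('v=spf1 mx -all', 'v=spf1 ip4:192.0.2.7 -all')   # two SPF records: permerror
}
$offlineResolver = { param($d) if ($sampleZone.ContainsKey($d)) { $sampleZone[$d] } else { @() } }.GetNewClosure()

Test-SpfDomain -Domain 'contoso.com' -RelayIp '203.0.113.25' -Resolver $offlineResolver
Test-SpfDomain -Domain 'broken.example.org' -Resolver $offlineResolver

# Against real DNS: Test-SpfDomain -Domain 'contoso.com' -RelayIp '<relay public IP>'
```

The lookup count is the rule most often broken silently: each third-party service you include: brings its own nested includes, and the record keeps "working" in casual tests right up until a receiver evaluates it fully and returns permerror.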
Slide 22: Recommendations
- Use Exchange servers for SMTP relays
  - Cloud/hybrid customers: use your hybrid or management server
- Use the SMTP Talkers script to identify devices that relay
- Use dedicated Receive Connectors for internal and external relays
- Configure internal IP ranges as internal SMTP servers (Set-TransportConfig -InternalSMTPServers)
- Scope relay connectors to IPs or ranges
- Set SMTP banners and use Telnet for testing
- Always test your SMTP relays
- Protect your SMTP namespace