Workaround for BASIC authentication on Exchange Online

Microsoft finished disabling Basic authentication for Exchange Online in early 2023. Many companies still run legacy applications that send outbound email through Exchange Online with a plain user ID and password, and changing those applications is costly and cannot be done quickly. This page describes an alternative: route outbound mail through a separate SMTP server so the applications keep working with little or no change.

Existing Scenario

The following diagram shows the email flow before Microsoft enforced this change. Assume the following:

  • You have a CRM application that needs to send outbound email.
  • The sender (the From address) can be any of several employees in your company.
  • The recipients (To, CC, BCC) can be any address on the Internet, such as @gmail.com or @yahoo.com.
  • To get a message to @gmail.com or @yahoo.com, the CRM application logs in to Exchange Online with a user ID and password (Basic authentication over SMTP), and Exchange Online accepts the message for delivery.

[Diagram: BeforeBasicAuth.png]

This worked until early 2023. Now that Basic authentication is disabled, Exchange Online rejects the application's login, so the message is never accepted for delivery.

Workaround

A simple workaround is to point the CRM application at another SMTP server, such as Xeams, which then delivers the message to the final recipient. Xeams looks up the MX record of the recipient's domain and hands the message directly to that domain's mail server on port 25. Receiving servers do not ask for SMTP authentication on that path; what they check instead is the reputation and reverse DNS of the sending IP and the sender domain's SPF and DKIM results, which is why the DNS changes described below matter.

The following network diagram displays how the emails flow once Xeams is introduced.

[Diagram: AfterBasicAuth.png]

How this works

You will have to make the following changes in your environment for this to work:

  • Download and install Xeams on a host with a static public IP address. Outbound delivery depends on that address: receiving servers check its reverse DNS (PTR) record and its reputation, and mail from a dynamic or residential address is often rejected outright. Ask your ISP or hosting provider to set the PTR record to the hostname Xeams announces in its SMTP greeting. If you do not have a static IP address, install Xeams on a Virtual Private Server (VPS) on the Internet.
  • In Xeams, create local users whose credentials match the ones your CRM application already uses; the application then authenticates to Xeams instead of Exchange Online. Alternatively, allow relaying from the IP address of the CRM server. Restrict this to that one address or subnet: a server that relays mail for outside domains from any IP is an open relay and will quickly end up on blocklists.
  • Configure your CRM application to send outbound email through Xeams (SMTP host, port and, if you created local users, the matching credentials). If both sides support it, enable STARTTLS on that connection so the credentials are not sent in clear text.
  • Add the public IP address where Xeams is running to the SPF record for your domain, so receiving servers treat it as an authorized sender for your domain. For example:
    The SPF record before modification:
    v=spf1 include:spf.protection.outlook.com -all

    The SPF record after modification:
    v=spf1 include:spf.protection.outlook.com ip4:50.60.70.80 -all
    The text above assumes your public IP address is 50.60.70.80. Keep the existing include: term so mail still sent through Exchange Online continues to pass; each include: counts against the limit of 10 DNS lookups that SPF allows per record.
  • Configure DKIM signing in Xeams and publish the matching public key as a TXT record under your chosen selector, so your outbound emails are digitally signed. With SPF and DKIM both aligned to your domain, mail sent through Xeams also satisfies a DMARC policy if you publish one.
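To check the SPF change before and after it is published, the following Python is an added example (not code from the page or from Xeams): a minimal SPF evaluator covering only the mechanisms used in the record above (ip4, ip6, include, all) plus the 10-lookup limit from RFC 7208. The DNS data is constructed inline; the contents of spf.protection.outlook.com here are made-up ranges standing in for Microsoft's real record, and the domain example.com and IP 50.60.70.80 are assumptions. A real check would fetch each TXT record from DNS instead of the dictionary.

```python
import ipaddress

# Constructed DNS tables for the example. The entry for spf.protection.outlook.com is a
# stand-in with made-up ranges, not Microsoft's published record.
OUTLOOK_INCLUDE = ("v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 "
                   "ip6:2a01:111:f400::/48 -all")
SPF_BEFORE = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": OUTLOOK_INCLUDE,
}
SPF_AFTER = {
    "example.com": "v=spf1 include:spf.protection.outlook.com ip4:50.60.70.80 -all",
    "spf.protection.outlook.com": OUTLOOK_INCLUDE,
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: an 11th include/a/mx/... term is a permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _evaluate(domain, ip, records, lookups):
    """Walk one SPF record left to right and return the first matching term's result.

    Only the mechanisms used on this page (ip4, ip6, include, all) are modelled.
    """
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = _evaluate(value, ip, records, lookups)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
            # fail/softfail/neutral inside the include is simply "no match": keep going
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # a, mx, ptr, exists and redirect are not modelled here
    return "neutral"  # ran off the end of the record without a match


def check_spf(domain, sender_ip, records):
    """Return (result, dns_lookups_used) for a message from sender_ip claiming domain."""
    lookups = [0]
    result = _evaluate(domain, ipaddress.ip_address(sender_ip), records, lookups)
    return result, lookups[0]


def include_chain(depth):
    """Constructed record set whose include: chain is `depth` hops long, to probe the limit."""
    records = {f"hop{i}.example": f"v=spf1 include:hop{i + 1}.example -all"
               for i in range(depth)}
    records[f"hop{depth}.example"] = "v=spf1 ip4:198.51.100.7 -all"
    return records


if __name__ == "__main__":
    xeams_ip = "50.60.70.80"
    print("before:", check_spf("example.com", xeams_ip, SPF_BEFORE))            # ('fail', 1)
    print("after: ", check_spf("example.com", xeams_ip, SPF_AFTER))             # ('pass', 1)
    print("via Microsoft:", check_spf("example.com", "40.92.10.1", SPF_AFTER))  # ('pass', 1)
    print("11 includes:", check_spf("hop0.example", "198.51.100.7", include_chain(11)))  # ('permerror', 11)
```

The before/after pair shows why the ip4: term is required: without it the Xeams address falls through to -all and mail is hard-failed by receivers that enforce SPF. The include_chain helper illustrates the lookup limit; the page's record uses one include: and is nowhere near it, but a domain that has accumulated many include: terms from other SaaS vendors can silently turn its whole record into a permerror.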

Why will this work?

The key point in this design is that Exchange Online's authentication is never involved. Mail for foreign domains such as @gmail.com or @yahoo.com does not pass through Exchange Online at all; Xeams delivers it straight to the recipient domain's mail server, which accepts it on port 25 on the strength of SPF, DKIM and the sending IP's reputation, not an SMTP login. The only authentication left is between the CRM application and Xeams, which you control.

Mail addressed to your own users still reaches Exchange Online, because your domain's MX record points there; since the message arrives from an IP address listed in your SPF record, Exchange Online treats it as authorized for your domain rather than as spoofed.
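The relaying rule that makes this design safe is the one that decides which clients may hand Xeams mail for foreign domains. The following Python is an added example of that decision logic (not Xeams' own code or configuration): mail for your own domain is accepted and handed to the Exchange Online MX, mail for any other domain is relayed only from an authenticated local user or from the CRM server's allowlisted address, and everything else is refused. The domain example.com, the user crm@example.com and the address 10.0.5.20 are assumptions.

```python
import ipaddress

# Constructed stand-in for the relay settings you would enter in Xeams.
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"crm@example.com"}                    # local users created for the CRM
RELAY_FROM = [ipaddress.ip_network("10.0.5.20/32")]  # the CRM server's address, nothing wider


def relay_decision(client_ip, authenticated_user, rcpt,
                   local_domains=LOCAL_DOMAINS, local_users=LOCAL_USERS,
                   relay_from=RELAY_FROM):
    """Decide what to do with RCPT TO:<rcpt> from a client connecting from client_ip.

    authenticated_user is the local user the client logged in as, or None.
    Returns:
      'deliver-local'       mail for our own domain; goes on to the Exchange Online MX
      'relay-authenticated' foreign recipient, client logged in as a local user
      'relay-trusted-ip'    foreign recipient, client is on the relay allowlist
      'reject'              foreign recipient from an untrusted, unauthenticated client
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return "deliver-local"
    if authenticated_user is not None and authenticated_user.lower() in local_users:
        return "relay-authenticated"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in relay_from):
        return "relay-trusted-ip"
    return "reject"


def is_open_relay(relay_from):
    """True if the allowlist covers every address (e.g. 0.0.0.0/0 or ::/0): an open relay."""
    return any(net.prefixlen == 0 for net in relay_from)


if __name__ == "__main__":
    print(relay_decision("10.0.5.20", None, "lead@gmail.com"))                  # relay-trusted-ip
    print(relay_decision("203.0.113.9", None, "lead@gmail.com"))                # reject
    print(relay_decision("203.0.113.9", "crm@example.com", "lead@gmail.com"))   # relay-authenticated
    print(relay_decision("203.0.113.9", None, "alice@example.com"))             # deliver-local
    print(is_open_relay([ipaddress.ip_network("0.0.0.0/0")]))                  # True
```

The reject branch is what distinguishes this setup from an open relay: an Internet host that connects to Xeams and asks it to deliver to @gmail.com gets refused unless it is the CRM. If Xeams is not listed in your domain's MX records, you can tighten the deliver-local branch the same way, since only the CRM should be submitting mail to it at all.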