Using OAuth 2.0 with Exchange Online for sending outbound emails

It has become increasingly challenging to send emails from devices and application servers because many SMTP servers now require the use of OAuth 2.0, which legacy devices and applications cannot support. To bridge this gap, you can use Xeams. This page provides information on how to configure your devices and application servers to send emails to Xeams, which will then deliver those messages through your Exchange Online account.

Use Case

Consider the following scenario:

  • You have an application server or a device, such as a printer, that generates emails. Assume the sender of this email is accounting@yourcompany.com, and the recipient is client@yahoo.com.
  • You're using Microsoft Exchange Online to host your domain.
  • This app runs on a network that is either behind a dynamic IP address or has outbound port 25 blocked, forcing you to send your emails through Microsoft's SMTP server.

Recent policy changes at Microsoft require you to use OAuth 2.0, which is a more secure mechanism for authenticating users. As a result, legacy devices and application servers are unable to send emails.

Solution

Use the following solution to route such emails:

  • Install Xeams inside the same LAN where your application server/device is located.
  • Configure your application server/device to send outbound emails to Xeams. This can be done without authentication since both Xeams and the application server are inside a trusted network.
  • Xeams can authenticate with Microsoft's servers using OAuth 2.0 to deliver emails.

The following diagram shows the flow.

Prerequisites

You must complete the following tasks before proceeding:

  • You have downloaded and installed Xeams.
  • You must be using Exchange Online for your primary email server. This option does not work with free accounts on Hotmail or Outlook.com.

Device/App Server Configuration

Most devices and application servers accept values for SMTP servers when they need to send outbound emails. If your device and Xeams are running on the same network, you can use the local IP address or hostname of the machine running Xeams for the SMTP server.

If needed, you can create users in Xeams and then specify those users for SMTP Authentication. Alternatively, you can allow certain IP addresses in Xeams to relay.

Xeams Configuration

You must configure the Smart Host (under Server Configuration) to route messages through Exchange Online. During configuration, you will be prompted for the following parameters:

  1. Authentication Type - Select OAuth with Microsoft
  2. User ID - Specify a valid email address, which will be used for authentication as well as the sender of the emails.
  3. Click Save.
  4. You will be redirected to Microsoft's login page. Complete the login step by following instructions on the screen.

Once completed, you will be able to send emails through Exchange Online.

Configuring Send As

Microsoft's policy restricts you from specifying any email address but the one you put for the User ID field in Xeams.

No further action is required if you're okay with this limitation. However, if you need to send emails from other senders in your organization, you must configure the Send As permission for that user. Follow the instructions on this page for details.

You will receive the following error if this permission is not granted.

554 5.2.252 SendAsDenied; john.doe@yourcompany.onmicrosoft.com not allowed to send as janedoe@yourcompany.com; 
STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message...
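For the device side described under Device/App Server Configuration and the SendAsDenied reply quoted above, here is an added Python example (not Xeams' own code and not part of the original page): a legacy application relays a message to Xeams on the LAN, keeps the From header and envelope sender identical so the Send As rule is evaluated once, and parses a 554 5.2.252 reply into the authenticated account and the refused sender. The Xeams hostname xeams.lan and port 25 are assumptions.

```python
import re
import smtplib
from email.message import EmailMessage

# Assumed for this example: LAN hostname and port of the machine running Xeams.
XEAMS_HOST, XEAMS_PORT = "xeams.lan", 25
# The reply quoted on this page, used as sample input for parse_delivery_error.
SAMPLE_REPLY = ("554 5.2.252 SendAsDenied; john.doe@yourcompany.onmicrosoft.com not allowed "
                "to send as janedoe@yourcompany.com; STOREDRV.Submission.Exception:SendAsDeniedException")

_REPLY = re.compile(r"^(?P<code>\d{3})[ -](?P<esc>\d\.\d+\.\d+)?\s*(?P<text>.*)$", re.S)  # code, enhanced status, text
_SENDAS = re.compile(r"(?P<auth>[^\s;]+@[^\s;]+) not allowed to send as (?P<sender>[^\s;]+)")

def parse_delivery_error(reply: str) -> dict:
    # Works on a reply taken from an smtplib exception or copied from a Xeams log line.
    m = _REPLY.match(reply.strip())
    if not m:
        return {"code": None, "esc": None, "send_as_denied": False}
    info = {"code": int(m["code"]), "esc": m["esc"],
            "send_as_denied": m["esc"] == "5.2.252" or "SendAsDenied" in m["text"]}
    s = _SENDAS.search(m["text"])
    if s:  # Exchange names the authenticated account and the sender it refused
        info["authenticated_as"], info["attempted_sender"] = s["auth"], s["sender"]
    return info

def reply_text(exc: smtplib.SMTPException) -> str:
    # Flatten an smtplib exception into the "code text" form parse_delivery_error expects.
    if isinstance(exc, smtplib.SMTPRecipientsRefused):
        code, msg = next(iter(exc.recipients.values()))
    else:
        code, msg = getattr(exc, "smtp_code", 0), getattr(exc, "smtp_error", b"")
    msg = msg.decode(errors="replace") if isinstance(msg, bytes) else str(msg)
    return f"{code} {msg}"

def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    # From header and envelope sender are the same address, so Send As is checked once.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

def send_via_xeams(msg: EmailMessage, user=None, password=None) -> dict:
    with smtplib.SMTP(XEAMS_HOST, XEAMS_PORT, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):  # encrypt the LAN hop when Xeams offers it
            smtp.starttls()
        if user and password:  # only needed if Xeams requires SMTP AUTH instead of allowing this IP
            smtp.login(user, password)
        try:
            smtp.send_message(msg)
            return {"code": 250, "esc": None, "send_as_denied": False}
        except smtplib.SMTPException as exc:
            return parse_delivery_error(reply_text(exc))
```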