Using OAuth 2.0 with Exchange Online for sending outbound emails

It has become increasingly challenging to send emails from devices and application servers because many SMTP servers now require the use of OAuth 2.0, which legacy devices and applications cannot support. To bridge this gap, you can use Xeams. This page provides information on how to configure your devices and application servers to send emails to Xeams, which will then deliver those messages through your Exchange Online account.

Relaying To Exchange Online (Office 365)

Microsoft offers the following methods for relaying messages from MFP devices or on-premises application servers. These methods are described in detail on this page.

  • Method 1 - Client SMTP Submission. This method requires OAuth 2.0 authentication. This page talks about this method.
  • Method 2 - SMTP Relay. This is done by either specifying your public IP address or using an SSL certificate for authentication. Refer to this page for instructions if you want to use a client-side SSL certificate for authentication.
  • Method 3 - Direct Send. This method requires you to authorize your public IP address to send emails for your domain by adding it to your SPF record and assigning a DKIM key. In this case, Xeams will perform an MX lookup for the recipient's domain and will send the messages to their respective SMTP servers. In other words, emails destined for your domain will be sent to Microsoft, but messages for other domains will never go to Microsoft; they will be sent to the actual SMTP server that handles the domain.

Xeams supports all three methods mentioned above. You pick the one that is easiest and most practical for your organization.
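Method 3 depends on your public IP address being listed in your domain's SPF record before Direct Send will be accepted. The following script is an added example, not Xeams or Microsoft code, for checking that prerequisite offline: it evaluates the ip4, ip6 and all mechanisms of an SPF record you paste in (the record shown is constructed for illustration) and reports include, a and mx mechanisms as unresolved, since those need DNS lookups; redirect= and other modifiers are ignored.

```python
"""Check whether a public IP is authorized by an SPF record (Method 3 prerequisite).

Added example, not Xeams code. The record below is constructed; only the
ip4, ip6 and all mechanisms are evaluated here, because include, a and mx
need DNS lookups and are reported as unresolved instead.
"""
import ipaddress
from dataclasses import dataclass, field

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: Microsoft's include plus the site's own public addresses
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com "
              "ip4:203.0.113.10 ip6:2001:db8::/48 -all")


@dataclass
class SpfVerdict:
    result: str                 # pass / fail / softfail / neutral
    matched: str                # the mechanism that decided the result
    unresolved: list = field(default_factory=list)  # mechanisms needing DNS


def parse_spf(record):
    """Split an SPF record into (result-if-matched, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:       # modifier (redirect=, exp=): skip
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed


def check_ip(record, ip):
    """Evaluate mechanisms left to right, as SPF does; the first match wins."""
    addr = ipaddress.ip_address(ip)
    unresolved = []
    for result, name, arg in parse_spf(record):
        if name == "all":
            return SpfVerdict(result, "all", unresolved)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                      # malformed mechanism: ignore it
            if addr.version == net.version and addr in net:
                return SpfVerdict(result, f"{name}:{arg}", unresolved)
        else:
            unresolved.append(f"{name}:{arg}" if arg else name)
    return SpfVerdict("neutral", "", unresolved)   # no all mechanism: neutral


if __name__ == "__main__":
    for candidate in ("203.0.113.10", "2001:db8:0:1::5", "198.51.100.7"):
        v = check_ip(SPF_RECORD, candidate)
        print(candidate, v.result, v.matched, "unresolved:", v.unresolved)
```

A "fail" verdict with a non-empty unresolved list means the literal mechanisms do not cover the address; the includes might still, so treat the verdict as incomplete until those are resolved.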

The remainder of this page talks about Method 1: Using OAuth 2.0 for authentication.

Use Case

Consider the following scenario:

  • You have an application server or a device, such as a printer, that generates emails. Assume the sender of this email is accounting@yourcompany.com, and the recipient is client@yahoo.com.
  • You're using Microsoft Exchange Online to host your domain.
  • This app runs on a network that is either behind a dynamic IP address or has outbound port 25 blocked, forcing you to send your emails through Microsoft's SMTP server.

Recent policy changes at Microsoft require you to use OAuth 2.0, which is a more secure mechanism to authenticate users. As a result, legacy devices and application servers are unable to send emails.

Solution

Use the following solution to route such emails:

  • Install Xeams inside the same LAN where your application server/device is located.
  • Configure your application server/devices to send outbound emails to Xeams. This can be done without authentication since both Xeams and the application server are inside a trusted network.
  • Xeams can authenticate with Microsoft's servers using OAuth 2.0 to deliver emails.

The following diagram shows the flow.

Prerequisites

You must complete the following tasks before proceeding:

  • Download and install Xeams.
  • You must be using Exchange Online for your primary email server. This option does not work with free accounts on Hotmail or Outlook.com.

Device/App Server Configuration

Most devices and application servers accept values for SMTP servers when they need to send outbound emails. If your device and Xeams are running on the same network, you can use the local IP address or hostname of the machine running Xeams for the SMTP server.

If needed, you can create users in Xeams and then specify those users for SMTP Authentication. Alternatively, you can allow certain IP addresses in Xeams to relay.
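The following script is an added example, not Xeams code, of what a legacy application or a test from the application server looks like once it points at the relay: plain SMTP to the Xeams machine on the LAN, with optional STARTTLS and optional authentication for the case where you created a Xeams user instead of allowing the IP. The hostname xeams.lan, the port and the User ID are assumptions. It also flags, before sending, a From address that differs from the Smart Host User ID, because Exchange Online rejects that unless Send As has been configured (see below on this page).

```python
"""Smoke-test the LAN-side relay from a legacy application.

Added example; this is not Xeams code. It assumes the Xeams machine is
reachable as RELAY_HOST on RELAY_PORT and accepts mail from this host either
because the host's IP is allowed to relay or because a Xeams user exists for
SMTP authentication (pass username/password in that case).
"""
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

RELAY_HOST = "xeams.lan"                      # assumed LAN hostname of the Xeams box
RELAY_PORT = 25                               # plain SMTP inside the trusted network
OAUTH_USER_ID = "accounting@yourcompany.com"  # User ID entered in the Xeams Smart Host


def build_message(sender, recipient, subject, body):
    """Build a minimal RFC 5322 message; Date and Message-ID are set so the
    relay and Exchange Online do not have to synthesise them."""
    _, sender_addr = parseaddr(sender)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender_addr.rsplit("@", 1)[-1])
    msg.set_content(body)
    return msg


def send_as_risk(msg, oauth_user_id=OAUTH_USER_ID):
    """True when the From address differs from the Smart Host User ID.

    Exchange Online rejects such a message with 554 5.2.252 SendAsDenied
    unless Send As permission has been granted for that address.
    """
    _, from_addr = parseaddr(str(msg["From"]))
    return from_addr.lower() != oauth_user_id.lower()


def send_via_relay(msg, host=RELAY_HOST, port=RELAY_PORT,
                   username=None, password=None, timeout=10):
    """Hand the message to the relay. Returns the dict of refused recipients
    that smtplib reports (empty when every recipient was accepted)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # Opportunistic STARTTLS: the default context verifies the relay's
        # certificate, so a self-signed Xeams certificate must be trusted here
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        if username is not None:
            smtp.login(username, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    test = build_message(OAUTH_USER_ID, "client@yahoo.com",
                         "Relay test", "Sent from a legacy app via Xeams")
    if send_as_risk(test):
        print("warning: From differs from the Smart Host User ID; Send As needed")
    refused = send_via_relay(test)
    print("relay accepted the message" if not refused else f"refused: {refused}")
```

Because the device and Xeams share a trusted network, the script sends in the clear by default and upgrades to TLS only when the relay advertises STARTTLS; the OAuth 2.0 exchange with Microsoft happens later, between Xeams and Exchange Online, and the device never sees it.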

Xeams Configuration

You must configure the Smart Host (under Server Configuration) to route messages through Exchange Online. During configuration, you will be prompted for the following parameters:

  1. Authentication Type - Select OAuth with Microsoft
  2. User ID - Specify a valid email address, which will be used for authentication as well as the sender address of the emails.
  3. Click Save.
  4. You will be redirected to Microsoft's login page. Complete the login step by following instructions on the screen.

Once completed, you will be able to send emails through Exchange Online.

Configuring Send As

Microsoft's policy does not allow you to send from any email address other than the one you entered in the User ID field in Xeams.

No further action is required if you're okay with this limitation. However, if you need to send emails from other senders in your organization, you must configure Send As permission for that user. Follow instructions on this page for details.

You will receive the following error if this permission is not granted.

554 5.2.252 SendAsDenied; john.doe@yourcompany.onmicrosoft.com not allowed to send as janedoe@yourcompany.com; 
STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message...
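To catch this rejection in relay logs rather than waiting for users to report missing mail, the following added example (not Xeams code) parses the reply format shown above, extracts the authenticated mailbox and the address it tried to send as, and builds the list of Send As grants an administrator needs to make. The log lines are constructed; only the SMTP reply text follows the format on this page.

```python
"""Recognise Exchange Online's SendAsDenied reply in relay logs.

Added example, not Xeams code. The log lines below are constructed for
illustration; only the SMTP reply text follows the format shown on this page.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEND_AS_DENIED = re.compile(
    r"(?P<code>\d{3})\s+(?P<enhanced>\d\.\d{1,3}\.\d{1,3})\s+SendAsDenied;\s*"
    r"(?P<authenticated>\S+)\s+not allowed to send as\s+(?P<attempted>[^;\s]+)",
    re.IGNORECASE,
)

# Constructed relay log lines: one success, two Send As rejections
LOG_LINES = [
    "2024-05-01 09:12:01 smarthost reply: 250 2.0.0 OK",
    "2024-05-01 09:12:07 smarthost reply: 554 5.2.252 SendAsDenied; "
    "john.doe@yourcompany.onmicrosoft.com not allowed to send as janedoe@yourcompany.com; "
    "STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; "
    "Failed to process message due to a permanent exception with message...",
    "2024-05-01 09:13:40 smarthost reply: 554 5.2.252 SendAsDenied; "
    "john.doe@yourcompany.onmicrosoft.com not allowed to send as printer@yourcompany.com; "
    "STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied",
]


@dataclass(frozen=True)
class SendAsDenied:
    code: int
    enhanced_status: str
    authenticated_user: str   # the mailbox Xeams authenticated with OAuth
    attempted_sender: str     # the From address the device tried to use

    @property
    def permanent(self):
        # 5xx reply with a 5.x.x enhanced status: retrying will not help
        return self.code // 100 == 5 and self.enhanced_status.startswith("5.")

    def remediation(self):
        return (f"Grant Send As permission on {self.attempted_sender} to "
                f"{self.authenticated_user}, or send as {self.authenticated_user}")


def parse_send_as_denied(text) -> Optional[SendAsDenied]:
    """Return the parsed rejection, or None when the text is not a SendAsDenied reply."""
    m = SEND_AS_DENIED.search(text)
    if m is None:
        return None
    return SendAsDenied(int(m["code"]), m["enhanced"],
                        m["authenticated"], m["attempted"])


def senders_needing_send_as(lines):
    """Map each rejected From address to the authenticated mailboxes that
    tried to use it, so an admin knows exactly which permissions to grant."""
    needed = {}
    for line in lines:
        hit = parse_send_as_denied(line)
        if hit is not None:
            needed.setdefault(hit.attempted_sender, set()).add(hit.authenticated_user)
    return needed


if __name__ == "__main__":
    for sender, users in senders_needing_send_as(LOG_LINES).items():
        print(f"{sender}: grant Send As to {', '.join(sorted(users))}")
```

The enhanced status 5.2.252 is a permanent rejection, so the relay should not keep retrying these messages; the fix is the Send As grant on the attempted sender's mailbox, or changing the device's From address to the User ID configured in Xeams.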