In the “old” days of on-premises Exchange servers we would always have to set up email relay connectors in order to allow the Exchange server to accept and forward (relay) email from devices on the LAN. You know the drill: you have a device that needs to email status messages, or you have a copier or scanner that has to be able to forward email, and you have to set an “email host” on the device.
We had to set up the email relay, otherwise Exchange would reject the device email as it wasn’t coming from a “trusted” source. There were a few steps to follow and all of it was to ensure your Exchange server wasn’t in a position to be “compromised” by someone out on the ‘Net with nefarious intent (as in your email server becoming an open relay and an unintended SPAM sender).
Exchange Online in Office 365 has a similar option that can be configured so that you can safely use O365 as your “email relay” for your various devices that require an email host. There are a couple of different methods available to you for the configuration but I’m going to concentrate on the “easiest” method which allows for direct sending from your devices. Because this is the simplest method there is an expectation that you will do your part to ensure you have locked down email sending to only “authorised” or “approved” devices (more about this in a bit).
OK, what are the steps that you need to follow? Let’s look at the example of connecting an HP LaserJet MFP device to O365 in order to allow it to “scan to email”. The steps involved should pretty much translate to any other device that works in a similar fashion.
The LaserJet admin page shows the following for SMTP info:
There is also a section on the screen for SMTP Authentication but for the method I’m describing authentication won’t be required at O365.
Your E-Mail Address is the address you will assign to the device to identify emails coming from it; you should make it meaningful, for example salesMFP@company.com.
Display Name is just that, what name do you want displayed.
SMTP Server is the name shown in your MX record for your O365 server connection. In general it will be something like company-com.mail.protection.outlook.com. It is important that you enter the correct FQDN here. If you are unsure use a tool like mxtoolbox.com to verify your MX record.
SMTP Port should be left at 25, the standard SMTP port.
When this is set you need to log in to the Office 365 admin portal then select Exchange Admin Center. In the Exchange Admin Center look for mail flow then click on connectors:
In this case no connectors have been set up previously; click on the + to start the process.
Make your selections as shown above then click Next.
Supply a name and a description. Make sure you tick the Turn it on box. You do not need to check the second box, it is only required when sending from an on-prem Exchange server. Click Next.
This is the critical screen. You need to make the selection shown in the red box then you need to click on the + sign as you will be entering the static IP of the WAN connection at the location where the devices reside. What you are doing here is telling Office 365 that email traffic from that IP address (or addresses) is okay to pass through the system and be forwarded on to the addressees. This can be a security hole IF you don’t perform the lockdown process that I will describe a bit later in this post.
Now that you have the connector configured you next have to modify your SPF record to include the IP address that you have referenced in the Connector configuration. To do this you need to add the IP as ip4:XX.XX.XX.XX into your SPF record and publish it. If you do NOT modify the SPF record, O365 is liable to tag emails from your devices as SPAM even though you have identified the IP address correctly in your Connector! You will need to wait until the updated SPF is fully published (DNS TTL expiry) before you can test sending from your devices.
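Once the updated SPF has propagated, it is worth confirming that the published record really does cover the connector IP and still rejects everything else. The following is example code written for this post (not part of the original or of any Microsoft tooling); the domain, record and IP address are constructed sample values, and you would substitute the TXT record you actually published.

```python
"""Added example (not from the original post): check that a published SPF
record authorises the connector's relay IP and still ends in -all or ~all.
Sample record and IP are constructed values for a fictional company.com."""
import ipaddress

# Constructed sample record for company.com after adding the relay WAN IP
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"


def parse_spf(record: str) -> list:
    """Split a record into (qualifier, mechanism, value) triples; [] if not SPF."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    parsed = []
    for term in terms[1:]:
        qualifier = "+"          # no explicit qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def ip_authorised(record: str, ip: str) -> bool:
    """True if a pass-qualified ip4:/ip6: mechanism covers the address."""
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        if qualifier != "+" or name not in ("ip4", "ip6"):
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue  # malformed mechanism: never treat it as a match
        if net.version == addr.version and addr in net:
            return True
    return False


def all_qualifier(record: str):
    """Qualifier on the 'all' mechanism ('-', '~', '?' or '+'); None if absent."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return qualifier
    return None


def relay_spf_ok(record: str, relay_ip: str) -> bool:
    """Relay IP is authorised and every other source still fails or soft-fails."""
    return ip_authorised(record, relay_ip) and all_qualifier(record) in ("-", "~")
```

Note that this only evaluates ip4:/ip6: mechanisms in the record itself; the include: for spf.protection.outlook.com is left to O365, since the relay IP must be listed explicitly for this setup to work.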
At this point you should be able to successfully send email from devices behind the identified WAN IP address. However, to ensure you have NOT opened up a security hole you should LOCK DOWN your firewall so that only properly identified and permitted devices are allowed to send SMTP traffic outbound from your LAN. This is a best practice regardless of whether or not you are configuring O365 SMTP connectors but it is definitely required when you have configured a Connector in the manner described in this post. Your firewall should only allow outbound SMTP connections from devices that need to send email, all other devices should be blocked from doing so. This ensures that you are not leaving a hole open for rogue programs (malware et al) to blast crap out via email.
This is an example from one of my Sonicwall firewalls:
The rules in the red box are the “allows”, the DENY rule that follows blocks from any other device.