When migrating mailboxes to Microsoft 365, six challenges have to be addressed:
- Updating and managing the updates of the client computers so that they support Microsoft 365 and OAuth authentication.
- Migrating users’ mailboxes from their PCs or Macs, including the data transfer.
- Migrating mobile devices and tablets (with or without an MDM).
- Migrating the collaborative features: distribution lists, shared mailboxes, delegates.
- Migrating inbound and outbound SMTP flows with the Internet and with partner companies.
- Migrating the SMTP access used by applications or scanners.
The last point is problematic and often underestimated. Several cases arise and several solutions are possible. In this article, we focus on one case in particular: a scanner or an application that does not support SMTP authentication.
One solution is to send through the MX of your domain name. To find the MX of a domain in your Microsoft 365 tenant, you can use the Get-MxRecordReport cmdlet of Exchange Online PowerShell, passing the domain name with -Domain:
By default, the tenant MX host is named after the domain with the dots replaced by hyphens, for example “yourdomain-fr.mail.protection.outlook.com” for yourdomain.fr.
As long as the Internet provider allows outbound traffic on TCP port 25, an application can connect to this SMTP server on port 25 without any authentication (Microsoft calls this “Direct Send”):
By default, if you send an email on behalf of an address of your domain to an existing mailbox of your domain, the message is accepted even if no mailbox exists for the sender address.
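As an added example (not code from the original article), here is a small Python script that performs this unauthenticated Direct Send test with the standard smtplib module. The domain contoso.com, the addresses and the subject are placeholders; the MX host name is derived with the default naming convention described above and should be confirmed with Get-MxRecordReport or a DNS MX lookup before relying on it.

```python
"""Direct Send test: submit a message to the tenant MX on TCP/25 without SMTP AUTH.

Added example, not from the original article. Host names, addresses and the
message content are placeholders; adjust them to your own tenant.
"""
import smtplib
import ssl
from email.message import EmailMessage


def default_mx_host(domain):
    """Return the default Microsoft 365 MX host name for an accepted domain.

    Exchange Online names it after the domain with dots replaced by hyphens,
    e.g. contoso.com -> contoso-com.mail.protection.outlook.com. Confirm the
    real value with Get-MxRecordReport or a DNS MX lookup before relying on it.
    """
    label = domain.strip().lower().rstrip(".").replace(".", "-")
    return f"{label}.mail.protection.outlook.com"


def build_message(sender, recipients, subject, body):
    """Compose the scan notification. The sender address needs no mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def direct_send(mx_host, msg, timeout=30.0):
    """Deliver ``msg`` to the tenant MX by unauthenticated Direct Send.

    Returns the dict of refused recipients that smtplib reports: an empty dict
    means every recipient was accepted. EOP only accepts recipients of your own
    tenant this way; external recipients come back refused (no relay).
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        # Opportunistic TLS: EOP offers STARTTLS on port 25; use it so the
        # body and recipient list do not cross the Internet in clear text.
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()
        # No smtp.login() call: that is the whole point of Direct Send.
        try:
            return smtp.send_message(msg)
        except smtplib.SMTPRecipientsRefused as exc:
            # Every recipient was refused, typically an external address.
            return exc.recipients


if __name__ == "__main__":
    mx = default_mx_host("contoso.com")          # placeholder domain
    mail = build_message(
        "scanner@contoso.com",                  # no mailbox needed for this address
        ["alice@contoso.com"],                  # must be a mailbox of the tenant
        "Scan 0001",
        "Your scanned document is attached.",
    )
    refused = direct_send(mx, mail)
    print("all recipients accepted" if not refused else f"refused: {refused}")
```

Run it from the host whose public IP you intend to authorize; if the recipient is outside the tenant, the refused dict (or the SMTPRecipientsRefused exception it catches) shows the relay denial discussed further down.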
This can be seen as a double weakness:
- Anyone on the Internet can send emails in the name of one of your addresses to one of your Microsoft 365 mailboxes.
- If malware is present on one of your PCs, it can send SMTP mail to every mailbox of your Microsoft 365 tenant just as simply.
To deal with the second weakness, PCs must be prevented from connecting to Microsoft’s TCP port 25: block outbound port 25 on your firewall and allow only the IP addresses of the scanners to reach port 25 of the Microsoft 365 servers. This is the most common configuration. Regarding the first weakness, by default Microsoft categorizes such received emails as spam.
The spam confidence level (SCL) will be at least 5; you can find this level in the headers (X-MS-Exchange-Organization-SCL) of the message received in the “Junk Email” folder:
This level of 5 is explained by the fact that the SPF record of your domain generally contains only the Microsoft 365 servers, with the value: v=spf1 include:spf.protection.outlook.com ~all
With this record, only Microsoft’s servers (EOP = Exchange Online Protection) are authorized to send emails with your domain name, and this is why emails sent by a scanner or an application without authentication on port 25 of your MX are treated as spam.
If you look in detail at the headers of these emails, you will find a SoftFail (with ~all) or a Fail (with -all) for the SPF check:
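To show what to look for, here is an added Python example (not from the original article) that reads the SPF verdict and the SCL out of a saved message with the standard library. The two embedded messages are constructed: their header names are the ones EOP stamps, but the IP address 198.51.100.10, the domain contoso.com and the other values are placeholders.

```python
"""Extract the SPF verdict and the SCL from the headers of a message EOP
delivered to Junk Email (or to the Inbox once the SPF record is fixed).

Added example, not from the original article. The header names
(Authentication-Results, Received-SPF, X-Forefront-Antispam-Report,
X-MS-Exchange-Organization-SCL) are the ones Exchange Online Protection
stamps; the two sample messages are constructed and their values
(IP 198.51.100.10 from TEST-NET-2, domain contoso.com) are placeholders.
"""
import re
from email import message_from_string
from email.policy import default

# Constructed sample 1: unauthenticated submission to the MX while the SPF
# record still lists only Microsoft's servers -> SoftFail, SCL 5, Junk Email.
JUNK_SAMPLE = """\
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 contoso.com discourages use of 198.51.100.10 as permitted sender)
Authentication-Results: spf=softfail (sender IP is 198.51.100.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=contoso.com;
X-Forefront-Antispam-Report: CIP:198.51.100.10;CTRY:FR;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;CAT:SPM;DIR:INB;
X-MS-Exchange-Organization-SCL: 5
From: scanner@contoso.com
To: alice@contoso.com
Subject: Scan 0001

Your scanned document is attached.
"""

# Constructed sample 2: same submission after ip4:198.51.100.10 was added to
# the SPF record -> Pass, SCL 1, Inbox.
INBOX_SAMPLE = """\
Received-SPF: Pass (protection.outlook.com: domain of contoso.com designates
 198.51.100.10 as permitted sender)
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=contoso.com;
X-Forefront-Antispam-Report: CIP:198.51.100.10;CTRY:FR;LANG:en;SCL:1;SRV:;
 IPV:NLI;SFV:NSPM;CAT:NONE;DIR:INB;
X-MS-Exchange-Organization-SCL: 1
From: scanner@contoso.com
To: alice@contoso.com
Subject: Scan 0002

Your scanned document is attached.
"""


def spf_result(msg):
    """SPF verdict in lower case (pass, softfail, fail, none, ...).

    Authentication-Results is the authoritative field; Received-SPF is the
    fallback for a message that lacks it.
    """
    m = re.search(r"\bspf=([a-z]+)", msg.get("Authentication-Results", ""), re.I)
    if m:
        return m.group(1).lower()
    received_spf = msg.get("Received-SPF", "").strip()
    return received_spf.split(None, 1)[0].lower() if received_spf else "none"


def spam_confidence_level(msg):
    """SCL assigned by EOP, or None if the message carries no SCL at all."""
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    if scl is None:
        m = re.search(r"(?:^|;)\s*SCL:(-?\d+)",
                      msg.get("X-Forefront-Antispam-Report", ""))
        if not m:
            return None
        scl = m.group(1)
    return int(scl)


def sender_ip(msg):
    """Connecting IP as recorded by EOP in X-Forefront-Antispam-Report (CIP:)."""
    m = re.search(r"\bCIP:([0-9a-fA-F.:]+)",
                  msg.get("X-Forefront-Antispam-Report", ""))
    return m.group(1) if m else None


def verdict(raw_message):
    """Summarize why EOP filed the message where it did."""
    msg = message_from_string(raw_message, policy=default)
    scl = spam_confidence_level(msg)
    return {
        "sender_ip": sender_ip(msg),
        "spf": spf_result(msg),
        "scl": scl,
        # With the default anti-spam policy, SCL 5 or higher goes to Junk Email.
        "junk": scl is not None and scl >= 5,
    }


if __name__ == "__main__":
    for name, raw in (("before SPF change", JUNK_SAMPLE), ("after SPF change", INBOX_SAMPLE)):
        print(name, verdict(raw))
```

Open the message in Outlook (File, Properties, Internet headers) or save it as .eml and feed the text to verdict(); a softfail/fail with SCL 5 confirms that SPF, not the content, is what sent the scan to Junk Email.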
If you want these emails to arrive in your users’ inbox, one solution is to declare in your domain’s SPF record the public IP address used by the scanners or applications that do not support SMTP authentication.
The SPF record becomes: v=spf1 ip4:x.x.x.x include:spf.protection.outlook.com -all, where x.x.x.x is the public IP address used by your scanners or applications that do not support SMTP authentication. The record must not contain spaces after “ip4:” or “include:”, and note that “-all” is a hard fail, stricter than the “~all” of the default record: keep “~all” if you are not sure that every legitimate sender of your domain is listed.
Once the SPF record has been modified, scanners or applications that connect to the Microsoft MX on port 25 without authentication can send legitimate emails in the name of an address of your domain (even if no mailbox has this address) to mailboxes of your domain. The emails received no longer land in the “Junk Email” folder and the SCL will be 1.
The SPF validation will now be positive (spf=pass in the headers):
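The following added example (Python, not from the original article) is a minimal SPF evaluator that reproduces these verdicts offline: it handles only the mechanisms used in the records above (ip4, ip6, include, all) and resolves SPF records from a constructed table instead of DNS. In that table, the entry for spf.protection.outlook.com is a stand-in using documentation IP ranges, not Microsoft’s real record, and 198.51.100.10 stands for your scanner’s public IP x.x.x.x. It goes slightly beyond the article by also showing what happens with a record typed with spaces after “ip4:” (a permanent error, not a pass).

```python
"""Minimal SPF evaluator: why the scanner IP soft-fails with the default record
and passes once ip4:x.x.x.x is added.

Added example, not from the original article. Only ip4/ip6/include/all are
implemented, and records come from the constructed RECORDS table below rather
than from DNS. The spf.protection.outlook.com entry is a stand-in built from
documentation prefixes (RFC 5737 / RFC 3849), not Microsoft's real record.
"""
import ipaddress

# Constructed resolver table: domain -> SPF TXT record.
RECORDS = {
    # stand-in for Microsoft's record, NOT the real EOP address ranges
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    # default record of the article: only Microsoft 365 may send, softfail otherwise
    "contoso.com": "v=spf1 include:spf.protection.outlook.com ~all",
    # record after adding the scanner's public IP (198.51.100.10 stands for x.x.x.x)
    "contoso-fixed.com": "v=spf1 ip4:198.51.100.10 include:spf.protection.outlook.com -all",
    # same record typed with spaces after the colons: syntactically invalid
    "contoso-typo.com": "v=spf1 ip4: 198.51.100.10 include: spf.protection.outlook.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Return the SPF result for `ip` sending MAIL FROM `domain`.

    Result names follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if not arg:
                # "ip4: x.x.x.x" with a space leaves the argument empty:
                # the record is invalid and the whole check is a permerror.
                return "permerror"
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            if not arg:
                return "permerror"
            inner = check_host(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail/softfail/neutral inside an include simply do not match
        else:
            return "permerror"           # mechanism not supported by this evaluator
    return "neutral"                     # no "all" term: RFC 7208 default result


if __name__ == "__main__":
    for ip, domain in (("198.51.100.10", "contoso.com"),
                       ("198.51.100.10", "contoso-fixed.com"),
                       ("192.0.2.1", "contoso-fixed.com"),
                       ("198.51.100.10", "contoso-typo.com")):
        print(f"{ip:>15} MAIL FROM {domain:<20} -> {check_host(ip, domain)}")
```

The same scanner IP gives softfail against the default record (the include only covers Microsoft’s servers, then ~all applies) and pass against the corrected one, while any other Internet address now gets a hard fail; the record with stray spaces is rejected outright, which in production would make every sender of the domain fail SPF.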
This configuration allows a scanner or an application that does not support SMTP authentication to send emails through Microsoft 365 to the mailboxes of your tenant.
Of course, this method (without authentication) cannot send emails to addresses outside your tenant: EOP will not relay for an unauthenticated source unless an inbound connector has been created for its IP address.
This configuration still deserves some thought in terms of security: by default, your users can receive emails bearing your tenant’s email addresses that actually come from anyone on the Internet. Those emails are accepted by Microsoft and placed in the “Junk Email” folder. Also, once x.x.x.x is listed in the SPF record, any host that sends through that public IP address (for example every machine behind the same NAT) can send mail in the name of your domain that passes SPF, which is one more reason to restrict outbound port 25 to the scanners only.