Georgia Finance

Sep 18 2018

How to Configure an Internal SMTP Relay Server for Office 365

#hosted #smtp #server


How to Configure an Internal SMTP Relay Server for Office 365

Saturday, October 26, 2013

Most organizations have internal application servers and appliances that send emails to users or groups. Examples include copier/scanners and application servers, such as backup servers that notify admins of a completed or failed backup job.

If the organization has Exchange on-prem you would normally configure an internal relay receive connector in Exchange and configure the internal resources to send emails to Exchange. But what do you do when you’ve migrated all your mailboxes to Office 365 and have decommissioned your Exchange servers?

The solution is to install an IIS SMTP relay server in your internal network, configure it to accept email from specific IP addresses, and forward emails to Office 365. You can also configure the SMTP relay for external domains, if necessary.

Here’s how to do it:

  • Install the SMTP Server feature and its dependencies to a new or existing Windows server. This will be your relay server and your firewall needs to allow it to send SMTP traffic (TCP port 25) outbound to the Internet. I typically use the DirSync server, if there is one.

Adding the SMTP Server feature and its dependencies to Windows Server 2012

  • Open Internet Information Services (IIS) 6.0 Manager to configure the SMTP relay.
  • Configure the properties of [SMTP Virtual Server #1] as follows:
    • On the Access tab:
      • Authentication: Only Anonymous access is checked.
      • Relay: Only the list below. Add IP addresses or ranges of servers allowed to relay.
      • Note – It’s important to only allow IP addresses you trust to relay through this server. Any IP address you enter here will be allowed to send emails on behalf of your domain.
    • On the Messages tab:
      • Adjust message size limits. The default message size limit is 2048 KB (2 MB). You may want to change it to 10240 KB (10 MB) or more to allow for larger messages from copier/scanners, etc.
    • On the Delivery Tab:
      • Outbound Security: Anonymous access only and no TLS encryption.
      • Outbound Connections: Port 25
      • Advanced: Leave the Smart Host field blank
  • Add new remote domains:
    • Right-click Domains New Domain and add the domain(s) hosted in Exchange Online.
    • If the relay server is allowed to relay emails to other external domains add a new *.com remote domain. Repeat for *.org, *.net, etc. as necessary.

    Add Office 365 and other remote domains if required for external relay

    • For properties of each domain hosted in Exchange Online:
      • Use to get the EOP endpoint (MX record) for your tenant. For example, .
      • Check Allow incoming mail to be relayed to this domain
      • Forward all mail to this smart host: The EOP endpoint you identified above (i.e. )
      • Outbound Security: Check Anonymous access and TLS encryption
    • For properties of all other remote domains (if any):
      • Check Allow incoming mail to be relayed to this domain
      • Outbound Security: Check Anonymous access and do not check TLS encryption.
  • Restart IIS. Be aware that whenever you restart IIS, the SMTP virtual server usually stays stopped start it.

Now we need to configure Exchange Online to accept emails from the new relay server. Recent changes in EOP email security require that you verify the relay server by specifying the SSL certificate or public IP address used by the relay server.

  • Sign-in to the Exchange Online Admin Center with your admin account
  • Navigate to Mail Flow Connectors and add a new connector
  • On Select your mail flow scenario. select:
    • From: Your organization’s email server
    • To: Office 365
  • Name the new connector “Relay from On-Premises ” and click Next
  • On How should Office 365 identify email from your email server? you have two choices:
    1. If you have installed a valid third-party SSL certificate from a trusted CA on your SMTP relay server you can enter the Subject Name for the cert (i.e., or * for a wildcard cert) on the new connector.
    2. If your SMTP relay server has a static public IP address you can enter that IP address. You can use a service like to get your current IP address. Note that if this IP address ever changes, you’ll need to update the connector in Exchange Online.
  • Confirm the new connector’s setting and click Save .
  • Note that it can take up to 15 minutes for this connector and settings to propagate throughout EOP.

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *