Postfix SMTP relay to Office 365 - Single and Multiple SMTP Servers

Postfix is a powerful open-source mail server with many built-in customization options. I recently had a requirement to set up an organization-wide mail server to perform SMTP relay to Office365 and allow our Java, JS and Python applications to send emails from different Office365 email IDs based on the subject (or) the sender details.

Before we get to multiple email IDs and sender-based relay in Postfix, let us cover the basic setup and send our test emails.

I am going to split this article into four parts or subtopics:

  1. Configuring Postfix SMTP relay to Office 365 and testing it with a single email ID/domain
  2. Configuring Postfix SMTP relay for multiple domains and sender-based relay
  3. Troubleshooting SMTP relay and Fixing Email Delivery Problems
  4. Check your email Score (or) Spam test result

Before we proceed with these steps, I would like to take you on a quick tour of the three different connection methods you can have with Office365. Knowing which one you are using will help you fix problems faster when you run into one.

 

Three types of integration supported by Office365

If you browse the internet you will find numerous articles with different methods to set up SMTP relay from Postfix, or to connect your application or device and relay your mail. So I am listing the three different types of integration we can do with Office365 to send emails.

1. SMTP client submission

The client connects to the server "smtp.office365.com" on port 587. With this approach, we can send emails to internal and external recipients.

[Figure: how a multifunction printer connects to Microsoft 365 or Office 365 using SMTP client submission. Image credit: Microsoft]

2. Direct send

In this method, we connect to our organization's mail server hostname (MX), whose name ends with "mail.protection.outlook.com".

In my case, gritfy-com.mail.protection.outlook.com is my mail server. To find out your organization's mail server MX record, use https://mxtoolbox.com/

With this method, email cannot be sent to recipients outside your organization.

[Figure: how a multifunction printer uses your Microsoft 365 or Office 365 MX endpoint to send email directly to recipients in your organization only.]

3. Office 365 SMTP relay (discussed in this post)

In this method, we connect to our organization's mail server hostname (MX), whose name ends with "mail.protection.outlook.com".

There is a connector set up in Office 365 for emails sent from your organization's mail server. In our case it is Postfix.

With this method, we can send mail to external recipients as well as to recipients inside the organization.

[Figure: how a multifunction printer connects to Microsoft 365 or Office 365 using SMTP relay.]

Simple SMTP relay with Postfix Office365

As shown in method 3 above, we are going to set up an SMTP relay with connectors in Office365 and Postfix to send emails to internal and external recipients.

Let us start by installing the Postfix mail server on your Linux host. Choose the appropriate package manager for your distribution, such as yum or apt-get.

Installing postfix mail server

In my case, it is CentOS so I am going with yum

yum install postfix

Update the Postfix configuration

If you go to the /etc/postfix directory and list the files, you will find a set of configuration files already present. We are going to update some of them to make the SMTP relay work through Office365.

Updating the relay host in the Postfix configuration

The first file we are going to change is main.cf. Find and update the parameter named relayhost; if it is commented out, uncomment it.

Use your organization's MX server endpoint there with port number 25. In my case it is

relayhost = [gritfy-com.mail.protection.outlook.com]:25

Updating SMTP Outbound Relay configuration

In the same main.cf file, add the following lines at the end of the file. This configuration enables SASL authentication using the sasl_passwd file, where we will define our email and password. The smtp_tls_security_level option controls TLS for outbound mail. The value may used here is opportunistic: Postfix uses STARTTLS when the remote server offers it and otherwise delivers in cleartext, so in this post we are going without enforced TLS. Setting it to encrypt makes TLS mandatory.

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 409600

So we have referenced the password map file in main.cf but have not created it yet. Our next step is to create it in the /etc/postfix directory with the name sasl_passwd.

 

Creating sasl_passwd file with Authentication info

Create a new file named sasl_passwd under /etc/postfix and enter your Office365 account details.

It is recommended that this account does not have admin privileges as the sasl_passwd file would contain this password as cleartext.

Here is the content of my sasl_passwd file for your reference.

[gritfy-com.mail.protection.outlook.com]:25 [email protected]:SecurePassword

Postfix reads the login info from a database file, so we need to convert this file to the *.db format. To do that, you can use the command

postmap /etc/postfix/sasl_passwd

Upon successful execution of this command, a new file with the same name and a .db extension is created.

By default, these files are world-readable, which lets every user logged in to the server read them. To prevent that, set the file permissions as shown below. This allows only the owner to read and write the files and restricts all others.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Now we have configured the Postfix mail server, but since we are using the SMTP relay method of Office365 integration, we need to create our Office365 connector, which requires Office365 admin privileges.

Creating a Connector in Office365

To create a connector in Office365 you need to have the Global Admin or Exchange Admin role.

Log in to the Office365 Exchange Admin page. Under the mail flow option you will find an option named connectors; click on it to create a new connector.

Once you have clicked on Connectors, you are prompted for a few details, where you need to choose whether the connector allows clients based on a certificate or on their IP.

In this post, we are going with the IP method, where the Office365 connector allows client applications like Postfix to send emails when they come from a specific public IP address.

So if you are implementing this in your organization, it is advised that you have a static public IP for your Linux server. For AWS users it is even simpler, as you can allocate an Elastic IP for the instance where you are setting this up.

Take a look at this Screen record of me doing the same setup.

[Screen recording: Office 365 Relay Postfix]

 

Updating SPF record with your public IP (to avoid your email ending up as SPAM)

All the steps we have done till now are enough to get your email going out from the Postfix relay.

We should do one more thing to keep our emails from ending up in the SPAM folder.

If you are in the AWS world, you can do it easily in Route53. If you are with public providers like GoDaddy or Bluehost, you need to find their own technical documentation on how to add this new SPF record.

Basically, our objective here is to add our public IPv4 address to the SPF record. It would look something like this; you can keep adding ip4 entries as you add more servers.

v=spf1 ip4:49.205.79.85 include:spf.protection.outlook.com -all

To create SPF records in the right syntax you can use SPF record generator

To validate your SPF record you can use this mxtoolbox supertool

 

Whitelist your Server IP in Office365

Also, you need to whitelist your server IP for Office365 to accept your connection request on port 25 and to honour your mail submission.

Exchange Admin Center -> Connection Filter -> Add Allowed IP Address

If your IP is not whitelisted, you might see errors like the one given below.

Jul 30 22:35:57 mwiapp01 postfix/smtp[18821]: AC8A74078131: 
to=<[email protected]>, 
relay=gritfy-com.mail.protection.outlook.com[104.47.100.36]:25, 
delay=5.9, delays=0.09/0.05/4.1/1.6, dsn=5.7.750, 
status=bounced (host gritfy-com.mail.protection.outlook.com[104.47.100.36] 
said: 550 5.7.750 Service unavailable. 
Client blocked from sending from unregistered domains. 
For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653. AS(800051) 
[MA1IND01FT006.eop-IND01.prod.protection.outlook.com] (in reply to end of DATA command))

 

Restart Postfix and Send some email to test it

Now go back to the server and restart Postfix using your systemctl or service command. After validating that the service has started, you can send yourself a test email to validate your setup.

echo "Some Email to Test"|mailx -s "Test Email" -r [email protected] [email protected]

If everything went well, you should see status=sent for your mail in your maillog, usually located at /var/log/maillog

Jul 30 22:44:32 mwiapp01 postfix/smtp[19253]: 60DAF4078131: 
to=<[email protected]>, 
relay=gritfy-com.mail.protection.outlook.com[104.47.100.36]:25, 
delay=7.2, delays=0.05/0.03/4/3.1, dsn=2.6.0, 
status=sent (250 2.6.0 <5f234d49.DY75T7s4TYaD7ECn%[email protected]> 
[InternalId=23136988825661, Hostname=MA1PR01MB3468.INDPRD01.PROD.OUTLOOK.COM] 8682 bytes in 0.311, 27.186 KB/sec Queued mail for delivery)
Jul 30 22:44:32 mwiapp01 postfix/qmgr[3774]: 60DAF4078131: removed

 

Multiple Domains and Sender-Based Relay with Postfix and Office365

You can have more than one relay in Postfix and configure Postfix to choose the relay configuration and credentials based on the sender email ID.

For example, if you want to send emails from two different users on the same domain, you can do that

[email protected]
[email protected]

or if you want to send emails from two different domains and email IDs you can do that too with postfix

[email protected]
[email protected]

 

So how do we achieve sender-based SMTP relay in Postfix?

If you are trying to use two different Office365 accounts, you need to repeat all the steps we did earlier. Since this post is about Office365 and Postfix, let me presume that the other account is hosted by Office365 too.

So you need to redo these steps on the other email domain as well. In my case it is middlewareinventory.com, as I have already done these steps for gritfy.com.

  1. Create a Connector in Corresponding Office365 and allow the IP of your Server
  2. Whitelist your IP in Exchange Connection Filter
  3. Update your SPF record and add your Server IP where your Postfix is running

I presume that you have done these steps flawlessly. Let us skip to the Postfix configuration section.

Update the main.cf configuration of Postfix to support sender-based relay

If you are following along from the single SMTP relay setup to this multiple SMTP relay setup, you need to update a few values. If you are setting up sender-based relay directly, you can just copy and paste these values at the bottom of your /etc/postfix/main.cf file.

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd_maps
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000
inet_protocols = all
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender

If you look at the configuration, there are two files (maps) we need to create and place on the server. First, let us create the /etc/postfix/relay_by_sender file, which is needed for the sender-dependent relay in Postfix.

Create a relay_by_sender file for Postfix and keep the mail server (MX) details in it

Within the relay_by_sender file we need to paste the following content. Make sure you update these values with your mail server (smart host) details.

[email protected] [gritfy-com.mail.protection.outlook.com]:25
[email protected] [devopsjunction.mail.protection.outlook.com]:25

Once you have saved the file as /etc/postfix/relay_by_sender, you need to create a DB file for Postfix to use, with the postmap command

postmap /etc/postfix/relay_by_sender

Create the sasl_passwd_maps file with relays and credentials

Now we need to provide credentials for both of the relays we have created. So create a file under /etc/postfix with the name sasl_passwd_maps

[gritfy-com.mail.protection.outlook.com]:25 [email protected]:MysecretPassword
[devopsjunction.mail.protection.outlook.com]:25 [email protected]:Password

And just like you did earlier, you have to create the db file using postmap

postmap /etc/postfix/sasl_passwd_maps
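
The chmod step shown earlier for sasl_passwd applies equally to sasl_passwd_maps and its .db, and a map edited after the last postmap run keeps being served from the old .db until postmap is rerun. The following is an added example, not part of the original article: a shell audit that checks both conditions and reports whether smtp_tls_security_level still permits cleartext delivery. The function names and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Postfix SASL credential maps and the outbound TLS level.
# Usage: sh audit.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd_maps ...

# check_map FILE: FILE and its postmap-built FILE.db must exist, grant nothing
# to group/other, and the .db must not be older than the source it was built from.
check_map() {
    src=$1; db=$1.db; rc=0
    for f in "$src" "$db"; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; rc=1; continue; fi
        perms=$(ls -ld "$f" | cut -c5-10)        # group+other permission bits
        if [ "$perms" != "------" ]; then echo "PERMS $f is accessible beyond owner"; rc=1; fi
    done
    if [ -f "$src" ] && [ -f "$db" ] && [ "$src" -nt "$db" ]; then
        echo "STALE $db predates $src, rerun postmap"; rc=1
    fi
    return $rc
}

# tls_level MAIN_CF: print the last smtp_tls_security_level assignment, which
# is the one Postfix uses when a parameter is set more than once.
tls_level() {
    sed -n 's/^smtp_tls_security_level[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# check_tls MAIN_CF: pass only for levels that never deliver in cleartext.
check_tls() {
    level=$(tls_level "$1")
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) return 0 ;;
        *) echo "TLS level '${level:-unset}' permits cleartext delivery"; return 1 ;;
    esac
}

# Run the audit only when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    cf=$1; shift; status=0
    check_tls "$cf" || status=1
    for m in "$@"; do check_map "$m" || status=1; done
    exit $status
fi
```

With the main.cf shown in this post the TLS check fails, because may falls back to cleartext when STARTTLS is not offered.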

 

Reload or restart the Postfix server and test the relays

Now you have made the necessary changes for your sender-based relays to work. So go ahead and restart or reload your Postfix server

service postfix reload
(or)
service postfix restart

Send some test emails to validate that the mails are passing through the right relays

To test the first sender with gritfy.com, specify the sender address with -r while sending your email.

echo "Some Email to Test"|mailx -s "Test Email" -r [email protected] [email protected]

To test the second sender with devopsjunction.com, update the sender address after -r and run it

echo "Some Email to Test"|mailx -s "Test Email" -r [email protected] [email protected]

To know which relay the email is going through, and to see whether it has been sent to the recipient, use the maillog, usually located at /var/log/maillog

Jul 31 00:58:35 mwiapp01 postfix/smtp[26151]: 28D5A4078131: 
to=<[email protected]>, 
relay=gritfy-com.mail.protection.outlook.com[104.47.100.36]:25, 
delay=7.8, delays=0.06/0.05/4.2/3.5, dsn=2.6.0, 
status=sent (250 2.6.0 <5f236cb4.kaTYiINfdbNN2Gyr%[email protected]> [InternalId=22905060593379, Hostname=MAXPR01MB4031.INDPRD01.PROD.OUTLOOK.COM] 8684 bytes in 0.610, 13.883 KB/sec Queued mail for delivery)
Jul 31 00:58:35 mwiapp01 postfix/qmgr[25474]: 28D5A4078131: removed
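
To check relay selection without reading the log by eye, the added example below (not from the original article) joins each qmgr from= line to the smtp delivery line by queue ID and compares the relay used with relay_by_sender. The log lines, sender addresses, queue IDs and IP address are constructed; only the two relay hostnames come from this post.

```shell
#!/bin/sh
# Added example: confirm from the maillog that each sender left through the
# relay that relay_by_sender assigns to it. All sample data is constructed.

# relay_report MAILLOG MAPFILE -> "queue-id sender relay dsn status verdict"
relay_report() {
    awk '
    NR == FNR {                                  # 1st file: relay_by_sender
        if ($0 ~ /^[ \t]*(#|$)/) next
        h = $2; sub(/^\[/, "", h); sub(/\](:[0-9]+)?$/, "", h)
        want[$1] = h; next
    }
    { q = $6; sub(/:$/, "", q) }                 # queue id follows prog[pid]:
    /postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
        from[q] = substr($0, RSTART + 6, RLENGTH - 7); next
    }
    /postfix\/smtp\[/ && /status=/ {
        match($0, /relay=[^,]*/); r = substr($0, RSTART + 6, RLENGTH - 6); sub(/\[.*/, "", r)
        match($0, /dsn=[0-9.]+/); d = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /status=[a-z]+/); s = substr($0, RSTART + 7, RLENGTH - 7)
        f = (q in from) ? from[q] : "unknown"
        dom = f; sub(/^[^@]*/, "", dom)          # "@domain" fallback lookup key
        expect = (f in want) ? want[f] : ((dom in want) ? want[dom] : "")
        v = (expect == "") ? "UNMAPPED" : ((expect == r) ? "OK" : "MISROUTED")
        print q, f, r, d, s, v
    }' "$2" "$1"
}

# Constructed sample: the second sender leaves through the wrong relay.
demo() {
    t=$(mktemp -d)
    cat > "$t/relay_by_sender" <<'EOF'
alerts@gritfy.com [gritfy-com.mail.protection.outlook.com]:25
@devopsjunction.com [devopsjunction.mail.protection.outlook.com]:25
EOF
    cat > "$t/maillog" <<'EOF'
Jul 31 00:58:28 mx1 postfix/qmgr[100]: A1B2C3D4E5F6: from=<alerts@gritfy.com>, size=500, nrcpt=1 (queue active)
Jul 31 00:58:35 mx1 postfix/smtp[101]: A1B2C3D4E5F6: to=<u@dest.example>, relay=gritfy-com.mail.protection.outlook.com[192.0.2.10]:25, delay=7.8, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Jul 31 01:02:00 mx1 postfix/qmgr[100]: 0F1E2D3C4B5A: from=<ops@devopsjunction.com>, size=500, nrcpt=1 (queue active)
Jul 31 01:02:04 mx1 postfix/smtp[102]: 0F1E2D3C4B5A: to=<u@dest.example>, relay=gritfy-com.mail.protection.outlook.com[192.0.2.10]:25, delay=4.0, dsn=5.7.750, status=bounced (550 5.7.750 Service unavailable)
EOF
    relay_report "$t/maillog" "$t/relay_by_sender"; rm -rf "$t"
}

demo
```

On a live host, call relay_report /var/log/maillog /etc/postfix/relay_by_sender; a MISROUTED verdict means the sender map or its .db does not match what Postfix actually used.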

So we have successfully tested single and multiple sender relay with Office365 and Postfix.

Now I want to give you a few links to help with your SMTP relay troubleshooting and to fix your setup issues.

Troubleshooting SMTP relay issues

There are a few errors I faced during the implementation of this setup, and I found some articles on the internet that helped me. I am listing them here for your reference.

This type of SMTP relay is a little complex but highly customizable and programmable. Since you are connecting directly to the MX server or smart host of Office365, there are a lot of restrictions, such as IP restrictions and blocks, to identify you and to ensure that you are not a spammer.

The other issues could be SPF and IP whitelisting. So make sure you do everything discussed in this post without missing a step. If you are still having issues, here are a few links I can refer you to

  1. Microsoft article on Troubleshooting the SMTP relay
  2. Five possible root causes for Relay access denied and how to fix it
  3. IP blacklist checker and Email Delivery Problem finder

 

Testing the Score of your SMTP setup or Spam Test Result

I highly recommend testing your SMTP setup by sending an email to the dynamic email ID generated by https://www.mail-tester.com/

Visit the web page, copy the dynamic email ID shown on the screen, send an email to it, and then check your score. It lists your configuration issues and the spamminess of your email, with possible fixes.

[Figure: Postfix Office365 relay]

 

I have prepared this article in the hope that it serves as a single page of reference when you want to set up Postfix Office365 SMTP relay and troubleshoot it. Hope it helps.

Ask me questions using comments

Cheers
Sarav AK (சரவணன் அ க)
