pfSense Office 365 SMTP

PfSense has already done this brilliantly by eliminating my need to manage bind, dhcpd, tftpd, and firewall rules. Adding 'mail relay' to that would be a big plus for me. Note that this is a simple relay - accept mail from the internal RFC1918 net, and send it to GMail. XX - Error: could not connect to the host 'smtp.office365.com':?? Found this thread which.

Office 365 requires TLS, but many devices don't support this for sending email alerts. My Unitrends appliance doesn't, my Vipre AV console doesn't, nor does my SonicWALL UTM. Once an SMTP relay is set up inside O365, your devices will be able to send alerts over port 25.

--edit 9/11/17 - MS has changed the O365 menus, so I've updated the steps to reflect the changes.

17 Steps total

Step 1: Find your public static IP

The O365 SMTP relay only works with a static IP so if your ISP has you configured with a dynamic one you're out of luck.

Step 2: Log on to O365

Log on to O365 as an admin and select admin from the menu on the left.

Step 3: Select domains

On the left side of the screen select Setup, Domains.

Step 4: Choose a Domain from the list

If you have more than one, pick the one you want to use.

Step 5: Find your SMTP server

Under Required DNS settings, Exchange Online, you'll see an MX record - you want the Points To Address entry.

Step 6: Go to the Exchange Admin Center

In the upper right click on Admin, Exchange.

Step 7: Select mail flow

On the left side click on mail flow

Step 8: Select connectors

From the new menu in the middle of the screen click on connectors

Step 9: Add an inbound connector

Click on the plus sign under the Inbound Connectors heading

Step 10: Choose the connector type

You'll want to pick From Your organization's email server, To: Office 365

Step 11: Fill in the details

Give the connector a name so you can find it later and a detailed description if you want. Select the Turn On box if you want it to start working right away and uncheck the Retain box as it doesn't apply.

Step 12: Enter your static IP info

Select the 'By verifying that the IP..' box then click the + to enter your static IP(s).

Step 13: Confirm settings

You should now have an inbound connector listed, looking something like this. Make sure each listed item is correct and confirm the IP addresses are correct, then click Save.

Step 14: Firewall exceptions

If your firewall is blocking outbound port 25 (it should be!) don't forget to enter exceptions for any device that you want to be able to send email through the relay. This will vary from firewall to firewall so I can't really include steps here.

The attached image is from my SonicWALL after I created the rule.

Step 15: Add SMTP server to your device

These next steps are for a Unitrends appliance, but the basic idea applies to any device you want to send from - find the SMTP settings and use what you found in step 5.

Log on to your appliance then click on Settings, Clients, Networking, and Notification

Step 16: Select SMTP server

Click on SMTP server

Step 17: Fill in the details

Enter the address from step 5 in the SMTP server box.

To make sure everything works put an address in the Test Address box and then click on the 'If you want to test your SMTP' box.

Don't forget to click Confirm at the bottom!

You should now be able to use your new relay for any device or program that needs to send email from your network, but isn't capable of working with TLS.

If you want to read through all the details about the O365 relay setup, they are linked in the References section.

NOTE - You may also want to add the static IP (used in step 12) to the O365 SPAM white list, so your emails don't get flagged as SPAM.
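An added example, not part of the original how-to: once the step 14 exceptions exist, a firewall log export can be audited to confirm that only the excepted devices send on port 25 and only to the relay. The log format, device addresses and relay range below are constructed for illustration; substitute your own export and the range your step 5 endpoint resolves into.

```python
import csv
import io
import ipaddress

# Constructed policy: devices granted the port-25 exception in step 14 and the
# range the step-5 MX endpoint resolves into (documentation range, not a real one).
RELAY_DEVICES = {ipaddress.ip_address("192.168.10.20"),   # backup appliance
                 ipaddress.ip_address("192.168.10.21")}   # AV console
RELAY_TARGETS = [ipaddress.ip_network("203.0.113.0/25")]

# Constructed firewall log export: time,src,dst,dport,action
SAMPLE_LOG = """\
2017-09-11T08:00:01,192.168.10.20,203.0.113.10,25,allow
2017-09-11T08:00:05,192.168.10.21,203.0.113.200,25,allow
2017-09-11T08:01:12,192.168.10.77,203.0.113.10,25,allow
2017-09-11T08:02:30,192.168.10.77,198.51.100.9,25,block
2017-09-11T08:03:00,192.168.10.20,203.0.113.10,443,allow
not,a,valid,row
"""

def audit_port25(log_text, devices=RELAY_DEVICES, targets=RELAY_TARGETS):
    """Return ([(time, src, dst, reason), ...], skipped_rows) for allowed
    outbound port-25 flows that fall outside the relay exception."""
    findings, skipped = [], 0
    for row in csv.reader(io.StringIO(log_text)):
        try:
            ts, src, dst, dport, action = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:          # wrong field count or unparsable address/port
            skipped += 1
            continue
        # Only allowed port-25 flows from internal (RFC1918) sources matter here.
        if port != 25 or action != "allow" or not src_ip.is_private:
            continue
        if src_ip not in devices:
            findings.append((ts, src, dst, "source has no relay exception"))
        elif not any(dst_ip in net for net in targets):
            findings.append((ts, src, dst, "destination is not the relay"))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = audit_port25(SAMPLE_LOG)
    for hit in hits:
        print(*hit, sep="  ")
    print(f"{bad} unparsable row(s) skipped")
```

A finding for an unlisted source means the exception rule is broader than intended; a finding for an excepted device sending elsewhere means the rule does not pin the destination.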

Published: Nov 05, 2014 · Last Updated: Sep 11, 2017

References

  • Technet article, setup SMTP relay

23 Comments

  • Datil
    JustSayin Nov 5, 2014 at 05:14pm

    Excellent post, I am sure there are a few techs on the helpdesk at Unitrends who can use this.

  • Jalapeno
    Capt_Beard Nov 5, 2014 at 08:11pm

    If you have multiple external IPs, how do you know which one to use?

  • Pure Capsaicin
    DragonsRule Nov 5, 2014 at 08:16pm

    If your router sends out port 25 over any of them you would just enter each of them, one per line.

    I just updated the how-to to include that.

  • Mace
    Doughnut Nov 7, 2014 at 05:56am

    This is awesome Larry. I can't wait to try this out on some printers. Way easier than having to worry about managing separate accounts.

  • Jalapeno
    chriloga Jul 7, 2015 at 06:59pm

    God bless you for posting this! Fixed all kinds of issues since our Office365 migration.

  • Jalapeno
    Michael-volz Oct 21, 2015 at 02:50pm

    This works like a charm. Ended up using the method for an IIS SMTP relay service that uses TLS. Still works perfectly

  • Jalapeno
    Biagio68 Apr 27, 2016 at 01:15pm

    BLESS YOU! My devices don't use TLS and the technet article about workarounds was probably one of the most confusing I've had to read.

  • Pure Capsaicin
    DragonsRule Apr 27, 2016 at 01:29pm

    Glad it helped :)
    After slogging through the MS version I initially just made notes for myself, so I'd never have to read their site again.

  • Mace
    bbigford May 17, 2016 at 08:56pm

    We are now going down the O365 route, and getting off an Exchange 2007 server (migrating over to Exchange 2013). Nice write up. Might have to refer back to this at some point.

  • Pimiento
    Liam0121 Sep 7, 2016 at 12:28pm

    Hi Larry,
    I am following your guide to setup scan to email on Xerox Phaser 6180 printer and I do not seem to be having any success, do you recommend anything else at all that may assist?

  • Pure Capsaicin
    DragonsRule Sep 7, 2016 at 01:19pm

    Please create a post in the Printer Group or the O365 group so we can try to help you.

  • Cayenne
    Inegolluyum May 10, 2017 at 07:50pm

    Continued thanks for this!

    Six more words to go; done!

  • Pimiento
    grantpsd May 15, 2017 at 05:02am

    For some reason when I put in our IP address listed in the MX record I get an error when saving the connector as follows: ERROR: SenderIPAddress xxx.xxx.xxx.xxx cannot contain Micorsoft reserved IP Address for 'On Premise' type of connector.

    any ideas

  • Pure Capsaicin
    DragonsRule May 15, 2017 at 12:52pm

    Please create a post in the O365 group so we can help you with that error.

  • Pimiento
    josephjoseph3 Jan 25, 2018 at 03:02pm

    hi
    what can i do if i want to add 25 users and relay everyone with an ipv6


This was a question for a large university in Arizona moving faculty, staff and students to Office 365.

Here are the ports from the deployment guide (note: these are subject to change so refer here to the latest Port and IP list):

* SMTP Relay with Exchange Online requires TCP port 587 and requires TLS. See TechNet for details on how to configure SMTP Relay with Exchange Online. Note: you will need to provide the SMTP server which is specific to the mailbox used for relay. See the TechNet article Set Up Outlook 2007 for IMAP or POP Access to Your E-Mail Account.

** POP3 access with Exchange Online requires TCP port 995 and requires SSL. See TechNet for details on how to configure POP3 with Exchange Online.

Can I lock it down to certain IP ranges, URLs/servers?

Yes, here are the IP ranges and URLs/Servers:

Office 365 portal

Microsoft online services sign in:

Exchange Online sign in and authentication:

207.46.150.128/25
157.55.59.128/25
*.microsoftonline.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.microsoftonlineimages.com
*.microsoftonlinesupport.net

Exchange Online servers (note: you only need the IP ranges for your geographic region)

Americas

Europe

Asia-Pacific

111.221.23.128/25
111.221.66.0/25
111.221.69.128/25
207.46.58.128/25

Microsoft Federation Gateway – required for federated delegation and hybrid deployments

207.46.150.128/25
207.46.164.0/24
*.microsoftonline-p.com
*.live.com
*.microsoftonline.com
*.microsoftonlinesupport.net

FOPE URLs and IP addresses

CIDR format

  • 12.129.20.0/24 = 12.129.20.1 - 12.129.20.254
  • 63.241.222.0/24 = 63.241.222.1 - 63.241.222.254
  • 65.55.88.0/24 = 65.55.88.1 - 65.55.88.254
  • 94.245.120.64/26 = 94.245.120.65 – 94.245.120.126
  • 207.46.51.64/26 = 207.46.51.65 - 207.46.51.126
  • 207.46.163.0/24 = 207.46.163.1 - 207.46.163.254
  • 213.199.154.0/24 = 213.199.154.1 - 213.199.154.254
  • 213.199.180.128/26 = 213.199.180.129 – 213.199.180.190
  • 216.32.180.0/24 = 216.32.180.1 - 216.32.180.254
  • 216.32.181.0/24 = 216.32.181.1 - 216.32.181.254

Lync Online URLs and Servers

IP Ranges

Lync Online URLs

  • *.online.lync.com
  • *.onmicrosoft.com
  • *.infra.lync.com
  • *.lync.com