Office 365 SMTP Relay


Last Review: September 15, 2012
Product(s): Microsoft Office 365, Window Server 2008/2008 R2/2012, Internet Information Server 7/7.5/8

 Office 365 SMTP Relay is one of the more common questions we get at Matrixforce. There is an enormous amount of confusion around this topic:

  • If you have applications or devices that only need to send to people in your domain, then you don't need relay settings. Configure those applications or devices to send mail directly to your MX record. To prevent these messages from going to junk or quarantine, add the originating public IP addresses of these applications or devices to Forefront Online Protection for Exchange.

  • The standard Microsoft instructions for How to configure an SMTP relay for Office 365 have very stringent requirements: an Exchange Online mailbox account, port 587 outbound for SMTP, TLS enabled, and the from email address much match the same account used for relay. Matrixforce does NOT recommend this approach because of the:

    • Added monthly subscription cost for the relay service account.

    • Hassle and security risk of setting the account password to not expire.

    • Configuration required for an additional port 587 on your firewall and increasing on-premise attack plane.

    • Sending limit of 1,500 messages per day.

    • Fact that many applications don't support TLS or custom SMTP port of 587.

  • Installing a local SMTP server is the best approach for handling application and device relay with no: monthly cost, special ports or authentication, or limits - all while securely restricting relay access application or device IP address.

    1. Locate a Windows Server for SMTP relay and install Internet Information Server, SMTP, and Telnet client as necessary. Temporarily leave the SMTP virtual server unrestricted.

      • Install Web Server (IIS) role with SMTP. Click Start, Administrative Tools, and Server ManagerAdd Role Services Webserver (IIS) with IIS 6 Management Console features and ODBC Logging. Add Feature and enable SMTP Server.

      • To install the Telnet client, click Start, enter cmd, and type the following command:
        pkgmgr /iu:"TelnetClient"

    2. Verify or add a rule to your firewall for port 25 SMTP outbound from the SMTP virtual server. An inbound rule for SMTP is not required.

    3. Configure your application or device to send to the IP address of the SMTP virtual server. You can also test SMTP relay using Telnet and check the SMTP logs (Systemroot\System32\LogFiles\SMTP) for diagnostics. The following is an example telnet session:

      • telnet 25
        mail from:
        rcpt to:
        this is a test message.

    4. Add the public IP address (usually your firewall external IP address) of the local SMTP server and/or the local LAN domain name to the Office 365 Safe Senders list.

      • Sign in to as an administrator. Click Manage under Exchange, Mail control on the left, and Configure IP safelisting, perimeter messaging tracing, and e-mail policies on the right. 

      • Click Add under Inbound Connectors, enter a name and Sender IP Address of your firewall, and click Save.

    5. After successful relay, restrict access to the SMTP virtual server to only the IP addresses of the desired applications and devices.

      • Open the Internet Information Services 6 console, expand as necessary, right-click SMTP virtual server, and click Properties.

      • Click the Access tab and Relay button. Click Only the list below, Add the IP Addresses of the desired applications and devices, and click OK.

      • Click the Messages tab and you may want to increase the message size limit above 2MB and increase the number of recipients per message above 100.

      • Stop and Start the SMTP Virtual Server for the changes to take affect and test again to verify restrictions.

Helpful? Add us as your Office 365 Partner of Record 277554.

Related Links