How To: Authenticated SMTP When Security Defaults/Modern Authentication Are Enabled

Background

Many legacy applications use authenticated SMTP to send email notifications. Since most organizations use Exchange Online as their email provider, leveraging it as a mail relay for service accounts is helpful and convenient. About five or so years ago, Microsoft began enabling Security Defaults for all new tenants and, shortly after, began deprecating Basic Authentication in Exchange.

While it’s possible to use smtp.office365.com as a relay for appliances such as printers and scanners, that isn’t feasible in every case, and it wasn’t in mine. After many hours of research and trial and error, I finally worked through all the pieces needed to get authenticated SMTP working with Security Defaults and Modern Authentication enabled.

Prerequisites

You’ll need to ensure the following is configured for the account you want to use:

  • MFA is enabled for the target user account in the Microsoft Entra admin center
  • The SmtpClientAuthenticationDisabled property (Exchange Online PowerShell) is set to $false (meaning that authenticated SMTP is enabled for this user)
  • Generate and record an App Password for the user
  • Disable POP3 and IMAP to prevent TLS downgrade attacks (optional, but highly recommended)
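The mailbox-level items in the list above can be checked and applied from Exchange Online PowerShell. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run as an Exchange administrator. The MFA registration and App Password steps happen in the Entra portal and My Security Info and are not scripted here.

```powershell
# Added example: report (and optionally fix) the per-mailbox SMTP AUTH / POP / IMAP settings
# for one service account. Assumes Connect-ExchangeOnline has already succeeded.

function Test-SmtpAuthPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # UPN of the service account
        [switch] $Fix                                 # apply the settings instead of only reporting
    )

    $cas = Get-CASMailbox -Identity $Identity

    # A $null mailbox value means "inherit the tenant-wide setting", which lives on TransportConfig.
    $tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
    $effectiveDisabled = if ($null -eq $cas.SmtpClientAuthenticationDisabled) {
        $tenantDisabled
    } else {
        $cas.SmtpClientAuthenticationDisabled
    }

    $report = [pscustomobject]@{
        Identity                      = $Identity
        SmtpAuthDisabledOnMailbox     = $cas.SmtpClientAuthenticationDisabled
        SmtpAuthDisabledTenantDefault = $tenantDisabled
        SmtpAuthEffectivelyEnabled    = -not $effectiveDisabled
        PopEnabled                    = $cas.PopEnabled
        ImapEnabled                   = $cas.ImapEnabled
    }

    if ($Fix) {
        # Enable authenticated SMTP on this mailbox only (the tenant default is left alone),
        # and turn off POP3/IMAP so the App Password cannot be used on those protocols.
        Set-CASMailbox -Identity $Identity `
            -SmtpClientAuthenticationDisabled $false `
            -PopEnabled $false `
            -ImapEnabled $false
        # Re-read so the returned report reflects what is now configured.
        $report = Test-SmtpAuthPrerequisites -Identity $Identity
    }

    return $report
}

# Usage (placeholder account name): report first, then apply.
# Test-SmtpAuthPrerequisites -Identity 'svc-notify@yourdomain.com'
# Test-SmtpAuthPrerequisites -Identity 'svc-notify@yourdomain.com' -Fix
```

Run it without -Fix first; SmtpAuthEffectivelyEnabled is the value that matters, because a mailbox set to $null silently follows whatever the tenant default is.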

Putting it All Together

Instead of targeting smtp.office365.com on port 587 as our mail relay, we’ll use [YourTenantID].protection.outlook.com on port 25 with the StartTLS property (required).

We can use PowerShell to test this (when prompted, enter the account’s UPN and the App Password you generated):

Send-MailMessage -SmtpServer [YourTenantID].protection.outlook.com -UseSsl -Port 25 -Credential (Get-Credential) -From me@mydomain.com -To you@yourdomain.com -Subject "Test Email" -Body "Testing, 1, 2, 3?"

Yes, I know the Send-MailMessage cmdlet is obsolete and doesn’t guarantee a secure connection to the SMTP server, but here we’re only using it to test our settings and connectivity.

If it works, any remaining fault lies with the application’s configuration or the environment it runs in, not with your Microsoft 365 setup.
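Before handing the App Password to an application, it is worth seeing what the relay actually negotiates: whether STARTTLS is offered, what TLS version and certificate come back, and whether AUTH is advertised once the session is encrypted. The probe below is an added example and not code from the original post; it speaks raw SMTP, sends no message and no credentials, and assumes Windows PowerShell 5.1 or PowerShell 7. The server name is the page’s placeholder, which you replace with your own.

```powershell
# Added example: probe an SMTP relay's STARTTLS and AUTH capabilities without sending mail.

function Read-SmtpReply {
    # Reads one SMTP reply, which may span several "250-..." lines, and returns all of them.
    param([System.IO.StreamReader] $Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpRelayStartTls {
    param(
        [Parameter(Mandatory)] [string] $Server,        # e.g. '[YourTenantID].protection.outlook.com'
        [int] $Port = 25,
        [string] $EhloName = 'probe.example.invalid'    # constructed client name used in EHLO
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $client.ReceiveTimeout = 15000
    try {
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $EhloName")
        $plainCaps = Read-SmtpReply $reader
        if (-not ($plainCaps -match '^250[- ]STARTTLS')) {
            throw "$Server does not advertise STARTTLS on port $Port; do not send credentials to it"
        }

        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

        # SslStream validates the certificate chain and hostname by default; a failure here
        # means the relay name or its certificate is wrong, not that TLS is unsupported.
        $tls = [System.Net.Security.SslStream]::new($stream, $false)
        $tls.AuthenticateAsClient($Server)
        $tlsReader = [System.IO.StreamReader]::new($tls)
        $tlsWriter = [System.IO.StreamWriter]::new($tls)
        $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true

        # Capabilities must be re-read after the handshake; AUTH only counts when offered over TLS.
        $tlsWriter.WriteLine("EHLO $EhloName")
        $tlsCaps = Read-SmtpReply $tlsReader
        $tlsWriter.WriteLine('QUIT')

        $authMechs = foreach ($cap in $tlsCaps) {
            if ($cap -match '^250[- ]AUTH\s+(.+)$') { $Matches[1] }
        }

        [pscustomobject]@{
            Server             = $Server
            Banner             = $banner[0]
            StartTlsOffered    = $true
            TlsProtocol        = $tls.SslProtocol
            CipherAlgorithm    = $tls.CipherAlgorithm
            CertificateSubject = $tls.RemoteCertificate.Subject
            AuthOfferedOverTls = [bool]$authMechs
            AuthMechanisms     = $authMechs
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: Test-SmtpRelayStartTls -Server '[YourTenantID].protection.outlook.com'
```

Read the result with the post’s goal in mind: StartTlsOffered and a sane TlsProtocol confirm the transport is encrypted, while AuthOfferedOverTls tells you whether the endpoint will authenticate the client at all. If it comes back $false, the relay is accepting the session without credentials, so the App Password is not what is protecting that path and the application’s settings should be reviewed with that in mind.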

Retrieving a copy of all Emails Sent To or Received From a Specific Domain in Exchange 2007

I recently received a request to locate and create a copy of every email sent to or received from a specific domain. Exchange 2010 has built-in litigation hold and compliance management tools that could do this for you, and I even found a VB script for Exchange 2003, but there was not much information out there for Exchange 2007.

Here’s what I did…

Step 1: Ensure that your account has FullAccess permissions to all mailboxes in the Exchange database by running this command in the Exchange Management Shell:

Get-Mailbox -Database "[Database Name]" | Add-MailboxPermission -User [Your Admin Account] -AccessRights FullAccess -InheritanceType All

Step 2: This hefty cmdlet tells Exchange to search every mailbox in the database for messages received from a specific domain, excluding the target mailbox, since you can’t export a mailbox into itself:

Get-Mailbox -Database "[Database Name]" | Where-Object { $_.Name -ne '[Username of the Target Mailbox]' } | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -SenderKeywords '*[domain name]'

Step 3: The last command does the same as the above, but looks for any emails sent to a specific domain:

Get-Mailbox -Database "[Database Name]" | Where-Object { $_.Name -ne '[Username of the Target Mailbox]' } | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -RecipientKeywords '*[domain name]'

Once done, you can open the target mailbox in Outlook and save it to a PST. So there you have it!
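The three steps above can be run as one script. The function below is an added example and not the post’s own code; it is written for the Exchange 2007 Management Shell (PowerShell 1.0, so no advanced-function syntax), uses placeholder names for the database, target mailbox and domain, and adds two things a practitioner usually wants: a -Preview switch that lists the source mailboxes before anything is exported, and a -RemovePermissionAfter switch that takes the FullAccess grant from Step 1 away again once the export has finished.

```powershell
# Added example: Steps 1-3 of the post as one function for the Exchange 2007 Management Shell.
# All names are placeholders you substitute; nothing here is tenant- or site-specific.

function Export-DomainMail {
    param(
        [string] $Database      = $(throw "Database is required, e.g. 'Mailbox Database'"),
        [string] $TargetMailbox = $(throw "TargetMailbox is required (alias or name)"),
        [string] $Domain        = $(throw "Domain is required, e.g. example.com"),
        [string] $TargetFolder  = "Export-$Domain",
        [string] $AdminUser     = $env:USERNAME,   # account running the shell
        [switch] $Preview,                         # list the source mailboxes and stop
        [switch] $RemovePermissionAfter            # revoke the FullAccess grant when done
    )

    # Exclude the target by Alias rather than display name: aliases are unique, names may not be.
    $target  = Get-Mailbox -Identity $TargetMailbox
    $sources = Get-Mailbox -Database $Database | Where-Object { $_.Alias -ne $target.Alias }
    Write-Host ("{0} source mailboxes in '{1}' (target '{2}' excluded)" -f @($sources).Count, $Database, $target.Alias)

    if ($Preview) {
        $sources | Select-Object DisplayName, Alias, ServerName | Format-Table -AutoSize
        return
    }

    # Step 1: FullAccess on every source mailbox, which Export-Mailbox needs to read them.
    $sources | Add-MailboxPermission -User $AdminUser -AccessRights FullAccess -InheritanceType All | Out-Null

    # Steps 2 and 3: the same keyword, once against the sender and once against the recipients.
    # Kept as two separate passes, as in the post, so each filter applies on its own; the results
    # land in separate sub-folders so "from" and "to" matches stay distinguishable.
    $keyword = "*$Domain"
    $sources | Export-Mailbox -TargetMailbox $target.Alias -TargetFolder "$TargetFolder\From" -SenderKeywords $keyword -Confirm:$false
    $sources | Export-Mailbox -TargetMailbox $target.Alias -TargetFolder "$TargetFolder\To" -RecipientKeywords $keyword -Confirm:$false

    if ($RemovePermissionAfter) {
        # Least privilege: the export is finished, so the broad mailbox access is no longer needed.
        $sources | Remove-MailboxPermission -User $AdminUser -AccessRights FullAccess -InheritanceType All -Confirm:$false | Out-Null
    }
}

# Usage (placeholders): look before you export, then run for real and clean up afterwards.
# Export-DomainMail -Database "[Database Name]" -TargetMailbox "[Target Alias]" -Domain "[domain name]" -Preview
# Export-DomainMail -Database "[Database Name]" -TargetMailbox "[Target Alias]" -Domain "[domain name]" -RemovePermissionAfter
```

Export-Mailbox writes a report object for each source mailbox it processes; keep that output, since it is the only record of which mailboxes contributed to the PST you end up handing over.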