Email

SMTP to Exchange Online

SMTP is still needed by certain applications and devices, such as printers, which don’t support Modern Authentication and instead require legacy authentication to talk to a SMTP server.

You are able to use Exchange Online as an SMTP server, but this can be tricky to set up if you’ve hardened your environment by requiring Multi-factor authentication through Security Defaults or Conditional Access.

Microsoft have good documentation on “How to set up a multifunction device or application to send email using Microsoft 365 or Office 365” with the recommended approach to use SMTP, but you may need to poke some security holes through your environment.

Assuming you can get out through your firewalls on port 587 or 25 for SMTP, you’ll need to turn off Azure AD Security Defaults if you have them on. If you do this, understand what you’re turning off and rebuild those same settings in Conditional Access. If you have them off, then you should have Conditional Access policies already.

Personally, I have a ‘Block Legacy Authentication’ conditional access policy which as it says, blocks legacy authentication. For an account I want to send emails from via SMTP, I add it as an exception to this policy.

I then have a second policy ‘Allow Legacy Authentication Internal Only’ which I then target this user at, which still blocks legacy auth unless it’s coming from a trusted IP address. These two rules together then block all users from legacy auth, except the ones on the second policy, and then only if they’re coming from inside my network. The goal of this is to prevent anyone externally using spray attacks against accounts to gain a username and password – although they couldn’t log in anywhere beyond SMTP due to MFA policies, they could still start sending emails that would be from a legitimate email address.

If you have IPs restricted on Exchange Online connectors, that does not appear to affect SMTP auth and you shouldn’t need to add your internal IPs there.

The account you want to use for SMTP sending must have a mailbox license, I use ‘Exchange Online Plan 1’ for one of the cheaper options that is pure mailbox. The SMTP settings are listed here.

You also need to allow SMTP auth across your organisation (not ideal), or on a per account basis (much better security wise, plus it overrides the org default – so you can disable at org level and allow at account level). Microsoft Docs covers this in detail but the command (which requires connecting to Exchange Online via PowerShell first) to allow on a single mailbox is:

Set-CASMailbox -Identity [email protected] -SmtpClientAuthenticationDisabled $false

Once these policies and licenses is in place, you can test. The easiest way I found was a 1 liner PowerShell command. You must use the source mailbox’s account as the from address:

Send-MailMessage –From [email protected] –To [email protected] –Subject "Test Email" –Body "Test SMTP Service from Powershell on Port 587" -SmtpServer smtp.office365.com -UseSsl -Port 587 -credential $madeupvariable

When testing, I found that after changing the Conditional Access rules to let a specific account go through as legacy auth took several minutes. Azure AD logs also take several minutes to show auth attempts, so don’t rush and change too many things at once trying to do this.

Ideally, nobody would be using SMTP – but in the real world we still have to, so the above will at least keep login records in Azure AD, and limit it to trusted IPs, certain accounts, or any other Conditional Access rules you can come up with to reduce the risk of allowing this.

Synology DiskStation Microsoft 365 Backup Review

Synology sent me a new DiskStation to review after I’d acquired an older one myself to look at it’s ability to back up Microsoft 365 data (the updated name for Office 365). Being a Microsoft MVP in Office Apps and Services category, so I was very interested to see how it worked.

After reading up on and seeing that it was a completely free piece of software available as part of owning a DiskStation, I was hoping this would be a good solution at an incredibly low price – buy your DiskStation and disks, some time to set it up, and you’re done. To me, that’s already a very appealing offering, along with Synology having a good reputation for maintaining and supporting their hardware several years on – which was proved by the 7 year old DS1813+ I set up a few months ago.

I’ve left the new Intel-based DiskStation 1618+ – Quad Core CPU and 4GB RAM (expandable) running for about a month now, backing up my Microsoft 365 tenant’s data. I ticked ALL the options to see how it went. This tenant is just for me, so the data set is smaller than most tenants – but I do run a few live things through it like email and OneDrive. There’s also a little SharePoint Online data from Micrsoft 365 Groups and Teams I’ve played around with.

Here’s what the dashboard looks like now:

Some useful information there around what’s being backed up and how big it is. You might notice there’s a few errors on the summary. I drilled into those and each was because ‘The Microsoft Server is busy’, and a few minutes later it would try again successfully.

This is likely because I used a backup option to get incremental changes, rather than at a set time. Maybe I’m hitting it too much and getting blocked occasionally.


I know I’ve gotten ahead of myself here, so let’s go back to how to set this up. Assuming you have yourself a Synology DiskStation of some sort that supports ‘Active Backup for Office 365‘ – and which models are those? Here’s the list:

  • 20 series:FS6400, FS3600, FS3400, RS820RP+, RS820+, DS920+, DS720+, DS620slim, DS420+, SA3600, SA3400, SA3200D
  • 19 series:RS1619xs+, RS1219+, DS2419+, DS1819+, DS1019+, DVA3219
  • 18 series:FS1018, RS3618xs, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS3018xs, DS1618+, DS918+, DS718+, DS418play, DS218+
  • 17 series:FS3017, FS2017, RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, RS3617xs, DS3617xs, DS1817+, DS1517+
  • 16 series:RS18016xs+, RS2416RP+, RS2416+, DS916+, DS716+, DS716+II, DS416play, DS216+, DS216+II
  • 15 series:RS815RP+, RS815+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, DS415+
  • 14 series:RS3614xs+, RS3614RPxs, RS3614xs, RS2414RP+, RS2414+, RS814RP+, RS814+
  • 13 series:RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+
  • 12 series:RS3412RPxs, RS3412xs, RS2212RP+, RS2212+, RS812RP+, RS812+, DS3612xs, DS1812+, DS1512+, DS712+, DS412+
  • 11 series:RS3411RPxs, RS3411xs, RS2211RP+, RS2211+, DS3611xs, DS2411+, DS1511+, DS411+, DS411+II

From the DiskStation desktop, open Package Center and follow these steps:

This was a very easy setup to do – I took screenshots of every step involved, but it barely needs an explanation for anyone who’s an admin of a Microsoft 365 Tenant.

The program will then go off and start backing up what you told it. The ‘Activities’ section of Active Backup for Office 365 will show any backups running, and you can also use the inbuilt ‘Resource Monitor’ to see upload/download speeds, disk utilization etc.

It’s also worth noting that the backup you created has an ‘account discovery’ option where it’ll find any new accounts created and automatically add them to the backup, which is great for not having to change backup settings each time you have a new user start.


Running a backup is great, but how do you restore the data? There’s a second app you’ll need, ‘Active Backup for Office 365 Portal’. Launching this will take you to a web interface where admins can browse all data, and users can browse just their own (user access can be disabled if you prefer).

On this web interface, you can then find the file(s) you want to restore, and restore them. You also get a nice timeline down the bottom so you can move backwards and forwards to see a snapshot of a certain time.

Although Mail, Calendar, Contact, and Site (SharePoint) support searching across all backups for names and contents, at the time of writing this isn’t possible for OneDrive backups. It’s worth being aware of this – if someone requests a file restore you’ll need to know exactly when from. I don’t see this as too much of an issue though, as OneDrive has great version control natively, and an automatic recycle bin – so you’d probably rely on the native solution for finding a file, but still it’s worth knowing this existing limitation.

That was the only slight negative I could find while testing. Everything else just worked, was quick to browse and restore, and incremental backups appeared to be on the DiskStation within several seconds after creating a new file in OneDrive.

Again, this is an incredibly cheap Office 365 backup solution. Some may question if you need to back up Office 365 at all. You could set up infinite retention against all content, so why take a backup? To me it’s a definite grey area, and partly depends how much you value the data. Microsoft may never lose your data, but will it be available 100% of the time? What if that important document is in your OneDrive and hadn’t synced down, and there was an outage? We’ve seen a few outages lately, including ones that have broken authentication – your data is still there, but you can’t get to it. In that scenario, having a local copy of something time sensitive could be worth it. Considering the relative low cost of buying a Synolgoy DiskStation – your disks are probably going to cost more than the unit itself, I consider it a pretty easy sell.

Removing Unwanted SMTP Records From Exchange Hybrid

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and run this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out, that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ command in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is “RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.

 

If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This will make sure all object types (including groups, contacts etc) don’t have the unwanted SMTP record.

Stellar Exchange Tookit Review

Stellar Data Recovery reached out to me to see if I was interested in reviewing their product. I only accept these when I can see a personal interest in what the product does. The 5 key things this product does are:

1. Repair corrupt EDB files
2. Mailbox Extractor for Exchange Server
3. OST – PST conversion
4. Mailbox Extractor for Exchange Backup
5. Password Recovery for MS Exchange

Primarily I was interested in OST to PST conversion, as I’ve tried to do this before and had no luck with free solutions, and wanted to try a paid product that could solve the problem. (It’s also worth noting this isn’t cheap software. Also if you only want a more basic OST to PST converter, they sell that by itself for a lot less.)

I tested the Exchange Toolkit on an Outlook 2016 OST file I’d copied off another computer, that was 2GB in size. It does take a little while to process, but displays the results in a nice Outlookesque GUI:

There’s also a search function, which is handy if you’re just after a particular email from the OST.

If you need to export the results, there’s a bunch of useful options:

I was impressed with the options to export directly to Exchange Server and Office 365! But for me, I was happy with a PST. The resulting PST file was readable via Outlook 2016, so the product does exactly what it says on the virtual box.

Another part of the toolkit I looked at, was the Mailbox Extractor. Again, there’s several options, but I tried connecting to a live Exchange 2010 server to extract emails:

After connecting, again I was presented with an Outlook style of emails. I then realised there’s a few use cases for this tool that are handy to me personally; if I need to go into a mailbox to get something out, this is much easier than adding a second mailbox or profile. It also then lets me take out those emails in a variety of ways – for example, I can select a folder and then export all contents of that folder into several formats, such as PST, MSG, PDF, HTML and RTF. For HTML and PDF, it will create a file per email with the same subject name.

I can see the other functions of this product being useful for someone who’s often dealing with other companies’ data, old data that needs to be restored, or extracting out a mailbox from an online Exchange server. It’s an interesting array of tools, and I’ll try to report back on whether this tool does the job well or not.

Worth checking out these tools if you run into a scenario where you need them – sometimes there’s a freeware or open source solution, but often they don’t work, are old, unreliable or limited in functionality. Stellar Exchange Toolkit seems to do what it claims well, and I look forward to trying more features in the future.

Your Personal Information Has Been Leaked

Opinion: The below is all my personal opinion, and although any company examples I give are true, this cannot be taken as 100% guaranteed evidence of a data leak.

Yep, you read the heading correct. If you’ve been online and signed up to even a handful of services, chances are some of your data has been stolen.

Troy Hunt’s website https://haveibeenpwned.com/ hosts some details on many millions of records that have been leaked one way or another from companies such as Adobe, Sony and Yahoo. Those are just known leaks though, where the data has been made publically available one way or another, and is only a snippet of what’s really out there.

How do I know this with such conviction? I’ve signed up to a LOT of things over the years, and using my methodology, each signup has a unique email address.

That unique email address per service gives me a pretty quick insight into who’s somehow lost my data. On a daily basis, I can have a look around my Google Apps spam folder, and see what email addresses were used to send spam to.

Often I’ll see the same email 15-20 times, sent to different email addresses on my domain. That’s pretty clear these spammers are finding multiple chunks of breached data, because my different email addresses aren’t going to be registered to a single site.

Today’s spam had the local part of the email address (the bit before the @) in the subject too, so here you can see what these emails were sent to:

spam

I tend to see a mix of gibberish (such as asYOyuPq) and leaked emails. In this example chunk of spam, there’s Adobe – which I know was leaked as confirmed on haveibeenpwned, but there’s also plenty of other worrying ones. Penguin is from Penguin Books Australia, Dropbox is obvious, Coles, Dell, and others.

Looking down my list in the last few days, I can see others like fringebenefits – an Adelaide Fringe run discount tickets I signed up to a couple of years ago. Viator, a service I booked a tourist attraction on when visiting the US a few years ago.

Then there’s ebay – that one I don’t know so well, because email addresses get passed around when you buy and sell things through a platform. Maybe I contacted a seller and they had my email address because of that, and was lost from there.  Acertabletforum from a few years ago when I downloaded custom ROMS for an Acer Android tablet. Umart, from when I bought some PC components a few years ago too. 

At this stage, you might be wondering how I know the problem isn’t me. As I said, I’ve signed up for probably thousands of services over the years, and continually only see a subset of addresses that get spam. If I was leaking the data somehow, I should see a big mix of everything I’ve used, or at least everything up to a certain point in time. This is definitely not the case.

On top of all these email addresses, I have no idea what other data was leaked with them. My name, date of birth, first pet’s name, my home address? I can’t remember which services required which pieces of info, nor will most of these data leaks ever be publicly known – so I have no idea.

I don’t know what the answer is to all of this. I called out one company recently asking if they had a data breach, as I started to get spam on the email address I’d signed up to their online store with, which resulted in them calling my personal mobile phone, finding me on Facebook, naming my wife and son to me and threatening to send friends around to my place of residence, which he had obtained from my domain registrar details. This happened 2 years after I explicitly requested the company delete all my details, which I happened to blog about here.

It’s a pretty sorry state of affairs, and I don’t see anything getting better soon. If you want real privacy, use a fake name, a PO box, a pre-paid mobile phone and so on – because as soon as you hand your details out to someone, the world’s going to know about it.

Thanks to Troy Hunt for giving me the idea to write this up.