Email configuration for Office 365

Hi!

What @waldrondigital posted essentially comes from

https://wiki.freepbx.org/display/PPS/Setup+Postfix+Manually

It’s just that people don’t realize this is something they, at least currently, have to do for office 365…

Microsoft servers are in their rights to refuse to process emails with incorrect/unknown domains (or email addresses which have not been given proper permissions, ie the “Send as”)…

(As mail admins say, their servers, their rules…)

Anyway, for unknown domains if office 365 didn’t block those they would most likely end up being blocked by the receiving servers.

(My MX for my domains and the ones I setup in the past certainly would…)

Honestly, as far as I am concerned, System Admin Pro should probably set up all these remappings by itself when you tell it you are relaying through office 365 servers (and maybe for other servers as well since it’s not actually acceptable anywhere to send mails from unknown domains) and give it the permission to do it…

On a dedicated system it’s not much of a problem for System Admin Pro to alter Postfix’s configuration in such a way but if that system does more than FreePBX/Asterisk duty then I would be hesitant to have this done automatically, it might corrupt an otherwise working setup…

Have a nice day!

Nick

I hope this can help: Steps to getting FreePBX to work with Office 365 email

Thanks.

Nice. I could seriously use a beginning to end how to guide. A definitive guide would have saved me, and I’m sure many others countless hours of frustration. I’ll be on the lookout for it.

Yep! Read the post just above yours in this thread, I have just posted my write up.

Thank you for putting the writeup together. I completed all the steps in your write up.

I am now getting:

Sep 24 00:10:09 freepbx postfix/smtp[6482]: AB2F462ABF38: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.100.162.178]: no mechanism available
Sep 24 00:10:09 freepbx postfix/smtp[6477]: warning: SASL authentication failure: No worthy mechs found
Sep 24 00:10:09 freepbx postfix/smtp[6477]: C0E8F62ABF3B: to=[email protected], relay=smtp.office365.com[40.97.115.50]:587, delay=503, delays=501/0.04/2.1/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.office365.com[40.97.115.50]: no mechanism available)

Any ideas?

Check your /etc/postfix/main.cf

Do you have

smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
relayhost = smtp.office365.com:587
myhostname = yourhostname.WhatEverItIs.com
mydomain = yourhostname.WhatEverItIs.com
myorigin = yourhostname.WhatEverItIs.com

The Commercial System Admin module should set this for you if you used the recommendations in my other post:

Close. I have
smtp_sasl_security_options = noplaintext, noanonymous
rather than
smtp_sasl_security_options =

I also have the:
inet_protocols = ipv4

Just to make sure I understand. The “yourhostname.WhatEverItIs.com” is the hostname hosted by Office365 for my email, right?

It looks like my local system is trying to handle the email and never passes it on. I’m getting:
status=bounced (unknown user: “MyUserName”)
I am also not seeing “smtp.office365.com” anywhere in the logs.

It seems like when I set my hostname, origin, and domain to something like “freepbx.sagoma.local”, it at least tries to pass the email onto “smtp.office365.com”.

Hi!

Please type

postconf -n

at the command line and post the results back…

That will give us all the parameters which have been modified from the default ones…

Edit out your domain name but always in a consistent manner (you could replace it with “example.com” for example…)…

Good luck and have a nice day!

Nick

Here are the results of postconf -n (I replaced my domain with MY OFFICE365 DOMAIN)

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = MY OFFICE365 DOMAIN
myhostname = MY OFFICE365 DOMAIN
myorigin = MY OFFICE365 DOMAIN
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = smtp.office365.com:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550
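A check over `postconf -n` output for the three conditions this thread keeps running into, as an added example that is not part of the original posts: a SASL filter that leaves no usable mechanism, plaintext AUTH allowed while TLS is only opportunistic (`smtp_use_tls = yes` is the same as `smtp_tls_security_level = may`), and the Office 365 mail domain listed in `mydestination`, which makes Postfix deliver locally and bounce with "unknown user". The function names, finding codes and the `example.com` sample are assumptions made for the example.

```python
import re

# Constructed sample modelled on the thread's `postconf -n` output;
# example.com stands in for the mail domain hosted at Office 365.
SAMPLE = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = example.com
relayhost = smtp.office365.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_use_tls = yes
"""

def parse_postconf(text):
    """Parse `name = value` lines; an empty value is kept as ''."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def expand(value, conf):
    """Substitute $name / ${name} references from the parsed settings."""
    for _ in range(5):  # bounded, so a self-reference cannot loop forever
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: conf.get(m.group(1), ""), value)
    return value

def audit(conf, mail_domain):
    """Return finding codes for a relay-only host sending via Office 365."""
    findings = []
    # postconf -n omits defaults; Postfix's default here is the strict pair.
    opts = set(re.split(r"[,\s]+", conf.get("smtp_sasl_security_options",
                                            "noplaintext, noanonymous"))) - {""}
    if "noplaintext" in opts:
        # Assumption: the relay offers only plaintext-class mechanisms (LOGIN),
        # so this filter leaves nothing: "no mechanism available".
        findings.append("sasl-noplaintext")
    level = conf.get("smtp_tls_security_level") or (
        "may" if conf.get("smtp_use_tls") == "yes" else "none")
    if "noplaintext" not in opts and level in ("may", "none"):
        # Plaintext AUTH is allowed while TLS is only opportunistic.
        findings.append("tls-opportunistic")
    dests = {d.lower() for d in re.split(r"[,\s]+", expand(
        conf.get("mydestination", "$myhostname, localhost.$mydomain, localhost"), conf))}
    if mail_domain.lower() in dests:
        findings.append("local-capture")  # hosted domain is delivered locally
    return findings
```

On the sample, `audit(parse_postconf(SAMPLE), "example.com")` reports `sasl-noplaintext` and `local-capture`; clearing the SASL options alone trades the first finding for `tls-opportunistic` until `smtp_tls_security_level = encrypt` is set.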

Hi!

This means that, by default, your system uses fake email addresses and identifies itself to other systems (both in its HELO/EHLO greeting and headers) as something which doesn’t exist…

Definitely not something legit, which could have your emails blocked eventually by either Microsoft or another server to which you would like to relay…

Have a nice day!

Nick

You may have noticed:

smtp_sasl_security_options =

That’s probably because I changed it to allow anonymous so it matches what you initially said it should be. It didn’t make any difference in the logs however.

Thanks for the time you are putting into helping me figure this out.

paul

Ok… I fiddled with it a bunch more with office 365 connectors, powershell user settings, etc and I am getting nowhere. I’m ready to punt on Office365 email integration.

I have a static IP going into the office (and my home where I am setting this up) but no domain name associated with it. Do I want to create a domain name in GoDaddy for my IP, and use that domain name to set up the built in mail server in freepbx? Pro’s? Cons? Am I thinking straight? Are there other options that make more sense?

Hi!

Can you post the relevant part of your logs?

Edit out your domain but replace it with something like example.com (or at least something that looks like a real hostname, without spaces like what you replaced it earlier…)…

By the way, does what you see in hash:/etc/postfix/sasl_passwd make sense? It should be your credentials IIRC…

Good luck and have a nice day!

Nick
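A consistency check for the two lookup tables the thread relies on, `/etc/postfix/sasl_passwd` and `/etc/postfix/generic`, as an added example that is not part of the original posts. It assumes one Office 365 mailbox with no "Send as" delegations, and follows the Postfix SASL README rule that the `sasl_passwd` key uses the same form as `relayhost`; the file contents, addresses and function names are constructed placeholders.

```python
# Constructed file contents; mailbox, hostnames and password are placeholders.
SASL_PASSWD = """\
# destination              mailbox:password
[smtp.office365.com]:587   pbx@example.com:PLACEHOLDER
"""
GENERIC = """\
root@freepbx.localdomain       pbx@example.com
asterisk@freepbx.localdomain   pbx@example.com
"""

def parse_map(text):
    """Parse a Postfix table source: 'key  value' per line, '#' comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1].strip()
    return table

def generic_lookup(table, sender):
    """Try the keys generic(5) documents: user@domain, user, then @domain."""
    user, _, domain = sender.partition("@")
    for key in (sender, user, "@" + domain):
        if key in table:
            return table[key]
    return None

def check_maps(relayhost, sasl_text, generic_text, local_senders):
    """Return findings; an empty list means the tables agree with each other."""
    creds = parse_map(sasl_text)
    if relayhost not in creds:
        # Key must use the same form as relayhost (brackets and port included).
        return ["sasl-key-mismatch"]
    mailbox = creds[relayhost].partition(":")[0]
    findings = []
    for sender in local_senders:
        rewritten = generic_lookup(parse_map(generic_text), sender)
        if rewritten != mailbox:
            # Office 365 would see a From it has no "Send as" permission for.
            findings.append("sender-not-rewritten:" + sender)
    return findings
```

Both source files need `postmap` run on them after editing, and `sasl_passwd` together with its `.db` file holds the mailbox password, so they should be readable by root only.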

I noticed that I skipped documenting the SASL Security Options in the System Admin module on the Email Setup.

I have SASL Security Options selected as “Disable Security”.

I will go ahead and update the instructions in the original post.

And, didn’t document Use TLS, which should also be selected as “Use TLS”. That is what I get when I create “helpful” posts late night/early morning hours. Sorry.

@pauld, I don’t think those domain entries are as important as they look. Let me “Spoil” my entries with fictitious entries and see the results in a moment, I will let you know shortly.

FWIW, I changed:

My Hostname, My Origin, My Domain to all be “coocooforcocopuffs.com”

Results of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = coocooforcocopuffs.com
myhostname = coocooforcocopuffs.com
myorigin = coocooforcocopuffs.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = smtp.office365.com:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550

Email Header (partial) from email that was sent out with these changes:
Received: from DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7 via Mailbox Transport; Sun, 24 Sep 2017 22:31:07 +0000
Received: from DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:06 +0000
Authentication-Results: MyRealDomain.com; dkim=none (message not signed)
 header.d=none;MyRealDomain.com; dmarc=none action=none
 header.from=MyRealDomain.com;
Received: from coocooforcocopuffs.com (My.Real.IP.Address) by
 DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:05 +0000
Received: by coocooforcocopuffs.com (Postfix, from userid 995)
	id 945C818538142; Sun, 24 Sep 2017 18:31:02 -0400 (EDT)

So, I would say that My Hostname, My Origin, My Domain, depending on the servers you transit through, may not be so critical, and may not prevent your emails from going through. Just an interesting test to help narrow down possibilities.

@pauld - If you don’t have a domain associated to your ip address, how are you going to create an SPF record for your domain?

Hi!

This is easy to take care of…

You could but that truly depends on what you want to do…

If it is solely for home use you could use a fake domain name internally but make sure it doesn’t get out this way because it is quite likely to be blocked if a mail server validates the domain…

Those email address remaps both @waldrondigital and @mattbratt referred to will take care of remapping the fake email addresses to one or multiple ones…

As for using godaddy, I got everything I had there out of there years ago… I am personally not a fan of theirs…

If this is a home server and you want to send mail directly from it (ie not using office 365 or your ISP servers) you open yet another can of worms…

  • Your IP should definitely preferably be static (which it is for you fortunately). If it is not I would relay all your emails through your ISP’s mail servers (by setting “relayhost”).
  • Your IP should have proper reverse-DNS (ie a PTR record) with matching forward DNS preferably matching your hostname or at least HELO/EHLO…
  • You have to make sure it’s not blacklisted in some way…
  • You have to make sure you are allowed to send email for that domain which means it has to have no SPF record or a record that includes your IP.

Now even though you have a static IP at home your provider might or might not let you change things such as PTR (or do it for you) and it is possible that huge ranges of their IP addresses might be blacklisted…

For a VPS I use as primary MX for personal emails I had to join Microsoft’s Junk Email Reporting Program (https://postmaster.live.com/snds/JMRP.aspx) because a very large portion of my VPS ISP IP range had been blacklisted… Before I did that I could not send emails to hotmail/live.com, etc… (ie anything hosted there…).

Essentially, I had to digitally sign some sort of contract with Microsoft for personal use… :cold_sweat:

As for having the PTR of my mail server changed (and match hostname, etc… to it) I did it for both my VPS and for the mail server I have at home. The VPS I am not surprised since the same “product” can be bought for business use but for my residential ISP I might have been lucky I think my ISP changed it for me.

(Well, up to a certain point… They are very geek friendly… You can get subnets for home use (I have a /29).)

Now I have a question…

Is the FreePBX system you are setting up for business use and only temporarily at your home, or is this solely a home server?

If it is a home server, what do you want to use office 365 for? Is this the service normally used for business emails? Personally, I would not recommend mixing business and home stuff…

For home use, unless you want to get into more complex stuff, I would use your ISP’s email address for those email address remaps and point the relayhost to the SMTP server your ISP told you to use to send emails the old-fashioned way (ie no webmail)…

However, if that server will eventually be used at work and is only temporarily home and office 365 is what you use at work then we definitely need to get that working… Please give us some logs…

Good luck and have a nice day!

Nick