Email configuration for Office 365

And I didn’t document Use TLS, which should also be selected as “Use TLS”. That is what I get when I create “helpful” posts late night/early morning hours. Sorry.

@pauld, I don’t think those domain entries are as important as they look. Let me “spoil” my entries with fictitious entries and see the results in a moment, I will let you know shortly.

FWIW, I changed:

My Hostname, My Origin, My Domain to all be “coocooforcocopuffs.com”

Results of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = coocooforcocopuffs.com
myhostname = coocooforcocopuffs.com
myorigin = coocooforcocopuffs.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = smtp.office365.com:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550

Email Header (partial) from email that was sent out with these changes:
Received: from DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7 via Mailbox Transport; Sun, 24 Sep 2017 22:31:07 +0000
Received: from DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:06 +0000
Authentication-Results: MyRealDomain.com; dkim=none (message not signed)
 header.d=none;MyRealDomain.com; dmarc=none action=none
 header.from=MyRealDomain.com;
Received: from coocooforcocopuffs.com (My.Real.IP.Address) by
 DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:05 +0000
Received: by coocooforcocopuffs.com (Postfix, from userid 995)
	id 945C818538142; Sun, 24 Sep 2017 18:31:02 -0400 (EDT)

So, I would say that My Hostname, My Origin, My Domain, depending on the servers you transit through, may not be so critical, and may not prevent your emails from going through. Just an interesting test to help narrow down possibilities.
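The headers quoted above are the record of that test: each hop the message took, in reverse order, with the TLS version negotiated on each leg and the HELO name the Postfix box presented. As an added example (not code from this thread, FreePBX or Postfix), here is a small parser that unfolds the Received: headers, lists the hops oldest-first, and reports the hops that record no TLS. The sample header block is the one quoted above with My.Real.IP.Address replaced by the documentation address 192.0.2.10 and MyRealDomain.com by example.com; both substitutions are constructed placeholders.

```python
"""Parse a Received: header chain into ordered delivery hops.

Added example, not code from the thread, FreePBX or Postfix. Standard
library only, so it runs offline on a saved header block.
"""
import re
from email import message_from_string

# Constructed sample: the headers quoted in the post above, with the real IP
# and domain replaced by documentation placeholders (192.0.2.10, example.com).
SAMPLE_HEADERS = """\
Received: from DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7 via Mailbox Transport; Sun, 24 Sep 2017 22:31:07 +0000
Received: from DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) by
 DM5PR08MB3610.namprd08.prod.outlook.com (10.164.155.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:06 +0000
Authentication-Results: example.com; dkim=none (message not signed)
 header.d=none;example.com; dmarc=none action=none
 header.from=example.com;
Received: from coocooforcocopuffs.com (192.0.2.10) by
 DM5PR08MB2604.namprd08.prod.outlook.com (10.173.221.16) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.77.7; Sun, 24 Sep 2017 22:31:05 +0000
Received: by coocooforcocopuffs.com (Postfix, from userid 995)
\tid 945C818538142; Sun, 24 Sep 2017 18:31:02 -0400 (EDT)

"""


def parse_received(value):
    """Extract the fields of one Received: header value (folded lines allowed)."""
    text = re.sub(r"\s+", " ", value).strip()
    hop = {"from": None, "from_info": None, "by": None,
           "tls_version": None, "cipher": None, "date": None}
    # "from <host> (<ip or comment>)" is optional: a locally submitted message
    # (Postfix pickup) starts with "by" only.
    m = re.match(r"from (\S+)(?: \(([^)]*)\))?", text)
    if m:
        hop["from"], hop["from_info"] = m.group(1), m.group(2)
    m = re.search(r"\bby (\S+)", text)
    if m:
        hop["by"] = m.group(1)
    m = re.search(r"version=([^,\s)]+)", text)
    if m:
        hop["tls_version"] = m.group(1)
    m = re.search(r"cipher=([^,\s)]+)", text)
    if m:
        hop["cipher"] = m.group(1)
    # The timestamp follows the last ';' (RFC 5321 Received syntax).
    if ";" in text:
        hop["date"] = text.rsplit(";", 1)[1].strip()
    return hop


def delivery_path(raw_headers):
    """Hops oldest-first: each MTA prepends its Received:, so reverse the list."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def hops_without_tls(hops):
    """(from, by) pairs for hops recording no TLS version: local submission or cleartext SMTP."""
    return [(h["from"], h["by"]) for h in hops if h["tls_version"] is None]


if __name__ == "__main__":
    path = delivery_path(SAMPLE_HEADERS)
    for n, h in enumerate(path, 1):
        print(n, h["from"], "->", h["by"], h["tls_version"], h["date"])
    print("no TLS recorded:", hops_without_tls(path))
```

The only hop without a TLS version is the first one, which is the local pickup inside the Postfix box, not a network leg; every leg that crossed the wire shows TLS1_2. The second hop is where the relay records whatever HELO name and source address the PBX presented, which is why the fictitious hostname shows up there and nowhere else.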

@pauld - If you don’t have a domain associated with your IP address, how are you going to create an SPF record for your domain?

Hi!

This is easy to take care of…

You could but that truly depends on what you want to do…

If it is solely for home use you could use a fake domain name internally but make sure it doesn’t get out this way because it is quite likely to be blocked if a mail server validates the domain…

Those email address remaps both @waldrondigital and @mattbratt referred to will take care of remapping the fake email addresses to one or multiple ones…

As for using godaddy, I got everything I had there out of there years ago… I am personally not a fan of theirs…

If this is a home server and you want to send mail directly from it (ie not using office 365 or your ISP servers) you open yet another can of worms…

  • Your IP should definitely preferably be static (which it is for you fortunately). If it is not I would relay all your emails through your ISP’s mail servers (by setting “relayhost”).
  • Your IP should have proper reverse-DNS (ie a PTR record) with matching forward DNS preferably matching your hostname or at least HELO/EHLO…
  • You have to make sure it’s not blacklisted in some way…
  • You have to make sure you are allowed to send email for that domain which means it has to have no SPF record or a record that includes your IP.

Now even though you have a static IP at home your provider might or might not let you change things such as PTR (or do it for you) and it is possible that huge ranges of their IP addresses might be blacklisted…

For a VPS I use as primary MX for personal emails I had to join Microsoft’s Junk Email Reporting Program (https://postmaster.live.com/snds/JMRP.aspx) because a very large portion of my VPS ISP IP range had been blacklisted… Before I did that I could not send emails to hotmail/live.com, etc… (ie anything hosted there…).

Essentially, I had to digitally sign some sort of contract with Microsoft for personal use… :cold_sweat:

As for having the PTR of my mail server changed (and match hostname, etc… to it) I did it for both my VPS and for the mail server I have at home. The VPS I am not surprised since the same “product” can be bought for business use but for my residential ISP I might have been lucky; I think my ISP changed it for me.

(Well, up to a certain point… They are very geek friendly… You can get subnets for home use (I have a /29).)

Now I have a question…

Will the FreePBX system you are setting up be for business use and is it temporarily at your home, or is this solely a home server?

If it is a home server, what do you want to use office 365 for? Is this the service normally used for business emails? Personally, I would not recommend mixing business and home stuff…

For home use, unless you want to get into more complex stuff, I would use your ISP’s email address for those email address remaps and point the relayhost to the SMTP server your ISP told you to use to send emails the old-fashioned way (ie no webmail)…

However, if that server will eventually be used at work and is only temporarily home and office 365 is what you use at work then we definitely need to get that working… Please give us some logs…

Good luck and have a nice day!

Nick

Hi!

As long as they are remapped to something legit by the generic maps you should be mostly OK…

For outbound, assuming an email address that is already in FQDN form (ie complete…) the hostname will be sent as the HELO/EHLO when the mail server (MTA) talks to the other mail server (MTA).

Now, assuming you had a good reason not to have the hostname set to something “nice” you can actually override the HELO/EHLO with smtp_helo_name.

myorigin IIRC is mostly used to transform email addresses with only a user part into complete email addresses…

mydomain sets plenty of stuff but those remaps should take care of what could be visible I think…

It’s the email address remaps you and @waldrondigital borrowed from the wiki which end up producing something legit enough to be sent outside; without them you risk being blocked even when using a relayhost…

If you don’t use a relayhost then, as I said above, you are opening a can of worms…

I could be wrong but I think the office 365 email address he initially wanted to use is his job email address…

(As I said above if it is a server for home I don’t think it’s a good idea…)

Now if he no longer wants to go the office 365 way (and stop using his job email address as I think he wanted to do) he could just as well use his ISP personal email address and their servers (as relayhost) to send emails. If they have a SPF record it will be OK since the emails will come from their servers).

If however he wants to use his own domain (and doesn’t want it to be hosted on office 365) I would recommend he did not put a SPF record because there won’t be much to be gained by it and it might cause problems.

SPF records are normally not mandatory, it’s just Microsoft that makes them mandatory for office 365…

I could definitely be wrong about what he initially wanted to do but it definitely sounds like the office 365 hosted domain is the one used for work and the FreePBX system he is setting up is currently at home but I don’t know if it is temporary or permanent…

Have a nice day!

Nick

I have been messing with things enough that I may have introduced issues that may be tough to track down. I’m going to start over with a clean system image and follow your directions again from a fresh build. I’ll let you know how it goes in a bit here.

Thanks for the clarification NIC. Here is some more information to help clarify the situation. I have a small office (15 phones) with a static public IP going to it. I have the same from my home where I am setting up the FreePBX system with the intent of taking it to the office when I am done. I created a new domain name in GoDaddy that I can point to either my home IP or the Office IP as needed. The FreePBX will be set up with a static internal private IP Address. I have full control of our GoDaddy domains, our Office 365 administration, our router, etc. I really don’t care how we get FreePBX email set up; I just want it to be able to send out email like our current FreePBX we have running on a Raspberry PI. I would like to go with the easiest to maintain and simplest approach.

I just want to make sure it is clear that I don’t have a preference how I set things up. I know you guys are a lot smarter than me so I am simply looking for recommendations on the best way to make it simple, reliable and maintainable.

Hi!

If you had an existing domain name (which I am pretty sure you did for office 365) then you could have just created entries under it…

Let’s say your domain is example.com

You might have a web site reachable with example.com and www.example.com.

That means that you have two DNS entries for that (A, CNAME or more than likely a mix of both).

You also have externally accessible emails which are handled by office 365…

This is handled by one (or more) entries listing the Mail eXchangers for your domain. These are DNS MX records and they contain the name of the server(s) which receive email for you…

If you need SPF (or DKIM) for that domain this is a specific case… These are put into DNS TXT records something which was initially just meant to associate any kind of free form text to a DNS entry and can still be used for that… There was supposed to be a specific DNS SPF record but it was deprecated quite a while ago…

You also have multiple DNS NS records which list the name servers of your domain, the servers which are queried when a DNS entry needs to be resolved.

Now nothing stops you from creating additional entries, one for your work static IP and one for your home static IP… They could be destroyed at any time later if they end up no longer being needed and the IP address they point to could be changed…

Since you have static IP addresses these would normally be A records, a type of DNS record that maps a host name to an IP address…

Since this will end up being used at work it should, preferably, use the same thing you use internally which is office 365…

:scream:

It is definitely a very good idea to replace this…

I have multiple Pi’s but I would not trust them for that usage…

Sounds to me going the office 365 way is best since this is already what you use internally…

We are most definitely not…

We are just more familiar with something you are not currently as familiar with as we are (and I am sure @mattbratt is a lot more familiar with the Microsoft technology aspect of this than I am).

I played a looooot with Postfix and DNSes quite a few years ago especially when I was taking care of this at work. There are actually still traces of this on your system… :wink:

The first times I set these up were at home just like you are doing right now… My home setup is like a scaled down version of a business setup with PBX (of course :wink:), mail server, primary and secondary DNS, real DMZ, etc…

There is actually an inside joke about this at work… Something like if our systems are down and we need to relocate it would be to my home… :stuck_out_tongue_winking_eye:

This is the best way to familiarize yourself with new things…

Everyone can learn about those things if they have both the time and interest…

I consider myself a Jack of All Trades and (unfortunately) a Master of None

re: Profile - Marbled - FreePBX Community Forums (3rd line… at least that’s where it seems to be for other users…)

There is no way I can be as good at something as someone who truly specializes in it but then you are not using me wisely if you want to use me to somehow replace that person…

As I said it’s just a matter of time and interest… I love learning new things but not to the point of saying that I am a specialist in them… To be a specialist would require me to dedicate myself solely to those things which is not something I am interested to do…

What I specialize in is everything and nothing… :wink:

So, like I said above it is definitely not a matter of being smarter, it’s just a matter of having both the time and have the interest to learn new things…

If you have both I am sure you will be the ones showing us new things eventually…

I have to go now…

For now please try to follow @mattbratt updated doc and if it still doesn’t work please post some logs…

Good luck and have a nice day!

Nick
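Two points in Nick’s posts hang on the same check: the earlier list says that to send directly you must be allowed to send for the domain, which means no SPF record or one that includes your IP, and the DNS walk-through above explains that SPF lives in a TXT record beside the A and MX records. As an added example (not code from this thread or from any DNS or SPF library), here is an SPF evaluator that runs against a constructed in-memory zone for the placeholder domain example.com, so you can test whether a home or office static IP would pass before publishing a record. The zone data, the addresses (all from the documentation ranges) and the include target spf.hosted-mail.example are made up for the example.

```python
"""Evaluate an SPF record against a constructed DNS zone (no network access).

Added example, not code from the thread or from any DNS/SPF library. It models
the common SPF mechanisms (all, ip4, a, mx, include) and the four qualifiers
from RFC 7208 against an in-memory zone; ip6, exists, ptr, redirect and the
"/cidr" suffix on a and mx are deliberately left out.
"""
import ipaddress

# Constructed zone for the placeholder domain example.com. Addresses come from
# the documentation ranges; spf.hosted-mail.example is a made-up include target.
ZONE = {
    ("example.com", "A"): ["203.0.113.10"],         # web site
    ("mail.example.com", "A"): ["203.0.113.25"],    # MX host
    ("pbx.example.com", "A"): ["198.51.100.40"],    # home static IP
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "TXT"): [
        "site verification token",                  # unrelated free-form TXT, ignored
        "v=spf1 mx ip4:198.51.100.40 include:spf.hosted-mail.example -all",
    ],
    ("spf.hosted-mail.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Zone lookup standing in for a DNS query."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if it publishes none."""
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise ValueError("more than one SPF record is a permerror (RFC 7208 section 4.5)")
    return records[0] if records else None


def ip_in_hosts(addr, hosts):
    """True if addr is one of the A records of any host in hosts."""
    return any(addr == ipaddress.ip_address(a) for host in hosts for a in lookup(host, "A"))


def check_spf(ip, domain, depth=0):
    """pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                    # RFC 7208 caps include recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                 # no record: receivers cannot check, SPF blocks nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":           # bare address or CIDR block
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_in_hosts(addr, [arg or domain])
        elif mech == "mx":
            matched = ip_in_hosts(addr, lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"        # mechanism not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                  # nothing matched and no explicit all


if __name__ == "__main__":
    for ip in ("198.51.100.40", "203.0.113.25", "192.0.2.7", "203.0.113.10"):
        print(ip, check_spf(ip, "example.com"))
```

The web host 203.0.113.10 fails even though it is the domain’s own A record, because the record uses mx rather than a; that is the kind of surprise the check is meant to surface before a record goes live. Against real DNS the same logic applies, only the lookup function changes.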

OK. I followed your guide rather meticulously on a freshly installed and updated version 14 FreePBX system. It appears that FreePBX is not trying to send the email out of its internal server. The following are the logs (with sensitive info edited) from trying to send an email:

Sep 25 16:49:39 freepbx postfix/pickup[17679]: D6E986294521: uid=995 from=
Sep 25 16:49:39 freepbx postfix/cleanup[17901]: D6E986294521: message-id=20170925164939.D6E986294521@myOffice365Domain
Sep 25 16:49:39 freepbx postfix/qmgr[17680]: D6E986294521: from=asterisk@myOffice365Domain, size=494, nrcpt=1 (queue active)
Sep 25 16:49:39 freepbx postfix/local[17903]: D6E986294521: to=sentToUser@myOffice365Domain, relay=local, delay=0.06, delays=0.03/0.02/0/0.01, dsn=5.1.1, status=bounced (unknown user: “sentToUser”)
Sep 25 16:49:39 freepbx postfix/cleanup[17901]: E21556294522: message-id=20170925164939.E21556294522@myOffice365Domain
Sep 25 16:49:39 freepbx postfix/qmgr[17680]: E21556294522: from=<>, size=2241, nrcpt=1 (queue active)
Sep 25 16:49:39 freepbx postfix/bounce[17904]: D6E986294521: sender non-delivery notification: E21556294522
Sep 25 16:49:39 freepbx postfix/qmgr[17680]: D6E986294521: removed
Sep 25 16:49:39 freepbx postfix/local[17903]: E21556294522: to=asterisk@myOffice365Domain, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 25 16:49:39 freepbx postfix/qmgr[17680]: E21556294522: removed

I also noticed that the guide doesn’t specify if I should have “Allow Plaintext”, “Allow Anonymous”, “Require Both”, or “Disable Security” under “SASL Security Options”. It defaults to “Require Both”.

OK, I think it believes it is the final destination for the email and since that email address doesn’t exist locally it bounces it…

What is mydestination set to in main.cf and are myhostname and mydomain different?

Did you set mydomain to the name of the domain hosted on office 365 or to the new one you bought?

Good luck and have a nice day!

Nick

PS: replace sensitive info with something like [email protected], removing it entirely gets confusing…

It is trying to deliver locally here…

Whatever you set things to makes it think it is the final destination for that email, that it should not be relayed further…

Good luck and have a nice day!

Nick

You are exactly right. I did a test message to my gmail account and I got it. We are making real progress now! Here is what mydestination is set to in main.cf:
mydestination = $myhostname, localhost.$mydomain, localhost

I set the “mydomain”, “my origin”, and “myhostname” to myOffice365domain.com

Please set myhostname to something like pbx.myOffice365domain.com

Having it set to the same thing as mydomain is what is causing problems with what is in mydestination…

That mydestination is telling it to consider emails addressed directly to the server as locally deliverable and since you set it to the same thing as the domain you want to send it to (I think, I am not entirely sure since we are not using the real information) it never tries to deliver them outside and tries to deliver them locally…

Good luck and have a nice day!

Nick
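The rule Nick is describing can be checked mechanically from a postconf -n dump. As an added example (not code from this thread, FreePBX System Admin or Postfix), the script below expands the $variables in mydestination the way postconf -x does and reports whether a given recipient would be handed to the local delivery agent (where an unknown mailbox bounces with “unknown user”, exactly as in the log above) or to the relayhost. The two configs embedded in it are constructed from the thread’s placeholder domain myOffice365domain.com: BROKEN has myhostname equal to mydomain, FIXED uses pbx.myOffice365domain.com.

```python
"""Reproduce Postfix's local-vs-relay decision from a main.cf / postconf -n dump.

Added example, not code from the thread, FreePBX System Admin or Postfix. One
rule is modelled: after $variable expansion, a recipient whose domain is listed
in mydestination goes to local delivery; any other domain goes to relayhost.
"""
import re

# Constructed configs using the thread's placeholder domain. BROKEN is the
# combination that bounced mail in the post above; FIXED applies the advice.
BROKEN = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = myOffice365domain.com
myhostname = myOffice365domain.com
myorigin = myOffice365domain.com
relayhost = smtp.office365.com:587
"""

FIXED = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = myOffice365domain.com
myhostname = pbx.myOffice365domain.com
myorigin = myOffice365domain.com
relayhost = smtp.office365.com:587
"""

VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n output or main.cf) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively, like postconf -x."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return VAR_REF.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def local_domains(params):
    """Domains Postfix treats as its own: the expanded mydestination list."""
    raw = expand(params.get("mydestination", "$myhostname, localhost.$mydomain, localhost"), params)
    return {d.lower() for d in re.split(r"[,\s]+", raw) if d}


def route(recipient, params):
    """'local' if the recipient's domain is in mydestination, else 'relay:<relayhost>'."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in local_domains(params):
        return "local"
    return "relay:" + (params.get("relayhost") or "(direct MX lookup)")


def explain(text, recipient):
    """Summary of why a recipient is routed the way it is under this config."""
    params = parse_postconf(text)
    return {"myhostname": params.get("myhostname"),
            "local_domains": sorted(local_domains(params)),
            "route": route(recipient, params)}


if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, explain(cfg, "sentToUser@myOffice365domain.com"))
```

On a live box the equivalent check is `postconf -x mydestination`, which prints the expanded list; if the Office 365 domain appears in it, mail for that domain will never reach the relayhost. The model ignores the other ways a domain can become local (virtual_alias_domains, virtual_mailbox_domains, relay_domains), which is enough for the default FreePBX configuration but not for every Postfix deployment.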

It worked! You are my hero! How do I go about buying you a beer? (or soda, if beer isn’t your thing)
I flagged your original link to the guide as the solution. I would maybe add to it the suggestion to select “Plain Text” for “SASL Security Option” since that is the only one that worked for me. Does this mean that my email data is not sent encrypted?


Hi!

I am glad…

:blush:

Actually you flagged Matthew’s tutorial which is itself based on other tutorials like the one I referred you to which is itself based on the wiki… :wink:

:laughing:

You are referring to @mattbratt tutorial here…

What do you get if you set it to “no plain text”…

Minimally it means that your credentials are not sent encrypted since I believe it translates into this:

noplaintext Don’t use mechanisms that transmit unencrypted username and password information.

from http://www.postfix.org/SASL_README.html#client_sasl_policy

Since it works when plain text is allowed it would mean the username and password are most likely sent unencrypted…

Good luck and have a nice day!

Nick


From reading up on this it looks like they are not further encrypted but are sent over TLS if it is used so a moot point in this case…

And from googling around it looks like it’s a restriction on office 365 side, not a misconfiguration on your part…

Have a nice day,

Nick

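The exchange above comes down to three Postfix parameters interacting: smtp_sasl_security_options filters which SASL mechanisms the client will use, smtp_sasl_tls_security_options (whose default is the value of the former) replaces that filter once TLS is up, and smtp_tls_security_level (or the legacy smtp_use_tls = yes, which is the same as level “may”) decides whether TLS is merely attempted or mandatory. As an added example (not code from this thread, FreePBX System Admin or Postfix), the model below walks through the “Require Both” setting that failed, the “Allow Plaintext” setting that worked, and a hardened variant from Postfix’s SASL_README that allows LOGIN only inside TLS and refuses to send at all without it. Assumptions are labelled in the code: the relay is taken to advertise only LOGIN and XOAUTH2 (a constructed EHLO line), the System Admin labels are assumed to map to the noplaintext/noanonymous flags Nick quoted, and picking the first usable mechanism in advertised order stands in for the SASL library’s own ranking.

```python
"""Model how Postfix's SMTP client picks a SASL mechanism and whether the
password crosses the wire in cleartext.

Added example, not code from the thread, FreePBX System Admin or Postfix.
Mechanism properties follow Cyrus SASL's classification; "first usable in
advertised order" is a simplification of the library's strength ranking.
"""

# Which policy flags each mechanism trips. XOAUTH2 is not implemented by the
# stock Cyrus SASL client, so it is absent and will be skipped.
MECH_PROPERTIES = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": set(),
    "DIGEST-MD5": set(),
}

# Constructed EHLO "AUTH" line standing in for what the relay advertises.
RELAY_ADVERTISES = ["LOGIN", "XOAUTH2"]

# Constructed configs. The System Admin labels are assumed to map as follows.
REQUIRE_BOTH = {"smtp_use_tls": "yes",
                "smtp_sasl_security_options": "noplaintext, noanonymous"}
ALLOW_PLAIN = {"smtp_use_tls": "yes",
               "smtp_sasl_security_options": "noanonymous"}
HARDENED = {"smtp_tls_security_level": "encrypt",
            "smtp_sasl_security_options": "noplaintext, noanonymous",
            "smtp_sasl_tls_security_options": "noanonymous"}


def security_options(params, tls_established):
    """The set of no* flags in force for this session (Postfix defaults applied)."""
    base = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if tls_established:
        base = params.get("smtp_sasl_tls_security_options", base)
    return {o.strip().lower() for o in base.split(",") if o.strip()}


def usable_mechanisms(advertised, flags):
    """Advertised mechanisms that the client implements and the flags permit."""
    usable = []
    for mech in advertised:
        props = MECH_PROPERTIES.get(mech.upper())
        if props is None:
            continue
        if "noplaintext" in flags and "plaintext" in props:
            continue
        if "noanonymous" in flags and "anonymous" in props:
            continue
        usable.append(mech.upper())
    return usable


def tls_level(params):
    """Effective smtp_tls_security_level; legacy smtp_use_tls=yes means 'may'."""
    if "smtp_tls_security_level" in params:
        return params["smtp_tls_security_level"]
    return "may" if params.get("smtp_use_tls", "no") == "yes" else "none"


def plan_auth(params, advertised, tls_established):
    """Outcome of the AUTH step and where the credentials travel."""
    level = tls_level(params)
    if level == "encrypt" and not tls_established:
        return {"outcome": "deferred", "reason": "TLS required but not established"}
    if level == "none":
        tls_established = False          # TLS is never negotiated at this level
    mechs = usable_mechanisms(advertised, security_options(params, tls_established))
    if not mechs:
        return {"outcome": "failed", "reason": "no usable SASL mechanism"}
    mech = mechs[0]
    if tls_established:
        exposure = "inside TLS"
    elif "plaintext" in MECH_PROPERTIES[mech]:
        exposure = "cleartext on the wire"
    else:
        exposure = "challenge-response, password not sent"
    return {"outcome": "auth", "mechanism": mech, "credentials": exposure}


if __name__ == "__main__":
    for label, cfg in (("Require Both", REQUIRE_BOTH), ("Allow Plaintext", ALLOW_PLAIN), ("Hardened", HARDENED)):
        for tls in (True, False):
            print(label, "TLS" if tls else "no TLS", plan_auth(cfg, RELAY_ADVERTISES, tls))
```

With “Require Both” the relay offers nothing the noplaintext filter accepts, so authentication fails regardless of TLS. “Allow Plaintext” works, and with TLS up the password is protected as the last post says; the remaining gap is that level “may” is opportunistic, so a failed STARTTLS leads to the same LOGIN exchange in cleartext. The hardened variant closes that gap with smtp_tls_security_level = encrypt while still allowing LOGIN once TLS is established, which is what Postfix’s SASL_README recommends for exactly this case.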

I changed the solution to you telling me to change my hostname. It was really the tutorial that got me 98% there. If the selection of “Allow Plain Text” and adding “PBX” to myhostname were added, the tutorial would be about perfect. Thanks again for all your help!


Hi Paul!

You definitely don’t have to do that… I was just pointing out that there seemed to be a mix up between Matthew and me there…

If you truly want to set one of my posts as solution I believe you can set more than one solution per thread but you don’t have to…

Definitely a good idea since it looks like office 365 doesn’t allow a better mechanism…

Actually, if it mentioned it, what it should say is to not set myhostname and mydomain to the same thing when mydomain is actually the name of the office 365 domain you want to have your emails relayed to…

Honestly the fix should probably be in System Admin Pro because if it allows this I think it should be fixed to disallow it because with the current defaults this will cause a problem just like it did for you…

If someone truly wants to set it to the same thing (which could be legit in some situations) (s)he should have to do it directly in Postfix’s configuration files… By default I think System Admin Pro should only allow relatively safe settings and not allow more advanced configurations.

Have a nice day!

Nick