• Latest
  • Trending
  • All
  • News
  • Business
  • Politics
  • Science
  • World
  • Lifestyle
  • Tech
How to use Microsoft Sysmon, Azure Sentinel to log security events

Azure SMTP Restrictions & Resolution with SMTP Relay Services

December 15, 2020
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

February 23, 2021
How to use Microsoft Sysmon, Azure Sentinel to log security events

OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

February 22, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

February 22, 2021
8×8 makes raft of updates to platform

Indonesian Mobile Operator Selects NTT for Microsoft Security Project

February 22, 2021
Microsoft To Build New Azure Cloud Data Centers In Greece

NTT completes Microsoft security project for Indonesian mobile operator

February 19, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Data insights without limit, security without compromise

February 18, 2021
8×8 makes raft of updates to platform

What Is Object Storage?

February 17, 2021
Microsoft To Open Azure Cloud Data Center Region In Spain

EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

February 17, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Azure Firewall Premium now in preview

February 17, 2021
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Wednesday, February 24, 2021
  • Login
Azure Security News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
    • Home – Layout 4
    • Home – Layout 5
  • News
    • All
    • Business
    • Politics
    • Science
    • World
    Innovative solutions for IT workers at home

    ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

    A moment of reckoning: the need for a strong and global cybersecurity response

    ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

    Innovative solutions for IT workers at home

    SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

    8×8 makes raft of updates to platform

    Indonesian Mobile Operator Selects NTT for Microsoft Security Project

    Microsoft To Build New Azure Cloud Data Centers In Greece

    NTT completes Microsoft security project for Indonesian mobile operator

    A moment of reckoning: the need for a strong and global cybersecurity response

    Data insights without limit, security without compromise

    8×8 makes raft of updates to platform

    What Is Object Storage?

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Firewall Premium now in preview

    Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

    Global Industrial Cybersecurity Market By Offering Type, By Security Type, By End User, By Region, Industry Analysis and Forecast, 2020 – 2026

    Trending Tags

    • Donald Trump
    • Future of News
    • Climate Change
    • Market Stories
    • Election Results
    • Flat Earth
  • Tech
    • All
    • Apps
    • Gear
    • Mobile
    • Startup
    How to use Microsoft Sysmon, Azure Sentinel to log security events

    OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

    Microsoft To Open Azure Cloud Data Center Region In Spain

    EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Engineer at VillageMD

    Innovative solutions for IT workers at home

    How to Sync On-Premise Active Directory Passwords with Office 365 and Google Apps in Real-Time

    Microsoft Azure Forms Collaboration to Enhance AI in Healthcare

    Azure Defender is now available for all IoT and OT devices

    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Google and Microsoft ID Group Targeting Security Researchers

    Innovative solutions for IT workers at home

    Microsoft Releases Application Guard for Office, Plus Azure Security Center and Azure Defender for IoT Products

    Microsoft spins off security, compliance bits from Microsoft 365’s priciest plan for E3 customers

    Show your HR backups the back door

    How to use Microsoft Sysmon, Azure Sentinel to log security events

    The Hack Roundup: Biden Orders Intel Assessment of Suspected Russian Malfeasance

    Trending Tags

    • Flat Earth
    • Sillicon Valley
    • Mr. Robot
    • MotoGP 2017
    • Golden Globes
    • Future of News
  • Entertainment
    • All
    • Gaming
    • Movie
    • Music
    • Sports
    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Meet the woman who’s making consumer boycotts great again

    New campaign wants you to raise funds for abuse victims by ditching the razor

    Twitter tweaks video again, adding view counts for some users

    A beginner’s guide to the legendary Tim Tam biscuit, now available in America

    People are handing out badges at Tube stations to tackle loneliness

    Trump’s H-1B Visa Bill spooks India’s IT companies

    Magical fish basically has the power to conjure its own Patronus

    This Filipino guy channels his inner Miss Universe by strutting in six-inch heels and speedos

    Oil spill off India’s southern coast leaves fisherman stranded, marine life impacted

  • Lifestyle
    • All
    • Fashion
    • Food
    • Health
    • Travel
    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Offers More ‘Solorigate’ Advice Using Microsoft 365 Defender Tools

    A moment of reckoning: the need for a strong and global cybersecurity response

    Solar Winds, Office 365 & Shipbuilding…

    Aruba ClearPass Policy Manager Integrates with Microsoft

    Imprivata Expands Collaboration with Microsoft on New Digital Identity Innovations

    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Canada’s 10 biggest stories of 2020

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    AMD breaks revenue records for 2019 and 4Q

    AMD breaks revenue records for 2019 and 4Q

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft is killing off insecure Cloud App Security cipher suites

    Microsoft is killing off insecure Cloud App Security cipher suites

    Rap group call out publication for using their image in place of ‘gang’

    Meet the woman who’s making consumer boycotts great again

    Trending Tags

    • Golden Globes
    • Mr. Robot
    • MotoGP 2017
    • Climate Change
    • Flat Earth
No Result
View All Result
Azure Security News
No Result
View All Result
Home Tech Apps

Azure SMTP Restrictions & Resolution with SMTP Relay Services

by AZURE SECURITY NEWS EDITOR
December 15, 2020
in Apps
0
How to use Microsoft Sysmon, Azure Sentinel to log security events
493
SHARES
1.4k
VIEWS
Share on FacebookShare on Twitter

This post explains how Microsoft has strengthened Azure platform security against unauthenticated SMTP traffic to maintain Azure IP stack reputation and how 3rd party SMTP API can be used to overcome these restrictions.

Background info

Recently I have set up a Microsoft Exchange hybrid training lab in an Azure Computing environment for one of my clients. The client has registered Azure for a 30 days trial subscription. I have setup exchange server, setup MX and SPF records as appropriate checked entries on MXtoolbox and initiated email send/receive tests to and from the Internet.

I was able to receive emails from the external world but when I tried to send email to external users, they kept bouncing with an error that the recipient system is not accepting emails right now. My external emails were nothing more than my Gmail and Hotmail accounts. Yet those accounts were able to receive emails from the Internet except for mine.

I then ran a message trace and found that mail was not going out of my exchange server. I started the queue viewer and indeed, mail was stuck in the queue with the error message. To further test, from exchange server I tried to telnet on SMTP port 25 to google MX and my O365 exchange online – the telnet test failed.

This started to be a real pain for me to establish a fully functional hybrid lab. So I started searching the Internet and came across an article which says that Microsoft has banned outbound SMTP communication towards the Internet from Azure compute resources in trial subscriptions and hence I must use a 3rd party smart host to deliver emails from Azure compute resources to the external world.

Article: https://blogs.msdn.microsoft.com/mast/2017/11/15/enhanced-azure-security-for-sending-emails-november-2017-update/

Azure SMTP restrictions

Why has Azure stopped outbound emails (standard SMTP protocol) from Azure compute subscriptions?

When we say outbound emails, it applies to unauthenticated email delivery on TCP 25 to the external world through direct DNS MX lookups. The fact is that Microsoft offers Azure trial subscriptions worth 200$ for free and people all over the world take benefit of trial subscriptions to test/host their custom applications/servers. 

If any email transactions happen from these apps/servers without proper sender identity verification/authentication (SPF / DKIM) records, it leads to spoiling Azure data center public IP addresses blacklisting, Abuse or negative IP reputation. Since 15th November 2017, Microsoft has restricted outbound SMTP (TCP 25) communication to external world to specific subscriptions only. The purpose is to reduce/minimize negative IP reputation and eventually blacklist Microsoft Azure datacentre IP addresses.

Well, not all Azure subscriptions are blocked, SMTP blocking applies to new subscriptions registered post 15th Nov 2017. Enterprise customers are not affected by this blockage. Customers having a Pay-As-You-Go subscription can send a support request with a valid reason to Azure, and Microsoft conducts a few checks against the request and if the request is approved, they will then unblock SMTP restrictions.

Any new Azure trial subscriptions including MSDN, Azure Pass, Azure in Open, Education, BizSpark, registered post 15th Nov 2017 would by default be blocked for outbound SMTP delivery on port 25. There is no plan for allowing these subscriptions for direct outbound SMTP delivery to the external world. Any support request pertaining to this will not be entertained. These subscribers if needed must use 3rd party email gateways (Smart host) for outbound SMTP delivery. Further SMTP communication must have happened on either secure SMTP port (TLS 587) or other non-standard port such as TCP 2525. TCP 25 would be blocked permanently

Microsoft recommends Azure customers use 3rd party authenticated SMTP relay services with TLS support (TCP port 587 or 443) to send email from Azure VMs or Apps to the internet. These services are specialized in IP / domain reputation and reduce the possibility of blacklisting and email rejection by ISPs and organizations.

These 3rd party SMTP service providers also provide other benefits along with IP and domain reputation such as bulk messaging, transactional email services, marketing campaigns across messaging platforms. Use of these e-mail delivery services is not restricted in the entire Azure infrastructure, regardless of subscription type.

Resolution – Authenticated SMTP Relay Services

An SMTP Relay Service (often known as a Smart Host) is defined as an intermediary SMTP relay server between a sender’s email server and the recipient’s email server. The purpose is to either overcome a limitation by the sending email server or provide bulk email services.

Common reasons why companies consider using an SMTP Relay service:

  1. ISP blocked outbound SMTP 25 port or have set daily / hourly limit on SMTP transactions
  2. A sending SMTP server IP is getting blacklisted frequently
  3. A need to send bulk emails/mass mailing for advertising/marketing while at the same time, maintain IP / domain reputation (Avoid Blacklisting)

In our case, we need a smart host because of network port restrictions (1st point as listed above) imposed by Microsoft with the Azure network.

There are a number of 3rd party SMTP relay services available in Market such as SparkPost, MailGun, turboSMTP, ElasticEmail, ManDrill, SendGrid and so on, just to name a few. One of their service offerings is an SMTP API which allows you to relay emails to the external world on your behalf securely. 

All you need to do is to register a free account with them and subscribe for free (if offered) or a paid email plan and you need to authenticate/verify your custom SMTP domain with their email gateway which allows you to deliver emails from their gateway. These gateways listen on various SMTP protocols like 25, 587, 465 including few non-standard ports like 2525. ID and password would be required to connect to the SMTP services. The Password remains very complex as most of the time “API KEY” (encrypted text) is used as a password to avoid password guesses.

What we are looking here, how we can integrate Azure Subscription with such SMTP relay services. The available SMTP relay service should provide the qualities listed below:

  • Authenticated Connection
  • Greater spam control
  • TLS Support
  • Clean IP and domain reputation
  • Sender Domain authentication ability
    • DKIM authentication
    • SPF authentication
  • Message tracking
  • Maximum uptime
  • Bulk messaging facility
  • Wide range of SMTP protocol support (25, 587, 465, 443, 2525 etc)

Microsoft has provided us the option to integrate an Azure Subscription with SendGrid for free. Once integrated, you can configure the SendGrid SMTP API (Smart host functionality) within an Azure hosted app/server to deliver emails to the external world. Sendgrid offers you 1st 25000 email deliveries free of charge per month. If your requirement is more than 25K, you need to purchase sendgrid plans.

The process is very seamless and secure, works on TCP 587 OR 465 OR 2525, normally you can use TCP 587 if the client supports or you can use 2525. SPF and DKIM checks are managed by Smart Host provider in this case.

Below I have added step by step Azure subscription integration with Sendgrid. Steps are simple:

  1. Azure – Sendgrid Integration – Create a Sendgrid Account as an Azure resource From your Azure Subscription
  2. SMTP API (Smart Host) Configuration – Point applications/services / Exchange server to the Sendgrid host as a smart host relay by using an ID/password created by the Azure integration
  3. Test Email Flow – Test outbound email flow, Sendgrid will take care of SPF and DKIM authentication in this case.
  4. Domain Authentication – This will enable DKIM authentication for your domain. Domain authentication is optional and would be required if we wanted to build our SMTP domain reputation, however, If we have a DMARC record already in place, we must complete domain authentication with Sendgrid. Domain authentication with Sendgrid can be achieved by adding a few DNS records in our DNS zone. This step allows us to pass an existing/new DMARC record for our domain.
  5. Modify SPF Record – Add Sendgrid SPF host to our domain SPF record, this step is recommended for organizations who already have DMARC record created for there SMTP domain. Normally SMTP Relay service providers enforce this requirement as a mandatory prerequisite before they activate service for our domain.
  6. Validate Domain Authentication – Test email flow through Sendgrid and validate its authenticity

Azure – Sendgrid Integration

Microsoft has included SendGrid Email delivery with Azure Marketplace and we can add it as connector resource in the Azure portal. Login to Azure Portal with Global/tenant administrator.

Under the Azure management portal, under “All resources”, click Add and type Sendgrid Email Delivery under new and click search.

Click Create. This will land on Sendgrid registration page within the Azure portal itself.

Fill up name (username for SendGrid), Password, select Azure active subscription and define Azure Resource group to be used to create sendgrid connector. Under the pricing tier, select “Free tier” which provides you 25000 emails per month.

Further, In the same form, fill out the contact info and accept the legal agreement, wait for validation to be successful. Once validation is successful, click Create.

The connector is successfully created in the Azure resource group we selected during deployment. It generated long random characters as user ID (azure_xxx…@azure.com) which is hard to guess. It also provides an SMTP server DNS name to be used as a Smart Host. We can see this information on the connector properties page in the Azure Portal. Note that the Sendgrid account username is different from the username created for Azure purposes. 

In this case, “MaheshP” is the Sendgrid account username (located in the extreme top left in above screenshot) and the username created for Azure is located at the extreme right side of above screenshot. 

Both usernames share a common password which we set during connector creation in the Azure portal. Former is used to login to the Sendgrid management portal and the latter is used to authenticate against Sendgrid SMTP API services within Azure VMs and apps.

Now click on Manage. It will automatically take us to Sendgrid website landing page to initiate the email verification process. You will receive an email from SendGrid asking you to verify your account and login to your account. Please complete the account verification.

SMTP API (Smart Host) Configuration

We can use the user ID created by Azure – Sendgrid integration (azure_xxx…@azure.com) along with the password in Azure-hosted applications/servers to relay emails to the Sendgrid Gateway and it will accept those emails as authenticated and process further.

The process would be simple. Within applications/servers, configure the email relay section, add smtp.sendgrid.net as a Smart Host server along with the required port (587 TLS OR 2525 OR 465 SSL) as SMTP relay server. Provide the Azure generated ID and password as the authenticator.

I had already deployed Exchange server in Azure for my lab purpose, in order to send external emails, I needed to configure the above user ID with my Internet send connector on Exchange server.

Locate the send connector properties configured for the Internet and on the Network tab, add smtp.sendgrid.net as a smart host (SMTP relay server) and click Change to enter credentials.

Enter the User ID generated by Azure – Sendgrid connector along with the password, select Basic Authentication over TLS and click OK

Next step would be configuring the send connector to operate on a custom port as by default Exchange servers send connectors to operate on the default SMTP port (TCP 25) since TCP 25 is blocked by Azure, hence we will change it to 2525, a non-standard port.

First, we need to ensure that we can reach to smtp.sendgrid.net on TCP 2525

The Telnet session connected successfully, so now we need to configure the send connectors to use TCP 2525 for outbound email delivery.

Run “Get-SendConnector <Internet> | Set-SendConnector -Port 2525” against all internet facing send connectors.

We can see that the Sendgrid Host is added as a Smart Host entry under the available message queue with a ready status.

Test Email Flow

Now we are ready to test external email flow. Login to webmail with an on-premise Exchange server account and send a test email.

In the above example, the sender is user3@exchangelabs.in which is my on-premise native mailbox. user1@exchangelabs.in is my account migrated to O365 and Mahesh PM is nothing but my Gmail account.

My O365 account received email successfully.

My Gmail account also received email. You can notice “via sendgrid.me” in above screen shot.

Further, if you click on the dropdown, you can see, mailed and signed by sendgrid.net and sendgrid.me respectively.

Now from MXtoolbox, if we analyze the header, it looks like the screenshots below;

Further, if we check the received message header at the Gmail side, it is showing as SPF and DKIM authentication results are passed.

Reference:https://www.experts-exchange.com/articles/32747/Azure-SMTP-Restrictions-Resolution-with-SMTP-Relay-Services.html

Share197Tweet123Share49
AZURE SECURITY NEWS EDITOR

AZURE SECURITY NEWS EDITOR

Related Posts

How to use Microsoft Sysmon, Azure Sentinel to log security events

OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

by AZURE SECURITY NEWS EDITOR
February 22, 2021
0

Now more than ever, organizations are challenged with keeping their employees productive working remotely and interacting with their customers over...

A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

by AZURE SECURITY NEWS EDITOR
February 22, 2021
0

Microsoft is planning to end the integration of the Microsoft Defender for Endpoint security solution with the Azure Information Protection...

Microsoft To Open Azure Cloud Data Center Region In Spain

EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

by AZURE SECURITY NEWS EDITOR
February 17, 2021
0

Global Enterprise Key Management Solution Market Aligning with investor inclination and manufacturer preferences for heavy growth returns and growth sustainability despite...

A moment of reckoning: the need for a strong and global cybersecurity response

Azure Engineer at VillageMD

by AZURE SECURITY NEWS EDITOR
February 16, 2021
0

At VillageMD, we are committed to helping patients achieve greater health by delivering the most accessible and efficient healthcare in...

  • Trending
  • Comments
  • Latest
Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

AZURE DEFAULT RESOURCE GROUP AND DEFAULT WORKSPACE: WHAT ARE THEY?

December 14, 2020
Microsoft Seriously Beefs Up Security in Windows Server 2019

TCS Launches Cloud Exponence on Microsoft Azure

January 21, 2021
Microsoft Launches Host of Security Products in Time for RSA

Microsoft to add two new Microsoft 365 security, compliance bundles to its line-up

November 26, 2020

Lady Gaga Pulled Off One of the Best Halftime Shows Ever

0

Barack Obama’s Now Mainly Focusing on Wearing This Casual Backwards Hat

0

Watch Justin Timberlake’s ‘Cry Me a River’ Come to Life in Mesmerizing Dance

0
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
Azure Security News

Copyright © 2020 - Azure Security

Navigate Site

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Follow Us

No Result
View All Result
  • Home
  • News
    • Politics
    • Business
    • World
    • Science
  • Entertainment
    • Gaming
    • Music
    • Movie
    • Sports
  • Tech
    • Apps
    • Gear
    • Mobile
    • Startup
  • Lifestyle
    • Food
    • Fashion
    • Health
    • Travel

Copyright © 2020 - Azure Security

Welcome Back!

Login to your account below

Forgotten Password?

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In