Email Notification to Exchange Online Connector

niclas_gingby · August 15, 2023, 6:56am

Infos:

Used Zammad version: 6.0.0-1686136655.9f6ee5a5.focal
Used Zammad installation type: package
Operating system: Ubuntu 20.04
Browser + version: Chrome and Edge latest

Expected behavior:

Adding email notification configuration pointing to a smtp connector i Exchange Online (Anonymous relay restricted by IP in O365)

Actual behavior:

Reply in Zammad GUI is:
550 5.7.64 TenantAttribution; Relay Access Denied [ValidationStatus of ‘’ is EmptyCertificate]

Steps to reproduce the behavior:

Using method 3 in this guide:
How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Learn

Add a connector in Exchange online and allow SMTP from the servers outgoing IP, then try adding the
smtp host in Zammad GUI under Emails - Notifications just using smtp host and port 25 and no user.

I’ve checked that I can use telnet to send/relay emails from the same outgoing IP so it seems that Zammad sends some additional info in the outgoing SMTP?

Please advice.

Sal · August 15, 2023, 3:12pm

Looks like your issue is the certificate that Exchange is looking for or the IP address Zammad is on is not the same in the relay.

Also, Method 3 is the most complicated of options and should only be used if 1 and 2 are not possible.

niclas_gingby · August 15, 2023, 3:31pm

Yes, I know that opt 3 is the “hardest” but in this case the only alternative as opt 1 isn’t possible due to modern auth and opt 2 only allows recpt in the same org. And alt 3 works as intended for other systems. Right now the workaround is to relay using postfix but just wanted to see if anyone else has solved this.

MrGeneration · August 15, 2023, 3:46pm

Do you have agents outside of your org?

Relay access denied usually hints on invalid sender addresses.
You may want to have a look into the notification sender setting.
https://admin-docs.zammad.org/en/latest/channels/email/settings.html

niclas_gingby · August 15, 2023, 4:19pm

No agents externally but as I understand for instance user password reset requests uses this channel also?
The email - settings sender address is set to a valid address domain.

MrGeneration · August 15, 2023, 4:48pm

Yes correct. If you want your customers to use Zammad and being able to reset their password, then you have to be able to send to external orgs.

Then there’s the issue.

niclas_gingby · August 16, 2023, 5:32am

Not sure if I follow “Then there’s the issue.” ?
It is set to a valid sender address on the correct domain ie. noreply@<mydomain.com> and I’ve verified sending through this connector using telnet from the same source IP towards O365 and with "mail from: " and that works as expected.

MrGeneration · September 13, 2023, 11:32am

Right sorry.
I can’t tell what the issue is.

Looks like it’s on Microsoft end.
Either some requirements to send through the connector are not fulfilled or the email from & to are not in allowed scopes.

Verifying this only works on e.g. telnet if you ensure to test the exact scenario Zammad is doing.
Maybe Zammad tried to notify a customer outside or your tennant which may not be allowed?