Difference between revisions of "SMTP Settings"
| [unchecked revision] | [checked revision] |
Ltalaschus (talk | contribs) |
|||
| (13 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | __NOTOC__ | |
| − | [[ | + | To be able to send emails, MailStore Server requires SMTP access data. MailStore sends notifications by email if [[Product Updates|product updates]] are available or if the automatic creation of a new [[Storage_Locations|archive store]] failed. Furthermore, email copies for the [[Accessing_the_Archive_with_MailStore_Web_Access#Restoring_Email|restore from MailStore Web Access]] can be sent via SMTP. |
Under ''Administrative Tools > Miscellaneous > SMTP Settings'' you can specify the SMTP settings. | Under ''Administrative Tools > Miscellaneous > SMTP Settings'' you can specify the SMTP settings. | ||
| − | + | You can choose between standard authentication for any SMTP server and OAuth2 for Microsoft 365. | |
| − | * | + | |
| − | * Under ''Server'', enter the host name of the SMTP server or its IP address. By default, MailStore uses port | + | === Standard authentication === |
| − | * In the field ''Protocol'', select ''SMTP'' for an unencrypted connection to the SMTP server. For an encrypted connection, select ''SMTP-TLS'' or ''SMTP-SSL''. | + | |
| + | This type is used for SMTP servers that support PLAIN and LOGIN authentication or do not require authentication. | ||
| + | |||
| + | [[File:tech_smtpsettings_01.png|center|550px]] | ||
| + | |||
| + | * Select the type ''Standard''. | ||
| + | * Under ''Server'', enter the host name of the SMTP server or its IP address. | ||
| + | * By default, MailStore uses port 587. If you want to use a different port, enter port number in the ''Port'' field. | ||
| + | * In the field ''Protocol'', select ''SMTP'' for an unencrypted connection to the SMTP server. For an encrypted connection, select ''SMTP-TLS'' or ''SMTP-SSL''. {{Option_Accept_all_certificates}} | ||
* Especially SMTP servers which are accessible through the internet require a login (SMTP authentication). Check the corresponding checkbox and enter the appropriate access data. In most cases, the POP3 access data of any user on the email server can be used. | * Especially SMTP servers which are accessible through the internet require a login (SMTP authentication). Check the corresponding checkbox and enter the appropriate access data. In most cases, the POP3 access data of any user on the email server can be used. | ||
| + | |||
| + | === Microsoft 365 and Microsoft 365 (21 Vianet) === | ||
| + | |||
| + | These types are used by Microsoft 365 SMTP servers and use OAuth2 for authentication. | ||
| + | |||
| + | [[File:tech_smtpsettings_02.png|center|550px]] | ||
| + | |||
| + | * Select the type ''Microsoft 365'' or ''Microsoft 365 (21 Vianet)'', depending on where your tenant is hosted. | ||
| + | * Authentication requires an Entra ID app registration, a service principal, and a mailbox. | ||
| + | * Creating the app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|this article]]. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. | ||
| + | * In particular, make sure that you have enabled or activated the SMTP.SendAsApp permission when configuring the API permissions in the SMTP area. | ||
| + | * The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission. The presence of the module can be checked with the following command. | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source> | ||
| + | * If the output is empty, the module can be installed with the following command: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Install-Module -Name ExchangeOnlineManagement</source> | ||
| + | * If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Update-Module -Name ExchangeOnlineManagement</source> | ||
| + | * Then the module can be loaded: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source> | ||
| + | * Connect with your client, use a user who has ''Role Management'' permissions: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source> | ||
| + | * Creating the app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page]. | ||
| + | * Now create a service principal for this Enterprise App: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source> | ||
| + | * The service principal must now be granted permission to send emails on behalf of a user. This user's email address must later be specified as the sender in the MailStore SMTP settings: | ||
| + | *;<p class=msnote>'''Important Note:''' All emails restored using this mailbox will also be saved as a copy in the mailbox's ''Sent Items'' folder. Therefore, we recommend using a dedicated shared mailbox that only authorized employees have access to.</p> | ||
| + | |||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID> -AccessRights FullAccess</source> | ||
| + | * Additionally, make sure that SMTP is allowed for this user: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Set-CASMailbox -Identity "[email protected]" -SmtpClientAuthenticationDisabled $false</source> | ||
| + | * Click the … in the ''Credentials'' section and select your ''Credentials''. | ||
| + | |||
| + | === General settings === | ||
* Under ''Sender'', enter the ''Display Name'' and the ''Email Address'' of the email sender. Many SMTP servers require an existing email address to be entered. The display name can be chosen freely; ideally the name indicates that the email was sent by MailStore Server. | * Under ''Sender'', enter the ''Display Name'' and the ''Email Address'' of the email sender. Many SMTP servers require an existing email address to be entered. The display name can be chosen freely; ideally the name indicates that the email was sent by MailStore Server. | ||
| − | * Under ''Recipient for Notifications'', enter the email address of the recipient for administrative notifications of MailStore Server. | + | * Under ''Recipient for Notifications'', enter the email address of the recipient for administrative notifications of MailStore Server. To specify multiple recipients, enter them comma-separated. |
* Once all settings have been specified, MailStore Server can be instructed to send a test email to the email address entered for notifications; simply click on ''Apply and Test''. If an error message appears or the recipient specified does not receive the email, the following hints for troubleshooting may be helpful. | * Once all settings have been specified, MailStore Server can be instructed to send a test email to the email address entered for notifications; simply click on ''Apply and Test''. If an error message appears or the recipient specified does not receive the email, the following hints for troubleshooting may be helpful. | ||
== Troubleshooting == | == Troubleshooting == | ||
* If no error occurs upon sending but the email does not arrive, please check the spam or junk mail folder of the mailbox. Perhaps the email was filtered out. | * If no error occurs upon sending but the email does not arrive, please check the spam or junk mail folder of the mailbox. Perhaps the email was filtered out. | ||
| − | * If an error message appears because of an invalid certificate ("Server's certificate was rejected by the verifier because of an unknown certificate authority."), check '' | + | * If an error message appears because of an invalid certificate ("Server's certificate was rejected by the verifier because of an unknown certificate authority."), check ''Accept all certificates'' and try again. |
* If an error message appears indicating that ''"One or more recipients rejected"'', the SMTP server probably requires authentication. Enter the appropriate access data as described above. | * If an error message appears indicating that ''"One or more recipients rejected"'', the SMTP server probably requires authentication. Enter the appropriate access data as described above. | ||
* If an error message appears because of invalid access data (''"Incorrect authentication data"''or ''"Authentication failed"''), verify the data entered. In most cases, the access data match those of the corresponding POP3 server. | * If an error message appears because of invalid access data (''"Incorrect authentication data"''or ''"Authentication failed"''), verify the data entered. In most cases, the access data match those of the corresponding POP3 server. | ||
* If further error messages appear or other problems arise, please check your entries for possible mistakes. | * If further error messages appear or other problems arise, please check your entries for possible mistakes. | ||
| + | * If you are using Microsoft 365 and sending message fails you can use the following PowerShell commands to verify your settings: | ||
| + | *; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false"> | ||
| + | # check whether the service principle has been created | ||
| + | Get-ServicePrincipal | Format-List | ||
| + | |||
| + | # check whether the service principle has access on the mailbox | ||
| + | Get-MailboxPermission -Identity "[email protected]" | ||
| + | # check whether SMTP is enabled for that user, the output should be "False" | ||
| + | Get-CASMailbox -Identity "[email protected]" | Format-List SmtpClientAuthenticationDisabled</source> | ||
| + | * If you are using Microsoft 365 and excuting the command ''New-ServicePrincipal'' fails with the error ''The term 'New-ServicePrincipal' is not recognized as a name of a cmdlet, function, script file, or executable program.'', then the user used to connect does not have proper permissions in the tenant. ''Role Management'' permissions are required. | ||
[[de:SMTP-Einstellungen]] | [[de:SMTP-Einstellungen]] | ||
[[en:SMTP Settings]] | [[en:SMTP Settings]] | ||
Latest revision as of 12:17, 5 September 2025
To be able to send emails, MailStore Server requires SMTP access data. MailStore sends notifications by email if product updates are available or if the automatic creation of a new archive store failed. Furthermore, email copies for the restore from MailStore Web Access can be sent via SMTP.
Under Administrative Tools > Miscellaneous > SMTP Settings you can specify the SMTP settings.
You can choose between standard authentication for any SMTP server and OAuth2 for Microsoft 365.
Standard authentication
This type is used for SMTP servers that support PLAIN and LOGIN authentication or do not require authentication.
- Select the type Standard.
- Under Server, enter the host name of the SMTP server or its IP address.
- By default, MailStore uses port 587. If you want to use a different port, enter port number in the Port field.
- In the field Protocol, select SMTP for an unencrypted connection to the SMTP server. For an encrypted connection, select SMTP-TLS or SMTP-SSL. If the certificate provided by the remote host cannot be verified (e.g. self-signed or signed by an unknown certificate authority), enable the option Accept all certificates to allow MailStore to establish a connection. As this option leads to an insecure configuration, warnings may appear in the summary and/or the dashboard.
- Especially SMTP servers which are accessible through the internet require a login (SMTP authentication). Check the corresponding checkbox and enter the appropriate access data. In most cases, the POP3 access data of any user on the email server can be used.
Microsoft 365 and Microsoft 365 (21 Vianet)
These types are used by Microsoft 365 SMTP servers and use OAuth2 for authentication.
- Select the type Microsoft 365 or Microsoft 365 (21 Vianet), depending on where your tenant is hosted.
- Authentication requires an Entra ID app registration, a service principal, and a mailbox.
- Creating the app registration is described in this article. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration.
- In particular, make sure that you have enabled or activated the SMTP.SendAsApp permission when configuring the API permissions in the SMTP area.
- The PowerShell module ExchangeOnlineManagement is required to set the permission. The presence of the module can be checked with the following command.
Get-Module ExchangeOnlineManagement -ListAvailable
- If the output is empty, the module can be installed with the following command:
Install-Module -Name ExchangeOnlineManagement
- If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
Update-Module -Name ExchangeOnlineManagement
- Then the module can be loaded:
Import-module ExchangeOnlineManagement
- Connect with your client, use a user who has Role Management permissions:
Connect-ExchangeOnline -Organization <tenantID>
- Creating the app registration also resulted in the creation of an Enterprise App with its own ObjectID in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at this page.
- Now create a service principal for this Enterprise App:
New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"
- The service principal must now be granted permission to send emails on behalf of a user. This user's email address must later be specified as the sender in the MailStore SMTP settings:
Important Note: All emails restored using this mailbox will also be saved as a copy in the mailbox's Sent Items folder. Therefore, we recommend using a dedicated shared mailbox that only authorized employees have access to.
Add-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID> -AccessRights FullAccess
- Additionally, make sure that SMTP is allowed for this user:
Set-CASMailbox -Identity "[email protected]" -SmtpClientAuthenticationDisabled $false
- Click the … in the Credentials section and select your Credentials.
General settings
- Under Sender, enter the Display Name and the Email Address of the email sender. Many SMTP servers require an existing email address to be entered. The display name can be chosen freely; ideally the name indicates that the email was sent by MailStore Server.
- Under Recipient for Notifications, enter the email address of the recipient for administrative notifications of MailStore Server. To specify multiple recipients, enter them comma-separated.
- Once all settings have been specified, MailStore Server can be instructed to send a test email to the email address entered for notifications; simply click on Apply and Test. If an error message appears or the recipient specified does not receive the email, the following hints for troubleshooting may be helpful.
Troubleshooting
- If no error occurs upon sending but the email does not arrive, please check the spam or junk mail folder of the mailbox. Perhaps the email was filtered out.
- If an error message appears because of an invalid certificate ("Server's certificate was rejected by the verifier because of an unknown certificate authority."), check Accept all certificates and try again.
- If an error message appears indicating that "One or more recipients rejected", the SMTP server probably requires authentication. Enter the appropriate access data as described above.
- If an error message appears because of invalid access data ("Incorrect authentication data"or "Authentication failed"), verify the data entered. In most cases, the access data match those of the corresponding POP3 server.
- If further error messages appear or other problems arise, please check your entries for possible mistakes.
- If you are using Microsoft 365 and sending message fails you can use the following PowerShell commands to verify your settings:
# check whether the service principle has been created Get-ServicePrincipal | Format-List # check whether the service principle has access on the mailbox Get-MailboxPermission -Identity "[email protected]" # check whether SMTP is enabled for that user, the output should be "False" Get-CASMailbox -Identity "[email protected]" | Format-List SmtpClientAuthenticationDisabled
- If you are using Microsoft 365 and excuting the command New-ServicePrincipal fails with the error The term 'New-ServicePrincipal' is not recognized as a name of a cmdlet, function, script file, or executable program., then the user used to connect does not have proper permissions in the tenant. Role Management permissions are required.
