
Several months ago, I released a tool (the Office 365 Proxy Pac Gen) to generate a Proxy Automatic Configuration file that can be used to bypass local proxy servers for Office 365 services. I also wrote a blog (Office 365 PAC file) on using the tool. I’ve received a lot of personal feedback on it, and wanted to expand on how to use the configuration file in production to manage desktops.

As I stated in my blog posting, bypassing the proxy requires two elements:

– A list of URLs/domains that the browser knows not to send to the proxy environment
– Firewall access rules configured to allow outbound access to the IP addresses corresponding to the domains found in the proxy bypass list
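To make the first element concrete, here is a minimal proxy auto-configuration file of the kind the Office 365 Proxy Pac Gen produces. This is an added illustration, not the generator's actual output: the domain list is a constructed, deliberately small subset of Office 365 endpoints, and the proxy address 192.168.0.1:8080 is the placeholder used elsewhere on this page. dnsDomainIs, shExpMatch and isPlainHostName are built-ins that the browser's PAC engine provides; they are re-implemented here only so the file can be exercised outside a browser.

```javascript
// Added example PAC file (not the Office 365 Proxy Pac Gen's output).
// A PAC file is JavaScript that the browser evaluates for every request;
// FindProxyForURL returns either "DIRECT" or a "PROXY host:port" string.

// Shims for PAC built-ins so this file runs under Node for testing.
// A browser supplies its own versions; these can be removed when deploying.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob ("*", "?") into an anchored regex.
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Placeholder proxy address; replace with your own (as the page does later).
var PROXY = "PROXY 192.168.0.1:8080";

// Constructed, illustrative subset of Office 365 domains. A production
// file is regenerated from Microsoft's published endpoint list, and every
// name listed here must also be allowed by the outbound firewall rules
// (the second element above), or bypassing the proxy simply breaks access.
var DIRECT_DOMAINS = [
  ".office365.com",
  ".outlook.com",
  ".office.com",
  ".microsoftonline.com"
];
var DIRECT_PATTERNS = [
  "*.sharepoint.com",
  "*.lync.com"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label intranet names never go through the proxy.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Suffix matches: outlook.office365.com, login.microsoftonline.com, ...
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Glob matches for tenant-specific hosts such as contoso.sharepoint.com.
  for (var j = 0; j < DIRECT_PATTERNS.length; j++) {
    if (shExpMatch(host, DIRECT_PATTERNS[j])) {
      return "DIRECT";
    }
  }
  // Everything else goes to the corporate proxy.
  return PROXY;
}
```

Note that dnsDomainIs is a pure suffix check, so a host such as notoffice365.com does not match ".office365.com" and is still sent to the proxy; the leading dot on each entry is what keeps look-alike domains from being bypassed. Because every client executes whatever this file contains, it should be served only from the web server you configure below, and the generator output should be reviewed before it is published.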

That sounds well and good; so how do you configure your desktop environment to take advantage of this proxy automatic configuration file? There are two basic ways that this can be accomplished.

– A GPO that specifies the location of the .PAC file (typically useful only for Internet Explorer or Edge, unless separate administrative templates have been configured for Firefox or Chrome)
– WPAD (Web Proxy Auto-Discovery Protocol)

First things first. In order for your clients to pick up a configuration file at all, there has to be a web server hosting the file. The configuration is relatively straightforward if you’re setting up IIS.

  1. Install IIS. Yes, it’s pretty easy. If you’ve never done it before, here are the short notes on the various IIS versions.
    1. IIS 7.x (Windows 2008 R2) – https://technet.microsoft.com/en-us/library/ee692294%28v=ws.10%29.aspx
    2. IIS 8.x (Windows 2012/R2) – http://www.iis.net/learn/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012
  2. Configure the appropriate MIME types. At this point we’re going to configure a MIME type for both wpad.dat and the proxyautoconfig.pac file (it’s the same file, delivered via different methods).
    1. Launch an elevated PowerShell prompt.
    2. Run the following cmdlets:
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.pac']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.pac',mimeType='application/x-ns-proxy-autoconfig']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.dat']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.dat',mimeType='application/x-ns-proxy-autoconfig']"
  3. Place two copies of the PAC file in the root of the virtual directory for the default web site. You can schedule the Office 365 Proxy PAC generator PowerShell script on the web server to create the files. Name one “proxyconfig.pac” (or whatever, as long as the extension is .PAC). Name the other “wpad.dat” (this one is particular and must be named that). Here’s an easy way to keep the PAC and WPAD files updated:
    1. Download the Office 365 PAC file generator and save it to C:\Scripts (for example) on the web server hosting the PAC/WPAD files.
    2. Create a batch file called “C:\Scripts\PacSchedule.bat” with the following content (replacing the address of the proxy server with your own):
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\Proxyautoconfig.pac'
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\wpad.dat'
    3. Run it to test.
    4. Create the scheduled task. You can do this via the Task Scheduler GUI or from a PowerShell command line:
      $action = New-ScheduledTaskAction -Execute 'C:\scripts\PacSchedule.bat'
      $trigger = New-ScheduledTaskTrigger -Daily -At 9am
      Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "PAC Scheduled download" -User 'forestclabadmin' -Password 'Password1'

For WPAD deployments, client machines look for a host named “wpad” in their DNS suffix. Configure a DNS A record for “wpad.domain.com” (where ‘domain.com’ is your LAN’s DNS zone) that points to the IP address of the web server.

  1. Launch DNS Management Console.
  2. Navigate to the forward lookup zone for your domain.
  3. Right-click > New Host > enter wpad as the hostname and the web server hosting the PAC and WPAD.DAT files in the IP address window, and click Add Host.
  4. Check to see if the DNS blocklist is configured. You can use either DnsCmd (native Windows command line utility) or the PowerShell cmdlet Get-DnsServerGlobalQueryBlockList.
    1. DnsCmd method:
      dnscmd /info /enableglobalqueryblocklist
    2. PowerShell Get-DnsServerGlobalQueryBlockList method:
      Get-DnsServerGlobalQueryBlocklist
  5. If DnsCmd returns “1” (or the cmdlet shows Enable : True), the block list is enabled. If it is enabled, you should check to see whether WPAD is on the block list. If you have a default installation of Windows 2008 R2 or later and WPAD was not *previously* configured in your environment, WPAD will be on the block list.
    1. DnsCmd method:
      dnscmd /info /globalqueryblocklist
    2. PowerShell Get-DnsServerGlobalQueryBlockList method:
      Get-DnsServerGlobalQueryBlockList
  6. If WPAD appears in the returned list, you can either disable the DNS block list or exclude WPAD from it.
    1. To exclude WPAD:
      1. DnsCmd method:
        dnscmd /config /globalqueryblocklist isatap

        (Note: isatap was already included in the block list. DnsCmd overwrites the current values with whatever you specify, so you need to write out all the names that are currently blocked and that you want to remain blocked.)
        The DnsCmd method isn’t my favorite, especially if you have a large number of items in the block list. If you have a default setup, it only has isatap and wpad, so it’s not a huge deal. Fortunately, there’s a nifty PowerShell way to do it as well.
      2. PowerShell method:
        # Read the current block list as an array
        [array]$blocklist = (Get-DnsServerGlobalQueryBlockList).List

        # -ne applied to an array returns every element except "wpad"
        $blocklist = $blocklist -ne "wpad"
        Set-DnsServerGlobalQueryBlockList -List $blocklist
    2. To disable the DNS Blocklist:
      1. DnsCmd method:
        dnscmd /config /enableglobalqueryblocklist 0

      2. PowerShell method:
        Set-DnsServerGlobalQueryBlockList -Enable $False

Now that the web server and DNS records have been configured, we need to configure the DHCP server to distribute the appropriate option (252).

  1. Launch DHCP Administration Console.
  2. Select IPv4, right-click, and then select Set Predefined Options.
  3. Click the Add button, and then fill out the appropriate values and click OK:
    Name: wpad
    Data type: String
    Code: 252
  4. In the String value box, type http://wpad.domain.com/wpad.dat (replacing domain.com with your domain).
  5. Click OK.
  6. Right-Click Server Options, click Add, select Option 252 from the list, and click OK.


Once that’s done, you can use a GPO or Group Policy preference to configure Windows hosts running IE to use WPAD or the specified PAC file. Firefox, Chrome, Safari and other browsers should have WPAD discovery on by default.

For more information on how proxy works under the hood, be sure to check out Eric’s blog at https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration.

SYMPTOMS

Messages are going to the badmail folder.

CAUSE

1. A message is not fully received by the MailEnable SMTP service. The last line of the MAI file in the Bad Mail\Messages directory will indicate the error that caused this.
2. The post office connector cannot deliver a message to a user's inbox. This would happen only in rare cases where a user is deleted just after a message has been accepted by an external connector but before it has been delivered. It can also occur if the user's inbox directory is not a valid path.
3. A delivery delay or failure notification has the same Postmaster address as both recipient and sender. This indicates that the bad mail sender address configured in the SMTP properties is not a valid email address.
4. The total length of the recipient string for an email is too long for the number of individual email addresses it contains; this is essentially a check for an invalid recipient string. It might occur if the command file was generated externally to MailEnable (i.e. an external program is creating files for MailEnable to send but has not built the command file correctly).
5. A command file is found in the SMTP outbound directory, but there is no message contents file. This can happen if external programs create the command file before the message file directly in the SMTP outbound directory (i.e. MailEnable reads the command file to send the email, but the message file has not been created yet).
6. A delivery delay/failure notification message has expired in the queue.
7. A delivery delay/failure notification message has a permanent error.
8. A variety of List Server errors can put messages in Bad Mail.

MORE INFORMATION


How to diagnose outgoing mail problems and delivery delay notifications: Article ME020148

How to control how often users are sent message delay notifications: Article ME020191

How do messages end up in the BadMail directory? Article ME020169