Using an SSL Certificate for SMTP Authentication with Microsoft

Microsoft offers the following methods for relaying messages from MFP devices or on-premises application servers. The methods are described in detail on this page.

• Method 1 - Client SMTP Submission. This method requires OAuth 2.0 authentication. Refer to this page for details on how to do this.
• Method 2 - SMTP Relay. This is done by either specifying your public IP address or using an SSL certificate for authentication. This page talks about this method and how to use an SSL certificate in Xeams when relaying outbound or internal emails to Microsoft.
• Method 3 - Direct Send. This method requires you to authorize your public IP address to send emails for your domain by adding it to your SPF record and assigning a DKIM key. Refer to Xeams if you want to use this method.

This page discusses the steps to use Method #2 mentioned above with Syncrify.

What is a client-side certificate?

When sending emails to any SMTP server, Syncrify acts as an SMTP client, which connects to the SMTP server hosted by Microsoft (or any other provider). Normally, it's the server that presents its SSL certificate to the client. If the server is trusted, the client then sends its email to that server. Some SMTP servers, such as Microsoft, can check the SSL certificate used by the client and allow relaying if the certificate is trusted. This page explains how to add a client-side SSL certificate in Syncrify to use when sending outbound emails, so Microsoft can authenticate your organization and accept emails originating from Syncrify.

A trusted certificate has three components:

1. It must belong to the domain used by the sender. For example, if the sender's email address is administrator@yourcompany.com, the SSL certificate must be for yourcompany.com.
2. It must be signed by a trusted certificate authority (CA), such as Let's Encrypt, Comodo, or other similar organizations.
3. The expiration date must be in the future.

Obtaining a certificate

The easiest way is to export the certificate from your corporate website. For example, if your domain name is yourcompany.com, you will most likely have a website like https://yourcompany.com. If yes, export the certificate from this website, which results in a *.pfx file. During the export, you will also have to specify a password. You will need this PFX file and the password when using it in Syncrify. Refer to How to export an existing SSL certificate from an IIS server for instructions.

If you don't have an existing website, you must create a new certificate using the instructions on this page.

Using a client-side certificate in Syncrify

• Log in to your Syncrify web interface as the administrator.
• Click Configuration
• Select an SSL Certificate for the Authentication Type field.
• Click the Upload Certificate button to specify a password and upload the certificate.
• Once the certificate is uploaded, you see its expiration and the associated hostnames it validates.