Solved: Re: ISE and SMTP to Office365

Arne Bier · ‎03-08-2020

Hello

I have not installed ISE 2.7 yet but I believe that it allows authenticated SMTP - has anyone out there got it working with Office365?

Is it a general best practice to create a service account in O365 to allow ISE (or any on-prem device) to send mails ?

We're still on ISE 2.4 because it's stable (warm and fuzzy) but I would like ISE to be able to send emails - we don't have an on-prem SMTP server and I don't want the hassle of building such a solution just for emails (low prio).

Arne

Francesco Molino · ‎03-09-2020

Hi

Yes i have it configured use authentication and TLS connection.
I did some tests with my customer and it worked fine.
I always ask to create a dedicated account but can't confirm if it's a service account as I don't manage myself the O365 side.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎03-09-2020

Hi

Yes i have it configured use authentication and TLS connection.
I did some tests with my customer and it worked fine.
I always ask to create a dedicated account but can't confirm if it's a service account as I don't manage myself the O365 side.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Arne Bier · ‎03-09-2020

I did some more research and for Office365 there are some options/complications to allow this to work. In our case we could not use smtp://smtp.office365.com - since we have some security options configured, it turns out that I had to specify a different SMTP server, as shown in the dummy example below - I did a query for my mail domain and the MX record tells you which SMTP server(s) to use:

C:\Windows\system32>nslookup -q=mx somedomain.com.au

somedomain.com.au    MX preference = 5, mail exchanger = some-domain.mail.protection.outlook.com

I used port 25 and didn't use authentication or encryption - I was able to send an email to my gmail address as a test (by sending an email notification of a sponsored guest account - the test functionality in the Guest Portal didn't work for me at all) - ISE is still lacking a proper "Send a Test Email" feature, which should be on the same page as the SMTP config.

Francesco Molino · ‎03-10-2020

I agree. We can test the connection with o365 smtp and then generate alerts or use the guest portal to test emails

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jai_chandra2001 · ‎05-20-2021

This worked like a charm. Customer was under the impression that SMTP was through 0365 but it wasnt. Also like you mentioned there is no way to configure relay or any tracking on O365.

Scott Gillies · ‎07-20-2020

Hi

I am not an O365 expert but as I understood ISE does not support service account authentication with an external/cloud SMTP server.

Are you using API calls from ISE?

Could you provide some detail on how you resolved this ?

Many thanks.

Arne Bier · ‎07-20-2020

Hi Scott

[Edit: 6 Aug 2020 - It turns out that if you want to send emails from ISE to Office/Microsoft365 then it's possible even in versions older than 2.7 - the key thing is to check your mx records in DNS and if you have a secure mx record, then simply paste that into the ISE SMTP field - I tested it just now in ISE 2.4 and it works great! Even using TCP/25 ]

ISE 2.7 is the first version of ISE that has better SMTP support. You can configure an external mail agent for auth and encryption, and you can specify the TCP port.

In my case I used ISE 2.7 patch 1 (which I had to delete because it constantly crashed on me) and then configured the SMTP server for the CORRECT office 365 mail address as per our MX record. You cannot send emails to smtp.outlook.com - use nslookup to find the MX record - in our case we have an MX record that points to the correct Mail Exchanger. e.g.

C:\Windows\system32>nslookup -q=mx somedomain.com.au

somedomain.com.au    MX preference = 5, mail exchanger = some-domain.mail.protection.outlook.com

I didn't use API's for this. I tested the sending of emails by configuring an alarm (e.g. Configuration Changed) to send an email when an ISE config change occured. That's a nice test, because you can find it easily and also change the FROM field.

thomashowe · ‎08-24-2023

All,

When I test the SMTP Gateway on my ISE Deployment using smtp.office365.com I am getting a SSL Error, see attached screen shot. Now when I researched this, I found a Cisco ISE PDF Created by one of the TAC Engineers that covers this same error on page 8 of 10, see attached PDF called "ISE v3 Configure SMTP.pdf"

This is what the PDF says:

Problem: Test connection shows: "Could not connect to SMTP Server, SSL Error. Please check
the trusted certificates".

Solution: Import Root CA Certificate of the SMTP server in the ISE Trusted Certificates and if TLS
support is configured on the port.

The question I have is this: How or where can I get the Root CA for smtp.office365.com??? Or is this an ISE Trusted Certificate that I need to create or import from Cisco?