Facing Error: SASL authentication failed; Authentication unsuccessful after security default enabled=on. Is option3 (Office 365 SMTP relay) is best solution to solve this error? secondly, how can I create policy to resolve this error on office365 side?

Question

Hi Team,

I installed postfix on Kali Linux and configured office365 account (username and password). On office 365 sides, I just created test1user and after that on test1user Go -> Manage email apps --> Authenticated SMTP= enabled Go--> MFA=Enabled (App password) then, this test1user and app password used in Postfix configuration which is showing below:
Relayhost = smtp.office365.com:25 /etc/postfix/sasl_passwd=smtp.office365.com:25 test1user:scjdkjncjdcdkjncjd

On that time it was working good but after enable security default. it is giving error which is shown below:

Error: Kali postfix/smtp: SASL authentication failed; server smtp.office365.com said: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.

So, I have two questions regarding this:-

1. First, if I use/follow option-3 method https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#option-3-configure-a-connector-to-send-mail-using-microsoft-365-or-office-365-smtp-relay. Will it work with default security setting= on? if yes, then great. otherwise, what is the best option for postfix server to given office365 account credential?
2. Secondly, it is possible for adding some policy to resolve this issue? if yes, How can I create policy on office365 admin center for resolve this issue?
   How can I create such an Conditional Access Policy for enabling SMTP again?

I'm little bit confuse. Please guide me. it would be very appreciated..!! Thanks

Answer 1

Hi @Asher Fiyaz

Since app password uses basic authentication, if you have security defaults enabled (tenant-level), the authentication attempt would fail.

First, if I use/follow option-3 method https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#option-3-configure-a-connector-to-send-mail-using-microsoft-365-or-office-365-smtp-relay. Will it work with default security setting= on? if yes, then great. otherwise, what is the best option for postfix server to given office365 account credential?

It may work for you and you don't need to offer credentials.

With SMTP relay, you can send from any email address in one of your Microsoft 365 or Office 365 verified domains.

And this email address does not need an existing or licensed mailbox.

Secondly, it is possible for adding some policy to resolve this issue? if yes, How can I create policy on office365 admin center for resolve this issue?
How can I create such an Conditional Access Policy for enabling SMTP again?

It is not possible if you have security defaults enabled, which already blocks basic authentication at organization level.

Moreover, you need to allow basic authentication on per-user level for the mailbox you are using in Conditional Access Policy (in other words make sure there are no policy that blocks basic authentication when security defaults is disabled)

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.