SCAN TO EMAIL SHAKE-UP FROM MICROSOFT
All modern and secure systems that connect to Microsoft mailboxes to send email messages should be using modern, secure authentication protocols, says Microsoft. So why is your scan to email any different?
Microsoft's settings for all email accounts include a default setting for sending email called SMTP AUTH. It is turned off by default, and this is for a reason.
We have to manually override these baseline security settings to allow scanners to use SMTP AUTH. However, because this method is a security risk, Microsoft states: "We highly recommend that you disable SMTP AUTH in your Exchange Online organization."
See the Microsoft article below for more detail:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission
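To find out which accounts have had that baseline overridden, the PowerShell below is an added example (not taken from the Microsoft article or from our own tooling) that works out the effective SMTP AUTH state for each mailbox. The function name and the sample mailboxes are made up for illustration; the SmtpClientAuthenticationDisabled property is the one exposed by the Exchange Online cmdlets Get-TransportConfig and Get-CASMailbox.

```powershell
# Added example. Get-EffectiveSmtpAuth is a hypothetical helper name.
# Per-mailbox SmtpClientAuthenticationDisabled has three states:
#   $null  = inherit the organization setting
#   $false = SMTP AUTH explicitly enabled for this mailbox (an override)
#   $true  = SMTP AUTH explicitly disabled for this mailbox
function Get-EffectiveSmtpAuth {
    param(
        [Parameter(Mandatory)] [bool]     $OrgDisabled,
        [Parameter(Mandatory)] [object[]] $Mailboxes
    )
    foreach ($mbx in $Mailboxes) {
        $setting = $mbx.SmtpClientAuthenticationDisabled
        if ($null -eq $setting) {
            # No per-mailbox value: the organization default applies.
            $enabled = -not $OrgDisabled
            $source  = 'organization default'
        } else {
            # A per-mailbox value always wins over the organization default.
            $enabled = -not [bool]$setting
            $source  = 'per-mailbox override'
        }
        [pscustomobject]@{
            Mailbox         = $mbx.PrimarySmtpAddress
            SmtpAuthEnabled = $enabled
            Source          = $source
        }
    }
}

# Constructed sample data (not real accounts) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.com'
                       SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'reception@example.com'
                       SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'accounts@example.com'
                       SmtpClientAuthenticationDisabled = $true }
)

# With SMTP AUTH disabled organization-wide, only the override is listed.
Get-EffectiveSmtpAuth -OrgDisabled $true -Mailboxes $sample |
    Where-Object SmtpAuthEnabled

# Against a live tenant (after Connect-ExchangeOnline), feed in real values:
#   $org = (Get-TransportConfig).SmtpClientAuthenticationDisabled
#   $all = Get-CASMailbox -ResultSize Unlimited
#   Get-EffectiveSmtpAuth -OrgDisabled $org -Mailboxes $all |
#       Where-Object SmtpAuthEnabled
```

Every mailbox this lists is one that still accepts a username and password over SMTP, so each is a candidate for moving to another sending method.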
Attackers can use weaknesses built into this older protocol to break into online mail servers where they can easily find all the stored scans in the sent items!
In 2021, Microsoft disabled basic authentication for all mailboxes.
However, at the same time it made an exception allowing SMTP AUTH to be manually turned back on, to give everyone time to transition away from this method of sending emails. This is not an excuse to keep using it, especially for unsecured devices such as printers that can easily be logged into. It is time to plan for the inevitable change and put in place more secure systems for sending emails.
Microsoft's deadlines are:
1 Sept 2022 - 2FA / Multifactor Authentication is enforced on all user accounts (so accounts using SMTP AUTH will stop working and scan to email will stop).
1 Oct 2022 - Basic Authentication to all mailboxes is being permanently disabled.
Alternative Solutions
Microsoft allows you to create an SMTP connector, but this requires 2 prerequisites from your internet provider:
1. An external static IP address, which costs between $10 and $20 per month + GST
2. Unblocking port 25 on your internet connection **
** Port 25 is blocked on your internet connection by your internet provider for good reason. Hackers who gain access to your network can easily send emails from your systems with a simple PowerShell command, as these connectors do not use authentication (a username and password). Because your external IP address is the authentication, it is just a matter of time before you become blacklisted and your internet connection is closed down by your provider.
Hence, the connector solution is not cost-effective and lowers security.
The only other option is to use a secure, third-party plugin, which is by far the easiest and most cost-effective solution.
SMTP2GO is internationally recognised and a fantastic solution. Please see our separate article on how to implement this, along with the options. Plans for this start at NZ$5 per month + GST.
The bottom line
When sending emails from any device, the international recommendations and best practices are to ensure that all devices use modern authentication protocols. Don't wait until this is enforced on you; the time to act and make the change is now.