Authentication - Outbound SMTP Authentication for Devices

This article contains information on configuring SMTP and POP3 authentication in Mimecast, including enabling TLS encryption, creating user accounts, configuring devices, and bypassing anti-spoofing policies to ensure secure email communication.

Email can be sent and received from any device or application that supports POP and SMTP protocols.

Considerations

  • Mimecast requires that TLS Encryption be utilized for POP3 and SMTP Auth connections.
  • The Mimecast internal domain user must have the POP and SMTP options enabled before the email can be sent and received using these protocols.
  • New messages can only be sent outbound via SMTP authentication using a Mimecast cloud password.
  • Two-factor Authentication (2FA) must be disabled for users to submit emails using SMTP authentication. Additionally, SMTP Authentication should be enabled in the User Account. For information on how to do this, see Configuring Authentication Profiles.

An authenticated account can send SMTP messages using any "from" address. An alternative to SMTP authentication is generating emails through an API endpoint. This endpoint operates similarly to SMTP submission; however, it does not permit sending emails using just any address. The only "from" addresses allowed with this method are those that belong to the account that created the API key, or addresses that have been delegated within Mimecast. For more information about the send-email endpoint, please refer to the API & Integrations portal.

Configuring SMTP Authentication

To configure SMTP authentication, you must create a specific user account for sending mail (e.g., scanner@domain.com) by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Directories | Internal Directories. A list of your domains is displayed.
  3. Select a Domain. A list of the domain's users is displayed.
  4. Click on the New Address button.
  5. Complete the dialog as follows:

     • Enter the Email Address of the assigned account.

       We recommend not using an administrator account because if the SMTP auth username and password are shared widely (e.g., among people configuring the printers), there could be issues.

     • Enter a Password for the account and make a note of it.

       Cloud passwords must be used to allow SMTP / POP submission. Ensure the default application setting has cloud password enabled. See the Configuring Authentication Profiles page for further information.

     • Enable the Password Never Expires setting.
     • In addition, enable the Allow SMTP Email Submission setting.

  6. Click on the Save button.

Configuring the Device for SMTP

Configure the device to:

  1. Use Mimecast's IP Addresses as the SMTP server. See the table below for the IP addresses for your region.

| Region | IP Addresses |
| --- | --- |
| Europe (Excluding Germany) | eu-smtp-outbound-1.mimecast.com, eu-smtp-outbound-2.mimecast.com |
| Germany | de-smtp-outbound-1.mimecast.com, de-smtp-outbound-2.mimecast.com |
| United States of America | us-smtp-outbound-1.mimecast.com, us-smtp-outbound-2.mimecast.com |
| Canada | ca-smtp-outbound-1.mimecast.com, ca-smtp-outbound-2.mimecast.com |
| South Africa | za-smtp-outbound-1.mimecast.co.za, za-smtp-outbound-2.mimecast.co.za |
| Australia | au-smtp-outbound-1.mimecast.com, au-smtp-outbound-2.mimecast.com |
| Offshore | je-smtp-outbound-1.mimecast-offshore.com, je-smtp-outbound-2.mimecast-offshore.com |
| USB | usb-smtp-outbound-1.mimecast.com, usb-smtp-outbound-2.mimecast.com |
| USPCOM | uspcom-smtp-outbound-1.mimecast-pscom-us.com, uspcom-smtp-outbound-2.mimecast-pscom-us.com |

  2. Use Port 587.
  3. Enable TLS Encryption.

     Mimecast does not support TLS 1.0 and TLS 1.1 as they have been deprecated since 25 March 2022. Instead, Mimecast supports TLS 1.2 and recommends that TLS 1.2 or TLS 1.3 be used in the end-user environment.

  4. Enable Authentication using the same login credentials (email address and password) configured above.
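
The device settings above (port 587, TLS 1.2 or later, then authentication), shown as an added Python example that is not part of the original article or Mimecast's own code. It refuses to send the password if the server does not offer STARTTLS; the environment variable names are assumptions chosen for illustration.

```python
import smtplib
import ssl
from email.message import EmailMessage

SMTP_PORT = 587  # submission port named in the article


def build_tls_context() -> ssl.SSLContext:
    """TLS policy for the client: certificate checks on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 / 1.1 are refused
    return ctx


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def submit(host: str, username: str, password: str, msg: EmailMessage) -> str:
    """Send msg over STARTTLS + AUTH and return the negotiated TLS version."""
    with smtplib.SMTP(host, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to sending the password in clear text.
            raise RuntimeError("server did not offer STARTTLS; refusing to authenticate")
        smtp.starttls(context=build_tls_context())
        smtp.ehlo()  # re-read capabilities over the encrypted channel
        if not smtp.has_extn("auth"):
            raise RuntimeError("server did not offer AUTH after STARTTLS")
        tls_version = smtp.sock.version()  # e.g. "TLSv1.2" or "TLSv1.3"
        smtp.login(username, password)
        smtp.send_message(msg)
        return tls_version


if __name__ == "__main__":
    import os
    # Hypothetical variable names; fill them with the account created above
    # and the regional server from the table.
    user = os.environ["SMTP_USER"]
    test_msg = build_message(user, os.environ["SMTP_TEST_RCPT"],
                             "SMTP auth test", "Test message.")
    print(submit(os.environ["SMTP_HOST"], user, os.environ["SMTP_PASS"], test_msg))
```
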

Troubleshooting SMTP Authentication Errors

To resolve SMTP authentication errors when sending emails through Mimecast:

  • Ensure the SMTP submission address has the SMTP submission option turned on in User Settings.
  • Ensure the Password Never Expires option is enabled in User Settings.
  • Ensure the SMTP address is tied to Application Settings and the Authentication Profile has Cloud Authentication enabled (not SAML or Two-factor Authentication).
  • Ensure the associated Authentication Profile either has no Permitted Gateway IP Ranges, or includes the IP Address of the device.

To maintain the security of the SMTP account and prevent unwanted access to Mimecast applications without multi-factor authentication, ensure that features such as the Mimecast Personal Portal, Mimecast Mobile, and Mimecast for Outlook access are disabled within the Application Settings associated with the SMTP account.

Bypassing an Anti-Spoofing Policy

In specific customer accounts, an Anti-Spoofing Policy may be enabled to prevent unauthorized access to your Mimecast mail service. This is evident if, during testing, a "550 Anti-Spoofing policy - Inbound not allowed" error is returned. In this instance, enable an Anti-Spoofing SPF-Based Bypass Policy for your email addresses.


Comments

  • Hi Alex,

    Thank you for reaching out. We appreciate your patience. Our advisory team recommended we update the KB. There have been some updates added.

    For further engagement around this topic, please post your question in our Community. This will allow both Cybersecurity peers and the Mimecast team to address it. Once resolved, you can bookmark the solution for easy access.

    If your issue is urgent or you prefer to open a new support case, please do so here.