This article discusses some of the risks and pitfalls of using Office 365 Email Essentials (purchased via GoDaddy Inc.) for bulk email send out directly via SMTP servers. As many others, I have faced issues with this product and I’m hoping that the information below will help you solve these issues once and for all.
- Introduction
- GoDaddy SMTP settings
- 550 User has exceeded its 24-hour sending limit. Messages to 25 recipients out of 25 allowed have been sent
- Increasing SMTP relay per day quota?
- Office 365 SMTP settings
- 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Mailbox
- Enabling SMTP client authentication for Office 365 email
- 550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP
- Setup a port forward
- Conclusion
Introduction
Recently I was asked by a client to perform a phishing exercise for their organization. It was a medium-sized organization with a couple hundred employees.
I chose Gophish as the phishing platform for the job, purchased a domain via GoDaddy Inc. along with one Microsoft 365 Email Essentials account from GoDaddy Inc. as well.
Why Office 365 email? The reason is that it gives a slightly higher chance of successful email delivery instead of ending up in the junk / spam folder.
Anyway, the setup was quite straightforward and typical, however I faced a couple of unexpected problems with using GoDaddy / Office365 SMTP servers directly and this article hopefully provides all the answers and solutions how to fix these problems
GoDaddy SMTP settings
When looking for GoDaddy SMTP settings, you will most likely end up on similar page like this recommending you to use smtpout.secureserver.net:465 SMTP server for sending out emails.
This is how to setup a Sending Profile in Gophish for this particular SMTP server:
| Settings | Value |
|---|---|
| Name | profile1 |
| From | Your User <[email protected]> |
| Host | smtpout.secureserver.net:465 |
| Username | [email protected] |
| Password | ******** |
During the testing phase, everything seems fine. The emails are being sent and received. All seems good.
However, there is a hidden caveat waiting for you behind the corner. If you are lucky as me, you will hopefully encounter the problem before the actual execution phase of the campaign.
550 User has exceeded its 24-hour sending limit. Messages to 25 recipients out of 25 allowed have been sent
After sending a few more testing emails, I have noticed that Gophish was suddenly unable to send out any more emails. Instead, Gophish was showing the following error message:
550 User [email protected] has exceeded its 24-hour sending limit. Messages to 25 recipients out of 25 allowed have been sent. Relay quota will reset in 23.60 hours.Here’s a screenshot:
Only 25 emails per day? This is obviously a huge problem, completely stopping us from performing the actual exercise. Unless, of course, we are doing only some kind of targeted spear phishing campaign where we can tolerate this limitation.
While I was looking for a solution, these are the things that I have tried and which did not help:
- Upgrading to Business Premium
- Re-creating the email account
- Purchasing Marketing Email product
None of these things will lift, reset or increase the SMTP relay quota for sending out emails using your Office 365 account, unfortunately. It seems like we simply have to wait 24 hours.
Increasing SMTP relay per day quota?
On this community thread it was suggested that it might be possible to increase the number of SMTP relays per day from 25 to 250 via an option in the Advanced settings in the GoDaddy web interface.
Well, not any more. It is not there, no matter how much time you spend clicking around the web interface.
In the GoDaddy tech support chat, I eventually got a confirmation that historically it was indeed possible to increase it, but this is no longer possible in the current web interface and nobody from the tech support was able to increase the number of SMTP relays for me either.
So, increasing the number of SMTP relays per day is simply not an option anymore.
Solution: The last person that I spoke to advised me to use the Office 365 SMTP servers, instead of the GoDaddy’s SMTP server. This is indeed the right way to go, but unfortunately again, not without problems..
Office 365 SMTP settings
So, to configure Gophish to use Office 365 SMTP servers, the Sending Profile in Gophish has to use the smtp.office365.com:587 SMTP server, like this:
| Settings | Value |
|---|---|
| Name | profile1 |
| From | Your User <[email protected]> |
| Host | smtp.office365.com:587 |
| Username | [email protected] |
| Password | ******** |
Now let’s try to send some emails..
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Mailbox
Unfortunately, I was facing the following error while trying to send emails directly via Office 365 SMTP servers:
Max connection attempts exceeded - 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Mailbox. Visit https://aka.ms/smtp_auth_disabled for more information. [JN3P275MB0811.ZAFP275.PROD.OUTLOOK.COM]Here’s another variant of the error:
Max connection attempts exceeded - 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information. [JN3P275MB0811.ZAFP275.PROD.OUTLOOK.COM]Believe or not, sending out emails directly via SMTP is disabled by default for these Office 365 email accounts.
Although you can send and receive emails using your favorite email client (e.g. Outlook) or by going to outlook.office365.com with your browser and logging in, sending emails using the smtp.office365.com SMTP server directly has to be enabled first.
Luckily, it’s not that hard.
Solution: Here’s how to enable the SMTP client authentication for your Office 365 email account:
Enabling SMTP client authentication for Office 365 email
- Connect to the Exchange Online PowerShell using these steps.
- Check the SMTP transport level settings:
Get-TransportConfig | fl SmtpClientAuthenticationDisabled - Check the SMTP authentication settings:
Get-CASMailbox [email protected] | fl SmtpClientAuthenticationDisabled - Enable the SMTP transport level:
Set-TransportConfig -SmtpClientAuthenticationDisabled $False - Enable the SMTP authentication:
Set-CASMailbox [email protected] -SmtpClientAuthenticationDisabled $False
Once you have that, you should be finally able to send emails directly via SMTP.
If that’s the case, then congratulations! Your job is done and you can continue with your business.
However, for me it was still not working..
550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP
The problem I had was that my emails were being sent fine, but none of them was being delivered! Instead, the emails were bouncing back and I was receiving failed delivery notices into my mailbox..
Here’s one such failed delivery notice:
Delivery has failed to these recipients or groups:
[email protected]
Your message wasn't delivered because the recipient's email provider rejected it.
Diagnostic information for administrators:
Generating server: C2106A94FE057.ZAFP275.PROD.OUTLOOK.COM
[email protected]
Remote Server returned '550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653 AS(8561) [JN3P275MB0811.ZAFP275.PROD.OUTLOOK.COM]'
Original message headers:
Received: from C2106A94FE057.ZAFP275.PROD.OUTLOOK.COM
([cc50::eccf:a2be:2ed3:3f3f]) by C2106A94FE057.ZAFP275.PROD.OUTLOOK.COM
([cc50::eccf:a2be:2ed3:3f3f%7]) with mapi id 15.20.4669.016; Mon, 8 Nov 2021
20:41:19 +0000
MIME-Version: 1.0
Content-Type: text/plain
Date: Mon, 8 Nov 2021 20:41:19 +0000
Message-ID:
<C2106A94FE057A42266C991E4A9339F99DA919@C2106A94FE057.ZAFP275.PROD.OUTLOOK.COM>
Subject: Test email subjectAfter searching online I have found that perhaps the problem could be that my source IP address (where I have Gophish installed) is flagged and blacklisted.
I have looked on all kinds of spam blacklists online and even tried to whitelist (delist) my IP address via sender.office.com (official Office 365 Anti-Spam IP Delist Portal), but there wasn’t any indication that my source IP address is even blacklisted.
All spam blacklists were telling me that my IP is fine. So what now?
Solution: Turns out you must not trust those lists! You are probably blacklisted somewhere if you are getting the above failed delivery notices, Microsoft is simply not telling you the truth that your IP address is blacklisted..
Setup a port forward
So to solve the above problem, I have launched another VPS instance and started up a simple port forwarder on it to forward all traffic to the Office 365 SMTP servers. You can for example use Amazon AWS free tier for the job.
For the actual port forwarding, I have used Socat tool, but other methods of port forwarding should work as well. Here’s how to do the port forward with Socat:
socat -d TCP4-LISTEN:55587,reuseaddr,fork TCP4:smtp.outlook.com:587Now in Gophish I had to change the Host value in the Sending Profile to point to my new VPS on port 55587, disable the certificate validation and it worked like a charm!
I was successfully able to send out bulk emails directly via SMTP using Office 365 SMTP servers. I could finally execute the phishing scenario for my client.
Conclusion
It can be quite stressful to find out that the product that you paid for doesn’t really work. Thankfully, after spending some additional effort, I was able to make it work the way I needed.
I’m hoping that you can do it too, using the information in this article. Please share your experience and comments below!
Thank you for reading and if you find this useful, feel free to buy me a coffee. If you would like more content like this, subscribe to my mailing list, Twitter or Facebook.
SHARE THIS
MOST VIEWED TOOLS
