Direct Send allows SMTP relay to external recipients?

Microsoft's article here: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4

....says that "Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.", but I have found that doesn't seem to be true. I can use any MX record for anyone that uses Office 365, connect to it via SMTP, and send to external recipients (like Gmail, another O365 tenant, etc.).

I thought that only the "SMTP relay" method was supposed to allow this, so you can create the connector and add an allowed static IP address.

Why does "Direct send" also allow delivery to external recipients with no authentication? Seems like a security risk!

It looks like you were using another method, SMTP client submission. I want to inform you that this method also allows sending emails externally. There is an easy way to identify it: see if you can send emails externally without a licensed Office 365 mailbox. Just read the article again.


I'm not using SMTP client submission.

You can recreate this "issue" with Direct Send by doing the following:

Make sure to complete this test from behind a static IP address that is NOT on any blacklists, as Microsoft won't accept SMTP traffic from an IP on any blacklist (which most dynamic IP addresses are on).

Download an SMTP testing tool (or use telnet if you're familiar with SMTP commands). I use SMTP Diag Tool (https://www.adminkit.net/smtp_diag_tool.aspx).

Enter a valid Office 365 MX record for "SMTP Server". UNCHECK "Server requires authentication".

Make up a From: address at the correct domain (like *** Email address is removed for privacy ***).

Enter a To: address that is EXTERNAL to the Office 365 tenant (like another Office 365 account in a different tenant OR a Gmail address).

Click "Test SMTP" and it will go through. It might be delivered to junk/spam on the recipient's end, but the point is that it allows relaying to external recipients.
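A defender-side check for the pattern described in the post above, added here as an example and not part of the original thread: it flags a message whose From: claims one of your own domains although neither SPF nor DKIM passed for it. It assumes the receiving system stamps an RFC 8601 Authentication-Results header; `OWNED_DOMAINS`, the host names and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains you own. example.com is a placeholder.
OWNED_DOMAINS = {"example.com"}
_RESULT = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(msg):
    """Read spf/dkim/dmarc verdicts from the topmost Authentication-Results
    header, i.e. the one stamped by the most recent receiving server."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = msg.get("Authentication-Results", "")  # first occurrence only
    for method, value in _RESULT.findall(header):
        verdicts[method.lower()] = value.lower()
    return verdicts

def is_spoofed_internal(raw):
    """True when From: claims an owned domain but neither SPF nor DKIM passed.
    A message with no Authentication-Results header at all is also flagged."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in OWNED_DOMAINS:
        return False
    verdicts = auth_results(msg)
    return verdicts["spf"] != "pass" and verdicts["dkim"] != "pass"

# Constructed sample messages (not taken from the thread).
SPOOFED = (
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com;\n"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "From: Scanner <scanner@example.com>\nTo: user@example.org\n\ntest\n")
LEGIT = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: HR <hr@example.com>\nTo: user@example.org\n\nhello\n")
EXTERNAL = (
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=other.test\n"
    "From: someone@other.test\nTo: user@example.org\n\nhi\n")
UNSTAMPED = "From: printer@example.com\nTo: user@example.org\n\nscan\n"

if __name__ == "__main__":
    for name in ("SPOOFED", "LEGIT", "EXTERNAL", "UNSTAMPED"):
        print(name, is_spoofed_internal(globals()[name]))
```

Messages flagged this way are candidates for review; whether they are rejected or quarantined depends on the DMARC policy published for the domain.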


Hi Ts_ryan,

My understanding is that the tool itself has the ability (acting as the mail server) to route the mail. As a result, it can be routed to external non-Office 365 accounts.

You can read more in that article (How direct send works > Note).

Regards,

Alan

-----------------------

* Beware of scammers posting fake support numbers here.

* Kindly Mark and Vote this reply if it helps please, as it will be beneficial to more Community members reading here.


Alan -- I'm not sure I follow. That tool is just a simple SMTP testing interface. It doesn't act as a mail server. It's the same thing as connecting via telnet...it's just easier.


Hi Ts_ryan,

Firstly, I’d like to clarify that direct send doesn’t use any Office 365 configurations to send the emails.
As said in the article you found, the setting for the server is the MX endpoint pointed to Office 365. So if you didn’t change the MX endpoint, you can only send emails using direct send to Office 365 email addresses. If you change the MX endpoint to other email services, you can send emails to other external email addresses.

Regards,
Yang

1 person found this reply helpful


I understand how direct send works. Can you please try to recreate the issue as I've described? Take any domain's Office 365 tenant MX record and try to use it to send mail from *** Email address is removed for privacy *** to a Gmail account. It sends successfully, which I don't believe should be allowed.

Here's an example of the SMTP Diag Tool settings, the resulting log, and the message in Gmail. The O365 tenant for this MX record does NOT have a connector set up for the "SMTP Relay" method (which would make this work):

(note that the MX record in the SMTP Server box has the beginning cut off in this screenshot)


Hi Ts_ryan,

Thanks for your clarification. 

It should be the tool's mechanism. I will further check the tool. You may also test it via another device to see if it is the same situation. But, since you can send successfully, isn't it good news?

Regards,

Alan


Alan,

I can do the same exact thing using telnet and SMTP commands. I just verified this...I connected to an Office 365 MX record on port 25, then used the commands to compose a message to a Gmail account. I received the message successfully in the Gmail account.

So, it has nothing to do with SMTP Diag Tool...that's just a much easier/faster way of testing than using telnet and SMTP commands.

It's most definitely not "good news" that Direct Send seems to not work the way Microsoft's documentation shows. It says it won't send to external recipients, but it does...unless I'm missing something here.


Hi Ts_ryan,

Thanks for your update.

Please change the From address to an Office 365 group’s email address in your Office 365 tenant and then send a test email to the Gmail account.

In addition, please send us the SMTP Diag Tool. I’ve sent you a Private Message to collect it. You can access it via this link:

https://answers.microsoft.com/en-us/privatemessages/list

Regards,

Barry


Hi Ts_ryan,

If there is any update, please let us know.

Regards,

Alan



Question Info

Last updated January 22, 2024. Views: 6,345.