Hi @Sandro D'Incà
Thank you for posting your question in the Microsoft Q&A forum.
To ensure reliable and secure delivery of alarm notifications from an unmonitored address via an on-prem Exchange server using authenticated SMTP over TLS, the recommended best practice is to create a dedicated service account. Below is a step-by-step guide to help you implement this setup effectively:
- Create a dedicated service account
  Set up a dedicated mailbox-enabled user (e.g., [******@yourdomain.com]) in Active Directory and Exchange. This account will serve as the authenticated sender for alarm notifications.
  - Mailbox type: Use a standard user mailbox; avoid shared or resource mailboxes, and do not use mail-enabled users without mailboxes, as they cannot authenticate via SMTP AUTH.
  - Authentication: This account will authenticate over TLS using SMTP AUTH.
  - Permissions: Grant only the minimum permissions required to authenticate and send mail.
  - Use a strong, non-expiring password, or manage credentials securely via a password vault or a managed identity solution to reduce operational risk.
- Configure it as a “No-Reply” mailbox, since this mailbox is not intended to receive responses:
  - Use transport rules to auto-delete incoming mail.
  - Or hide the mailbox from the Global Address List (GAL) to silently drop mail.
- Ensure your Exchange server is properly configured to accept and relay messages from the service account:
  - Authentication: Enable Basic Authentication over TLS, or use Integrated Windows Authentication if the client is domain-joined.
  - Permission groups: Enable Exchange Users to allow authenticated users to send mail.
  - TLS enforcement: Require TLS and ensure the certificate is trusted by the client.
- SMTP client configuration
  - Server address: Point your alarming solution to the Exchange server’s internal FQDN or IP address over port 587.
  - Credentials: Use the dedicated account’s username and password.
  - Encryption: Enforce STARTTLS or SSL/TLS depending on your Exchange configuration.
- Additional considerations:
  - Ensure SPF, DKIM, and DMARC records are correctly configured for the domain to avoid delivery issues.
  - Avoid bypassing sender authentication unless absolutely necessary.
  - Apply a retention policy to automatically delete sent items after a defined period, or use transport rules to prevent saving sent items.
  - Log and monitor the account’s activity to detect any misuse, misconfiguration, or unexpected behavior.
I hope this information is helpful.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
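The steps in the answer above as Exchange Management Shell commands, added here as an illustration and not taken from the answer or from Microsoft documentation. The server name EXCH01, domain contoso.local, the OU path, the ops@ recipient and the 7-day retention period are placeholders, and the ActiveDirectory module is assumed for Set-ADUser.

```powershell
# Added illustration, not from the original answer. Placeholders: EXCH01,
# contoso.local, the OU path, ops@contoso.local. Run in the Exchange
# Management Shell; Set-ADUser needs the ActiveDirectory module.

# 1. Dedicated, mailbox-enabled service account (standard user mailbox)
$pwd = Read-Host -AsSecureString -Prompt "Password for alarm-noreply"
New-Mailbox -Name "Alarm Notifications" -Alias "alarm-noreply" `
    -UserPrincipalName "alarm-noreply@contoso.local" -Password $pwd `
    -OrganizationalUnit "contoso.local/Service Accounts"
Set-ADUser -Identity "alarm-noreply" -PasswordNeverExpires $true

# 2. No-reply behaviour: hide from the GAL and delete anything sent to it
Set-Mailbox -Identity "alarm-noreply@contoso.local" -HiddenFromAddressListsEnabled $true
New-TransportRule -Name "Drop inbound mail to alarm-noreply" `
    -SentTo "alarm-noreply@contoso.local" -DeleteMessage $true

# 3. Purge Sent Items after 7 days so alarm copies do not accumulate
New-RetentionPolicyTag -Name "Alarm sent items 7d" -Type SentItems `
    -AgeLimitForRetention 7 -RetentionAction PermanentlyDelete
New-RetentionPolicy -Name "Alarm sender" -RetentionPolicyTagLinks "Alarm sent items 7d"
Set-Mailbox -Identity "alarm-noreply@contoso.local" -RetentionPolicy "Alarm sender"

# 4. Client connector on 587: TLS required, Basic auth only inside TLS,
#    Integrated auth for domain-joined clients, Exchange Users permission group
Set-ReceiveConnector -Identity "EXCH01\Client Frontend EXCH01" `
    -RequireTLS $true `
    -AuthMechanism Tls, Integrated, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers
# The certificate bound to SMTP must be trusted by the alarming client and
# its name must match the FQDN the client connects to
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint

# 5. Verify from the client side: authenticated STARTTLS submission on 587
$cred = Get-Credential -UserName "contoso\alarm-noreply" -Message "Service account"
Send-MailMessage -SmtpServer "exch01.contoso.local" -Port 587 -UseSsl -Credential $cred `
    -From "alarm-noreply@contoso.local" -To "ops@contoso.local" `
    -Subject "Alarm relay test" -Body "Authenticated STARTTLS test message"

# 6. Monitor: every message the account submits shows up in message tracking
Get-MessageTrackingLog -Sender "alarm-noreply@contoso.local" `
    -Start (Get-Date).AddDays(-1) -EventId RECEIVE |
    Select-Object Timestamp, ClientIp, Recipients, MessageSubject
```

Use the FQDN from the certificate's CertificateDomains as the SmtpServer value; connecting by IP address will fail the client's certificate name check once TLS is required.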