Catch-all with Office 365
Set-up of E-mail servers in Office and Odoo.
10 February, 2022 by manaTec GmbH, Jan Wiegand
 


In past blog posts, we have already covered communication in Odoo as well as the setup of a catch-all e-mail address. We mentioned there that setting up a catch-all mailbox via Office 365 is somewhat more involved than with other providers. For the Odoo ERP system to be connected to Office 365 securely and with all communication functions, some prerequisites have to be met and some settings have to be made. In today's post, we look at setting up a catch-all mailbox in Office 365, covering the following topics: general prerequisites, settings in Office 365 with additional two-factor authentication, correct SPF and DKIM entries in DNS, and the setup in Odoo.

1. General prerequisites

These instructions are not suitable for Odoo Online. They assume that Odoo is running on-premises. In addition, the Odoo instance must communicate externally via a fixed IP. Full administrative permissions in Odoo and in Office 365 are required for the following configuration. Furthermore, at least one account with a "Microsoft 365 Business Basic" license must exist in Office 365; it is used for the Odoo catch-all email address.

2. Settings in Office 365

To make Odoo with all its internal functions work correctly with Office 365, an Office 365 mail relay must be available and configured accordingly, and a basic catch-all functionality must be implemented by means of email flow rules.

2.1 Preparing a Mail Relay

For this purpose, a new connector is created in the "Exchange Admin Center" (Email Flow → Connectors → Add Connector).

The specification of the E-mail flow scenario.

"Your organization's email server" is selected as the email flow scenario. In the next step, the name of the connector is defined, for example "Odoo Mail-Relay". The connector can be activated directly, and the internal Exchange email headers can be retained.

The specification of the connector name.

The last step determines how the Odoo instance authenticates itself to Office 365. Since it is assumed here that Odoo is connected directly to the relay and no other mail relay or similar is integrated in between, the outgoing IP of the Odoo instance is added. For the same reason, it is important that the IP of the Odoo instance is later included in the SPF entry.

The connector authentication.

2.2 Configure catch-all email address

Office 365 does not actually have a typical catch-all feature. However, it is possible to create a rule that provides this type of functionality.

The first thing to do for this rule is to create a dynamic distribution list. This can be done in the "Exchange Admin Center" group settings (Recipients → Groups → Add Groups). This group will be needed later as a filter to define which email addresses and distribution groups exist in Office 365 and thus will not be forwarded to the catch-all address.

The selection of a group type.

The next step is to assign a name, for example "Catch-all exceptions".

The basic setup.

Dynamic distribution lists, as the name suggests, are organized dynamically and it is necessary to define accordingly which addresses belong to this group.

The assignment of users.

This group does not need an owner; only the recipient types have to be defined. The next step is to assign a group email address to this list. Note that this group is not updated in real time. This must be taken into account in the relevant processes, for example during onboarding or when creating new resources.

The E-mail address in the group.

After the group is created, it should be hidden in the global address list. To do this, click once again on the group name and activate the corresponding setting.

Hiding the group in the global address list.

Next, the email flow rule is created in the "Exchange Admin Center" (Email Flow → Rules). If rules already exist here, they must be taken into account accordingly. Therefore, this rule should be the only one or the first one in the rule sequence. In essence, this rule specifies that emails to all recipients of the own domain that are not known to Office 365 are forwarded to the mailbox provided for Odoo.

The catch-all rule settings.

The rule is configured to apply to all messages and forward them to the Odoo catch-all mailbox, unless the recipients are outside of your own organization. This is important so that the rule does not apply to outgoing emails. It also does not apply if the recipient is in the previously created dynamic distribution list, so that delivery to existing mailboxes still works. Since this is the only rule in this example, it is given the priority "0", and so that it is always applied, the severity level "High". Since no further rule is to be applied afterwards, this is activated with.

This rule alone does not work, however, because Office 365 still checks whether an email address exists in Office 365 and, if not, rejects it via a bounce message. To stop this behavior, Office 365 still needs to know that other email addresses can exist without being configured in Office 365 (Email Flow → Accepted Domains). By selecting one or more domains, this can be changed to "Internal Relay" in the respective settings.

The configuration of the domain.

2.3 Two-factor authentication

When Office 365 is newly set up, two-factor authentication is already enabled, which increases protection against unauthorized access to the company's data. This should of course remain in place and is also very important. However, in Office 365 it is only possible to retrieve emails via IMAP if the OAuth2 method is used for authentication. How to set up the IMAP connection correctly is described in an additional blog post.

3. DKIM and SPF

For emails from Odoo to be considered trustworthy by other email servers later on, it is recommended to enable DKIM in Office 365. Furthermore, the IP of the Odoo instance must be added to the SPF record of the domain used, and a recommendation must be published via a DMARC record.

3.1 DKIM

DKIM adds a signature, created with a private DKIM key, to each email sent from Office 365. The receiving email servers can then verify this signature using the DKIM public key. For this purpose, Office 365 has a corresponding CNAME record added to one's domain as a subdomain. If you are already logged into Office 365 with administrator rights, you can use the website https://security.microsoft.com/dkimv2 to create the DKIM entries. The DNS entries specified there are then set accordingly.

3.2 SPF

With the Sender Policy Framework (SPF) entry, the Odoo instance and of course Office 365 must be specified as authorized senders. The entry is added to the own domain as a TXT record, for example: "v=spf1 include:spf.protection.outlook.com ip4:IP_ODOO -all". This authorizes Office 365 and the Odoo instance as senders and rejects all others.

3.3 DMARC

The DMARC entry is the recommendation for how the receiving email server should handle emails whose DKIM signature is missing or incorrect, or which do not originate from an address listed in the SPF entry. A simple variant is for example "v=DMARC1; p=quarantine; rua=mailto:example@example.org"; it is set as a TXT entry under the subdomain "_dmarc". It is important that this is not set until it has been ensured that SPF and DKIM are correct.
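
As an added example (not part of the original post), the following Python sketch checks an SPF record against the requirements from section 3.2 and parses a DMARC record like the one in 3.3. The IP 203.0.113.10 is a constructed stand-in for IP_ODOO, the function names are hypothetical, and the check is purely textual: it does not query DNS or resolve the include.

```python
import ipaddress

# Constructed sample records; 203.0.113.10 stands in for IP_ODOO.
SPF_OK = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
DMARC = "v=DMARC1; p=quarantine; rua=mailto:example@example.org"


def check_spf(record, odoo_ip):
    """Return a list of problems with an SPF TXT record for Office 365 plus Odoo."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    problems = []
    if "include:spf.protection.outlook.com" not in mechanisms:
        problems.append("Office 365 is not authorized (include missing)")
    # The relay connector trusts the Odoo IP, so SPF must cover the same IP.
    ip = ipaddress.ip_address(odoo_ip)
    nets = [m.split(":", 1)[1] for m in mechanisms
            if m.startswith(("ip4:", "+ip4:"))]
    if not any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
        problems.append(f"Odoo IP {odoo_ip} is not covered by an ip4 mechanism")
    if mechanisms[-1:] != ["-all"]:
        problems.append("record does not end with -all")
    return problems


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs and validate the basics."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


if __name__ == "__main__":
    for name, rec in (("good", SPF_OK), ("weak", SPF_WEAK)):
        print(name, check_spf(rec, "203.0.113.10") or "ok")
    print(parse_dmarc(DMARC))
```

Run against the record actually published for the domain, an empty list from check_spf means both authorized senders are present and everything else is rejected.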

4. Setup in Odoo

The Odoo ERP is now set up to send emails from its own Office 365 instance using the SMTP relay and to retrieve emails from the catch-all account using IMAP. In addition, Odoo should send emails that do not belong to its own domain using a specified email address.

4.1 General settings

The Odoo ERP must know under which domain the own e-mail addresses are managed. For this purpose, an administrator defines the alias domain in the general settings of Odoo.

The specification of the alias domain.

In addition, the system parameter (mail.dynamic.smtp.from) determines which email address Odoo uses when it wants to send emails on behalf of someone else.

The Odoo system parameter.

This is important for two reasons: the Office 365 SMTP relay only allows sending with addresses that belong to your own domain, and sending with other addresses would be considered email spoofing and would thus often end up in spam.

4.1.1 Changes as of Odoo 15

As of Odoo version 15, this system parameter is no longer used and the desired behavior can be configured in the outbound server settings. For this purpose, the domain that is allowed is specified in the "From Filter".

The Odoo system parameters in version 15.

In addition, the system parameter (mail.default.from) can be used to adjust the sender address to be used. The address is then composed of the specified value and the set "Alias Domain".

The Odoo system parameters in version 15.

4.2 SMTP Settings (Outgoing Email Server)

The outgoing email server is now our Office 365 SMTP relay. The address corresponds to the MX record of the own domain used in Office 365.

The outbound E-mail server.

Port "25" is used and the connection security "TLS (STARTTLS)" is selected. Neither user name nor password is specified, since Odoo authenticates itself to Office 365 using its outgoing IP address.


5. Annotations

Now that emails addressed to non-existent addresses arrive in Odoo, additional modules are needed, for example to assign them manually or to send a rejection email.

Are you looking for an ERP system with which you can map your complete corporate communication or do you need support in setting up a catch-all in Office 365 for Odoo? No problem! Contact us now and we will be at your side as an experienced Odoo partner and IT support!


Sources https://ventor.tech/

 