High Sending SMTP Solution:
As part of the move to Exchange Online, there are a new set of limits mandated by Microsoft. These are linked here, but cover a range of settings including sending and receiving email as well as distribution lists, mailbox folders and message limits.
In recognition that many NHS accounts send above the 30 messages a minute defined by Microsoft, a new high-sending solution has been provided on the platform. The solution allows, where applicable, application accounts to send above this limit.
How to use the solution?
The solution is made available to accounts that are enabled for SMTP and are configured to use send.nhs.net as the hostname.
Longer term there will be a review process to ensure this service is only available to application accounts that require it.
Any accounts that use the O365 SMTP address – smtp.office365.com will be held to the Microsoft Exchange Online sending limits.
Implementation:
The solution was implemented successfully on the 29th and 30th of March. Large volumes of Internet and HSCN traffic have been witnessed successfully sending mail through the solution.
Troubleshooting & FAQs:
We are aware that a small number of applications have experienced issues following the cutover. Please see below for guidance and advice on troubleshooting.
Please note, in most scenarios troubleshooting will be required by local vendors/3rd party application providers. The below guidance should help steer those conversations:
- Local Firewall: Please ensure that your local firewall is configured correctly to enable SMTP traffic on port 587. Should you experience any POP or IMAP issues, please also ensure the correct IP ranges are allowed.
- Authentication: 7.8 Authentication Failed error – please ensure the username and password is correct for the account attempting to authenticate. Please try the below steps:
- Check the account is authenticating successfully by logging into OWA
- Reset the account password
- Log out and back into the SMTP client
- Clearing any cached credentials in your local application configuration
- When authenticating to use the solution, your application must use a fully qualified hostname – including the @nhs.net suffix. This is also the case when sending – it must be an @nhs.net account
- EHLO / HELO commands must include the authenticating account hostname. Applications cannot present themselves as send.nhs.net – if this is configured incorrectly the below error message will be seen: 554+5.7.1+:+Helo+command+rejected:+Hostname+Abuse:+send.nhs.net
- Transport Layer Security (TLS): The same versions of TLS are currently supported as they were previously on-premise (v1.0-1.2). Your application must be configured to use the STARTTLS command when authenticating. If you currently use ‘Implicit Mode’ or don’t explicitly call the STARTTLS command you will need to update your application. TLS v1.0 and v1.1 will be cease to be usable over the network due to Microsoft depreciation in 2021
- Supported Ciphers: If your application uses Java, please ensure it is configured to use supported ciphers. SHA-0 and SHA-1 are deprecated and will not be able to authenticate with the high-sending solution
- Send As permissions: SMTP can be configured to use the Send As permission for sending. Full Access or Send on Behalf of delegate permissions cannot be used for SMTP sending. Sending As from external domains is also not supported (i.e. @nhs.uk). If you are facing issues sending as another @nhs.net account, please ensure it is enabled for SMTP and the delegate permissions are correctly setup in the NHSmail Portal
- Sending to Distribution Groups: If your application is sending directly to distribution Groups, you must configure the authorised senders for the DL to allow ‘Senders inside and outside of NHSmail including the Internet’ or ‘Specific Senders Only.’ This can be configured through the NHSmail Portal here
If some of your application accounts work, whilst others do not – it is important to verify initially that the account has SMTP enabled, that the credentials authenticate successfully (log in to OWA / reset password if needed) and as mentioned any delegate permissions are configured correctly. If the issue persists, please contact your application provider and ask them to complete a side by side comparison with accounts that are successfully connecting.
Setting up IIS
- To view the settings, open IIS 6.0 manager, right click the SMTP Virtual Server and choose Properties.
- Once the properties are open, go to the Delivery tab and open the Outbound Security options.
- Ensure the outbound security includes a full email address and password of the account which is used to relay emails, with the TLS encryption box checked like the screenshot below:
- Ensure that the fully qualified domain name and smart host is setup correctly in the Advanced Delivery options. Example below:
The smart host will need to be setup as send.nhs.net otherwise the IIS server will attempt local delivery and will have issues routing emails.
| Last Reviewed Date | 25/05/2021 |
