Configure SMTP settings for email notifications

Deep Security Manager can send emails to users when selected alerts are triggered (see Configure alerts). Before setting up the email notifications, you need to allow Deep Security Manager access to a simple mail transfer protocol (SMTP) mail server:

Starting with Deep Security 20.0, you can use OAuth 2.0 authentication for Microsoft Exchange Online SMTP. This provides secure email delivery without requiring basic authentication or application-specific passwords. See Configure OAuth 2.0 for Microsoft Exchange Online.

  1. Go to Administration > System Settings > SMTP.
  2. Type the IP address or hostname of your SMTP email server. Include the port number if different from the default port number.

    AWS throttles (rate limits) email on the Internet Assigned Numbers Authority (IANA) standard port number for SMTP: Port 25. If you use AWS Marketplace, you may have faster alerts if you instead use SMTP over STARTTLS (an SMTP extension that upgrades the connection to Transport Layer Security). For more information, see Connecting to an Amazon SES SMTP endpoint.
  3. Use the From field to enter the email address from which the emails should be sent.

    If you are using Amazon Simple Email Service (SES), the sender email address must be verified. To learn how to verify your email address in Amazon SES and view a list of addresses you have already verified, see Verifying an email address identity.
  4. Optionally, type a bounce address to which delivery status notifications (DSN) should be sent if the alert emails cannot be delivered to one or more users.
  5. Configure authentication based on your SMTP server:
    • For Microsoft Exchange Online with OAuth 2.0, select Mail server requires OAuth 2.0 authentication for Microsoft Exchange Online and enter your OAuth 2.0 credentials. See Configure OAuth 2.0 for Microsoft Exchange Online.
    • For standard SMTP authentication, select Mail server requires authentication and enter your SMTP user name and password.
  6. Select STARTTLS if your SMTP server supports the protocol. Deep Security Manager FIPS mode supports STARTTLS in Deep Security Manager 20 LTS Update 2022-03-22 and later. See FIPS 140 support.

    If OAuth 2.0 authentication is enabled for Microsoft Exchange Online, STARTTLS is automatically enabled and cannot be disabled, as this is a requirement for OAuth 2.0.
  7. After entering the necessary information, click Test SMTP Settings to test the connection.

Configure OAuth 2.0 for Microsoft Exchange Online

Starting with Deep Security 20.0, Deep Security Manager supports OAuth 2.0 authentication for SMTP, allowing secure email delivery through Microsoft Exchange Online without requiring basic authentication or application-specific passwords.

Prerequisites

Ensure that you have the following:

  • Microsoft 365 subscription with Exchange Online (Business or Enterprise license). Basic Office 365 plans without Exchange Online are not supported.
  • Administrator role:
    • Global Administrator or Application Administrator - for Azure AD configuration
    • Exchange Administrator or Global Administrator - for Exchange Online configuration

    If you do not have the required administrator permissions, you need to work with your IT department or Microsoft 365 administrator to complete the Azure AD and Exchange Online configuration. The final DSM configuration can be performed by any DSM user with the Settings Update permission.

Configure Microsoft Entra ID

Configuring Microsoft Entra ID is a multi-step process.

Step 1: Register an application in Microsoft Entra ID

  1. Sign in to the Azure portal.
  2. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
  3. Select App registrations from the menu on the left.
  4. Click New registration.
  5. Configure the application by defining the following:
    • Name: Provide the Deep Security Manager SMTP or your preferred name.
    • Supported account types: Select Accounts in this organizational directory only.
    • Redirect URI: Leave this field blank.
  6. Click Register.
  7. After registration, note the values of the Application (client) ID and Directory (tenant) ID fields on the Overview page, as you will need them later.

Step 2: Create a client secret

  1. In your application registration, select Certificates & secrets from the menu on the left.
  2. Under Client secrets, click New client secret.
  3. Configure the secret by defining the following:
    • Description: Enter the DSM SMTP secret or your preferred description.
    • Expires: Set the appropriate expiration period (for example, 24 months).
  4. Click Add.
  5. Copy the Value immediately and store it in a secure location - this is your client secret and it is only visible once. You will need it to configure DSM.

Step 3: Configure API permissions

  1. In your application registration, select API permissions from the menu on the left.
  2. Click Add a permission.
  3. Select APIs my organization uses.
  4. Search for and select Office 365 Exchange Online.
  5. Select Application permissions (not Delegated permissions).
  6. Add the permission by expanding the SMTP section and selecting SMTP.SendAsApp.
  7. Click Add permissions.
  8. If you are a Global Administrator, click Grant admin consent for [Your Organization], then click Yes.
  9. Verify that the status is Granted for [Your Organization] with a green checkmark.

It is important that you select Office 365 Exchange Online API, as opposed to Microsoft Graph. The permission should be SMTP.SendAsApp in the API permissions list.

Configure Exchange Online

Step 4: Enable SMTP AUTH for your tenant

SMTP AUTH may be disabled by default in your tenant. Verify this and, if it is disabled, enable it as follows:

  1. Sign in to the Exchange admin center.
  2. Navigate to Settings > Mail flow > Accepted domains.
  3. Select your domain and verify SMTP is enabled.

    If you encounter an error about SMTP AUTH being disabled:

    • In Exchange admin center, go to Settings > Mail flow.
    • Click on SMTP AUTH settings.
    • Enable Authenticated SMTP (SMTP AUTH) for your organization.

Step 5: Enable SMTP AUTH for the mailbox

SMTP AUTH needs to be enabled for the specific mailbox used by DSM.

Option A: Enable using Exchange Online PowerShell (recommended for bulk operations)

  1. Connect to Exchange Online PowerShell by executing the following command:
    Connect-ExchangeOnline -UserPrincipalName admin@yourcompany.com
  2. Enable SMTP AUTH for the mailbox by executing the following command:
    Set-CASMailbox -Identity "dsm-notifications@yourcompany.com" -SmtpClientAuthenticationDisabled $false
  3. Verify the setting by executing the following command:
    Get-CASMailbox -Identity "dsm-notifications@yourcompany.com" | Select-Object SmtpClientAuthenticationDisabled
    The value should be False.

Option B: Enable using Exchange Admin Center

  1. Go to Recipients > Mailboxes.
  2. Select the mailbox and click Manage email apps settings.
  3. Ensure that Authenticated SMTP is enabled.
  4. Click Save.

Step 6: Register service principal in Exchange Online

The application must be registered as a service principal in Exchange Online.

To register, perform the following procedure using PowerShell (there is no UI option available):

  1. Connect to Exchange Online PowerShell (if not already connected) by executing the following command:
    Connect-ExchangeOnline -UserPrincipalName admin@yourcompany.com
  2. Register the service principal by executing the following command:
    New-ServicePrincipal -AppId <Application (client) ID> -ServiceId <Object ID> -DisplayName "Deep Security Manager SMTP"
    Replace the following values:
    • <Application (client) ID>: The Application (client) ID from Step 1.
    • <Object ID>: The Object ID in Azure Portal > App registrations > Your app > Overview > Object ID.
  3. Grant the service principal permission to send email as the mailbox by executing the following command:
    Add-MailboxPermission -Identity "dsm-notifications@yourcompany.com" -User <Application (client) ID> -AccessRights FullAccess
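    The following script, an added example rather than Trend Micro's own code, runs Step 5 (Option A) and Step 6 in one pass and verifies each result so a misconfiguration surfaces before the DSM test. The admin UPN, mailbox, Application (client) ID and Object ID are the page's placeholders; substitute your own values.

```powershell
# Added example (not part of the Deep Security documentation). Placeholder values from the page:
$AdminUpn    = "admin@yourcompany.com"
$Mailbox     = "dsm-notifications@yourcompany.com"
$AppId       = "<Application (client) ID>"   # from Step 1
$ObjectId    = "<Object ID>"                 # from Step 6, item 2
$DisplayName = "Deep Security Manager SMTP"

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 5: enable SMTP AUTH on the DSM mailbox and confirm the flag reads False.
Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false
$cas = Get-CASMailbox -Identity $Mailbox
if ($cas.SmtpClientAuthenticationDisabled -ne $false) {
    throw "SMTP AUTH is still disabled for $Mailbox (DSM would see '535 5.7.139' until this is False)"
}

# Step 6, item 2: register the service principal only if it is not already present.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    # The page uses -ServiceId; if your Exchange Online module rejects it, the parameter is named -ObjectId in newer versions.
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $ObjectId -DisplayName $DisplayName
}

# Step 6, item 3: grant FullAccess on the mailbox, then confirm the grant is actually present.
$perm = Get-MailboxPermission -Identity $Mailbox -User $AppId -ErrorAction SilentlyContinue
if (-not ($perm.AccessRights -contains "FullAccess")) {
    Add-MailboxPermission -Identity $Mailbox -User $AppId -AccessRights FullAccess | Out-Null
    $perm = Get-MailboxPermission -Identity $Mailbox -User $AppId
}
if (-not ($perm.AccessRights -contains "FullAccess")) {
    throw "FullAccess was not granted to $AppId on $Mailbox (DSM would see '430 4.2.0 STOREDRV' until this is fixed)"
}

Write-Host "SMTP AUTH enabled and service principal granted FullAccess on $Mailbox; allow 15-30 minutes to propagate."
```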

Configure Deep Security Manager

Step 7: Configure SMTP settings in DSM

  1. Log in to the Deep Security Manager console.
  2. Navigate to Administration > System Settings > SMTP tab.
  3. Configure the following:
    • SMTP mail server address: Set it to smtp://smtp.office365.com:587
    • From email address: Set it to dsm-notifications@yourcompany.com. This is the mailbox you configured in Step 5.
    • Bounce email address: Set it to dsm-notifications@yourcompany.com
  4. Select Mail server requires OAuth 2.0 authentication for Microsoft Exchange Online.
  5. Enter OAuth 2.0 credentials:
    • Directory (tenant) ID: Enter the value from Step 1.
    • Application (client) ID: Enter the value from Step 1.
    • Client secret: Enter the value from Step 2.
  6. Click Test SMTP settings to verify the configuration.
  7. If the test is successful, click Save.

When Mail server requires OAuth 2.0 authentication for Microsoft Exchange Online is selected, the following applies:

  • Standard SMTP authentication fields SMTP username and SMTP password are not available.
  • STARTTLS is automatically enabled and cannot be disabled, as this is required for OAuth 2.0.

Troubleshooting

The following are common errors and solutions when using OAuth 2.0 with Microsoft Exchange Online:

Error: "535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled"

Cause: SMTP AUTH is disabled at the tenant or mailbox level.

Solution:

  1. Enable SMTP AUTH for the tenant (see Step 4).
  2. Enable SMTP AUTH for the mailbox (see Step 5).
  3. Wait 5-10 minutes for changes to propagate.

Error: "535 5.7.3 Authentication unsuccessful"

Cause: One or more of the following:

  • Incorrect Application (client) ID, Directory (tenant) ID, or Client secret.
  • Service principal not registered in Exchange Online.
  • Missing API permissions or admin consent not granted.
  • Client secret has expired.

Solution:

  1. Verify all credentials are entered correctly in DSM.
  2. Ensure service principal is registered (see Step 6).
  3. Verify SMTP.SendAsApp permission is granted with admin consent (see Step 3).
  4. Verify that Client secret has not expired in Azure Portal.
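To isolate the causes listed above without involving DSM, the following added example (not Trend Micro's code) requests an application token with the Step 1 and Step 2 values and inspects its roles claim: a rejected request points at the credentials or an expired secret, while a token without SMTP.SendAsApp points at Step 3. The tenant ID, client ID and secret are assumed placeholders.

```powershell
# Added example (not part of the Deep Security documentation). Placeholders to replace:
$TenantId     = "<Directory (tenant) ID>"    # from Step 1
$ClientId     = "<Application (client) ID>"  # from Step 1
$ClientSecret = "<client secret value>"      # from Step 2; read from a secure store in practice

$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://outlook.office365.com/.default"   # Exchange Online resource, not Microsoft Graph
}

try {
    $resp = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ContentType "application/x-www-form-urlencoded"
} catch {
    # A rejection here means a wrong tenant ID, client ID or secret, or an expired secret,
    # which are the first and last causes the page lists for "535 5.7.3".
    throw "Token request failed: $($_.ErrorDetails.Message)"
}

# Decode the JWT payload (second base64url segment) to read the application roles it carries.
$payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

if ($claims.roles -notcontains "SMTP.SendAsApp") {
    throw "Token carries no SMTP.SendAsApp role: revisit Step 3 (Office 365 Exchange Online API, Application permission, admin consent)"
}
Write-Host "Token issued for audience $($claims.aud) with roles: $($claims.roles -join ', ')"
```

A token that passes this check but still fails at DSM with 535 5.7.3 leaves the service principal registration (Step 6) as the remaining cause on the page's list.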

Error: "430 4.2.0 STOREDRV; mailbox logon failure"

Cause: The service principal does not have permission to access the mailbox.

Solution:

  1. Grant the service principal FullAccess permission to the mailbox (see Step 6).
  2. Wait 15-30 minutes for permission changes to propagate.

For more information, see the following: