All of our network printers Scan to Email across 5 locations went down today... anyone else experiencing the same?
Posted by One_Stranger7794@reddit | sysadmin | 86 comments
Just wondering, as all of them breaking at the same time suggests there was a network change, but our network person says they've changed nothing so I'm wondering if MS maybe made a configuration change?
_Durs@reddit
Hi mate, this is due to Microsoft 2FA being forced to all accounts, which impacts the printer sending accounts. Been affecting us heavily as an MSP and Photocopier business.
We only use Canon machines, but if you access the RUI you can configure OAuth2 (provided the machine is on the latest updates).
You’ll need the following link:
https://login.microsoftonline.com/organizations/oauth2/v2.0
You’ll get a device token, log in with the sending email account and enter the code.
Hope that helps!
_Durs@reddit
Attaching a screenshot of an example machine.
Set the sender address as blank, TLS enabled.
_keyboardDredger@reddit
How are you finding token refresh on OAuth with the Canons? We've been looking at it for a while, but online it seemed like people were getting 2-3 weeks tops with one authorisation?
_Durs@reddit
Only had two devices out of the 40 or so we've changed that have lost it so far. If it does continue to be an issue I'll raise a case with MS and continue to investigate, as the machines should request a new auth code from their current one to prevent deauthentication / refresh the session.
_keyboardDredger@reddit
That’s enough for me to give it a trial run, thank you
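What the RUI is doing behind the screen described above, and the refresh step the token-refresh question above comes down to, as an added example (an editor's illustration, not code from the thread, from Canon or from Microsoft). It walks the OAuth2 device-code flow against the login.microsoftonline.com endpoint quoted above, then builds the SASL XOAUTH2 blob the copier presents to smtp.office365.com. Assumptions: CLIENT_ID is a placeholder for the app registration the copier acts as, the scope is the SMTP.Send permission plus offline_access (needed to get a refresh token at all), and the HTTP transport is injectable so the flow can be exercised offline. Endpoint paths, grant type and error codes are the documented Microsoft identity platform values.

```python
"""Added example, not Canon's or Microsoft's code and not from the thread.

Device-code flow for a copier: request a code, show it in the RUI, poll
until the sending account has signed in, refresh before the access
token expires, and encode the XOAUTH2 initial response for SMTP AUTH.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com/organizations/oauth2/v2.0"
SMTP_SCOPE = "https://outlook.office.com/SMTP.Send offline_access"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_form(url, fields):
    """Default transport: form-encoded POST. The JSON body is returned even
    on HTTP 400, which is how /token reports pending/expired states."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def request_device_code(post=http_post_form):
    """Step 1: get a device_code plus the user_code/URL the RUI displays."""
    device = post(f"{AUTHORITY}/devicecode",
                  {"client_id": CLIENT_ID, "scope": SMTP_SCOPE})
    if "error" in device:
        raise RuntimeError(f"devicecode request failed: {device['error']}")
    return device


def poll_for_token(device, post=http_post_form, sleep=time.sleep,
                   clock=time.monotonic):
    """Step 2: poll /token every `interval` seconds until the sending account
    has signed in. Backs off on slow_down, gives up when the code expires."""
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device.get("expires_in", 900))
    while clock() < deadline:
        tok = post(f"{AUTHORITY}/token",
                   {"client_id": CLIENT_ID, "grant_type": DEVICE_CODE_GRANT,
                    "device_code": device["device_code"]})
        err = tok.get("error")
        if err is None:
            return tok  # access_token, refresh_token, expires_in
        if err == "authorization_pending":
            sleep(interval)
        elif err == "slow_down":
            interval += 5  # server asked for a longer polling interval
            sleep(interval)
        else:  # expired_token, authorization_declined, bad_verification_code
            raise RuntimeError(f"device code flow failed: {err}: "
                               f"{tok.get('error_description', '')}")
    raise RuntimeError("device code expired before the account signed in")


def refresh_access_token(refresh_token, post=http_post_form):
    """Step 3: run before the (roughly one hour) access token expires. The
    server may rotate the refresh token, so persist the one it returns."""
    tok = post(f"{AUTHORITY}/token",
               {"client_id": CLIENT_ID, "grant_type": "refresh_token",
                "refresh_token": refresh_token, "scope": SMTP_SCOPE})
    if "error" in tok:
        raise RuntimeError(f"refresh failed: {tok['error']}")
    return tok


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 blob sent as 'AUTH XOAUTH2 <blob>' to
    smtp.office365.com:587 after STARTTLS."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


if __name__ == "__main__":
    device = request_device_code()
    print(device["message"])  # the URL and code the RUI would show
    token = poll_for_token(device)
    blob = xoauth2_initial_response("scanner@contoso.com", token["access_token"])
    print("AUTH XOAUTH2", blob[:24], "...")
```

A device that "loses" its authorisation is one whose step 3 has started failing: the refresh token was revoked, it was rotated and the new one was not stored, or the original sign-in never granted offline_access. None of those can be recovered silently; the device has to run step 1 again, which is why a lost authorisation shows up as a code prompt in the RUI.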
One_Stranger7794@reddit (OP)
You're a legend
b4k4@reddit
I got this working a few days ago. Had the config exactly as Canon instructed but couldn't get it to work until I found this:
https://youtu.be/ud-nL3m7dvQ?si=rRjck9tLcyWCFuhn
Had to enable Authenticated SMTP as an allowed email app on the account before it would work. Also had to wait a few hours before it took effect
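The "Authenticated SMTP" toggle mentioned above is the per-mailbox SmtpClientAuthenticationDisabled flag; there is also a tenant-wide one, and the server's reply to AUTH says which of the two is in the way. The following added example (an editor's illustration, not code from the thread or from Microsoft) probes a mailbox the way the copier would: connect to smtp.office365.com:587, STARTTLS, list the SASL mechanisms the server advertises, then attempt AUTH and classify the reply. The parsing and classification helpers are pure so they can be checked offline against the constructed reply text at the bottom, which is modelled on the documented 5.7.139 and 5.7.3 enhanced status codes rather than captured from a real tenant; only probe() touches the network.

```python
"""Added example, not from the thread and not Microsoft's or Canon's code.

SMTP AUTH probe for a Microsoft 365 mailbox: which mechanisms are
offered after STARTTLS, and what the reply to AUTH says about the
tenant-wide versus per-mailbox SmtpClientAuthenticationDisabled flag.
"""
import smtplib
import ssl

SMTP_HOST = "smtp.office365.com"
SMTP_PORT = 587


def auth_mechanisms(ehlo_response):
    """SASL mechanisms from an EHLO response (the bytes smtplib returns).
    No AUTH line after STARTTLS usually means SMTP AUTH is off tenant-wide."""
    for line in ehlo_response.decode(errors="replace").splitlines():
        if line.upper().startswith("AUTH "):
            return set(line.split()[1:])
    return set()


def classify_auth_reply(code, message):
    """Map the SMTP reply to AUTH onto the setting behind it."""
    text = message.decode(errors="replace") if isinstance(message, bytes) else message
    lowered = text.lower()
    if code == 235:
        return "authenticated"
    if "5.7.139" in text and "for the tenant" in lowered:
        # tenant switch: Set-TransportConfig -SmtpClientAuthenticationDisabled $false
        return "smtp-auth-disabled-tenant"
    if "5.7.139" in text:
        # mailbox switch: Set-CASMailbox <user> -SmtpClientAuthenticationDisabled $false
        # (the 'Authenticated SMTP' toggle; propagation is not instant)
        return "smtp-auth-disabled-mailbox"
    if "5.7.3" in text:
        # bad credentials, or basic auth blocked by security defaults / a CA policy
        return "authentication-unsuccessful"
    return f"other:{code}"


def probe(user, password=None, xoauth2_blob=None):
    """Live check. Give a password for basic SMTP AUTH, or the base64 XOAUTH2
    blob ('user=...\\x01auth=Bearer <token>\\x01\\x01') for OAuth."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as s:
        s.ehlo()
        s.starttls(context=ssl.create_default_context())
        _, ehlo = s.ehlo()  # capabilities are re-advertised after STARTTLS
        mechs = auth_mechanisms(ehlo)
        if xoauth2_blob is not None:
            code, msg = s.docmd("AUTH", "XOAUTH2 " + xoauth2_blob)
            if code == 334:  # error details ride in the 334; an empty line fetches the 535
                code, msg = s.docmd("")
        else:
            try:
                s.login(user, password)
                code, msg = 235, b"2.7.0 Authentication successful"
            except smtplib.SMTPAuthenticationError as exc:
                code, msg = exc.smtp_code, exc.smtp_error
            except smtplib.SMTPNotSupportedError:
                code, msg = 0, b"AUTH not offered"
        return mechs, classify_auth_reply(code, msg)


# Constructed samples for the helpers (placeholders, not captured replies).
SAMPLE_EHLO = (b"AM0PR01CA0001.outlook.office365.com Hello [203.0.113.10]\n"
               b"SIZE 157286400\nPIPELINING\nDSN\nENHANCEDSTATUSCODES\n"
               b"8BITMIME\nBINARYMIME\nCHUNKING\nSMTPUTF8\n"
               b"AUTH LOGIN XOAUTH2\n")
SAMPLE_TENANT_OFF = (b"5.7.139 Authentication unsuccessful, SmtpClientAuthentication "
                     b"is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled")
SAMPLE_MAILBOX_OFF = (b"5.7.139 Authentication unsuccessful, SmtpClientAuthentication "
                      b"is disabled for the Mailbox. Visit https://aka.ms/smtp_auth_disabled")

if __name__ == "__main__":
    print(auth_mechanisms(SAMPLE_EHLO))
    print(classify_auth_reply(535, SAMPLE_MAILBOX_OFF))
```

Run probe() once with the copier's own credentials after flipping the toggle: a "smtp-auth-disabled-mailbox" result that persists for a while is the propagation delay described above, whereas "smtp-auth-disabled-tenant" means the per-mailbox toggle is not the switch you need.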
One_Stranger7794@reddit (OP)
!!! Thank you! This should be on Canon & MS's documentation page
elpollodiablox@reddit
You're my hero for this.
SpecMTBer84@reddit
This. We setup an email relay to circumvent this issue.
BsXeD@reddit
same, we use smtp2go
PolygonError@reddit
same, no issues other than a few emails every 3 months that sit in their queue for a few hours
The-Jesus_Christ@reddit
+1 for SMTP2GO. Great service.
One_Stranger7794@reddit (OP)
That's what I'm using now but the administration is keen on getting everything running through our domain again
trail-g62Bim@reddit
We have some machines that don't have internet access, so we have an internal SMTP relay. It's a pretty simple windows server install.
GWSTPS@reddit
Setup Conditional Access Policies; disable the forced security defaults, and exclude your copier account from MFA. Then use a CA policy to IP restrict it to your location.
LaxVolt@reddit
Simple postfix relay can solve your needs.
Ohmec@reddit
You can easily setup a HVE (high volume email) in the exchange admin panel. Serves the same purpose, routes through a separate SMTP server provided by microsoft, and goes through the domain still. Doesn't cost any extra.
qkdsm7@reddit
Relay with a 365 connector can still certainly go entirely through your domain. We run two on two networks just in case there's craziness with their inbound rules... For instance Comcast business as a source IP wouldn't work without doing a tunnel.
-echo-chamber-@reddit
mailhop.org
Flameancer@reddit
Holy shit canons can do oauth now?! But also glad I’m not in an msp anymore. I honestly am imagining the tickets that came into my old place if they weren’t aware.
G8racingfool@reddit
Piggybacking to mention another option:
If your environment has licensing which includes Conditional Access, you can add MFA onto the account and then set a CA policy to waive MFA challenges for that account when it's logging in from your company-specific IP address(es) into Exchange Online.
ValeoAnt@reddit
Usually this is a compliance issue though
One_Stranger7794@reddit (OP)
u/_Durs thank you! I strongly suspect that this may be the case after doing some digging around.
pelzer85@reddit
You don’t have Meraki MXes or Talos in the mix do you?
One_Stranger7794@reddit (OP)
Not as far as I know, 99% sure we don't though
pelzer85@reddit
I ask because we had our scan to email break across multiple offices and after a few days, we finally figured out it was a snort rule change about smtp detections.
levan86@reddit
MS made a change, and yes we got affected as well, scan to email stopped working for those that use MS365 direct send... luckily we have a backup relay.
One_Stranger7794@reddit (OP)
Same I ended up throwing in the backup process I had in the back pocket so users can still work in the meantime
pedrolane@reddit
We got so tired of getting random errors and getting forced MFA that we did end up getting Mailgun and dedicated SMTP mailboxes instead. So much easier and their portal has great analytics.
One_Stranger7794@reddit (OP)
I jury-rigged a free version just using Gmail for now. I'm going to work on getting it back up and running by navigating the MS process, but if, having done so, we experience the issues you did, I think I'll probably go the paid third-party route.
pakman82@reddit
My condolences... Normally I'd probably be supporting stuff like this, and glad to help with ease. But some dumb-$$ decided I was redundant. So I'm collecting unemployment right now. Email and OAuth are my jam too.
One_Stranger7794@reddit (OP)
IT is crazy like that, someone gets laid off for redundancy, but in the next town over that exact person is desperately needed!
AggravatingPin2753@reddit
Create a connector. Add your static public IPs. Firewall rule to allow smtp from your copiers, firewall rule to block smtp from everything right below that rule. No need for a username and password or mailbox for the copiers. Any @your domain email address will work, even if there is not mailbox or alias.
One_Stranger7794@reddit (OP)
Do you know if using the connector prevents the need for the MFA that MS is requiring now?
NextSouceIT@reddit
Yes. When using a connector, you disable SMTP authentication altogether. No login / password / MFA is needed
One_Stranger7794@reddit (OP)
thanks
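The connector and direct-send paths discussed above share one property: nothing logs in, so MFA never enters the picture and the tenant attributes the message to you purely by source IP. That is also why the firewall egress rule and the SPF record matter, since whatever can reach port 25 from that address can send as any address in your domain. The following added example (an editor's illustration, not code from the thread or from Microsoft) sends through the tenant's MX endpoint without credentials and classifies the two rejections that usually mean a wrong endpoint or a missing connector; it also checks whether a static IP is covered by the domain's SPF record. Contoso names and 203.0.113.0/24 addresses are placeholders, the MX host shape is Microsoft's documented pattern but should be confirmed against the real MX record, and the SPF checker handles ip4/ip6 terms only (include: and redirect= would need DNS). The sample replies are modelled on the documented 5.7.64 and 5.7.57 status codes, not captured from a tenant.

```python
"""Added example, not from the thread and not Microsoft's code.

Unauthenticated submission to Microsoft 365 (direct send / IP-based
connector): MX endpoint derivation, SPF coverage for the copier's public
IP, and classification of the usual rejections.
"""
import ipaddress
import smtplib
import ssl
from email.message import EmailMessage


def mx_endpoint(domain):
    """Documented MX host shape for a tenant domain, e.g. contoso.com ->
    contoso-com.mail.protection.outlook.com. Confirm against the MX record."""
    return domain.lower().replace(".", "-") + ".mail.protection.outlook.com"


def spf_authorises(spf_record, source_ip):
    """True if an ip4:/ip6: term in the record covers source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for term in spf_record.split():
        mech = term.lstrip("+-~?")  # drop the qualifier
        if mech.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return True
    return False


def classify_relay_reply(code, message):
    """Map a rejection to the misconfiguration that usually causes it."""
    text = message.decode(errors="replace") if isinstance(message, bytes) else message
    if code in (250, 251):
        return "accepted"
    if "5.7.64" in text:
        # external recipient, and no inbound connector matches the source IP
        return "relay-denied-need-connector"
    if "5.7.57" in text:
        # talked to smtp.office365.com (client submission) instead of the MX host
        return "auth-required-wrong-endpoint"
    return f"other:{code}"


def direct_send(domain, sender, recipient, subject, body):
    """One message via the MX endpoint on port 25 with STARTTLS and no AUTH."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    with smtplib.SMTP(mx_endpoint(domain), 25, timeout=30) as s:
        s.ehlo()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        try:
            s.send_message(msg)  # no login(): attribution is by source IP only
            return "accepted"
        except smtplib.SMTPRecipientsRefused as exc:
            code, err = next(iter(exc.recipients.values()))
            return classify_relay_reply(code, err)
        except (smtplib.SMTPSenderRefused, smtplib.SMTPDataError) as exc:
            return classify_relay_reply(exc.smtp_code, exc.smtp_error)


# Constructed record and replies (placeholders, not captured from a tenant).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"
SAMPLE_RELAY_DENIED = b"5.7.64 TenantAttribution; Relay Access Denied"
SAMPLE_NOT_AUTHED = (b"5.7.57 Client was not authenticated to send anonymous "
                     b"mail during MAIL FROM")

if __name__ == "__main__":
    copier_ip = "203.0.113.10"
    print(mx_endpoint("contoso.com"))
    print("SPF covers copier:", spf_authorises(SAMPLE_SPF, copier_ip))
    # direct_send("contoso.com", "scanner@contoso.com", "user@contoso.com",
    #             "Scan", "see attachment") would only work from that IP
```

If direct_send() returns "relay-denied-need-connector" for an external recipient, that is the difference between the two Microsoft options discussed above: direct send only reaches mailboxes in your own tenant, and an inbound connector listing the copier's public IP (or a certificate) is what lifts that restriction. Pair the connector with the egress rule described above, allowing port 25 from the copiers and denying it from everything else, because the connector trusts the whole address, not the device.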
greenstarthree@reddit
Mandatory MFA is only for users accessing the admin centres / portals etc., as far as I know.
Gaijin_530@reddit
Make sure all devices are using one of these methods:
How to set up a multifunction device or application to send emails using Microsoft 365 or Office 365 | Microsoft Learn
One_Stranger7794@reddit (OP)
This seems to be deprecated information, you are now required to use a connector address/configure the account for Oauth I think (as other redditors in this discussion have suggested to me anyway)
Ohmec@reddit
The proper, new method is using an HVE https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/high-volume-mails-m365
One_Stranger7794@reddit (OP)
thanks!
Broad-Celebration-@reddit
The options provided in the Microsoft learn article are not deprecated. If your tenant allows legacy auth options , option 1 will work. Options 2 and 3 to configure a relay in 365 are also fully functional methods.
daweinah@reddit
Option 2 and 3 are identical except for adding the IP to the connector. We have noticed some devices not able to send to accepted domains unless the IP is added to the connector (which should only be necessary when sending external).
Broad-Celebration-@reddit
The connector itself is the difference between them, being the required item to send external.
Connector can authenticate via IP or certificate.
oloruin@reddit
Been using option 2 (direct send) since 2019 with no issues. Well, one issue. When someone wants to scan to external email, they have to scan to themselves then copy the attachment to the intended recipient.
Reduces the chance for accidental data exfiltration, so I'm not eager to "upgrade" to a different method.
Terriblyboard@reddit
Did someone enable security defaults on your O365 tenant? It's in Entra Identity > Overview > Properties > Security defaults. If so it will kill SMTP; you can disable it and SMTP will work again, or buy Business Premium licenses and do Conditional Access.
The most recent change to add MFA to M365 accounts is for administrators only. It doesn't affect normal accounts/access yet.
One_Stranger7794@reddit (OP)
Ah ok, thanks. I'm still a little stumped here as I have a connector set up, SMTP allowed, hole in the firewall for it... I'm starting to think it might just be that the software is older Ricoh software.
Terriblyboard@reddit
did someone enable security defaults on your o365 tenant? its in entra Identity > Overview > Properties security defaults ... if so it will kill smtp. you can disable it and smtp will work again. or buy business premium licenses and do conditional access
the most recent change to add mfa to m365 accounts is for administrator only. doesnt effect normal accounts/access yet.
Gaijin_530@reddit
The particular tenant I know of that is using it this way does not have Premium licenses.
said-what@reddit
Could also be the mailbox is full. We have to periodically delete old emails to clear space
xrobx99@reddit
we created a retention policy for these accounts/mailboxes to delete all mail after 72 hours to minimize any potential data loss issues
2donks2moos@reddit
I had the same thing a few weeks ago. Firewall guy swore that he didn't change anything. Turns out the Firewall magically started blocking the ports the print server needed for Gmail smtp. (46 and 587)
halxp01@reddit
I have an SMTP relay on a Windows 2016 server. It went down about 3:30pm Central. Lasted about 65 mins. Restarted IIS and SMTP many times, and finally mail started flowing again.
I had changed nothing in my O365 environment and it has been working fine today also.
AlexHallberg@reddit
!remindme 12h
mr_data_lore@reddit
Did someone ignore the email from Microsoft warning about these MFA changes?
Happy_Kale888@reddit
Once you get it sorted out use a real solution like SMTP2GO saves so much time...
https://www.smtp2go.com/pricing/
Great product!
dirtrunner21@reddit
This right here. Stress free SMTP
Alert-Main7778@reddit
I love SMTP2Go. So much.
no_regerts_bob@reddit
+1 for smtp2go. it's not the only way, but its so flexible and easy and has great diagnostics when you need them
livevicarious@reddit
I instead created Scans folders in all users personal drives and set scans to go there with quick sets. Scan to email is not allowed here
Ok-Double-7982@reddit
Isn't that with something you have to pay extra for like a OneDrive sync software?
_Durs@reddit
90% of scanners/copiers will support SMB shares these days. You can either make and share a folder in their onedrive and path accordingly (C:/Win/Usr/Onedrive/Desktop/Scans etc.) as suggested above, or the more secure alternative we normally use is to create a local "scans" user on the machine, and SMB share a folder under that user. Using a local user on the machine keeps any files quarantined until they're retrieved by the user, and not synced to the cloud wasting space.
Ok-Double-7982@reddit
What I am asking though is how are each of the users who are scanning, authenticating to their personal OneDrive cloud folder on the device when they scan?
One_Stranger7794@reddit (OP)
The way I would set it up would be that every user has their username already in the machines address book, and when you scan on your account it goes to that users scan folder only they have permission to access
Ok-Double-7982@reddit
I'm not following what you're saying at all. That's typically an add-on where it's true OneDrive sync.
We already have scan to email where their email is listed as a contact and they can email the doc to themselves. I was asking how to config OneDrive folders, but to my original point, you have to pay for that software integration.
Who wants to use on premise fileshare SMB? That's old fuddy duddy shit. That's dinosaur stuff.
One_Stranger7794@reddit (OP)
Dino maybe but secure, modular, easy to use, move, full control etc. I personally prefer them to Onedrive almost 100% of the time
Ok-Double-7982@reddit
I worked with old school types who cling to on premise. Then they bitch when they want to go on vacation and something breaks lmao
bjc1960@reddit
I paid $100/year more, and all I heard was bitching and moaning about having to enter a password and MFA.
Ok-Double-7982@reddit
Badge scanning.
maggotses@reddit
We use an on-site smtp relay for that for a long time, glad for us lol
Sultans-Of-IT@reddit
SMTP relays should fix this.
CardiologistTime7008@reddit
Another thing to check is that the mailbox is not full. Has happened to me more than once.
One_Stranger7794@reddit (OP)
I was hoping that'd be it but no dice
netsysllc@reddit
as others have said SMTP2Go is the way to go.
lexbuck@reddit
We use SendGrid for this. Been great
unavoidablefate@reddit
Configure DirectSend and don't bother with accounts and mfa
FlickKnocker@reddit
It’s amazing how often this is not done. You can use certificates for an extra layer of security with an on-prem SMTP relay if there are a bunch of printers, but if your firewall egress rules are tight, abuse via allowed IP is pretty low.
bluehairminerboy@reddit
Use SMTP2GO and avoid using EXO for anything that's not a user on Outlook
xXNorthXx@reddit
On-prem mail relay to work around it. Multifunction printers are notorious for not keeping up with security.
Ivy1974@reddit
Depends on how it was configured. There are ways around the MFA.
MajesticAlbatross864@reddit
MS is blocking non oauth methods of connecting so simple smtp isn’t available, if the printer supports oauth that will work otherwise an smtp relay
FSK405N@reddit
The device passwords likely expired, assuming 'MS' is office365/Azure, etc..
One_Stranger7794@reddit (OP)
I don't think that's it, as test workarounds using Google's SMTP work just fine. Maybe the app passwords on 365 for those printers?
Gaijin_530@reddit
365 doesn't use app passwords, at this stage you have to do SMTP auth with a single named account that you authorize with an SPF record at the domain level. (There's multiple ways, that's just the easiest.)
How to set up a multifunction device or application to send emails using Microsoft 365 or Office 365 | Microsoft Learn
TheLightingGuy@reddit
Depends on how they're setup. My old job, we had them go through a local SMTP relay server, and then we used SMTP.com for automated email sending (Was looking at switching that over to AWS SES before I left that company)