Mail Server Settings
PAM360 sends email notifications to newly added users to inform them of their PAM360 access credentials. Therefore, it is necessary to configure mail server settings before adding new users to the product. You can either configure the SMTP mail server used in your environment or use a Microsoft Exchange Online mailbox. PAM360 supports OAuth 2.0 authentication for SMTP-based email communication when using Microsoft Exchange Online; choosing Microsoft Exchange Online as the mail server activates OAuth 2.0 authentication for all emails sent from the product. Read further to learn how to configure mail server settings.
1. Configure Microsoft Exchange Online as the Mail Server
To configure Microsoft Exchange Online as the mail server in PAM360, you must create an application in the Azure portal and obtain its Tenant (Directory) ID, Client (Application) ID, and Client Secret value. Follow the steps below:
1.1 Steps to Configure an Azure Application for Microsoft Exchange Online Server
- Log in to the Microsoft Azure portal.
- Click App registrations from the Microsoft Azure homepage.
- Click + New registration from the top pane of the App registrations page.
- In the Register an application page, enter the following attributes:
- Enter a name of your choice for the application.
- Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- For the Redirect URI, choose Web from the drop-down list and enter the URI of the PAM360 application in the following format: <PAM360-URI>/pam360redirect/AzureOAuth.
For example: https://win23-t11f:8282/pam360redirect/AzureOAuth
- Click Register. PAM360 will be added as an application in the Microsoft Entra ID portal.
- You will be taken to the page with the details of the newly registered application.
- In the left pane, expand Manage, and click API permissions. On the page that appears, click +Add a permission.
- On the Request API Permissions page, choose Microsoft Graph >> Delegated permissions.
- Search for smtp in the Select Permissions search bar to populate relevant permissions. Select the option SMTP.Send from the list and click Add Permissions.
- Similarly, search for offline_access in the Select Permissions search bar and add the offline_access permission.
- Now, click the Grant admin consent button beside the + Add a permission button.
- In the pop-up that opens, click Yes to grant consent for the requested permissions.
- Click the Certificates & secrets option on the left pane.
- Navigate to the Client secrets tab and click + New client secret.
- Enter a description and choose an expiry period. Click Add.
- Immediately after creation, the client secret value is displayed under the Value column in the table. Copy the value and save it in a secure location: it is displayed only once and cannot be retrieved after you leave this page.
- Once you have registered the application with the appropriate permissions, go to PAM360's web interface and configure mail server settings.
Note: Ensure that the PAM360-URI provided here is the same as the one users use to access the PAM360 application from other machines. Provide this PAM360-URI in the Access URL field in section 1.2.
Note: Once an application is created in the Microsoft Azure portal, the User.Read permission will be added to it by default.
1.2 Steps to Configure Microsoft Exchange Online in PAM360
- Navigate to Admin >> Settings >> Mail Server Settings.
- In the pop-up form that opens, enter the following:
- Server name - The actual SMTP server's name, for example, smtp.office365.com.
- Port - The default port for TLS is 587 and for SSL is 465. Enter the port that you are using.
- Sender E-mail Address - This field requires a valid email address, as PAM360 will send onboarding messages, notification alerts, and license expiry reminders to users. Also, ensure that the user account you specify in this field has the ownership permission for the SMTP enterprise application created in the Azure portal.
- Access URL - The URL that is to be displayed on the mail intimation sent to users to access PAM360. Please ensure that the Access URL is the same as the one you have specified in the Redirect URI mentioned in step 1.1. For example, if the mentioned Redirect URI is https://win10-prod-qa:8282/pam360redirect/AzureOAuth, then the Access URL to be provided here must be https://win10-prod-qa:8282.
- Provider - Choose Microsoft Exchange Online from the dropdown.
- Tenant ID - The directory ID of the Azure application.
- Client ID - The application ID of the Azure application.
- Client Secret - The client secret value created for the Azure application.
- Click Save to save the settings.
- You will be redirected to the Microsoft Azure portal for authentication. Log in to the Azure portal using the email address you specified in the Sender E-mail Address field (this is a one-time operation).
Note: Ensure that the user account you specify in the Sender E-mail Address field has the ownership permission for the SMTP enterprise application created in the Azure portal.
Upon completing the above steps, Microsoft Exchange Online will be configured as the mail server in PAM360.
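The following helpers are an added example and are not PAM360 code. They check the Access URL / Redirect URI rule from step 1.2, build the authorization request that the one-time Azure login corresponds to, and show the SASL XOAUTH2 exchange a client performs against Exchange Online SMTP once it holds a token. The Microsoft identity platform v2.0 authorize endpoint, the scope string used for delegated SMTP.Send, and the XOAUTH2 response format are assumptions not taken from the PAM360 documentation.

```python
"""Added helpers (not PAM360 code) for the Exchange Online set-up described above.

Assumptions not taken from the PAM360 docs: the Microsoft identity platform
v2.0 authorize endpoint, the scope string for delegated SMTP.Send, and the
SASL XOAUTH2 response format used by Office 365 SMTP AUTH.
"""
import base64
import smtplib
import ssl
from urllib.parse import urlencode, urlsplit

REDIRECT_PATH = "/pam360redirect/AzureOAuth"        # path given in the docs
SMTP_SCOPE = "https://outlook.office.com/SMTP.Send offline_access"  # assumed scope


def access_url_matches_redirect(access_url: str, redirect_uri: str) -> bool:
    """Docs rule: Access URL must equal scheme://host:port of the registered Redirect URI."""
    a, r = urlsplit(access_url), urlsplit(redirect_uri)
    return ((a.scheme, a.netloc) == (r.scheme, r.netloc)
            and a.path.rstrip("/") == "" and r.path == REDIRECT_PATH)


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request for the delegated SMTP.Send + offline_access permissions."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": SMTP_SCOPE, "state": state}   # state ties the callback to this request
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def xoauth2_initial_response(sender: str, access_token: str) -> str:
    """SASL XOAUTH2 client response: base64('user=' sender ^A 'auth=Bearer ' token ^A ^A)."""
    raw = f"user={sender}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def smtp_oauth_login(host: str, port: int, sender: str, access_token: str) -> int:
    """Network helper (not exercised offline): STARTTLS on 587, then AUTH XOAUTH2.
    Returns the SMTP reply code; 235 means the token was accepted."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())  # verifies the server certificate
        code, _ = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(sender, access_token))
        if code == 334:  # server sent a base64 JSON error; an empty line completes the exchange
            code, _ = smtp.docmd("")
        return code
```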
2. Configure Other Mail Servers
- Navigate to Admin >> Settings >> Mail Server Settings.
- In the pop-up form that opens, enter the following:
- Server name - The actual SMTP server's name, for example, smtp.zoho.com.
- Port - Most SMTP servers work with port 25. However, the default port for TLS is 587 and for SSL is 465.
- Sender E-mail Address - A valid email address from which you want to send emails to users.
- Access URL - The URL that is to be displayed on the mail intimation sent to users to access PAM360.
- Provider - Choose Others from the dropdown.
- When you select the Requires Authentication checkbox, the pop-up form lists two options:
- Specify a Username and Password Manually
- Use an account stored in PAM360
- If you choose the first option Specify a Username and Password Manually, enter the authentication details and click Save.
- If you choose the second option Use an account stored in PAM360, the resources and accounts that appear in your Resources tab are listed in a dropdown. Choose the required details and click Save. The chosen account will be used for authentication. Previously, when that account's password changed, the new password had to be updated manually in the mail server settings; now the new password is picked up automatically for authentication.
- You also have the option to choose the Secure Connection Protocol - None/SSL/TLS.
- SSL - Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure connection over the internet.
- TLS - Transport Layer Security (TLS) is the successor to SSL and enables secure connection over the internet.
Once you have provided the authentication details and the secure connection mode, click Save.
Notes:
- It is recommended to use the SSL/TLS options for secure communication over the internet/intranet.
- If the mail server uses a self-signed certificate, you need to import it into PAM360:
- Copy the server certificate into the <PAM360 Installation Folder>/bin directory.
- From the <PAM360 Installation Folder>/bin directory, execute the following command, which adds the certificate to the PAM360 certificate store:
importCert.bat <name of the server certificate>
- After providing the authentication details and the secure connection mode, you also have the option to test the mail server connection before clicking Save.