Mail Server Settings
When new users are added to PAM360, the system sends email notifications to these users about their PAM360 access credentials. Therefore, it is crucial to configure mail server settings before adding new users to the product to ensure the newly added users receive email notifications about their access credentials. PAM360 offers flexibility in choosing your mail server settings: you can either configure the SMTP mail server used in your environment or use the Microsoft Exchange Online mailbox.
PAM360 supports OAuth 2.0 authentication for SMTP-based email communications when using Microsoft Exchange Online. Selecting Microsoft Exchange Online as your mail server will enable OAuth 2.0 authentication for all emails sent from PAM360, enhancing security and compliance with modern authentication standards. This document offers comprehensive instructions for configuring Microsoft Exchange Online and other SMTP mail servers within PAM360. Follow these steps to ensure seamless email communication for notifications, alerts, and other essential messages.
- Configuring Microsoft Exchange Online as the Mail Server
- Configuring Other Mail Servers
1. Configuring Microsoft Exchange Online as the Mail Server
In this section, you will learn how to configure Microsoft Exchange Online as the mail server for PAM360. The process involves registering PAM360 as an application in the Microsoft Azure portal, assigning necessary API permissions, and creating a client secret. These steps are crucial for enabling PAM360 to send emails through Microsoft Exchange Online securely and efficiently. Follow the detailed instructions given below to complete the configuration process.
1.1 Steps to Register PAM360 as an Application on the Microsoft Azure Portal
To integrate PAM360 with Microsoft Azure, you should register PAM360 as an application in the Microsoft Azure portal. The registration process involves specifying essential details about PAM360 and setting up the necessary configurations. Follow these steps to add PAM360 as a new application in the Azure portal.
- Log in to the Microsoft Azure portal.
- Select the App registrations option under the Azure services section on the Microsoft Azure home page.

- On the App registrations page, click the + New registration button on the top-left corner of the screen.

- Specify the following details on the Register an application page:
  - Name - Enter a display name of your choice for the application (e.g., PAM360).
  - Supported account types - Select the Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) option.
  - Redirect URI - Choose Web from the drop-down menu and enter the URI of the PAM360 application in the format: <access URL>/pam360redirect/AzureOAuth. For example, if the access URL is https://pamserver:8282, then the Redirect URI you enter here should be https://pamserver:8282/pam360redirect/AzureOAuth.

Note: Ensure the PAM360 application URI (access URL) you enter in the Redirect URI field is the same as the one users can use to access the PAM360 application from other machines. Provide the same link in the Access URL field in step 1.4.
- Click Register to add PAM360 as an application in the Microsoft Azure portal. You will be redirected to the App registrations page, where you can view the details of the newly registered application.

- You can view the details of your newly added app registration by clicking on the application name from the list of registered applications on the App registrations page.
1.2 Steps to Delegate API Permissions to the Application on the Microsoft Azure Portal
To enable PAM360 to send emails through Microsoft Exchange Online, you must delegate the necessary API permissions to the PAM360 application on the Microsoft Azure portal. Follow these steps to delegate the required API permissions so that PAM360 can send emails securely through Microsoft Exchange Online.
- Go to the App registrations page and select PAM360 (the display name entered during app registration) from the list of registered applications.
- On the left pane, select Manage >> API permissions.
- On the API permissions page, click the +Add a permission button under the Configured permissions section to open the Request API permissions window.

- In the Request API Permissions window, select Microsoft Graph from the available list of Microsoft APIs.

- In the window that opens, select Delegated permissions.

- Under the Delegated Permission tab, locate the following API permissions using the search bar and click the Add Permissions button.
  - SMTP.Send
  - offline_access
  - User.Read

- Click the Grant admin consent button beside the + Add a permission button.

- In the pop-up window that opens, click Yes to grant consent for the selected permissions.
1.3 Steps to Generate Client Secret on the Microsoft Azure Portal
To complete the setup on the Microsoft Azure portal for using Microsoft Exchange Online as the mail server, you need to generate a client secret. PAM360 will use this client secret to authenticate with Microsoft Exchange Online. Follow these steps to generate the client secret on the Microsoft Azure portal.
- Go to the App registrations page and select PAM360 (the display name entered during app registration) from the list of registered applications.
- Navigate to Manage >> Certificates & secrets from the left pane.
- Switch to the Client secrets tab and click + New client secret.

- In the Add a client secret window, enter a description for the client secret, choose an expiry period from the drop-down menu, and click Add.

- The client secret value will be displayed under the Value column on the Certificates & secrets page. Copy and save this value securely, as it will be shown only once. This client secret is required to configure Microsoft Exchange Online as the mail server in PAM360.

- Once the application is registered with the required permissions, go to the PAM360 web interface and configure the mail server settings using the obtained client secret value.
1.4 Steps to Configure Microsoft Exchange Online as Mail Server in PAM360
To set up Microsoft Exchange Online as the mail server in PAM360, you need to configure several settings within the PAM360 interface. The steps include specifying the SMTP server details, authentication credentials, and relevant URLs. Follow these steps to use Microsoft Exchange Online to send onboarding messages, notifications, and other alerts.
- Navigate to Admin >> Server Settings >> Mail Server Settings.
- In the Mail Server Settings window, fill in the following details:
  - Server Name - Enter the actual name of the SMTP server, such as smtp.office365.com.
  - Port - Specify the port number for TLS (587) or SSL (465), depending on your setup.
  - Sender E-mail Address - Provide a valid email address for sending onboarding messages, notification alerts, and license expiry reminders. Enter the account that owns the app registration created in the Azure portal.
  - Access URL - Enter the PAM360 access URL to be included in the email notifications sent to the users. This URL must match the access URL specified in the Redirect URI field in step 1.1. For example, if the mentioned Redirect URI is https://pamserver:8282/pam360redirect/AzureOAuth, then the Access URL given here should be https://pamserver:8282.
  - Provider - Select Microsoft Exchange Online as the service provider from the drop-down.
  - Tenant ID - Enter the directory ID of the Azure application.
  - Client ID - Enter the application ID of the Azure application.
  - Client Secret - Enter the client secret generated on the Microsoft Azure portal.

- Click Save to save the configuration.
- You will be redirected to the Microsoft Azure portal for authentication. Log in to the Azure portal using the mail address specified in the Sender E-mail Address field in PAM360. This is a one-time operation.
After completing these steps, Microsoft Exchange Online will be successfully configured as the mail server for PAM360.
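The values entered in steps 1.1, 1.2 and 1.4 have to agree with each other, and a mismatch usually only surfaces at the Azure sign-in redirect. The Python check below is an added example, not part of PAM360 or its documentation; the settings dictionary layout, the function names and the sample values are assumptions made for illustration, and the https requirement follows the page's example URL.

```python
from urllib.parse import urlsplit

REDIRECT_PATH = "/pam360redirect/AzureOAuth"                         # step 1.1
REQUIRED_PERMISSIONS = {"SMTP.Send", "offline_access", "User.Read"}  # step 1.2
PORT_FOR_MODE = {"TLS": 587, "SSL": 465}                             # step 1.4
LOCAL_ONLY_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _normalize(url):
    """Return (scheme, host, canonical URL) with scheme and host lower-cased."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    netloc = host if p.port is None else f"{host}:{p.port}"
    return p.scheme.lower(), host, f"{p.scheme.lower()}://{netloc}{p.path.rstrip('/')}"


def check_settings(cfg):
    """Return the problems found in a settings dict (hypothetical layout)."""
    problems = []
    scheme, host, access = _normalize(cfg["access_url"])
    if scheme != "https" or not host:
        problems.append("Access URL must be an absolute https URL")
    if host in LOCAL_ONLY_HOSTS:
        problems.append("Access URL is not reachable from other machines")
    if _normalize(cfg["redirect_uri"])[2] != access + REDIRECT_PATH:
        problems.append("Redirect URI must be " + access + REDIRECT_PATH)
    missing = REQUIRED_PERMISSIONS - set(cfg["permissions"])
    if missing:
        problems.append("Missing permissions: " + ", ".join(sorted(missing)))
    if PORT_FOR_MODE.get(cfg["mode"]) != cfg["port"]:
        problems.append(f"Port {cfg['port']} does not match mode {cfg['mode']}")
    return problems


# Constructed sample values; GOOD reuses the example URLs from the page.
GOOD = {"access_url": "https://pamserver:8282",
        "redirect_uri": "https://pamserver:8282/pam360redirect/AzureOAuth",
        "permissions": ["SMTP.Send", "offline_access", "User.Read"],
        "mode": "TLS", "port": 587}
BAD = {"access_url": "https://localhost:8282/",
       "redirect_uri": "https://pamserver:8282/pam360redirect/AzureOAuth",
       "permissions": ["SMTP.Send", "User.Read"],
       "mode": "SSL", "port": 587}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_settings(cfg) or "ok")
```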
2. Configuring Other Mail Servers
PAM360 allows you to set up SMTP servers like Zoho, Gmail, or any other provider to send emails from PAM360. Follow these steps to configure a mail server other than Microsoft Exchange Online in PAM360 to send mail notifications to the users.
- Navigate to Admin >> Server Settings >> Mail Server Settings.
- In the Mail Server Settings window, enter the following details:
  - Server name - Enter the actual name of the SMTP server, e.g., smtp.zoho.com.
  - Port - Specify the port number for the SMTP server. Most SMTP servers work with port 25. However, the default port for TLS is 587, and 465 for SSL.
  - Sender E-mail Address - Provide a valid mail address for sending onboarding messages, notification alerts, and license expiry reminders.
  - Access URL - Enter the PAM360 access URL to be included in the email notifications sent to users for accessing PAM360.
  - Provider - Choose Others from the drop-down menu.

- Upon clicking the Requires Authentication checkbox, you will see two options:
  - Specify a Username and Password Manually - Select this option to enter the authentication details manually. Enter the required details in the respective fields and click Save.

  - Use an account stored in PAM360 - Choose this option if you have the authentication credentials stored inside PAM360. Select the appropriate resource name and account name from the respective drop-down fields and click Save. The selected account will be used for authentication. In case of a password change, the new password will be automatically updated for authentication.

- You can also choose one of the supported secure connection protocols, SSL or TLS, or send mail without any encryption.
  - SSL - Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure connections over the internet.
  - TLS - Transport Layer Security (TLS) is the successor to SSL and enables secure connections over the internet.
- Once you have provided the necessary authentication details and selected the secure connection mode, click Test to test the connection and Save to save the configured mail server settings.
- We recommend using the SSL/TLS options for secure communication over the internet/intranet.
- If the mail server uses a self-signed certificate, you should import the certificate into the PAM360 certificate store.
  - Copy the mail server certificate to the <PAM360 Installation Folder>/bin directory.
  - From the <PAM360 Installation Folder>/bin directory, execute the command importCert.bat <name of the server certificate>. This command adds the certificate to the PAM360 certificate store.
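Importing a self-signed certificate makes it a trust anchor, so it is worth confirming that the file you are about to import is the certificate the mail server actually presents. The Python check below is an added example, not part of PAM360; the function names and the sample bytes are assumptions made for illustration, and `presented_certificate` needs network access to your own mail server.

```python
import hashlib
import smtplib
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()


def presented_certificate(host, port, implicit_tls=False, timeout=10):
    """Fetch the DER certificate the mail server presents (needs network)."""
    ctx = ssl.create_default_context()
    # Chain validation cannot succeed for a certificate that is not trusted
    # yet, so it is switched off for this probe only; the fingerprint
    # comparison replaces it. No credentials or mail are sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if implicit_tls:                      # "SSL" mode, e.g. port 465
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:                                 # "TLS" mode (STARTTLS), e.g. port 587
        conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        if not implicit_tls:
            conn.starttls(context=ctx)
        return conn.sock.getpeercert(binary_form=True)
    finally:
        conn.close()


def safe_to_import(pem_text, presented_der):
    """True only when the file to import is the certificate the server presents."""
    return pem_fingerprint(pem_text) == hashlib.sha256(presented_der).hexdigest()


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# of the DER encoding, so any byte string exercises the comparison offline.
SAMPLE_DER = b"constructed example, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    print(pem_fingerprint(SAMPLE_PEM))
    print(safe_to_import(SAMPLE_PEM, SAMPLE_DER))
```

Against a real server, pass the contents of the certificate file and the result of `presented_certificate(<mail server>, <port>)` to `safe_to_import`, and run importCert.bat only when it returns True.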