The three ways you can accomplish this are SMTP Client Submission, Direct Send and SMTP Relay.
The first option requres a mailbox username and password. This option should be considered first because it is the most secure. You authenticate as that user and send email as them. Some obvious caveats: You will need access to a mailbox on Office 365 and when the account password changes you will need to update it on the firewall. Direct Send and SMTP Relay don’t have those requirements.
So if you are choosing between Direct or Relay, you should know that Direct can only send to your own mailboxes. So if some of the mail from your device is going to email addresses other than your own domain’s (could be the case if you need to send reports or VPN authentication emails to people who do not have mailboxes in your org) then you’ll need to use Relay. Just so you know though, Relay requires a static IP.
For a handy chart and full instructions on all three setup variations, please refer to: https://technet.microsoft.com/en-us/library/Dn554323(v=EXCHG.150).aspx
SMTP Relay setup:
- FortiGate setup:
System–>Advanced–>Email Service. Turn it on.
SMTP Server: Your MX Endpoint, example: contoso-com.mail.protection.outlook.com
Default Reply To: <any email address for one of your domains, working or dummy>
Security Mode: STARTTLS
- Office 365 Connector:
This is needed to accept email from your firewall. You’ll need the static IP of the firewall and the MX Endpoint.
In Office 365, Open up Exchange Admin–>Click Mail Flow–>Connectors, create a new connector for mail sent from your organization’s server to Office 365.
The connector setup will ask you to use one of two methods for verifying the email coming in. The most secure is to use your organization’s security certificate (which you should have installed on the firewall). You can also use the external IP address of the firewall.
- Recommended setting:
Domain SPF (TEXT) record: Add to your existing if you have one (multiple SPF records are not supported and will result in email delivery issues), or create one. Format like this: v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all
This will ensure your mail doesn’t get marked as SPAM.
To Test: Go to Log & Report–>Alert Email and setup a message to go when you log in and log out of the firewall. Then simply do that and within 5 minutes you should get an alert email