I’ve been experimenting with self-hosting e-mail, taking advantage of Microsoft Exchange Online Protection to handle spooling and deliverability for $1/month.
Microsoft provides just two methods to authenticate outbound relay: By IP Address, or by Client TLS (SSL) Certificate. I’d like to use the latter and I’ve configured my Synology with certs for my domains from LetsEncrypt, but my mails were still being rejected by Microsoft.
Diagnostic-Code: smtp; 550 5.7.64 TenantAttribution; Relay Access Denied
[ValidationStatus of '' is EmptyCertificate]
[SN1PEPF0002529F.namprd05.prod.outlook.com 2025-03-24T20:27:41.492Z
08DD65488162F7A5]That error seems to suggest that no certificate was presented.
After much digging, I determined that Synology configures postfix with certificates for inbound SMTP but not outbound. Knowing that was half that battle.
From /var/packages/MailPlus-Server/target/etc/main.cf take these values:
smtpd_tls_cert_file = /some/path/cert
smtpd_tls_key_file = /some/path/keyThen create the file /var/packages/MailPlus-Server/etc/customize/postfix/main.cf using the paths you found:
smtp_tls_cert_file = /some/path/cert
smtp_tls_key_file = /some/path/keyRestart the MailPlus-Server package and it should re-generate main.cf with those values added.
Some day I’ll do a more detailed write-up on hosting e-mail yourself — it is not something one should enter into lightly — but right now I just wanted to get this information out there for Google to pick up because it was incredibly difficult to track down.
(Note: This was with DSM 7.2.1 and MailPlus Server 3.3.0)