How to fix your HP, Canon or other printer’s scan to email not working issue for Microsoft 365 and Google Workspaces


Table Of Contents

1. Short answer: No, you cannot fix it, you can only bypass the issue.
2. Emails in Microsoft 365
3. Emails in Google Workspace
4. So can you use an older email program like a printer?
5. So, what we can do?
6. If you or your company use Google Workspaces as the main email.
7. If you need a more secure option and send emails externally…
8. If you use Microsoft 365 emails, and want a free option called Direct Send.
9. Conclusion
10. Useful links


1. Short answer: No, you cannot fix it, you can only bypass the issue.

In my line of work, sometimes you need to find a way to fix things, even if you don’t like the solution. The primary example of this is the Scan to Email (or, as some prefer, Scan2Email) functionality of “modern” office printers. I put the word “modern” in quotes because the firmware is not as new as you would expect. Yes, they add features, but core libraries are not updated as often, as they are working, right? So why waste time on it?

What’s the problem then? The problem is that since last year both M365 and Google started to phase out the old encryption standards SSL, TLS1.0 and TLS1.1, and this year (2021) was the last time you could use them in emails. The standard now is TLS1.2.

Our client has an office printer, an HP Color LaserJet Pro M377dw, that has SSL/TLS1.0 and no OAuth, so our quick attempts at switching over the SMTP server only showed that scan to email was not working. Digging through the Internet, we found some ideas…

2. Emails in Microsoft 365

One of the ways I was forced into TLS1.2 was turning on “Security Defaults” in M365 for my client. This option happily turns on 2-Factor Authentication for all our users, but at the same time disables “legacy encryption SSL, TLS1.0, TLS1.1” for older mail apps like Outlook 2010. It was not much of an issue, as we use Outlook 365 anyway, but I knew it might be a problem sometime later.

The main new authentication protocol is OAuth, which allows your 2FA token to be used when required. This also means that any older device (yes! your printers!) will not work with this protocol.

3. Emails in Google Workspace

As for Google emails, OAuth has been the primary authentication protocol for a long time, but you can manually turn on IMAP/POP3 on your account and create an “App Password” to use it with an older mailer. The main problem is that it will require another account created in Google Workspaces (+£9.40 per month). If you are tight on money, then this might not be your best bet. You can use your own account, but from a security point of view, anyone with this “app password” will be able to get to your emails.

4. So can you use an older email program like a printer?

Yes… Kinda… Sorta… The problem is that even if your “older” mailing program doesn’t like OAuth, it still needs to have TLS1.2 working, and here is the problem. TLS1.2 is not only a software issue but also a hardware one. It’s much more complicated than previous iterations, thus more CPU demanding. This is not a problem with modern CPUs on Linux or Windows, but for printers with their cheap and weak microcontrollers it might be a massive problem. Also, the firmware is not updated that often, especially encryption libraries or core services.

5. So, what we can do?

We don’t want to create paid accounts, and we don’t want to use our own or other users’ accounts (for security) with “App Passwords”. Also, both will not work due to the TLS1.2 requirement unless your printer can use TLS1.2, and those are few and far between. From what I saw, the ones running Linux usually offer TLS1.2; the rest do not, unless it is specified in the printer description.

6. If you or your company use Google Workspaces as the main email.

There is a way to send email in a restricted Gmail SMTP server mode without authentication (no need for TLS1.2). This option lets you send messages to Gmail or Google Workspace users only. This option doesn’t require you to authenticate, and you can’t send messages to people outside your organization. It’s also FREE.

Requirements

Sending limits: Per-user limits apply (Max 2000 per day). This option restricts sending messages to only Gmail or Google Workspace users.
Anti-spam filters: Suspicious emails might be filtered or rejected.
The fully qualified domain name of the SMTP service: aspmx.l.google.com
Configuration options: Port 25, TLS not required. Dynamic IPs allowed.
Authentication requirements: None

If your company has a work email in the Google Workspaces, then your old printer should work with this set-up.

7. If you need a more secure option and send emails externally…

…be willing to pay for a separate account for the printer. If you need to send emails from your printer to recipients outside Google, and you want them to be encrypted (SSL or TLS1.0/1.1 only), you can send mail to anyone inside or outside of your organization using smtp.gmail.com as your server. This requires an active email account in your Workspace (preferably used only for the printer) and an “App Password” for less secure applications:

  1. Turn on less secure apps in the Admin console, if not set by default.
  2. Turn on less secure apps in the account.
  3. Create and use app-specific passwords with the device or app that is sending email.

Requirements

Sending limits: 2,000 messages per day.
Anti-spam filters: Suspicious emails might be filtered or rejected.
The fully qualified domain name of the SMTP service: smtp.gmail.com
Configuration options: Port 465 (SSL required) or Port 587 (TLS required). Dynamic IPs allowed.
Authentication requirements: Your full Gmail or Google Workspace email address (your.name@solarmora.com) is required for authentication.

Google’s free Restricted SMTP Server configuration

8. If you use Microsoft 365 emails, and want a free option called Direct Send.

If your emails are stored in Microsoft 365, the situation is the same as with Google’s free option. This will also send emails to M365 accounts only, but there is no need for authentication.

Requirements for direct send

  • Port: Port 25 is required and must be unblocked on your network.
  • Static IP address is recommended: A static IP address is recommended so that an SPF record can be created for your domain. The SPF record helps avoid your messages being flagged as spam.
  • Does not require a Microsoft 365 or Office 365 mailbox with a license.

Limitations of direct send

  • Direct send cannot be used to deliver email to external recipients, for example, recipients with Yahoo or Gmail addresses.
  • Your messages will be subject to antispam checks.
  • Sent mail might be disrupted if your IP addresses are blocked by a spam list.
  • Microsoft 365 and Office 365 use throttling policies to protect the performance of the service.

Requirements

Server/smart host: Your MX endpoint, for example, contoso-com.mail.protection.outlook.com
Port: Port 25
TLS/StartTLS: Optional
Email address: Any email address for one of your Microsoft 365 or Office 365 accepted domains. This email address does not need to have a mailbox.

Direct send configuration for M365

If you are sending from a static IP address, to avoid having messages flagged as spam, add it to your SPF record in your domain registrar’s DNS settings as follows:

SPF: v=spf1 ip4:<Static IP Address> include:spf.protection.outlook.com ~all

SPF configuration to be added to DNS
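A way to sanity-check the record before relying on it, given as an added example that is not part of the original post: the function takes the domain's TXT strings (however you fetched them) and the public IP the printer's mail leaves from, and reports where the record departs from the template above. The function name, the sample record and the 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}

def check_direct_send_spf(txt_records, egress_ip):
    """Return a list of problems; an empty list means the record fits the template."""
    ip = ipaddress.ip_address(egress_ip)
    if any(ip in net for net in RFC1918):
        return [f"{ip} is a LAN address; SPF needs the public static IP the mail leaves from"]
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # several SPF records on one name make SPF evaluation fail
        return [f"expected exactly one v=spf1 TXT record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems, covered, lookups = [], False, 0
    for term in terms:
        mech = term.lstrip("+")
        name = re.split(r"[:/=]", mech.lstrip("-~?"))[0]
        lookups += name in DNS_LOOKUP_TERMS
        if mech.startswith(("ip4:", "ip6:")):
            try:
                covered |= ip in ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                problems.append(f"malformed address in '{term}'")
    if not covered:
        problems.append(f"no ip4/ip6 mechanism covers {ip}")
    if "include:spf.protection.outlook.com" not in (t.lstrip("+") for t in terms):
        problems.append("missing include:spf.protection.outlook.com")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("record should end in ~all or -all")
    if lookups > 10:  # SPF allows at most 10 DNS-querying terms per evaluation
        problems.append(f"{lookups} DNS-lookup terms in this record alone exceed the limit of 10")
    return problems

# Constructed sample data (documentation address range, not a real deployment)
SAMPLE_TXT = ["v=spf1 ip4:203.0.113.25 include:spf.protection.outlook.com ~all"]

if __name__ == "__main__":
    for candidate in ("203.0.113.25", "203.0.113.26", "192.168.1.50"):
        print(candidate, "->", check_direct_send_spf(SAMPLE_TXT, candidate) or "OK")
```

The LAN-address check catches the common mistake of publishing the printer's internal address instead of the office's public one.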

9. Conclusion

Because our client uses Google emails (hopefully we will switch to M365 next year), we decided to try the free M365 direct SMTP server access, as it will be the way to go. Then our HP Color LaserJet Pro M377dw reared its ugly head: the maximum email address length is about 35 characters. My email, for example, has 52 characters… There we go, the client’s new “onmicrosoft” accounts with M365 are out of luck.

The only way to fix the problem for us was to use the free Google restricted SMTP server, as the client is still on Google servers (and has shorter emails). It doesn’t need authentication or an account, and the limit of 2000 emails per day will never be reached.

So, we bypassed the problem, as I said, until next year, when we move them to M365 and the TLS saga starts again…

10. Useful links

https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

https://support.google.com/a/answer/176600?hl=en
