Setting Up a Secure Postfix Relay for SAP with Office 365 and Dynamic BCC

September 9th 2025

At our organization, we needed SAP Business One to send emails through Microsoft 365.
The challenge: every email sent from SAP on behalf of a user should also BCC that user automatically, so they have a copy in their mailbox.

Here’s how I solved it securely with Postfix + Office 365, without the added cost of Boyum or other add-ons or, even worse, the cost of programming against the SAP B1 SDK.

How about 365 Exchange?

I tried using Exchange rules, but there was no way to manipulate the sender from SAP because Exchange only connects with 1 mailbox.

Why not use the Outlook Integration Add-On?

Most users have moved on to the new 365 Outlook, which can’t be configured in SAP B1, and there is also an issue if the 64-bit version is being used.

Why Postfix?

  • Enforce mail routing through Office 365
  • Dynamically add BCC recipients before handoff

  • Maintain visibility and control in logs

Authentication and Permissions

We configured Postfix to authenticate to Office 365 with a dedicated service account.
On the Microsoft 365 side:

  • Each SAP user was given Send On Behalf permission on the dedicated account.

  • This allows them to send mail “as themselves” while Office 365 enforces proper permissions.

  • If someone tries to spoof without permission, Office 365 rejects the message with SendAsDenied.

Security Considerations

Security had to be considered first, as a priority.

  • Postfix only listens on localhost and internal SAP servers.

  • TLS is enforced when connecting to Office 365.

  • Service account password stored securely (chmod 600).

  • Only specific users are granted access.

  • Monitored via Postfix logs and Exchange message trace.

    ✅ This ensures the relay is not an open relay and that Office 365 enforces final identity checks.
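One way to check a relay's `main.cf` against the list above, as an added example that is not the author's configuration or tooling. The parameter names are standard Postfix parameters; the required values, the sample addresses and the file paths are assumptions.

```python
import os
import stat

# Required values are assumptions based on the post's security list.
TLS_ENFORCED = {"encrypt", "verify", "secure", "fingerprint", "dane-only"}
OPEN_NETWORKS = {"0.0.0.0/0", "::/0", "[::]/0"}

# Constructed sample main.cf; addresses and paths are placeholders.
SAMPLE = """\
mynetworks = 127.0.0.0/8,
    10.0.5.10/32
relayhost = [smtp.office365.com]:587
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

def parse_main_cf(text):
    """Handle '#' comments, 'name = value' and indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (s.strip() for s in raw.split("=", 1))
            params[last] = value
    return params

def audit_relay(text):
    """Return findings; an empty list means every check passed."""
    p, out = parse_main_cf(text), []
    nets = set(p.get("mynetworks", "").replace(",", " ").split())
    if not nets or nets & OPEN_NETWORKS:
        out.append("mynetworks unset or open to any client")
    if not p.get("relayhost"):
        out.append("relayhost unset; mail is not forced through the smarthost")
    if p.get("smtp_tls_security_level") not in TLS_ENFORCED:
        out.append("smtp_tls_security_level does not enforce TLS")
    if not p.get("sender_bcc_maps"):
        out.append("sender_bcc_maps unset; no automatic BCC")
    # Credential map: drop the table-type prefix, then check the file mode.
    pw = p.get("smtp_sasl_password_maps", "").split(":", 1)[-1]
    if p.get("smtp_sasl_auth_enable") != "yes" or not pw:
        out.append("SASL auth or smtp_sasl_password_maps not configured")
    elif os.path.exists(pw) and stat.S_IMODE(os.stat(pw).st_mode) & 0o077:
        out.append("credential file readable by group or others")
    return out
```

Calling `audit_relay(SAMPLE)` reports the opportunistic TLS level and the missing `sender_bcc_maps`. Postfix reads the compiled table that `postmap` generates from the credential file, so that file needs the same mode check.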

Results

  • SAP B1 can now send invoices, order confirmations, and customer notices reliably.

  • Users automatically receive a BCC of every email they send through SAP.

  • If the recipient replies, Outlook will create a thread.

  • All messages are routed securely through Microsoft 365, with headers intact and compliance policies applied.

Key Takeaway

With Postfix as a smart relay and Office 365 enforcing Send As permissions, we created a secure, auditable, and user-friendly way for SAP B1 to send mail — while guaranteeing employees always have a copy of what they send without adding bloatware to SAP and no additional cost.

I will update this post with simple, detailed instructions, from spinning up a Linux VM to the complete configuration of Postfix. I will provide an update on LinkedIn and on X when I complete it.