Send Certificate-Signed Email From Keycloak to SMTP Server

We have configured Keycloak’s SMTP server settings to point to our Office 365 Smart Host/relay endpoint so that we can send emails from our domain. Emails send just fine inside our organization but fail when sending outside the organization. We get the following error: “com.sun.mail.smtp.SMTPAddressFailedException: 550 5.7.64 TenantAttribution; Relay Access Denied”. This is because Office 365 is trying to validate that the domain in the certificate’s Subject/CN from the TLS connection matches the expected/configured domain in the Office 365 relay connector configuration.

We have StartTLS enabled and authentication turned off, since legacy authentication is disabled on our SMTP server. From what I can tell, it does not appear that Keycloak is signing the emails that get sent, even though we are using Keycloak over SSL. I have looked but cannot seem to find whether it is even possible to configure the SMTP mail connector in Keycloak to use a certificate to sign emails before sending.

Any help/guidance on this issue would be greatly appreciated!
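The following diagnostic is an added example and is not part of the original post, nor is it Keycloak's or Office 365's own tooling. It follows the poster's hypothesis that the relay attributes the connection by the TLS certificate: it reproduces Keycloak's session shape (port 25, STARTTLS, no AUTH, then EHLO/MAIL FROM/RCPT TO) with openssl s_client, once without and once with a client certificate, and reports whether the RCPT step returns a 5xx such as the 550 5.7.64 quoted above. If the outcome changes only when the certificate is presented, the missing piece is TLS client authentication during the handshake rather than S/MIME signing of the message body. The relay host name, EHLO name, sender, external recipient and the PEM certificate/key paths are placeholders assumed here, not values from the post.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of the original post or of Keycloak.
# Placeholders (assumed, not from the post): relay host name, EHLO name,
# sender, external recipient and the PEM client certificate/key paths.
set -u

# smtp_replies TRANSCRIPT
# Print only the server reply lines (3-digit code followed by space or '-')
# from a captured transcript, dropping openssl's own chatter.
smtp_replies() {
  printf '%s\n' "$1" | grep -E '^[0-9]{3}[ -]'
}

# first_permanent_error TRANSCRIPT
# Print the first 5xx reply in the transcript and return 0; return 1 if
# every reply was 2xx/3xx/4xx. The 550 5.7.64 from the post is a 5xx.
first_permanent_error() {
  smtp_replies "$1" | grep -E -m1 '^5[0-9]{2}[ -]'
}

# probe_relay HOST EHLO_NAME FROM TO [CERT_PEM KEY_PEM]
# Open port 25, upgrade with STARTTLS via openssl s_client, optionally present
# a client certificate, then walk EHLO/MAIL FROM/RCPT TO/QUIT and print the
# transcript. Needs network access to the relay.
probe_relay() {
  pr_host=$1 pr_ehlo=$2 pr_from=$3 pr_to=$4 pr_cert=${5:-} pr_key=${6:-}
  set --                                   # positional params become openssl options
  if [ -n "$pr_cert" ]; then
    set -- -cert "$pr_cert" -key "$pr_key"
  fi
  {
    sleep 2                                   # let the TLS handshake finish
    printf 'EHLO %s\n' "$pr_ehlo"; sleep 1    # EHLO must be repeated after STARTTLS
    printf 'MAIL FROM:<%s>\n' "$pr_from"; sleep 1
    printf 'RCPT TO:<%s>\n' "$pr_to"; sleep 1 # this is where 550 5.7.64 shows up
    printf 'QUIT\n'
  } | openssl s_client -connect "$pr_host:25" -starttls smtp \
        -servername "$pr_host" -crlf -quiet "$@" 2>/dev/null || true
}

# compare_client_cert HOST EHLO_NAME FROM TO CERT_PEM KEY_PEM
# Run the probe twice, without and with the client certificate, and report
# the RCPT outcome of each so the two can be compared side by side.
compare_client_cert() {
  for mode in without with; do
    if [ "$mode" = with ]; then
      transcript=$(probe_relay "$1" "$2" "$3" "$4" "$5" "$6")
    else
      transcript=$(probe_relay "$1" "$2" "$3" "$4")
    fi
    if err=$(first_permanent_error "$transcript"); then
      printf '%-8s client cert: rejected -> %s\n' "$mode" "$err"
    else
      printf '%-8s client cert: no 5xx reply from the relay\n' "$mode"
    fi
  done
}

# Only probe when the operator names a relay; the helpers above stay usable
# offline. Every default below is a placeholder to be replaced.
if [ -n "${RELAY_HOST:-}" ]; then
  compare_client_cert "$RELAY_HOST" "${EHLO_NAME:-$(hostname)}" \
    "${MAIL_FROM:-keycloak@example.com}" "${RCPT_TO:-someone@external.example}" \
    "${CLIENT_CERT:-/etc/keycloak/tls/client.crt}" \
    "${CLIENT_KEY:-/etc/keycloak/tls/client.key}"
fi
```

Run it as `RELAY_HOST=yourtenant.mail.protection.outlook.com CLIENT_CERT=... CLIENT_KEY=... ./probe.sh` from the same network path Keycloak uses, so that the relay sees the same source address. Whether the certificate used here is acceptable to the connector, and how to make Keycloak's JVM present it (for the default JSSE socket factory that would be the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties), is an assumption about Keycloak's mail path that the post does not confirm and should be checked against the Keycloak version in use.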