Hi Thomas,

Thanks for the suggestion, however all our hosted customers do in fact use RPC over HTTP as this allows them to make full use of hosted Exchange contacts, tasks, calendar etc., which IMAP/SMTP would not.

All on-premises Exchange solutions allow multiple ways of authenticating connections and changing port numbers. I'm astounded that Microsoft have stripped that functionality out of their hosted product; maybe they have done it to try and force everyone to use their own security/archiving solutions, or maybe they're just useless! I did indeed use that list of addresses to set all my allow lists/firewalls. Annoyingly, however, there is no method to subscribe and receive notifications if it changes. The first thing we know about a change is when mail starts bouncing (as it did when they added an IP block at the beginning of July).

I had a conversation on the phone with a guy from Microsoft this morning. He repeated himself for about 10 minutes confirming the limitations of their product and that I had found a workaround, then said he'd put me through to a manager to discuss how they could improve the hosted service so this wouldn't be an issue. I then got some lovely hold music for a while before I hung up. Presumably they don't really want my feedback!

At least we have a workaround that achieves the job now, so we can look at putting ASSP in place for other clients.

All the best,
Colin Waring.

On 11/08/2014 15:03, Thomas Eckardt wrote:
> Colin,
>
> what speaks against switching the outbound from
>
> OC -> HE -> ASSP -> Internet
>
> to
>
> OC -> ASSP(relayPort) -> HE -> Internet
>
> I know this does not look very common, but it will work. It also protects the HE
> from a possibly hijacked OC (if assp is configured to do so).
> I think it is possible to define a DNS delivery "outbound connector" in
> the HE like in any other Exchange server.
> I only know one reason that speaks against this switching: the OC uses
> IMAP or RPC or RPC over HTTP or HTTP. But it should be possible to
> configure the OC to use IMAP.... for all except outbound mail, which
> should be configured to use SMTP (->assp).
>
>> There is no ability to specify a username and password,
>> there is no ability to specify a different port.
>
> Are we back in the "good" old Exchange 4 times??? Even an 11-year-old
> SBS2003 could do it better.
>
> If you can't do the switch for any reason, you can define an IP-address
> group for the Office 365 EOP ranges like:
> (possibly you've already done it)
>
> (from
> http://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx)
>
> [Office365EOP]
> 65.55.88.0/24
> 94.245.120.64/26
> 207.46.51.64/26
> 207.46.163.0/24
> 213.199.154.0/24
> 213.199.180.128/26
> 216.32.180.0/24
> 216.32.181.0/24
> 2a01:111:f400:7c00::/54
>
> These addresses are the only ones, and are only used for customer O365 relay
> connections by Microsoft.
>
> The group definition [Office365EOP] could then be used anywhere you can
> define IP addresses and ranges in assp.
>
> Splitting the IPs of assp into public and private is fine. However, you
> need to configure assp to check the local sender address
> ('DoLocalSenderAddress') for outbound mails - or at least for local
> domains in the sender address ('DoLocalSenderDomain') - to prevent other
> HE admins in the world from using your assp as an open relay-host - as you
> said!
>
> Never define any EOP in 'acceptAllMail'! (allowRelayCon is OK - really
> good)
>
> I don't know if it is possible to fake the sender address/domain in Office
> 365 - if so, this would be very very problematic - you'll be lost if
> there is no way to sign or to tag a relayed mail.
> Colin - have a look into some O365 outbound mails. MS has always
> written some sender/domain-unique tags or X-headers or something like
> that into their mails if they were processed by an Exchange server. If we
> can find something like that, it would be relatively easy to implement a
> 'validateOffice365' in the Relay section of ASSP. This could also be the
> first 'Received:' line (the last down from top).
>
> Just another idea. I know MS uses SSL or TLS for the customer relay
> connections. Are you able to define your own certificate/key for the relay
> connection in the HE? If so, V2 is able to verify the client certificate
> and to drop wrong connections. I'm afraid nobody at MS thought that far,
> because on the short way they lost the relay port anyway.
>
> Thomas
>
>
>
> From: Colin <colin.war...@gmail.com>
> To: assp-test@lists.sourceforge.net
> Date: 11.08.2014 14:01
> Subject: Re: [Assp-test] FW: Email interface kicking in on external mail?
>
>
>
> Hi Thomas,
>
> The mail flow is this:
>
> Outbound OC -> HE -> ASSP -> Internet
> Inbound Internet -> ASSP -> HE -> OC
>
> Inbound works fine as we can set up an inbound connector on Office 365
> and tell it to accept mail for specific domains from our ASSP IP address.
> Outbound is the issue. HE communicates using "outbound connectors". The
> only thing you can configure in an outbound connector is the IP address
> it delivers to. There is no ability to specify a username and password,
> there is no ability to specify a different port.
>
> In the end, I have assigned an extra IP address to the ASSP server. I
> have bound the normal traffic to the main IP, port 25 and bound the
> relay port to the second IP, port 25. I've made sure that the second IP
> is locked down. The data centre firewall, iptables and allowRelayCon are
> configured to only accept port 25 mail locally or from the IP blocks
> that Microsoft use.
>
> The only improvement I could make would be to limit the sender domains
> allowed by connections to relayPort.
>
> All the best,
> Colin Waring.
>
>
> On 11/08/2014 12:39, Thomas Eckardt wrote:
>> Colin,
>>
>> the infrastructure behind your Office 365 implementation is still unclear
>> to me.
>> It does not matter if this scenario is used by an ISP or a local company.
>> assuming the following:
>>
>> - you have local Office 365 clients -> OC
>> - you have a local assp instance -> assp
>> - you have a hosted Exchange 365 instance -> HE
>>
>> Where local means 'local' in terms of assp - this could be any client and
>> assp in the world. All OCs should connect to assp using the 'relayPort'
>> or the 'listenPort2'. Foreign connections should go to the assp
>> 'listenPort'.
>>
>> OC is getting mails from HE using POP3 - that's clear to me
>> OC (and local printers/fax machines/scanners/notifiers....) sends all mails
>> (local and outgoing) to assp and assp forwards the mails to HE using TLS
>> (and injected AUTH for the local
>> printers/fax machines/scanners/notifiers....) - that's clear to me
>> Because assp should scan incoming foreign mails for spam, the domain MX
>> points to assp - assp forwards the good mails to a local MTA (forwarder),
>> which sends the mails to the HE.
>>
>>
>>> get ASSP and Office 365 talking seeing as Office 365 can't do outbound
>>> authentication
>>
>> Now the question:
>>
>> - all OC must (IMHO) use TLS and AUTH to connect to the HE directly - why
>> can't they do this through assp?
>> - in which case is the HE connecting to assp via SMTP - the only case
>> where AUTH will be a problem?
>>
>> Please help me to understand the problem - it seems that you do something
>> different?
>>
>> Thomas
>>
>>
>> From: Colin <colin.war...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 09.08.2014 12:07
>> Subject: Re: [Assp-test] FW: Email interface kicking in on external mail?
>>
>>
>>
>> Thanks for the clarification.
>>
>> This was an attempt to get ASSP and Office 365 talking seeing as Office
>> 365 can't do outbound authentication. Unfortunately it has meant that
>> anyone using Office 365 was treated as a local user, which is something
>> that we cannot have, so I will have to take it all out and find another
>> solution to Office 365.
>>
>> My personal preference for the email interface would be to be able to
>> restrict it and just have it work on a defined domain (i.e. smtphost.co.uk
>> for us), but if you're happy with just the requirement to define unique
>> addresses then that's OK as it is your software!
>>
>> All the best,
>> Colin Waring.
>>
>>> -----Original Message-----
>>> From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
>>> Sent: 08 August 2014 11:07
>>> To: ASSP development mailing list
>>> Subject: Re: [Assp-test] Email interface kicking in on external mail?
>>>
>>> don't use 'acceptAllMail' for foreign IPs - I never used it for any IP,
>>> because it is an old legacy problematic feature - use the 'relayPort'
>>> instead.
>>> I know that it must be used in some cases for local IPs. For example,
>>> if you can't define the destination port for an SMTP server in another
>>> application (report/notifications).
>>>
>>> 'assphelp' is the default for 'EmailHelp'
>>>
>>> From the GUI:
>>>
>>> Enable Email Interface (EmailInterfaceOk) •
>>> Checked means that you want ASSP to intercept and parse mail to the
>>> following usernames at any localdomains. The domain '@assp.local' is
>>> automatically a local domain and can be used for the email-interface.
>>> read: 'at any localdomains' !!!!
>>>
>>> However - IPs connected to the relayPort are authenticated to relay and
>>> to use the emailinterface .....
>>>
>>> The usernames used in the emailinterface/BlockReport have to be unique for
>>> all local domains - this is a simple conclusion - and every username
>>> should show what it is used for.
>>> This requires no additional exception lists or definitions - only a
>>> clear setup.
>>>
>>> Thomas
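The relay-port lockdown Colin describes and the two checks Thomas recommends (an IP group for the EOP ranges, plus a DoLocalSenderDomain-style sender check) amount to a two-step relay decision. The following Python is an added illustration, not ASSP's own code: it parses a group definition in the [Office365EOP] style posted in the thread (the 2014 ranges quoted above, used here as sample data) and decides whether a relay-port connection may send; the function names are hypothetical and the local domain is taken from Colin's own example.

```python
import ipaddress

# Constructed sample: the [Office365EOP] group exactly as posted in the thread
# (2014 ranges; illustrative only, not a current allow list).
OFFICE365EOP_GROUP = """
[Office365EOP]
65.55.88.0/24
94.245.120.64/26
207.46.51.64/26
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/24
216.32.181.0/24
2a01:111:f400:7c00::/54
"""

# Hypothetical local-domain list for the DoLocalSenderDomain-style check.
LOCAL_DOMAINS = {"smtphost.co.uk"}


def parse_ip_groups(text):
    """Parse '[name]' headers followed by one CIDR per line into {name: [networks]}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
        elif current is not None:
            groups[current].append(ipaddress.ip_network(line, strict=False))
    return groups


def relay_decision(client_ip, mail_from, groups, local_domains, group="Office365EOP"):
    """Decide whether a relay-port connection may send. Returns (allowed, reason).

    Step 1 (allowRelayCon-style): the client IP must fall inside the named group.
    Step 2 (DoLocalSenderDomain-style): the envelope sender domain must be local,
    so another tenant relaying from the same EOP ranges cannot use us as an open relay.
    """
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in groups.get(group, [])):
        return False, "client IP %s is not in [%s]" % (client_ip, group)
    sender = mail_from.strip("<>").lower()
    domain = sender.rpartition("@")[2]          # empty for a null sender "<>"
    if not domain or domain not in local_domains:
        return False, "sender domain %r is not a local domain" % domain
    return True, "relay accepted for %s from %s" % (sender, client_ip)
```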