One solution is to enable the client certificate for the Office365 sending 
connector and to validate this client certificate for authentication in 
assp using:

a separate SSL relayPort listener for these connections and to configure

listenPortSSL
smtpSSLRequireClientCert
SSLSMTPCertVerifyCB - (read SSLWEBCertVerifyCB)
SSLSMTPConfigure - (read SSLWEBConfigure)

e.g. the same way you would configure a direct connection from Office365 to 
a local Exchange server.
I'm not sure if this will work with self-signed certificates; possibly 
you'll need to buy a client authentication cert if Office365 does not 
accept a self-signed client certificate.
The client cert is only used for authentication; for the SSL/TLS traffic 
the assp server cert is used!


A second solution (the one I prefer) would be to send the outgoing 
Office365 mails directly to your local Exchange by configuring both sides 
for SSL only (with SSL-client-cert-auth); MS has nice manuals for those 
connections. The Exchange server (e.g. in hybrid mode) then sends the 
outgoing mails the same way as for your local users (with 
...->assp->...).

Both methods are very secure because of the 
client-certificate-authentication.

Another (still not implemented in assp) possible solution would be to 
analyze the header lines and to verify (in addition to the connected IP 
and the sender address) the 'X-MS-Exchange-CrossTenant-id:' header line. 
This header line contains the Office365 tenant unique identifier.
The identifier for private (not company related) outlook.com addresses is 
for example: X-MS-Exchange-CrossTenant-Id: 
84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa (more than 99% seen in spam)
The problem here is that assp needs to receive the MIME header first 
before a relay-allowed connection can be detected. At this point in time 
assp is unable to switch over to the relayHost and the internal MTA (your 
Exchange) will have to route the mail.

I don't see a secure solution if you don't use a hosted organization at 
Office365 - and - (if used) private Office365 accounts are not able to 
configure a smarthost using a client certificate.

Thomas
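The header-based check Thomas describes above (connecting IP, sender address and the X-MS-Exchange-CrossTenant-Id header, all three together) as a stand-alone Python example. This is an added illustration, not assp code and not anything assp implements today; the IP ranges, local domains and the organisation's own tenant GUID are constructed placeholders, and only the consumer-tenant GUID is the one quoted in the mail. As Thomas notes, this can only run once the headers have arrived, so in assp it could at best reject or flag a message, not change the relay decision that was already taken at connection time.

```python
"""Decide whether a message that claims to come from our Office 365 tenant
may be relayed.  Combines three checks: the connecting IP must be an
Office 365 sending address, the envelope sender must be one of our
domains, and the X-MS-Exchange-CrossTenant-Id header must name our tenant.
Added example; not part of assp."""
import ipaddress
from email import policy
from email.parser import BytesHeaderParser

# Constructed configuration.  These are documentation ranges (RFC 5737 /
# RFC 3849), NOT Microsoft's published Office 365 sending ranges.
O365_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:365::/48")]
LOCAL_DOMAINS = {"dept1.ourcharity.org", "ourcharity.org"}
OWN_TENANT_ID = "11111111-2222-3333-4444-555555555555"      # hypothetical tenant GUID
CONSUMER_TENANT_ID = "84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa"  # consumer outlook.com tenant (from the mail)
HEADER = "X-MS-Exchange-CrossTenant-Id"


def sender_domain(mail_from: str) -> str:
    """Domain part of an envelope sender such as '<user@dept1.ourcharity.org>'."""
    addr = mail_from.strip().strip("<>")
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def relay_decision(client_ip: str, mail_from: str, raw_message: bytes) -> tuple[bool, str]:
    """Return (allow, reason).  Every check must pass; any ambiguity denies."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client IP"
    if not any(ip in net for net in O365_RANGES):
        return False, f"{client_ip} is not an Office 365 sending address"

    dom = sender_domain(mail_from)
    if dom not in LOCAL_DOMAINS:
        return False, f"sender domain {dom!r} is not a local domain"

    # Only the header block is parsed; the body is irrelevant here.
    headers = BytesHeaderParser(policy=policy.default).parsebytes(raw_message)
    values = [str(v).strip().lower() for v in headers.get_all(HEADER, [])]
    if not values:
        return False, f"missing {HEADER} header"
    if len(set(values)) != 1:
        # Two different tenant ids in one message is a forgery or a relay loop.
        return False, f"conflicting {HEADER} values"
    tenant = values[0]
    if tenant == CONSUMER_TENANT_ID:
        return False, "consumer outlook.com tenant, not our organisation"
    if tenant != OWN_TENANT_ID:
        return False, f"tenant {tenant} is not our tenant"
    return True, "Office 365 IP, local sender and own tenant id all match"


# Constructed sample header blocks (no real messages).
MSG_OWN_TENANT = (
    b"Received: from example.protection.outlook.com (198.51.100.25)\r\n"
    b"X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555\r\n"
    b"From: Ken <ken@dept1.ourcharity.org>\r\n"
    b"Subject: test\r\n\r\nbody\r\n"
)
MSG_CONSUMER = (
    b"X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa\r\n"
    b"From: someone@outlook.com\r\n\r\nbody\r\n"
)
MSG_NO_HEADER = b"From: ken@dept1.ourcharity.org\r\n\r\nbody\r\n"
MSG_CONFLICT = (
    b"X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555\r\n"
    b"X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa\r\n"
    b"From: ken@dept1.ourcharity.org\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for ip, mf, msg in (
        ("198.51.100.25", "<ken@dept1.ourcharity.org>", MSG_OWN_TENANT),
        ("203.0.113.9", "<ken@dept1.ourcharity.org>", MSG_OWN_TENANT),
        ("198.51.100.25", "<someone@outlook.com>", MSG_CONSUMER),
        ("198.51.100.25", "<ken@dept1.ourcharity.org>", MSG_CONFLICT),
    ):
        print(ip, mf, relay_decision(ip, mf, msg))
```

The consumer-tenant GUID is treated as an explicit deny rather than just "not ours" so the reason string makes the spam case Thomas mentions visible in the log; any other foreign tenant is denied by the generic comparison.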

From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    28.07.2021 18:00
Subject: [Assp-test] ASSP with Office365 - discussion



Hello everyone,

One department with their own subdomain at our charity is going to be 
moving to Office365 for email.  I want to be able to keep ASSP in use for 
this handful of users, but could use some guidance from the community 
here.

My plan is:

1) Inbound mail to dept1.ourcharity.org will still have their MX record as 
our internal server.  
1a) The internal SMTP server will then forward mail to users @
dept1.ourcharity.org to <whateveruser>@forward.dept1.ourcharity.org which 
will be set up as an alternate address for each user at Office365. That 
forward subdomain will have MX records pointing to Office365.
I think we're okay there.

2) Outbound mail from Office365 will use a smarthost to connect to ASSP so 
that outbound mail can be added to the corpus, whitelist and other lists 
updated, etc.

My issue is with relaying. I do not want to allow all of Microsoft's 
Office365 IP space (into allowRelayCon) as allowed relay hosts because the 
huge IP space that they use to send messages out is not exclusively used 
by me.  That means that any other Office365 user could set up an Exchange 
connector to send messages through our ASSP.  

Authentication would solve that issue, but apparently, Office365 does NOT 
allow SMTP AUTH for outgoing smarthost. 

I've got to believe that I'm not the only one out there who has run into 
this problem before.  Any ideas would be incredibly appreciated!!

Thanks,
Ken


_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test