Hi all,

I'm hoping some of you may have experience with this type of setup or have some input as to how this may be done correctly. Also, if this is not something that's ok to discuss on this mail list, apologies for that.

We are currently running Exchange in a hybrid setup and wish to send and receive mails "on-prem" and route it to Exchange Online (for those who have mailboxes there). Inbound mail is fairly easy to set up. That's already done, and it works well.

What I would like to get your input on is how to (securely) relay mails from Exchange Online to people outside our organization. We are currently running all in- and outbound emails on postfix.

Exchange Online lists 4 ip-ranges as their outbound connectors:

40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17

I could just list those 4 ranges as "mynetworks" and that should work but I'm uncertain if Microsoft makes any kind of "guarantees" that only their Exchange servers use those 4 ip-ranges. If I use the "mynetworks" then I'm worried that we'd be an open relay.

I thought about using "smtpd_client_restrictions" to limit who could relay through the server (besides a firewall) and adding our own domains to "check_sender_access". That way you would at least have to both send from the above-mentioned ranges, and we'd only allow you to send from our domains. I know that's not more than "security through obscurity" but it does raise the bar a little. The issue with this approach is that I can't do something like this "relay_domains = *". This would also keep "mynetworks" to localhost only.

Has anyone here any experience or ideas on how to securely relay mails from Exchange Online? I know Microsoft doesn't allow other tenants to send from our domains so if I can trust that it doesn't change, and they only allow their own Exchange servers on those ip-ranges then the "mynetworks" approach is by far the easiest.

Best regards,
Bo
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
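
The source-range-plus-sender check described in the message above, written out as Postfix configuration next to the plain "mynetworks" variant. This is an added example, not part of the original post: the file paths, the class name `exo_sender_check` and the domain `example.com` are assumptions, and it places the check in `smtpd_relay_restrictions` (Postfix 2.10 and later) rather than `smtpd_client_restrictions`.

```conf
# /etc/postfix/main.cf (added example; paths and names are assumptions)

# Variant A: trust the four ranges outright. Any client connecting from
# them may relay to any destination, with any envelope sender.
#mynetworks = 127.0.0.0/8 [::1]/128
#    40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 104.47.0.0/17

# Variant B: mynetworks stays local. A client in the four ranges may relay
# only when the envelope sender is in one of our own domains.
mynetworks = 127.0.0.0/8 [::1]/128

# A restriction class lets the CIDR match trigger a second lookup
# instead of returning OK directly.
smtpd_restriction_classes = exo_sender_check
exo_sender_check = check_sender_access hash:/etc/postfix/exo_sender_domains

smtpd_relay_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/exo_clients.cidr,
    reject_unauth_destination

# A client in the ranges whose sender is not listed gets no decision from
# the class and falls through to reject_unauth_destination, so inbound mail
# from those ranges to our own domains is still accepted while relaying to
# outside recipients is refused.

# --- /etc/postfix/exo_clients.cidr (cidr tables need no postmap) ---
#   40.92.0.0/15     exo_sender_check
#   40.107.0.0/16    exo_sender_check
#   52.100.0.0/14    exo_sender_check
#   104.47.0.0/17    exo_sender_check

# --- /etc/postfix/exo_sender_domains ---
# (rebuild after edits: postmap /etc/postfix/exo_sender_domains)
#   example.com      OK      # placeholder for each of our own domains
```

`check_sender_access` matches the envelope sender (MAIL FROM) that the connecting client supplies, so variant B rests on the same assumption stated in the message: that Microsoft only lets a tenant send from its own domains.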