On Wed, 30 Oct 2024, Bo Frost Larsson via mailop wrote:

Hi all,
 
I'm hoping some of you may have experience with this type of setup or have some 
input as to how this may be done correctly.
 
Also, if this is not something that's ok to discuss on this mail list, 
apologies for that.
 
We are currently running Exchange in a hybrid setup and wish to send and receive mails 
"on-prem" and route it to Exchange Online (for those who have mailboxes there).
 
Inbound mail is fairly easy to set up. That's already done, and it works well. 
 
What I would like to get your input on is how to (securely) relay mails from 
Exchange Online to people outside our organization. We are currently running 
all in- and outbound emails on postfix.
 
Exchange Online lists 4 ip-ranges as their outbound connectors:
 
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
 
I could just list those 4 ranges as "mynetworks" and that should work, but I'm uncertain if 
Microsoft makes any kind of "guarantees" that only their Exchange servers use those 4 ip-ranges. If 
I use the "mynetworks" approach then I'm worried that we'd be an open relay.
 
I thought about using "smtpd_client_restrictions" to limit who could relay through the server (besides a firewall) and 
adding our own domains to "check_sender_access". That way you would at least have to both send from the above-mentioned 
ranges, and we'd only allow you to send from our domains. I know that's not more than "security through obscurity" but 
it does raise the bar a little. The issue with this approach is that I can't do something like this "relay_domains = 
*". This would also keep "mynetworks" to localhost only.
 
Has anyone here any experience or ideas on how to securely relay mails from Exchange 
Online? I know Microsoft doesn't allow other tenants to send from our domains so if I can 
trust that it doesn't change, and they only allow their own Exchange servers on those 
ip-ranges then the "mynetworks" approach is by far the easiest.

I don't know what sorts of rate-limiting postfix can do but I would be
tempted to limit these flows by sender, by ip and by total flow.

--
Andrew C. Aitchison                      Kendal, UK
                   and...@aitchison.me.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
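One way to express the "both conditions" idea from the original question (client in the Exchange Online ranges AND envelope sender in our own domains, with "mynetworks" left at localhost) together with the per-client limits suggested in the reply. This is an added Postfix configuration example, not something either poster wrote; the file paths, the domains example.com/example.net and the limit values are assumptions.

```conf
# /etc/postfix/main.cf (added example; paths, domains and limit values are assumptions)

# Relay for localhost only. The Exchange Online ranges are deliberately NOT in
# mynetworks, so they are neither trusted blindly nor exempt from the anvil
# limits below (smtpd_client_*_rate_limit exceptions default to $mynetworks).
mynetworks = 127.0.0.0/8 [::1]/128

# Restriction class reached only by clients that matched the cidr table below.
# It still requires a sender in one of our domains before relaying is allowed;
# anything else falls through to reject_unauth_destination, so mail from those
# ranges addressed to our own domains (inbound) keeps working.
smtpd_restriction_classes = exo_relay
exo_relay =
    check_sender_access hash:/etc/postfix/exo_sender_domains,
    reject_unauth_destination

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/exo_clients,
    reject_unauth_destination

# Per-client-IP limits enforced by anvil(8), counted per anvil_rate_time_unit.
# Placeholder values: tune them from observed traffic. anvil counts per client
# address only; a per-sender limit needs an SMTP policy service instead.
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 200
smtpd_client_recipient_rate_limit = 1000

# /etc/postfix/exo_clients  (cidr: table; the value is the restriction class,
# ranges copied from the question)
#   40.92.0.0/15     exo_relay
#   40.107.0.0/16    exo_relay
#   52.100.0.0/14    exo_relay
#   104.47.0.0/17    exo_relay

# /etc/postfix/exo_sender_domains  (hash: table; run
# "postmap /etc/postfix/exo_sender_domains" after editing)
#   example.com      OK
#   example.net      OK
```

A quick way to confirm the logic is to send a test message from an address outside the cidr ranges, then from inside the ranges with a foreign sender domain, and check that both are rejected with "Relay access denied" in the mail log.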