On 30.10.2024 at 08:59 Bo Frost Larsson via mailop wrote:

We are currently running Exchange in a hybrid setup and wish to send and 
receive mails "on-prem" and route it to Exchange Online (for those who have 
mailboxes there).

Inbound mail is fairly easy to set up. That's already done, and it works well.

What I would like to get your input on is how to (securely) relay mails from 
Exchange Online to people outside our organization. We are currently running 
all in- and outbound emails on Postfix.

Exchange Online lists 4 IP ranges as their outbound connectors:

40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17

I could just list those 4 ranges as "mynetworks" and that should work, but I'm 
uncertain if Microsoft makes any kind of "guarantees" that only their Exchange 
servers use those 4 IP ranges. If I use "mynetworks" then I'm worried that 
we'd be an open relay.

I thought about using "smtpd_client_restrictions" to limit who could relay 
through the server (besides a firewall) and adding our own domains to 
"check_sender_access". That way you would at least have to both send from the 
above-mentioned ranges, and we'd only allow you to send from our domains. I 
know that's not more than "security through obscurity", but it does raise the 
bar a little.

I wouldn't do this; this is not secure. Restricting the sender addresses to 
your domain name makes it only slightly better, as your domain is also known to 
attackers and thus not very "obscure". Multiple Proofpoint customers have been 
in the news lately for basically running open relays which accepted all 
messages from Exchange Online as internal emails.

I believe Microsoft's designated way to do this is called "Centralized Mail 
Transport": Exchange Online will send every outgoing message to your Exchange 
on-premises, from where it will take the same route as your local mailboxes.
Additionally you have to make sure that your Exchange Online tenant rejects all 
incoming messages except those coming from your Exchange on-premises. Just 
having the MX records point to your local Postfix is NOT enough; Exchange 
Online will still accept emails if someone tries to deliver them directly there 
- and attackers do try just that.
Also, some special exceptions apply for mailboxes with forwarding rules and the 
various ways to set them up in Exchange.

If you don't want to use Centralized Mail Transport, I'd configure Exchange 
Online to add a secret header to every outgoing message. Your local relay 
server then only accepts emails with this header, strips the header and 
dispatches the emails for final delivery.

—
BR Oliver
________________________________
dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, Commercial Register Mannheim, HRB 104927
Managing Directors: Christoph Werner, Martin Dallmeier, Roman Melcher
________________________________
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
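The layered relay check that the thread converges on (client must be in the four Exchange Online outbound ranges quoted above, envelope sender must be in our own domains, and the message must carry the secret header, which is then stripped before delivery) as an added example; this is not code from the thread or from Postfix, and the header name, the domain list and the sample message are assumptions:

```python
import hmac
import ipaddress
from email import message_from_bytes
from email.policy import default

# The four outbound ranges quoted in the thread.
EXO_RANGES = [ipaddress.ip_network(n) for n in
              ("40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17")]
OUR_DOMAINS = {"example.com"}      # assumed: substitute the organisation's own domains
RELAY_HEADER = "X-Relay-Auth"      # assumed name of the header the EXO connector adds


def from_exchange_online(client_ip):
    """Layer 1: the SMTP client must come from an Exchange Online outbound range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in EXO_RANGES)


def sender_is_ours(mail_from):
    """Layer 2: the envelope sender must use one of our domains."""
    return mail_from.rpartition("@")[2].lower() in OUR_DOMAINS


def relay_decision(client_ip, mail_from, raw_message, secret):
    """Return (accept, reason, message_to_deliver).

    All three layers must pass. The secret is compared in constant time, exactly
    one copy of the header is required, and it is removed before delivery so the
    secret never leaves the relay in outbound mail."""
    if not from_exchange_online(client_ip):
        return False, "client not in Exchange Online outbound ranges", None
    if not sender_is_ours(mail_from):
        return False, "envelope sender not in our domains", None
    msg = message_from_bytes(raw_message, policy=default)
    values = msg.get_all(RELAY_HEADER, [])
    if len(values) != 1 or not hmac.compare_digest(str(values[0]).strip(), secret):
        return False, "relay header missing, duplicated or wrong", None
    del msg[RELAY_HEADER]          # strip the secret before final delivery
    return True, "ok", msg.as_bytes()


# Constructed sample message as an EXO connector with the header would hand it over.
SAMPLE = (b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n"
          b"X-Relay-Auth: s3cret-from-connector\r\n\r\nhello\r\n")
```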
