> I've done a terrible job of explaining this, partly because I don't
> fully understand and also don't have all the facts.

Try to gather as much information as possible and draw a diagram on a piece of paper.

> We are trying to provide mail filtering using postfix/amavis for a
> company using O365 for their corporate mail who realizes just O365
> filtering isn't enough.
>
> The clients are using Outlook without SMTP Auth and outlook.office.com
> webmail.
>
> The primary problem we're having is that outbound filtering through
> the postfix server doesn't work because it won't allow relaying from
> the outbound.protection.outlook.com server, and we haven't implemented
> submission support.

I am not an expert in O365, but it seems that it can't use SASL for the outbound connector. But it can use a certificate:
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow

Postfix also supports certs:
http://www.postfix.org/TLS_README.html#server_access

permit_tls_clientcerts:
> Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts

With all of that you can try to add the O365 cert to $relay_clientcerts and add "permit_tls_clientcerts" to "smtpd_relay_restrictions".

I heard that O365 supports VPN, so if you set it up, you would be able to add the O365 IP to $mynetworks (I am not sure if it is possible to send emails from O365 via VPN). I suggest asking O365 support/forum/superuser.com for help.

Again: Postfix needs to distinguish O365 from some random bot that sends spam, otherwise it will not relay email! There are 3 ways to do that:

* Add the O365 IP to $mynetworks (can't be done unless you set up a VPN between O365 and Postfix, because you do not know the public IP of O365)
* Make O365 use SASL authentication (but it looks like it is not supported)
* Use the O365 certificate for authentication. Should work.
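The certificate option from the reply above, written out as an added Postfix configuration example; it is not part of the original message. The file paths, the table label and the fingerprint value are placeholders, and the server certificate settings assume TLS is not yet configured on the relay.

```cfg
# ---- /etc/postfix/main.cf (fragment) ----
# Comments must be on their own lines; Postfix does not strip trailing comments.

# Offer STARTTLS to inbound clients. Paths below are placeholders.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/relay-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/relay-key.pem

# Request a client certificate during the handshake. Without this the server
# never sees one and permit_tls_clientcerts can never match.
smtpd_tls_ask_ccert = yes

# Digest used to compute fingerprints. Set it explicitly so the table below
# and the server always agree, whatever the version default is.
smtpd_tls_fingerprint_digest = sha256

# Log TLS session summaries so failed or missing client certs are visible.
smtpd_tls_loglevel = 1

# Table of client certificate fingerprints that are allowed to relay.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# Relay for local networks and for listed client certificates; everything
# else may only deliver to domains this server is responsible for.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# ---- /etc/postfix/relay_clientcerts ----
# One line per certificate: colon-separated fingerprint, then any label.
# Anyone presenting a listed certificate may relay, so list only
# certificates whose holder you intend to relay for.
# Compute the value from the client's certificate with:
#   openssl x509 -in client-cert.pem -noout -fingerprint -sha256
# then rebuild the table with:
#   postmap /etc/postfix/relay_clientcerts
<SHA256-FINGERPRINT-PLACEHOLDER>    o365-outbound-connector
```

A certificate fingerprint changes whenever the client certificate is reissued, so the table entry has to be updated at each renewal.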
