Solved

Concerns with rerouting emails from head office's Proofpoint to our exchange server

Posted on 2016-07-27
2
246 Views
Last Modified: 2016-07-29
We plan to have an interim  setup where emails meant for us in our country & HQ (in another country)
has a common (.com instead of .sg & .au) so the plan is to reroute emails from HQ's Proofpoint (which
scan for malware, spam, rules) meant for us to us (via public Internet ) & Proofpoint locally won't
scan further for malware, spam, rules.   Pls share the possible concerns/issues (security & non-security as well):

(I can only think of 2 concerns : can the source from our HQ srvm02.zzzbank.com.au be spoofed either by
 IP & FQDN?  & while forwarding via Internet, can it be altered/injected?  we don't plan to set up a site to
 site VPN between our HQ & us)

eg: header info from a sample email
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
0
Comment
Question by:sunhux
2 Comments
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 250 total points
ID: 41733363
I haven't used Proofpoint before, but many SMTP gateways can enforce TLS encryption and drop plaintext connections.  This can be done domain-specific or globally.

That would avoid man-in-the-middle problems.

Using SPF and DKIM would help with spoofing.  SPF takes minutes to setup testing.  DKIM is a little more involved.
0
 
LVL 36

Accepted Solution

by:
Jian An Lim earned 250 total points
ID: 41733464
It is a interesting setup.
I assume you don't have site-to-site VPN, therefore you will have 2 different AD.

I am not worried too much about security as those can be identified and close off, and you can always make sure all emails deliver back to proofpoint so your email always deliver in and out from proofpoint. further you can also whitelist in proofpoint where your origin email from.



I am more concern about the business needs and configuration

the first concern is who is the authoriative AD of the .com domain
for example,
there are 2 seperate users called John.citizen in 2 different domain
so john.citizen@zzzbank.com.au in domain au
john.citizen@bbbbank.com.sg in domain sg

who will have the john.citizen@aaabank.com ?

if you ask me, i will rather create subdomain on aaabank.com
for example
john.citizen@au.aaabank.com
john.citizen@sg.aaabank.com

this way you won't have conflict especially you are in a large corporation (assuming your environment are in bank)

2nd concern
how the email to be delivered to
let's say john.citizen@aaabank.com belongs to au. How do you configure your proof point to deliver to?
do you want to deliver to zzzbank.com.au and if not found, then deliver all emails to bbbbank.com.sg ?

i hate to say this will always introduce complicity on management and troubleshooting on issues can be funny.


3rd concern
who control what. in a large corporate, i doubt email administration and proofpoint administration is the same team.  you need to minimise your possible of error
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question