• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1340
  • Last Modified:

Concerns with rerouting emails from head office's Proofpoint to our exchange server

We plan to have an interim  setup where emails meant for us in our country & HQ (in another country)
has a common (.com instead of .sg & .au) so the plan is to reroute emails from HQ's Proofpoint (which
scan for malware, spam, rules) meant for us to us (via public Internet ) & Proofpoint locally won't
scan further for malware, spam, rules.   Pls share the possible concerns/issues (security & non-security as well):

(I can only think of 2 concerns : can the source from our HQ srvm02.zzzbank.com.au be spoofed either by
 IP & FQDN?  & while forwarding via Internet, can it be altered/injected?  we don't plan to set up a site to
 site VPN between our HQ & us)

eg: header info from a sample email
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
0
sunhux
Asked:
sunhux
2 Solutions
 
aleghartCommented:
I haven't used Proofpoint before, but many SMTP gateways can enforce TLS encryption and drop plaintext connections.  This can be done domain-specific or globally.

That would avoid man-in-the-middle problems.

Using SPF and DKIM would help with spoofing.  SPF takes minutes to setup testing.  DKIM is a little more involved.
0
 
Jian An LimSolutions ArchitectCommented:
It is a interesting setup.
I assume you don't have site-to-site VPN, therefore you will have 2 different AD.

I am not worried too much about security as those can be identified and close off, and you can always make sure all emails deliver back to proofpoint so your email always deliver in and out from proofpoint. further you can also whitelist in proofpoint where your origin email from.



I am more concern about the business needs and configuration

the first concern is who is the authoriative AD of the .com domain
for example,
there are 2 seperate users called John.citizen in 2 different domain
so john.citizen@zzzbank.com.au in domain au
john.citizen@bbbbank.com.sg in domain sg

who will have the john.citizen@aaabank.com ?

if you ask me, i will rather create subdomain on aaabank.com
for example
john.citizen@au.aaabank.com
john.citizen@sg.aaabank.com

this way you won't have conflict especially you are in a large corporation (assuming your environment are in bank)

2nd concern
how the email to be delivered to
let's say john.citizen@aaabank.com belongs to au. How do you configure your proof point to deliver to?
do you want to deliver to zzzbank.com.au and if not found, then deliver all emails to bbbbank.com.sg ?

i hate to say this will always introduce complicity on management and troubleshooting on issues can be funny.


3rd concern
who control what. in a large corporate, i doubt email administration and proofpoint administration is the same team.  you need to minimise your possible of error
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now