Solved

Concerns with rerouting emails from head office's Proofpoint to our exchange server

Posted on 2016-07-27
2
406 Views
Last Modified: 2016-07-29
We plan to have an interim  setup where emails meant for us in our country & HQ (in another country)
has a common (.com instead of .sg & .au) so the plan is to reroute emails from HQ's Proofpoint (which
scan for malware, spam, rules) meant for us to us (via public Internet ) & Proofpoint locally won't
scan further for malware, spam, rules.   Pls share the possible concerns/issues (security & non-security as well):

(I can only think of 2 concerns : can the source from our HQ srvm02.zzzbank.com.au be spoofed either by
 IP & FQDN?  & while forwarding via Internet, can it be altered/injected?  we don't plan to set up a site to
 site VPN between our HQ & us)

eg: header info from a sample email
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 250 total points
ID: 41733363
I haven't used Proofpoint before, but many SMTP gateways can enforce TLS encryption and drop plaintext connections.  This can be done domain-specific or globally.

That would avoid man-in-the-middle problems.

Using SPF and DKIM would help with spoofing.  SPF takes minutes to setup testing.  DKIM is a little more involved.
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 250 total points
ID: 41733464
It is a interesting setup.
I assume you don't have site-to-site VPN, therefore you will have 2 different AD.

I am not worried too much about security as those can be identified and close off, and you can always make sure all emails deliver back to proofpoint so your email always deliver in and out from proofpoint. further you can also whitelist in proofpoint where your origin email from.



I am more concern about the business needs and configuration

the first concern is who is the authoriative AD of the .com domain
for example,
there are 2 seperate users called John.citizen in 2 different domain
so john.citizen@zzzbank.com.au in domain au
john.citizen@bbbbank.com.sg in domain sg

who will have the john.citizen@aaabank.com ?

if you ask me, i will rather create subdomain on aaabank.com
for example
john.citizen@au.aaabank.com
john.citizen@sg.aaabank.com

this way you won't have conflict especially you are in a large corporation (assuming your environment are in bank)

2nd concern
how the email to be delivered to
let's say john.citizen@aaabank.com belongs to au. How do you configure your proof point to deliver to?
do you want to deliver to zzzbank.com.au and if not found, then deliver all emails to bbbbank.com.sg ?

i hate to say this will always introduce complicity on management and troubleshooting on issues can be funny.


3rd concern
who control what. in a large corporate, i doubt email administration and proofpoint administration is the same team.  you need to minimise your possible of error
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question