Solved

Concerns with rerouting emails from head office's Proofpoint to our exchange server

Posted on 2016-07-27
Last Modified: 2016-07-29
We plan to have an interim setup where emails meant for us in our country & HQ (in another country)
have a common domain (.com instead of .sg & .au), so the plan is to reroute emails from HQ's Proofpoint (which
scans for malware, spam, rules) meant for us to us (via the public Internet), & Proofpoint locally won't
scan further for malware, spam, rules. Please share the possible concerns/issues (security & non-security as well):

(I can only think of 2 concerns: can the source from our HQ srvm02.zzzbank.com.au be spoofed, either by
 IP & FQDN? & while forwarding via the Internet, can it be altered/injected? We don't plan to set up a site to
 site VPN between our HQ & us)

e.g. header info from a sample email:
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
Question by:sunhux
2 Comments
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 1000 total points
ID: 41733363
I haven't used Proofpoint before, but many SMTP gateways can enforce TLS encryption and drop plaintext connections. This can be done per domain or globally.

That would avoid man-in-the-middle problems.

Using SPF and DKIM would help with spoofing. SPF takes minutes to set up for testing. DKIM is a little more involved.
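One defensive check that the TLS and spoofing points above suggest, as an added example that is not from this thread: a small Python script that parses the Received headers quoted in the question and verifies that the hop into the local Exchange came from the expected HQ relay, presented the expected IP, and was TLS-protected. The relay table and the sample message are constructed from the question's headers (an assumption); on the Internet route the private IP shown there would be the HQ gateway's public address instead.

```python
import re
from email import message_from_string

# Relay our MTA should see on the HQ -> local hop, with the IP it must present.
# Taken from the sample headers in the question; on the Internet route it would
# be HQ Proofpoint's public address, so adjust the table then (assumption).
ALLOWED_HQ_RELAYS = {"smtp.zzzbank.com.au": "10.98.2.87"}

# Constructed sample built from the Received lines quoted in the question.
SAMPLE = """\
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821

"""

# "from <name> (<info>) by <name> ... with <protocol> id ..."
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+).*?\swith\s+(.+?)\s+id\s", re.S)


def parse_hops(raw):
    """Return the Received hops, most recent (written by our own MTA) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "info": m.group(2),
                         "by": m.group(3), "with": m.group(4)})
    return hops


def check_hq_hop(raw):
    """Verify the delivering hop came from the expected HQ relay over TLS.
    Only hops[0] is trusted: our own server wrote it. Everything below it was
    written by remote systems and can be forged by whoever sent the mail."""
    hops = parse_hops(raw)
    if not hops:
        return False, "no parsable Received header"
    hop = hops[0]
    expected_ip = ALLOWED_HQ_RELAYS.get(hop["from"])
    if expected_ip is None:
        return False, "unexpected relay: " + hop["from"]
    if expected_ip not in hop["info"]:
        return False, "relay name/IP mismatch: " + hop["info"]
    # Exchange logs "(TLS)"; sendmail-style MTAs log ESMTPS for a TLS session.
    if "TLS" not in hop["with"] and not hop["with"].startswith("ESMTPS"):
        return False, "hop not TLS protected: " + hop["with"]
    return True, "ok"
```

Such a check belongs in a transport rule or a mail-flow monitor; the gateway's own TLS enforcement, as described above, is what actually prevents a plaintext hop from being accepted.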
 
LVL 37

Accepted Solution

by:Jian An Lim
Jian An Lim earned 1000 total points
ID: 41733464
It is an interesting setup.
I assume you don't have a site-to-site VPN, therefore you will have 2 different ADs.

I am not worried too much about security as those can be identified and closed off, and you can always make sure all emails deliver back to Proofpoint so your email always delivers in and out from Proofpoint. Further, you can also whitelist in Proofpoint where your origin email is from.

I am more concerned about the business needs and configuration.

The first concern is who is the authoritative AD of the .com domain.
For example,
there are 2 separate users called John.citizen in 2 different domains:
john.citizen@zzzbank.com.au in domain au
john.citizen@bbbbank.com.sg in domain sg

Who will have john.citizen@aaabank.com?

If you ask me, I would rather create subdomains on aaabank.com,
for example
john.citizen@au.aaabank.com
john.citizen@sg.aaabank.com

This way you won't have conflicts, especially if you are in a large corporation (assuming your environment is a bank).

2nd concern:
how the email is to be delivered.
Let's say john.citizen@aaabank.com belongs to au. How do you configure your Proofpoint to deliver it?
Do you want to deliver to zzzbank.com.au and, if not found, then deliver all emails to bbbbank.com.sg?

I hate to say this will always introduce complexity in management, and troubleshooting issues can be funny.

3rd concern:
who controls what. In a large corporate, I doubt email administration and Proofpoint administration are the same team. You need to minimise your possibility of error.
