Solved

Concerns with rerouting emails from head office's Proofpoint to our exchange server

Posted on 2016-07-27
2
131 Views
Last Modified: 2016-07-29
We plan to have an interim  setup where emails meant for us in our country & HQ (in another country)
has a common (.com instead of .sg & .au) so the plan is to reroute emails from HQ's Proofpoint (which
scan for malware, spam, rules) meant for us to us (via public Internet ) & Proofpoint locally won't
scan further for malware, spam, rules.   Pls share the possible concerns/issues (security & non-security as well):

(I can only think of 2 concerns : can the source from our HQ srvm02.zzzbank.com.au be spoofed either by
 IP & FQDN?  & while forwarding via Internet, can it be altered/injected?  we don't plan to set up a site to
 site VPN between our HQ & us)

eg: header info from a sample email
Received: from smtp.zzzbank.com.au (10.98.2.87) by ZZZWVEXC01ZZ.bbb.com.au
 (10.9.95.37) with zzzzz SMTP Server (TLS) id 24.3.271.0; Wed, 20 Jul 2016
 17:07:22 +0800
Received: from pps.reinject (srvm02.zzzbank.com.au [127.0.0.1])      by
 srvz02.zzzbank.com.au (8.15.0.59/8.15.0.59) with ESMTPS id u6K97Jk3033821
0
Comment
Question by:sunhux
2 Comments
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 250 total points
Comment Utility
I haven't used Proofpoint before, but many SMTP gateways can enforce TLS encryption and drop plaintext connections.  This can be done domain-specific or globally.

That would avoid man-in-the-middle problems.

Using SPF and DKIM would help with spoofing.  SPF takes minutes to setup testing.  DKIM is a little more involved.
0
 
LVL 36

Accepted Solution

by:
Jian An Lim earned 250 total points
Comment Utility
It is a interesting setup.
I assume you don't have site-to-site VPN, therefore you will have 2 different AD.

I am not worried too much about security as those can be identified and close off, and you can always make sure all emails deliver back to proofpoint so your email always deliver in and out from proofpoint. further you can also whitelist in proofpoint where your origin email from.



I am more concern about the business needs and configuration

the first concern is who is the authoriative AD of the .com domain
for example,
there are 2 seperate users called John.citizen in 2 different domain
so john.citizen@zzzbank.com.au in domain au
john.citizen@bbbbank.com.sg in domain sg

who will have the john.citizen@aaabank.com ?

if you ask me, i will rather create subdomain on aaabank.com
for example
john.citizen@au.aaabank.com
john.citizen@sg.aaabank.com

this way you won't have conflict especially you are in a large corporation (assuming your environment are in bank)

2nd concern
how the email to be delivered to
let's say john.citizen@aaabank.com belongs to au. How do you configure your proof point to deliver to?
do you want to deliver to zzzbank.com.au and if not found, then deliver all emails to bbbbank.com.sg ?

i hate to say this will always introduce complicity on management and troubleshooting on issues can be funny.


3rd concern
who control what. in a large corporate, i doubt email administration and proofpoint administration is the same team.  you need to minimise your possible of error
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now