Solved

SMTP Relay with Office 365

Posted on 2016-10-06
Last Modified: 2016-10-07
We are in the process of migrating to Office 365. Currently we have a hybrid environment and all regular user accounts have been migrated to O365. I am left with some mailboxes that are used for alerts and the like for automated processes. These mostly function thru SMTP relays from the server running the process using the on-premise Exchange server as the relay. We have the Exchange server set to not allow relays except for a designated list of internal IPs.

We'd like to move that process into the O365 cloud. I have found the following articles:

https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx#option3

https://support.microsoft.com/en-us/kb/230235

Here are my issues. I want to do this without having any on-premise Exchange, hybrid or other SMTP server. We'd like to relay directly to the cloud.

Second, we use an email filtering service that we like and at the moment aren't going to abandon. So, our MX record points to that service and NOT the preferred DNS name that gets set up when you activate your tenant: x.x@outlook.com.

I might be able to relay thru the email filtering service, but I'm waiting to hear back from their tech support.

I have found that if I follow the first article in setting up an SMTP relay and I point my process to use the preferred DNS name that it works.

So that brings me to my main issue and question. I am assuming that if I can relay to that preferred DNS name from my server, that a hacker could probably also bypass my MX record and send to that DNS name from the outside as well. Currently we have a firewall rule that says to only accept incoming email that has passed thru our filtering service. So, if someone attempts to bypass the designated MX record, the email will fail to come in. With everything in O365, the traffic won't come thru our firewall anymore.

Am I right in assuming that anyone could use the preferred DNS name to send us mail and bypass our email filtering system? If so, can I, and how can I, block incoming email that doesn't pass thru our email filtering system?

I realize that creating such a block would in fact break my SMTP relay directly to O365, but assuming I can relay thru my filtering service, that's OK. I also realize that O365 has built-in protections that I can also turn on, but I always think it's better to not get in what would obviously be trash in the first place than to let it in and then hopefully stop it later on.
0
Question by:jhyiesla
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1500 total points
ID: 41832031
The most common question I ask when it comes to "relaying" with Office365 is whether the client is actually relaying. If it is alerts etc, are they going to an external email address? In a lot of cases they are not. Therefore you aren't relaying and you can just send the email in the usual way, either to your MX record host or to the Office365 environment direct.

Another method I have used (and actually encourage) when it comes to alerting which involves external recipients is to have those external recipients set as contacts and members of a group. The group email address then gets configured as the alert address. Makes it very easy to change the destination of the alerts.

If you are looking to send to random addresses from internal resources, then the second article is the key point. You would restrict the use of the connector to specific IP addresses. That would stop someone from abusing the connection. I don't think Office365 would allow you to set up a connector which allows anything to relay, because that would be an open relay.
0
 
LVL 28

Author Comment

by:jhyiesla
ID: 41832306
We have a couple of different scenarios, but in the one I'm doing that I'm using as a test for this, the application just sends an alert email to an internal mailbox with its SMTP connection pointed at the Exchange server using port 25. It doesn't authenticate to anything.

The second article seems to be about setting something up using the EMC, which I don't want to do because eventually there will not be an Exchange server on-site. So I don't think that will work for me. Mostly we email to internal mailboxes which are either monitored by a person or the emails are picked up by an automated process of some kind. I think we do email some things outside the company, but it's not as common. And some of the things that we are relaying now do log in and authenticate as a user before sending the email.

Assuming that I can get relaying to work thru the email filtering service, the actual relay issue isn't as big a deal... I then become more concerned about the apparently open incoming DNS connection that I'd like to block since it would bypass filtering.
0
 
LVL 4

Expert Comment

by:Dinesh Singh
ID: 41832492
There are 3 options to send email from a device or application in Office 365:
1. SMTP client submission.
2. Direct Send.
3. SMTP Relay.

For full details, please go through:
https://ucservice.blogspot.com/2016/09/office-365-send-email-from-device-or.html

https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx
0
 
LVL 28

Author Comment

by:jhyiesla
ID: 41832496
Dinesh, Yes, I've discovered that. It's the point of the first article I referenced. Thanx...
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 41832713
If you are sending to an internal recipient, then you aren't relaying. You are just sending email in the same way as everyone else sends you email. Therefore nothing would need to be changed on either your Office365 configuration or at the filter. The most you may have to do is whitelist the IP addresses.

It is only sending to external recipients that requires relaying.
0
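The concern raised in the question, mail handed straight to the tenant's hostname instead of arriving through the MX filtering service, can be audited from the Received headers of delivered messages. The script below is an added example, not part of the original thread; the filter range, internal range, host suffix and sample messages are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumptions (constructed values): the filtering service's egress range, the
# range used between the tenant's own servers, and the suffix of the hosts
# that accept mail for the tenant. Replace with your environment's values.
FILTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BOUNDARY_SUFFIX = ".mail.example-tenant.test"

HOP = re.compile(r"from\s+\S+\s+\([^()]*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>[^\s;]+)")

def classify(raw_message):
    """Return 'via-filter', 'bypassed-filter' or 'unknown' for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Received headers are newest first. Only those stamped by our own boundary
    # hosts are trustworthy, so decide on the first external handoff and never
    # read further down, where the sending side controls the content.
    for value in msg.get_all("Received", []):
        hop = HOP.search(str(value))
        if not hop or not hop.group("by").lower().endswith(BOUNDARY_SUFFIX):
            continue
        try:
            src = ipaddress.ip_address(hop.group("ip"))
        except ValueError:
            continue
        if any(src in net for net in INTERNAL_NETS):
            continue  # hop between the tenant's own servers
        return "via-filter" if any(src in n for n in FILTER_NETS) else "bypassed-filter"
    return "unknown"

def hop_line(src_host, src_ip, by_host):
    """Build one constructed Received header line for the samples below."""
    return (f"Received: from {src_host} ({src_host} [{src_ip}]) by {by_host} "
            "with ESMTP; Thu, 06 Oct 2016 10:00:00 +0000\n")

MX = "mx1" + BOUNDARY_SUFFIX
# Constructed sample: filter -> tenant boundary -> internal mailbox hop.
VIA_FILTER = (hop_line(MX, "10.0.0.5", "mbx1" + BOUNDARY_SUFFIX)
              + hop_line("out1.filter.example", "203.0.113.25", MX)
              + "Subject: alert\n\nbody\n")
# Constructed sample: delivered directly; the lower header is sender-supplied
# and merely claims the filter relayed it, so it must not be trusted.
DIRECT = (hop_line("host.sender.example", "198.51.100.99", MX)
          + hop_line("out1.filter.example", "203.0.113.25", MX)
          + "Subject: invoice\n\nbody\n")
```

Running `classify` over an export of recent inbound messages shows how much mail, if any, is reaching mailboxes without passing the filtering service.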
