Steven Kiergaard

asked on

configuring exchange online protection to allow "spoofing"

OK, so I'm brand spankin' new to EOP. We have a few services run by our security team that send emails from outside using internal email addresses. With our Barracuda, it was easy enough to allow them through and not be tagged. EOP is tagging these messages with "This sender failed our fraud detection checks......". I added the IP for the server issuing these to the connection filter IP allow list in the O365 admin center (EAC/protection/connection filter/default/connection filtering/ip allow list). Should I be doing this elsewhere?

Any pointers would be appreciated.
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
You mean internal email addresses with a non-registered domain to O365?

If this is the case, then your e-mail won't route, very simply because O365 needs certificate-based connectors to relay your internal SMTP servers. Otherwise it will accept only emails from registered domains. This change was applied very recently by Microsoft, on 5th July 2017.
This is the article for the above-mentioned condition:

https://blogs.technet.microsoft.com/exchange/2016/03/29/important-notice-for-office-365-email-customers-who-have-configured-connectors/

1. Create one or more connectors in Office 365 to authenticate emails coming from your on-premises mail servers, using either the sending IP address or a certificate.
2. Configure your on-premises servers to relay via Office 365.
3. Configure your setup so that:

   a) The sender domain belongs to your organization (i.e. you have registered your domain with Office 365). For more information, see Add Domains in Office 365.

   OR

   b) Your on-premises email server is configured to use a certificate to send email to Office 365, and the CN (Common-Name) or SAN (Subject Alternate Name) in the certificate contains a domain name you have registered with Office 365 and you have created a certificate based connector in Office 365 with that domain.

If neither step 3a nor 3b is true, Office 365 will NOT be able to know deterministically whether the email sent from your on-premises environment belongs to your organization. Therefore, it is important that organizations with hybrid deployments ensure that they fulfill either step 3a or 3b. This protects your organization, your domain, and your IP reputation.
Steven Kiergaard

ASKER

Specific (and so far only) example:
The security team uses "wombat" as an external service to send a training reminder to a user inside my domain (heyyou.net for example).
Wombat sends the message as securitymavin@heyyou.net from a wombat IP address. The message gets to the inbox, so most of the rules are correct, but it is tagged with "This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing"

I'm guessing the SPF is the key, since the message analyzer shows permfail on SPF.
I'm going to try btan's advice on that but am listening to any advice.
Yes, that's true. I thought you were routing e-mail using an internal SMTP server.
I advise you to avoid spoofing. 99% your IP or domain will be blacklisted. I am dealing with the same situation for my client. With the recent ransomware attack, a lot of companies have set up very strict rules for spammers. Though you are sending genuine mail, you cannot justify spoofing. I heard Google will not entertain certificates older than one year and the domain will be blocked.
Adding the SPF took care of the issue.
Amit, I understand the issue but my security team "insists".
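
Added example, not part of the thread: a minimal SPF evaluation showing why mail sent as the organization's domain from an outside service fails SPF until the service's addresses are authorized in the domain's record, and how publishing a second SPF record produces a permanent error instead. The vendor domain `spf.wombat.example`, the IP addresses and the record contents are constructed for illustration; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT data, not real DNS: the page's example domain, a hypothetical
# vendor SPF domain, and documentation-range IP addresses.
VENDOR = {"spf.wombat.example": ["v=spf1 ip4:203.0.113.16/28 -all"]}
ZONE_BEFORE = {**VENDOR, "heyyou.net": ["v=spf1 ip4:198.51.100.0/24 -all"]}
ZONE_AFTER = {**VENDOR, "heyyou.net": [
    "v=spf1 ip4:198.51.100.0/24 include:spf.wombat.example -all"]}
# A second record published beside the first, instead of editing it.
ZONE_DUPLICATE = {**VENDOR, "heyyou.net": [
    "v=spf1 ip4:198.51.100.0/24 -all", "v=spf1 include:spf.wombat.example -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone, budget=None):
    """RFC 7208 evaluation limited to the ip4, ip6, include and all mechanisms."""
    budget = [10] if budget is None else budget  # lookup limit shared by includes
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record for the domain
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ipaddress.ip_address(ip) in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # over ten DNS-querying terms
            inner = check_spf(ip, arg, zone, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # broken include target
        else:
            raise NotImplementedError(f"mechanism not covered here: {term}")
    return "neutral"  # no mechanism matched and no "all" term
```

Calling `check_spf("203.0.113.20", "heyyou.net", zone)` against each of the three constructed zones shows the vendor address moving from `fail` to `pass` once the `include` is added to the single existing record.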