firewall access with necessary ports on inbound and outbound

Dear Experts

We have the application server (a web-based CRM system) running on Windows 2012 R2, deployed on premises behind the firewall. We have to configure the CRM application to send mails to the customers through an Office 365 email account, hence the network team has provided access only to smtp.office365.com on port 587 and denied the rest of the outbound or inbound access, i.e. no HTTP or HTTPS access to this system.
1. The CRM application is not able to send mails when HTTP/HTTPS is disabled for this system. Through the CRM workflows we are able to send the mails out only when HTTP and HTTPS are allowed to this system at the firewall.
2. We are not able to convince the network team, as they say they allowed outbound smtp.office365.com on 587 and the issue would be at the application side; they are asking for an explanation of why HTTP/HTTPS is required.
Can you please help me to understand what ports or access need to be enabled at the firewall for this system/server, in addition to smtp.office365.com and port 587, for INBOUND and OUTBOUND, so that we can communicate with the network team?
Asked by D_wathi
Prabhin MP (DevOps Engineer) commented:
Sending mail from your CRM application using an O365 email ID doesn't require HTTP and HTTPS access to the outside world.

Email SMTP communicates using the SMTP server on port 587, which is already done by your network team.

As you are using SMTP for sending emails, it doesn't require ports 80 and 443 to be open.

Here is the config doc on SuiteCRM.

https://community.sugarcrm.com/thread/23638
D_wathi (Author) commented:
Thank you very much for the reply. When access to the outside world is provided, the CRM system is able to send out mails, but when we stop it the mails also get stopped. We are able to telnet from this system and connect to smtp.office365.com on port 587. Is there any handshake that has to happen between this system and the Office 365 SMTP servers, and is it failing due to this? Can you help with steps to investigate, please?
Prabhin MP (DevOps Engineer) commented:
Prabhin MP (DevOps Engineer) commented:
As you are confused about the handshake with the SMTP server: how is it dependent on the web server ports 80 and 443?
D_wathi (Author) commented:
Thanks for the reply. Yes, the network team wanted to keep outbound access limited only to smtp.office365.com on port 587 and close all other access. The issue we face is that when HTTPS is allowed it works, else it does not; netstat output may help, I think.
Prabhin MP (DevOps Engineer) commented:
Can you try sending an email via telnet using the above link?
D_wathi (Author) commented:
Yes, through telnet we are able to connect and also able to send and receive mail. Do you suggest the Windows Server firewall has something to do here? Should we disable it and see?
Prabhin MP (DevOps Engineer) commented:
I hope you are performing the telnet (for send/receive) from the Windows server. If that's the case, it is not a problem with the firewall. If you want, you can disable the Windows firewall itself.
D_wathi (Author) commented:
Thanks, let me dig a little more and see the logs, and I will post. Thank you so much.
Prabhin MP (DevOps Engineer) commented:
Are you sure you are using TLS??

If not, try with port 465!!! Tell your NW team to allow 465 and check.
Prabhin MP (DevOps Engineer) commented:
Are there any logs in the SugarCRM logs?

If any, post them here!!!
D_wathi (Author) commented:
The following were used:
Account Type: IMAP
Incoming mail server: outlook.office365.com
Outgoing mail server (SMTP): smtp.office365.com
Outgoing Server (SMTP) requires authentication: YES
Ports:
Incoming Server (IMAP) over SSL: 993
Outgoing server (SMTP) over TLS: 587
[attachment: 27sugarcrmlog.txt]
David Johnson, CD, MVP (Retired) commented:
Account Type: IMAP
Incoming mail server: outlook.office365.com
Outgoing mail server (SMTP): smtp.office365.com
Outgoing Server (SMTP) requires authentication: YES
Ports:
Incoming Server (IMAP) over SSL: 993
Outgoing server (SMTP) over TLS: 587

Why don't you do a capture of the packets and see where it fails?
Unfortunately I can't test this using the trial.
D_wathi (Author) commented:
Thanks for the reply. In Linux we can use tcpdump; can you please suggest which tool to use on Windows 2012 R2 to capture the packets?
Prabhin MP (DevOps Engineer) commented:
D_wathi (Author) commented:
Now, by configuring the email settings in the CRM system, we are able to send email to the Office 365 SMTP relay server (Outlook protection), but through the process definitions (the replacement of workflows) emails are not getting delivered. This works based on the task scheduler; does the task scheduler user have to be part of the local admin group/domain group, or of some IIS / Office 365 relay server group? Please suggest.
D_wathi (Author) commented:
I am back for your help. When we tested with TCP Viewer as well as netstat commands, we could see the connection getting ESTABLISHED but packets are not flowing. To be more clear: the CRM system workflow triggers emails to the prospect's email via the SMTP server, with an email account (without password, that is without authentication, as it is a relay server hosted locally), as and when the status of the prospect changes; any time the status changes, an email is to be sent to the prospect through the workflow. We could see the connection to the email server getting established but no packets sent/received, but through telnet we can send and receive mails with the from and to email commands. Can you help with where things are going wrong?
D_wathi (Author) commented:
Using the Office 365 SMTP relay to send mails to the external users through the CRM application, i.e. option 3 in the following URL:
https://support.office.com/en-us/article/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4
Important observation
1. We observed that the CRM system workflow triggers emails when port 80 is opened for the CRM system at the gateway/firewall level; the CRM system gets connected to the internet and connects to crl.globalsign.com, and from there it connects to the Office 365 SMTP.
2. When we disable access to the external network, i.e. port 80 HTTP blocked for the CRM system at the gateway/firewall, then emails do not flow.
3. When we only allowed the CRM system to talk to crl.globalsign.com, then emails are getting triggered.
Can you please help me understand how this Office 365 is working when it is configured to the CRM system? Is it essential that the CRM system be allowed to talk to crl.globalsign.com? Please suggest.
Prabhin MP (DevOps Engineer) commented:
crl.globalsign.com is for checking the certificate revocation list.
Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

This is the new method of checking whether a certificate has expired or not.
For more info, please find the link below:

https://www.techrunnr.com/certificate-revocation-crl-vs-ocsp/
D_wathi (Author) commented:
Thanks for the reply. Allowing access to this URL and blocking it should not make any difference to email sending to external users from the CRM system, and also I am aware that allowing HTTP or HTTPS outbound for the CRM system to the external network, i.e. the internet, has nothing to do with sending emails out to the external network as long as the CRM system is able to connect to the SMTP server with the required ports. I also did not find a log in TCP Viewer of SMTP traffic when the CRM system executed the workflow for the email triggers; TCP Viewer or netstat should capture SMTP traffic if the CRM system is sending out mail to the SMTP server. Is this correct?
Prabhin MP (DevOps Engineer) commented:
Do you have endpoint security installed on your server or network?
D_wathi (Author) commented:
It is installed on the network. The network team is not supporting; can you please help me in understanding what is to be done if it is installed on the network, and likewise what is to be done if it is installed on the server? On this basis I can talk with them, please.
Prabhin MP (DevOps Engineer) commented:
This is very curious, how email works when port 80 is allowed in the firewall.

If possible, if you have Outlook on that system, please try to send and receive mail. I know this won't make any sense.
Prabhin MP (DevOps Engineer) commented:
Any new errors in the SugarCRM logs?
Prabhin MP (DevOps Engineer) commented:
D_wathi (Author) commented:
Thank you so much for this link. In it, the following is mentioned in the last section:
"It should be noted that 3rd party certificate revocation will be required which is carried out normally anonymously on port 80 so any proxies/firewalls routing the traffic should expect this. Depending on your provider you may be able to get the CRL URL in advance but for Office 365 this is not as simple."

1. Does it mean port 80 is to be allowed for the CRM system?
2. It is also mentioned that for Office 365 this is not as simple.
Can you please help me understand this? Thank you.
Prabhin MP (DevOps Engineer) commented:
Even I'm not sure about this.
This is an assumption: during the time of sending email, the server and client exchange the certificate; at the same time, there is a communication happening with the CRL server for certificate validity checks with the certification authority, which is GlobalSign in your case. So I hope port 80 should be opened for the CRM system in the firewall.

I would like to conclude like this, as I don't have any other options or links to dig down into.
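The two comments above (the CRL/OCSP explanation and the closing assumption about port 80) can be checked directly on the CRM host instead of inferred from firewall behaviour. The script below is an added example written for this page; it is not code from the thread, from SugarCRM or from Microsoft. It reproduces what the server's TLS stack does during SMTP submission: TCP connect to smtp.office365.com on 587, EHLO, STARTTLS, then a TLS handshake with certificate revocation checking switched on, which is the step that needs anonymous outbound HTTP to the CA's CRL/OCSP hosts. It then walks the certificate chain the server presented and prints every CRL Distribution Point and Authority Information Access URL in it, which is the list the network team asked for. The host name and port are from the thread; the EHLO client name and the output wording are assumptions.

```powershell
# Added diagnostic, not code from the thread: reproduce SMTP submission
# (TCP 587 + STARTTLS + TLS handshake with revocation check) and list the
# CRL/OCSP URLs referenced by the server's certificate chain, so outbound
# firewall rules can be scoped to exactly those hosts on TCP/80.
param(
    [string]$SmtpHost = 'smtp.office365.com',   # from the thread
    [int]$Port = 587                            # from the thread
)

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A multi-line SMTP reply uses "250-..." for continuation and "250 ..." for the last line.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Get-RevocationUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
    $urls = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            $urls += [regex]::Matches($ext.Format($true), 'https?://[^\s\]\)]+') | ForEach-Object { $_.Value }
        }
    }
    return $urls | Sort-Object -Unique
}

# 1. Plain TCP reachability, the same thing telnet proved in the thread.
$tcp = Test-NetConnection -ComputerName $SmtpHost -Port $Port
if (-not $tcp.TcpTestSucceeded) { throw "TCP ${SmtpHost}:${Port} is blocked" }

$client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true
try {
    # 2. Greeting, EHLO, STARTTLS (all in clear text, exactly as a telnet test would do).
    Read-SmtpReply $reader | Out-Null
    $writer.WriteLine('EHLO crm.example.local')   # placeholder client name (assumption)
    $ehlo = Read-SmtpReply $reader
    if (@($ehlo -match 'STARTTLS').Count -eq 0) { throw 'Server did not offer STARTTLS' }
    $writer.WriteLine('STARTTLS')
    $reply = Read-SmtpReply $reader
    if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

    # 3. TLS handshake with checkCertificateRevocation = $true. This is where the
    #    Windows crypto stack fetches CRL/OCSP data over HTTP; with that blocked,
    #    the handshake fails even though the TCP/587 connection is ESTABLISHED.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    try {
        $ssl.AuthenticateAsClient($SmtpHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        "TLS handshake with revocation check succeeded ($($ssl.SslProtocol))"
    } catch {
        "TLS handshake FAILED with revocation check on: $($_.Exception.Message)"
        'If a plain telnet session works, this failure is the symptom described in the thread.'
        return
    }

    # 4. Walk the presented chain without another fetch and list every CRL/OCSP URL on it.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.Build($leaf) | Out-Null
    'Revocation endpoints referenced by the chain (these need outbound TCP/80 from the CRM host):'
    foreach ($element in $chain.ChainElements) {
        "  [$($element.Certificate.Subject)]"
        Get-RevocationUrl $element.Certificate | ForEach-Object { "    $_" }
    }
} finally {
    $client.Close()
}
```

Run it on the CRM server under the same account the scheduled task or application pool uses, because the revocation fetch goes through that context's WinHTTP proxy settings (shown by `netsh winhttp show proxy`) rather than the interactive user's browser settings. If step 3 fails while telnet works, the printed URL list is the evidence for the network team: the SMTP port is fine, the outbound HTTP fetch to those CRL/OCSP hosts is what is being blocked. For the packet-capture question raised earlier in the thread, Windows 2012 R2 has a built-in equivalent of tcpdump: `netsh trace start capture=yes tracefile=C:\temp\smtp.etl`, reproduce the failure, then `netsh trace stop`; the resulting .etl shows the CRM host attempting HTTP connections to the CRL/OCSP hosts right after the STARTTLS exchange on port 587.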
Prabhin MP (DevOps Engineer) commented:
If possible, you can share the link with your network team for more understanding.
D_wathi (Author) commented:
Yes, I have done it. Thank you very much.