Using Postfix as a smarthost for Exchange Online (O365)

Using Postfix as a smarthost for Exchange Online (O365)

martijn.list
Hi,

I need to configure a smart host for Exchange Online (Office 365), i.e.,
all email sent with Exchange Online should be relayed through an
external Postfix server (smarthost). O365 allows a smarthost to be
configured. Unfortunately you can only configure the hostname (or IP) of
the smarthost but not some sort of authentication. Because O365 does not
support an authenticated connection, I need to add filtering based on
sender domain (assuming that O365 does not allow other users to spoof a
sender domain). The complicating factor is that I also want the Postfix
server to accept email for the domains hosted by O365, i.e., Postfix
should accept the email for my domains and then forward it to O365.

O365 <-> Postfix <-> Internet

I came up with the following:

If the IP is from the O365 IP range, check if the sender is from my
domains, if not reject the message.

In main.cf:

mynetworks = 23.103.132.0/22, 23.103.136.0/21, .. other IP ranges used by O365

smtpd_client_restrictions = check_client_access
    cidr:/etc/postfix/o365_ip_ranges

o365_check_sender_domain = check_sender_access
    hash:/etc/postfix/o365_authorized_senders, reject

smtpd_restriction_classes = o365_check_sender_domain

o365_ip_ranges file:

23.103.132.0/22  o365_check_sender_domain
23.103.136.0/21  o365_check_sender_domain
... other IP ranges used by O365

o365_authorized_senders file:

<>                              OK
exchange-online.example.com     OK

Note: <> is added to allow bounces

The above setup seems to work for the most part (at least in a local
test). If email is sent from the O365 range, the email is rejected if
the sender address is not from the authorized list. Email sent from some
other IP range is accepted.

There might however be one problem. The Postfix server should accept all
email for the hosted domains and forward it to O365 regardless of the
sender domain. This works if the incoming address is *not* from the O365
IP range. However this does not work if the sender is using O365 (using
some other domain hosted on O365). The authorized sender domain check
should be skipped if the recipient domain is in the relay domains.

Any idea how I can skip the check sender domain if the recipient domain
is in the relay domains?

There might also be a better way to configure Postfix as a smarthost for
O365.

Kind regards,

Martijn

Re: Using Postfix as a smarthost for Exchange Online (O365)

martijn.list
On 04/25/2017 01:19 PM, [hidden email] wrote:

> On 2017-04-25 01:54, martijn.list wrote:
>
>> I need to configure a smart host for Exchange Online (Office 365), i.e.,
>> all email sent with Exchange Online should be relayed through an
>> external Postfix server (smarthost). O365 allows a smarthost to be
>> configured. Unfortunately you can only configure the hostname (or IP) of
>> the smarthost but not some sort of authentication. Because O365 does not
>> support an authenticated connection, I need to add filtering based on
>> sender domain (assuming that O365 does not allow other users to spoof a
>> sender domain). The complicating factor is that I also want the Postfix
>> server to accept email for the domains hosted by O365, i.e., Postfix
>> should accept the email for my domains and then forward it to O365.
>
> So by using the term "smart host," I am taking that to mean you are
> wanting all email from O365 to be relayed through your postfix box, when
> in fact it seems you are wanting to implement some sort of filter,
> correct?  Or am I misunderstanding your use of the term "smarthost"?

Yes that is correct.

The following configuration seems to work.

In main.cf:

mynetworks = 23.103.132.0/22, 23.103.136.0/21, .. other IP ranges used by O365

smtpd_client_restrictions = check_client_access
    cidr:/etc/postfix/o365_ip_ranges

o365_check_sender_domain = check_sender_access
    hash:/etc/postfix/o365_authorized_senders, reject_unauth_destination

smtpd_restriction_classes = o365_check_sender_domain

o365_ip_ranges file:

23.103.132.0/22  o365_check_sender_domain
23.103.136.0/21  o365_check_sender_domain
... other IP ranges used by O365

o365_authorized_senders file:

<>                              OK
exchange-online.example.com     OK

Note: <> is added to allow bounces

But perhaps there is an easier/better way.

Kind regards,

Martijn
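
An added example, not part of the thread and not Postfix code: a simplified Python model of the RCPT TO decision under the two configurations posted above, showing what changes when the class ends in reject_unauth_destination instead of reject. The relay_domains value, the default smtpd_relay_restrictions and the addresses in the usage are assumptions; the IP ranges and the authorized sender entries are the ones from the posts.

```python
import ipaddress

# From the posts; the "... other IP ranges used by O365" entries are left out.
O365_RANGES = [ipaddress.ip_network(n)
               for n in ("23.103.132.0/22", "23.103.136.0/21")]
AUTHORIZED_SENDERS = {"<>", "exchange-online.example.com"}
# Assumption: the domains hosted on O365 are listed in relay_domains.
RELAY_DOMAINS = {"exchange-online.example.com"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def sender_authorized(sender):
    # check_sender_access looks up the null sender as "<>" and other senders
    # by full address, then by domain (parent-domain matching is not modelled).
    if sender in ("", "<>"):
        return "<>" in AUTHORIZED_SENDERS
    return (sender.lower() in AUTHORIZED_SENDERS
            or domain_of(sender) in AUTHORIZED_SENDERS)


def decide(client_ip, sender, rcpt, final_action):
    """Model one RCPT TO decision.

    final_action is the last element of the o365_check_sender_domain class:
    "reject" (first post) or "reject_unauth_destination" (second post).
    """
    rcpt_is_relay = domain_of(rcpt) in RELAY_DOMAINS
    ip = ipaddress.ip_address(client_ip)
    from_o365 = any(ip in net for net in O365_RANGES)

    # smtpd_client_restrictions: only clients in the cidr table get the class.
    if from_o365 and not sender_authorized(sender):
        if final_action == "reject":
            return "REJECT"
        if final_action == "reject_unauth_destination" and not rcpt_is_relay:
            return "REJECT"

    # Assumed default smtpd_relay_restrictions:
    # permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination.
    # The O365 ranges are in mynetworks, so those clients may relay anywhere.
    if from_o365 or rcpt_is_relay:
        return "ACCEPT"
    return "DEFER"
```

Calling decide() with a client in the O365 ranges, a sender outside the authorized list and a recipient in relay_domains returns REJECT for the first configuration and ACCEPT for the second, which is the case the first post asked about.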