authenticate o365 users with postfix without smtp auth


authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
Hi,

we are running a small smtp relay service with postfix for authenticated users. Unfortunately office 365 does not offer any smtp authentication mechanism when sending mails via connectors to smarthosts.

how could one protect smtp submission in another way?

without authentication, everyone from MS ip ranges with valid sender address could relay through our service. i dont like to open our service 'blind' to MS ip ranges.

Ideas/Thoughts are very welcome.

Stefan

Re: authenticate o365 users with postfix without smtp auth

Viktor Dukhovni
On Sun, Jun 16, 2019 at 04:00:38PM +0200, Stefan Bauer wrote:

> We are running a small smtp relay service with postfix for authenticated
> users. Unfortunately office 365 does not offer any smtp authentication
> mechanism when sending mails via connectors to smarthosts.

There's a giant gap between the first sentence and the second.
You'll need to explain the use-case in considerably more detail.

Why does Office365 elect to use your relay at all?  Do they limit
the traffic so routed to just the authorized users?  Are you sure
they can't/won't use a SASL login or TLS client cert to authenticate,
in this context.

There's no magic, Postfix can only authorize based on IP address,
SASL or TLS auth, possibly further constrained by sender address
(which is never sufficient in isolation).

--
        Viktor.

Re: authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
some of our users use o365 but would like to use our service for outgoing mails. we are offering smtp sending services. integrating our service in o365 is tricky, as one can only specify a smarthost but microsoft does not offer any kind of authentication for smarthosts.

so i'm asking if someone also noticed that and can recommend best practice to allow o365 to relay via postfix without available sasl authentication in a secure way.  

I'm just baffled about microsofts move to remove authentication in their exchange cloud version and how to work around that in a reasonable way.

Am Sonntag, 16. Juni 2019 schrieb Viktor Dukhovni <[hidden email]>:

> On Sun, Jun 16, 2019 at 04:00:38PM +0200, Stefan Bauer wrote:
>
>> We are running a small smtp relay service with postfix for authenticated
>> users. Unfortunately office 365 does not offer any smtp authentication
>> mechanism when sending mails via connectors to smarthosts.
>
> There's a giant gap between the first sentence and the second.
> You'll need to explain the use-case in considerably more detail.
>
> Why does Office365 elect to use your relay at all?  Do they limit
> the traffic so routed to just the authorized users?  Are you sure
> they can't/won't use a SASL login or TLS client cert to authenticate,
> in this context.
>
> There's no magic, Postfix can only authorize based on IP address,
> SASL or TLS auth, possibly further constrained by sender address
> (which is never sufficient in isolation).
>
> --
>         Viktor.
>

Re: authenticate o365 users with postfix without smtp auth

Benny Pedersen-2
Stefan Bauer skrev den 2019-06-16 17:46:
> some of our users use o365 but would like to use our service for
> outgoing mails. we are offering smtp sending services. integrating our
> service in o365 is tricky, as one can only specify a smarthost

cyrus-sasl support rimap, if o365 users can use that ?

if not it would not stop you from making your own sasl auth backends for
customers, but try rimap first

Re: authenticate o365 users with postfix without smtp auth

@lbutlr
In reply to this post by Stefan Bauer-2
On 16 Jun2019, at 09:46, Stefan Bauer <[hidden email]> wrote:
> some of our users use o365 but would like to use our service for outgoing mails. we are offering smtp sending services. integrating our service in o365 is tricky, as one can only specify a smarthost but microsoft does not offer any kind of authentication for smarthosts.

You can, and should (and I would say MUST) authenticate your users. You do not need Microsoft to authenticate them.

> so i'm asking if someone also noticed that and can recommend best practice to allow o365 to relay via postfix without available sasl authentication in a secure way.  

Why would o365 be relaying via your server?

User connects to your server.
User authenticates and passes authentication
User sends email

Where is 0365 involved at all?

Re: authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
our users send/receive via o365. the last mile o365->recipient should go through our service like o365->postfix->recipient

here, o365 does not offer smtp auth against postfix.

Am Sonntag, 16. Juni 2019 schrieb @lbutlr <[hidden email]>:

> On 16 Jun2019, at 09:46, Stefan Bauer <[hidden email]> wrote:
>> some of our users use o365 but would like to use our service for outgoing mails. we are offering smtp sending services. integrating our service in o365 is tricky, as one can only specify a smarthost but microsoft does not offer any kind of authentication for smarthosts.
>
> You can, and should (and I would say MUST) authenticate your users. You do not need Microsoft to authenticate them.
>
>> so i'm asking if someone also noticed that and can recommend best practice to allow o365 to relay via postfix without available sasl authentication in a secure way. 
>
> Why would o365 be relaying via your server?
>
> User connects to your server.
> User authenticates and passes authentication
> User sends email
>
> Where is 0365 involved at all?
>
>
>
>
> —
>
>
>

Re: authenticate o365 users with postfix without smtp auth

Wietse Venema
Stefan Bauer:
> our users send/receive via o365. the last mile o365->recipient should go
> through our service like o365->postfix->recipient

Dumb question: is the mail flow like this:

end-user client -> microsoft server -> postfix server -> remote recipient

Or is it something else?
- Local recipient?
- End-user office 365 client -> postfix server?

Please be explicit about the client and server roles.

        Wietse

Re: authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
its like the first:


end-user client -> microsoft server -> postfix server -> remote recipient

Am Sonntag, 16. Juni 2019 schrieb Wietse Venema <[hidden email]>:

> Stefan Bauer:
>> our users send/receive via o365. the last mile o365->recipient should go
>> through our service like o365->postfix->recipient
>
> Dumb question: is the mail flow like this:
>
> end-user client -> microsoft server -> postfix server -> remote recipient
>
> Or is it something else?
> - Local recipient?
> - End-user office 365 client -> postfix server?
>
> Please be explicit about the client and server roles.
>
>         Wietse
>

Re: authenticate o365 users with postfix without smtp auth

@lbutlr
In reply to this post by Stefan Bauer-2
On 16 Jun2019, at 10:48, Stefan Bauer <[hidden email]> wrote:
> our users send/receive via o365.

That’s not what you said. You said "some of our users use o365 but would like to use our service for outgoing mails.”

> the last mile o365->recipient should go through our service like o365->postfix->recipient

I do not believe any company, much less Microsoft, is going to send emails from their users to other users through your mail server.

--
The Earth is like a tiny grain of sand, only much, much heavier.

Re: authenticate o365 users with postfix without smtp auth

Wietse Venema
In reply to this post by Stefan Bauer-2
Stefan Bauer:
> its like the first:
>
> end-user client -> microsoft server -> postfix server -> remote recipient

How would Postfix know that the server is Microsoft Office 365?
From the reverse DNS?

        Wietse

Re: authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
MS is publishing source ips/ranges.

sasl_exeptions_networks seems an option but i still dont like the lack of authentication.

Am Sonntag, 16. Juni 2019 schrieb Wietse Venema <[hidden email]>:

> Stefan Bauer:
>> its like the first:
>>
>> end-user client -> microsoft server -> postfix server -> remote recipient
>
> How would Postfix know that the server is Microsoft Office 365?
> From the reverse DNS?
>
>         Wietse
>

Re: authenticate o365 users with postfix without smtp auth

Bill Cole-3
In reply to this post by @lbutlr
On 16 Jun 2019, at 13:18, @lbutlr wrote:

> On 16 Jun2019, at 10:48, Stefan Bauer <[hidden email]> wrote:
[...]
>> the last mile o365->recipient should go through our service like
>> o365->postfix->recipient
>
> I do not believe any company, much less Microsoft, is going to sent
> emails from their users to other users through your mail server.

But they do. As the OP says, they support an outbound "smarthost"
connector, it is just missing an authentication functionality.

This is not such an unusual requirement. I have worked with multiple
businesses whose regulatory compliance relies on having all external
communication archived in real time to a 3rd party system. This allows
users to manage their mailboxes however they like without risking
violation of company policy or law. Often a 'global Bcc' is adequate for
that but it can be a better fit to put redirection a step away from the
mail system handling mailboxes.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: authenticate o365 users with postfix without smtp auth

Bill Cole-3
In reply to this post by Stefan Bauer-2
On 16 Jun 2019, at 13:40, Stefan Bauer wrote:

> MS is publishing source ips/ranges.
>
> sasl_exeptions_networks seems an option but i still dont like the lack
> of
> authentication.

So if you know that the SMTP client matches SPF (or a statically-set
address set) for the sender domain AND the sender address is one you
intend to service, how reliably is the mail authenticated by those 2
elements together?

Is the mail DKIM signed?


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
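Viktor's point upthread (Postfix can only authorize on client IP, SASL or TLS, "possibly further constrained by sender address") and Bill's question above (client matches a fixed address set AND the sender is one you intend to service) combine into one relay decision. The script below is an added illustration, not code from the thread or from the Postfix project: a small SMTPD policy server, reached from main.cf with something like `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10040, reject_unauth_destination`. It relays only when both factors hold. The listening port, the client networks (RFC 5737 / RFC 3849 documentation prefixes stand in for the ranges the provider publishes) and the serviced sender list are all constructed placeholders.

```python
"""
Postfix SMTPD policy delegation: permit relay only when the SMTP client is
inside a trusted, published address range AND the envelope sender is one this
relay is contracted to service. Added example; all values are placeholders.
"""
import ipaddress
import socketserver

# Constructed placeholders: substitute the ranges the cloud provider publishes.
TRUSTED_CLIENT_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder
    ipaddress.ip_network("2001:db8:1::/48"),  # documentation prefix, placeholder
]

# Constructed allow-list of exact addresses and whole domains this relay serves.
SERVICED_SENDERS = {"alice@example.org"}
SERVICED_DOMAINS = {"example.net"}


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def client_is_trusted(client_address: str) -> bool:
    """True when the connecting IP lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in TRUSTED_CLIENT_NETWORKS)


def sender_is_serviced(sender: str) -> bool:
    """True when the envelope sender is an address or domain we service."""
    sender = sender.strip("<>").lower()
    if "@" not in sender:
        return False  # the null sender (bounces) is not relayed via this path
    domain = sender.rsplit("@", 1)[1]
    return sender in SERVICED_SENDERS or domain in SERVICED_DOMAINS


def decide(attrs: dict) -> str:
    """Return the Postfix policy action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("sasl_username"):
        return "DUNNO"  # SASL clients are handled by permit_sasl_authenticated
    client = attrs.get("client_address", "")
    sender = attrs.get("sender", "")
    if client_is_trusted(client) and sender_is_serviced(sender):
        return "OK"  # both factors hold: relay permitted
    if client_is_trusted(client):
        return "REJECT Sender not serviced by this relay"
    return "DUNNO"  # fall through to reject_unauth_destination


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve any number of requests on one connection, as Postfix expects."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(f"action={decide(attrs)}\n\n".encode())
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 10040) -> None:
    """Listen for Postfix policy requests (port is a placeholder)."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The REJECT branch is deliberate: a connection from the trusted range with a sender outside the serviced list is the exact case Stefan worries about (an arbitrary account at the provider pointing its smarthost at this relay), and logging that rejection gives a clear signal. The decision is only as strong as the provider's own enforcement of sender addresses, which is the open question in the thread.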

Re: authenticate o365 users with postfix without smtp auth

Stefan Bauer-2
Bill,

yes that's the question. i would consider the two factors as reliable. MS is signing mails. i just like clear user authentication instead of rely on volatile ips/blocks, microsoft publishes/changes.

what i need to check is also, whether MS allows spoofing of sender address. i need to make sure, no user can use our service, just by sending through any ms account with a correctly guessed allowed sender address.

far away from perfect.

Am Sonntag, 16. Juni 2019 schrieb Bill Cole <[hidden email]>:

> So if you know that the SMTP client matches SPF (or a statically-set address set) for the sender domain AND the sender address is one you intend to service, how reliably is the mail authenticated by those 2 elements together?
>
> Is the mail DKIM signed?
>
>
> --
> Bill Cole
> [hidden email] or [hidden email]
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
>

Re: authenticate o365 users with postfix without smtp auth

Peter Ajamian
In reply to this post by Stefan Bauer-2
On 17/06/19 2:00 AM, Stefan Bauer wrote:
> we are running a small smtp relay service with postfix for authenticated
> users. Unfortunately office 365 does not offer any smtp authentication
> mechanism when sending mails via connectors to smarthosts.

I can't believe I just looked up MS docs for you, but:

https://docs.microsoft.com/en-us/powershell/module/exchange/mail-flow/set-sendconnector?view=exchange-ps

Note the -SmartHostAuthMechanism and -AuthenticationCredential parameters.

For more info please ask in a forum appropriate to o365 or exchange,
this is not support for exchange.


Peter

Re: authenticate o365 users with postfix without smtp auth

@lbutlr
In reply to this post by Bill Cole-3
On 16 Jun2019, at 12:05, Bill Cole <[hidden email]> wrote:
> But they do.

Wild.

> As the OP says, they support an outbound "smarthost" connector,

Not a term I’ve heard before.

> This is not such an unusual requirement. I have worked with multiple businesses whose regulatory compliance relies on having all external communication archived in real time to a 3rd party system. This allows users to manage their mailboxes however they like without risking violation of company policy or law. Often a 'global Bcc' is adequate for that but it can be a better fit to put redirection a step away from the mail system handling mailboxes.

I would have thought the way to do this is to use your own host for outbound mail, allowing you to archive copies of it however you want, rather than have a third party relay mail through you. You can certainly prevent connections out to other mail hosts so that your server cannot be bypassed inside your network/VPN.

Obviously when out on the open Internet there would need to be a system on Microsoft’s side for these sorts of clients, but wouldn’t it be simpler to say “Hey, you’re a valid 0365 account, but you are only authorized to use [Corporate mail server]?

Using the corporate mail server as a relay struck me (and still strikes me) as the bassackwards way to do this, but I assume I am missing something in there.


--
He was Igor, son of Igor, nephew of several Igors, brother of Igors and
cousin of more Igors than he could remember without checking up in his
diary. Igors did not change a winning formula. {Footnote: Especially if
it was green, and bubbled.}

Re: authenticate o365 users with postfix without smtp auth

Viktor Dukhovni
In reply to this post by Stefan Bauer-2
On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:

> Some of our users use o365 but would like to use our service for outgoing
> mails.  We are offering smtp sending services.  Integrating our service in
> o365 is tricky, as one can only specify a smarthost but microsoft does not
> offer any kind of authentication for smarthosts.

Are these individual users or cloud-hosted domains?  Who's authorized
to ask Microsoft to route their outbound traffic through your relay?
Can you distinguish one such Office365 sender from another? ...

What's the point (if I may ask) of having their mail sent through
your relay?  I assume that Microsoft could quite easily send their
outbound traffic directly to its destination.

--
        Viktor.

Re: authenticate o365 users with postfix without smtp auth

Bill Cole-3
In reply to this post by Stefan Bauer-2
On 16 Jun 2019, at 14:33, Stefan Bauer wrote:

> Bill,
>
> yes thats the question. i would consider the two factors as reliable.
> MS is
> signing mails. i just like clear user authentication instead of rely
> on
> volatile ips/blocks, microsoft publishes/changes.
>
> what i need to check is also, whether MS allows spoofing of sender
> address.

I believe that they do not, so that if you get mail from an O365
outbound machine (which should be identifiable by SPF) in a domain which
they believe to be part of the O365 forest, the full envelope sender
address is trustworthy and, if the DKIM signature verifies, so is the
From header address.

These of course would only be as trustworthy as O365 user authentication
in general but that's reasonably good.

> i need to make sure, no user can use our service, just by sending
> through
> any ms account with a correctly guessed allowed sender address.

I'm not currently managing any O365 domains but to the best of my
recollection (which is from 2 years ago and is no better than that of
other humans of my advancing age) they claim to not allow any form of
unauthorized user impersonation. In other words, one can delegate
account access to another user but one cannot simply send mail as
whatever user one likes.

This is a question that MS would surely answer clearly and directly if
asked by a paying customer, yes? I expect that if you found the right MS
mail admin in a place where they communicate with the outside community,
you might get an answer for free even if you were not a paying customer.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: authenticate o365 users with postfix without smtp auth

Bill Cole-3
In reply to this post by @lbutlr
On 16 Jun 2019, at 16:27, @lbutlr wrote:

> On 16 Jun2019, at 12:05, Bill Cole
> <[hidden email]> wrote:
[...]
>
>> As the OP says, they support an outbound "smarthost" connector,
>
>
> Not a term I’ve heard before.

The term "smarthost" dates from the days when it was fairly common for
some hosts to know more about how to route email than others, the days
before ubiquitous Internet connectivity and before that included DNS
and/or before DNS was adequate to find the route to all mailable
domains. So some hosts were smarter than others and it was quite common
for many hosts to only know a friendly nearby "smarthost."

The terminology remains because the basic model of operation remains
useful, even when the rationale is no longer how "smart" an outbound
gateway might be.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: authenticate o365 users with postfix without smtp auth

Jon Radel

> On Jun 16, 2019, at 6:38 PM, Bill Cole <[hidden email]> wrote:
>
>> On 16 Jun 2019, at 16:27, @lbutlr wrote:
>>
>> On 16 Jun2019, at 12:05, Bill Cole
>> <[hidden email]> wrote:
> [...]
>>
>>> As the OP says, they support an outbound "smarthost" connector,
>>
>>
>> Not a term I’ve heard before.
>
> The term "smarthost" dates from the days when it was fairly common for
> some hosts to know more about how to route email than others, the days
> <snip>

I believe the term “connector” is a Microsoftism and best I can explain it is that it’s a collection of abstractions of various types for connecting email systems. I use some for sending trusted email from on premise Postfix servers to several O365 accounts. I specify the source IP addresses, or the CN of the TLS cert I’m using, in the connector configuration, and a number of capacity controls, filtering for spoofed return addresses, etc. no longer apply.

I’ll note that MS appears fairly serious about deprecating anything other than TLS 1.2 with “real” certs and I validate their cert and have them validate mine.  Of course, my email is flowing in the opposite direction of the OP’s.

—Jon Radel
Please do not use e-mail to transmit orders for securities or for other time-sensitive messages. Securities products and services are offered through Folio Investments, Inc. and are subject to investment risk, including the possible loss of principal. Member FINRA/SIPC. Folio Investments, Inc. and First Affirmative Financial Network, LLC are affiliates. This e-mail message and any files transmitted with it are confidential, intended only for the person(s) to whom this e-mail message is addressed. If you have received this e-mail message in error, please notify the sender immediately by telephone or e-mail and destroy the original message without making a copy. This e-mail is subject to review, retrieval, archiving and disclosure by Folio to third parties.