issue with outlook.com / office 365 distribution lists...

issue with outlook.com / office 365 distribution lists...

mario.barbosa+postfixusers
... or whatever they are called.

Hello,

I come to you for help after a few days of work trying to figure out how
to get around what I understand to be a quirk of the office 365 mail
service. Any help is greatly appreciated, and thank you in advance for it.


So, context:

1) I work for a smallish company with about 100 users. We have our own
domain and mailserver, running the latest kolab available (which uses
postfix as one of its components). Let's call my domain 'example.com'.

2) some of my users are listed on a few "distribution lists" on the
office 365 side. Those "lists" have members from other domains too.

3) whenever one of those other members sends mail to one of those lists,
every member gets their copy.

4) whenever one of my users sends an email to a list that he is a member
of, only the members that are not on '@example.com' get their copy. The
'@example.com' sender gets a DSN generated by office 365 saying
something along the lines of

'553 5.7.1 <[hidden email]>: Sender address rejected: not
logged in'



Upon further inspection, I figured out what is probably obvious to you
by now: the office 365 lists do not change the 'Sender:' header of the
original message, and when it comes back to be delivered to its
'@example.com' members, it bumps into...

smtpd_sender_restrictions =
        permit_mynetworks,
        reject_sender_login_mismatch,
        check_policy_service unix:private/sender_policy_incoming

... namely, that reject_sender_login_mismatch policy, because during the
SMTP session the MAIL FROM is set by outlook.com servers as
'[hidden email]' (and those servers have obviously not logged
in as that user).



So, my question to you is, what is the current best practice to deal
with this?


As stated above, thank you in advance for your help.

Best regards,
Mário Barbosa


P.S.: Temporarily, with the help of 'smtpd_restriction_classes' and
'check_client_access' I have managed to relax the
'reject_sender_login_mismatch' requirement on mails coming from the
office 365 servers, but I'd like to plug that hole as soon as possible.
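
To make the mechanics of the post above concrete, here is a small model
of how smtpd(8) walks that smtpd_sender_restrictions list, run over a few
constructed SMTP sessions. This is an added example, not code from this
thread or from Postfix. The cidr: table name, the client ranges
(203.0.113.0/24 is documentation space standing in for the Office 365
outbound ranges, not a real Microsoft range), the sender-login map and the
sessions are all assumptions, and the policy service from the original list
is left out of the model.

```python
"""Model of how smtpd(8) walks smtpd_sender_restrictions, run over
constructed SMTP sessions.  Added example, not code from the thread or from
Postfix.  It models the main.cf from the first post plus the relaxation
from the P.S., assumed to look like this:

    smtpd_sender_restrictions =
        permit_mynetworks,
        check_client_access cidr:/etc/postfix/o365_clients.cidr,
        reject_sender_login_mismatch
    smtpd_restriction_classes = o365_relay
    o365_relay = reject_authenticated_sender_login_mismatch, permit

Table name, client ranges, sender-login map and sessions are assumptions;
the policy service from the original list is left out."""
import ipaddress

# Assumed smtpd_sender_login_maps: envelope sender -> SASL logins that own it.
SENDER_LOGIN_MAP = {"alice@example.com": {"alice"}, "bob@example.com": {"bob"}}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
# Assumed cidr: table; 203.0.113.0/24 (documentation space) stands in for the
# Office 365 outbound ranges.
CLIENT_ACCESS = {ipaddress.ip_network("203.0.113.0/24"): "o365_relay"}

ORIGINAL = ["permit_mynetworks", "reject_sender_login_mismatch"]
RELAXED = ["permit_mynetworks", "check_client_access", "reject_sender_login_mismatch"]
# A class whose restrictions all return DUNNO falls through to the rest of
# the outer list, where reject_sender_login_mismatch still fires.  The
# trailing "permit" is what really exempts the matched clients (anything the
# outer list should still apply to them must be repeated in the class first).
LEAKY_CLASSES = {"o365_relay": ["reject_authenticated_sender_login_mismatch"]}
CLASSES = {"o365_relay": ["reject_authenticated_sender_login_mismatch", "permit"]}

NOT_LOGGED_IN = "553 5.7.1 Sender address rejected: not logged in"


def authenticated_mismatch(session):
    """reject_authenticated_sender_login_mismatch: enforced only when the
    client is SASL-authenticated; its MAIL FROM must be owned by that login."""
    login = session.get("sasl_username")
    if not login:
        return "DUNNO"
    if login not in SENDER_LOGIN_MAP.get(session["mail_from"].lower(), set()):
        return "553 5.7.1 Sender address rejected: not owned by user " + login
    return "DUNNO"


def unauthenticated_mismatch(session):
    """reject_unauthenticated_sender_login_mismatch: a MAIL FROM that has an
    owner in the map may not be used by a client that did not log in."""
    if session.get("sasl_username"):
        return "DUNNO"
    if session["mail_from"].lower() in SENDER_LOGIN_MAP:
        return NOT_LOGGED_IN
    return "DUNNO"


def step(name, session, classes):
    """Evaluate one restriction.  "DUNNO" means it made no decision."""
    addr = ipaddress.ip_address(session["client_address"])
    if name == "permit":
        return "OK"
    if name == "permit_mynetworks":
        return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"
    if name == "reject_authenticated_sender_login_mismatch":
        return authenticated_mismatch(session)
    if name == "reject_sender_login_mismatch":   # union of the two checks
        result = authenticated_mismatch(session)
        return result if result != "DUNNO" else unauthenticated_mismatch(session)
    if name == "check_client_access":
        for net, class_name in CLIENT_ACCESS.items():
            if addr in net:                      # lookup hit: run the class
                return evaluate(classes[class_name], session, classes)
        return "DUNNO"
    raise ValueError("unknown restriction " + name)


def evaluate(restrictions, session, classes=None):
    """Walk a restriction list in order and stop at the first decision."""
    for name in restrictions:
        result = step(name, session, classes or {})
        if result != "DUNNO":
            return result
    return "DUNNO"                               # later restriction lists decide


# Constructed sessions.  O365_RELAY is the list copy coming back from
# Office 365 with the original envelope sender and no SASL login.
O365_RELAY = {"client_address": "203.0.113.10", "mail_from": "alice@example.com"}
FORGER = {"client_address": "198.51.100.200", "mail_from": "alice@example.com"}
OWN_USER = {"client_address": "198.51.100.7", "mail_from": "alice@example.com",
            "sasl_username": "alice"}
WRONG_USER = {"client_address": "203.0.113.10", "mail_from": "alice@example.com",
              "sasl_username": "bob"}

if __name__ == "__main__":
    for label, session in [("o365 relay", O365_RELAY), ("forger", FORGER),
                           ("own user", OWN_USER), ("wrong user", WRONG_USER)]:
        print(label, "|", evaluate(ORIGINAL, session), "|",
              evaluate(RELAXED, session, LEAKY_CLASSES), "|",
              evaluate(RELAXED, session, CLASSES))
```

Two things the run shows. First, the class must end in "permit": with only
reject_authenticated_sender_login_mismatch in it the class returns DUNNO and
the outer reject_sender_login_mismatch still produces the 553 "not logged
in" reply the DSN quotes. Second, the hole the P.S. refers to: once the
class permits, any host in the listed ranges can use any owned @example.com
envelope sender without logging in, which is why the rest of the thread
turns to DKIM.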



Re: issue with outlook.com / office 365 distribution lists...

Viktor Dukhovni


> On Apr 23, 2018, at 12:25 PM, [hidden email] wrote:
>
> Upon further inspection, I figured out what is probably obvious to you
> by now: the office 365 lists do not change the 'Sender:' header of the
> original message, and when it comes back to be delivered to its
> '@example.com' members, it bumps into...

Minor correction, the relevant address is the envelope sender, and
not any message header such as "Sender:".  The envelope is transmitted
separately alongside the message, but is not part of the message.

> smtpd_sender_restrictions =
>         permit_mynetworks,
>         reject_sender_login_mismatch,
>         check_policy_service unix:private/sender_policy_incoming
>
> ... namely, that reject_sender_login_mismatch policy, because during the
> SMTP session the MAIL FROM is set by outlook.com servers as
> '[hidden email]' (and those servers have obviously not logged
> in as that user).

Correct.

> Temporarily, with help of 'smtpd_restriction_classes' and
> 'check_client_access' I have managed to relax the
> 'reject_sender_login_mismatch' requirement on mails coming from the
> office 365 servers, but I'd like to plug that hole as soon as possible.

Actually, that's about the best you can do, unless you sign the outbound
mail with DKIM *and* transit through Office365 does not invalidate those
signatures, *and* you narrow the scope of your current policy of rejecting
potentially forged sender addresses with:

   http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

and finally you implement some content or proxy filter that allows external
email from your domain if DKIM authenticated, and otherwise rewrites the
From: and/or Sender: address or (with proxy filter only) perhaps rejects
the message.

> So, my question to you is, what is the current best practice to deal
> with this?

Roughly what you're doing, unless you want to invest some real effort
to implement DKIM-based anti-spoofing.

--
        Viktor.


Re: issue with outlook.com / office 365 distribution lists...

mario.barbosa+postfixusers
Hello again,

On 04/23/2018 06:55 PM, Viktor Dukhovni wrote:

>> On Apr 23, 2018, at 12:25 PM, [hidden email] wrote:
>>
>> Upon further inspection, I figured out what is probably obvious to you
>> by now: the office 365 lists do not change the 'Sender:' header of the
>> original message, and when it comes back to be delivered to its
>> '@example.com' members, it bumps into...
>
> Minor correction, the relevant address is the envelope sender, and
> not any message header such as "Sender:".  The envelope is transmitted
> separately alongside the message, but is not part of the message.

Correct. Thank you.


>> smtpd_sender_restrictions =
>>         permit_mynetworks,
>>         reject_sender_login_mismatch,
>>         check_policy_service unix:private/sender_policy_incoming
>>
>> ... namely, that reject_sender_login_mismatch policy, because during the
>> SMTP session the MAIL FROM is set by outlook.com servers as
>> '[hidden email]' (and those servers have obviously not logged
>> in as that user).
>
> Correct.
>
>> Temporarily, with help of 'smtpd_restriction_classes' and
>> 'check_client_access' I have managed to relax the
>> 'reject_sender_login_mismatch' requirement on mails coming from the
>> office 365 servers, but I'd like to plug that hole as soon as possible.
>
> Actually, that's about the best you can do, unless you sign the outbound
> mail with DKIM *and* transit through Office365 does not invalidate those
> signatures, *and* you narrow the scope of your current policy of rejecting
> potentially forged sender addresses with:
>
>    http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

I already narrow the scope as you recommend: outlook servers get
'reject_authenticated_sender_login_mismatch', all others get
'reject_sender_login_mismatch'.
We already DKIM-sign outbound email. I have to check if those signatures
remain valid after going through Office365 servers (I think so).


> and finally you implement some content or proxy filter that allows external
> email from your domain if DKIM authenticated, and otherwise rewrites the
> From: and/or Sender: address or (with proxy filter only) perhaps rejects
> the message.
>
>> So, my question to you is, what is the current best practice to deal
>> with this?
>
> Roughly what you're doing, unless you want to invest some real effort
> to implement DKIM-based anti-spoofing.


Got any pointers on how to do this? What should I put in my to-read list
next?

Thank you again.
Best regards,
Mário Barbosa

Re: issue with outlook.com / office 365 distribution lists...

Viktor Dukhovni


> On Apr 23, 2018, at 1:45 PM, [hidden email] wrote:
>
> Got any pointers on how to do this? What should I put in my to-read list
> next?

I know of an implementation via custom hooks in amavisd-new, not open-source.
Don't know whether there's anything off-the-shelf you can use.

--
        Viktor.
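
Since the thread ends without an off-the-shelf pointer, here is the
post-DATA half of the scheme Viktor describes (accept external mail that
claims @example.com only if it carries a valid DKIM signature for that
domain, otherwise rewrite From: or, in a proxy filter, reject), as the
decision logic of a content filter. This is an added example, not code from
the thread or from any named project. It does no DKIM cryptography itself:
it assumes a DKIM verifier (a milter, say) runs before it, records its
verdict in an Authentication-Results header under the authserv-id
"mx.example.com", and strips any pre-existing header bearing that id. That
authserv-id, the munged From: format, the "trusted client" flag and the
sample messages are all assumptions made for the example.

```python
"""Post-DATA decision logic for DKIM-conditional From: handling.  Added
example, not code from the thread.  Assumes an upstream DKIM verifier that
writes Authentication-Results with authserv-id AUTHSERV_ID and removes any
earlier header carrying that id; the id, the munged address, the trusted
client flag and the sample messages are assumptions."""
import email.utils
import re
from email import message_from_bytes

OUR_DOMAIN = "example.com"
AUTHSERV_ID = "mx.example.com"                 # assumed id of our verifier
RELAY_ADDRESS = "external-relay@" + OUR_DOMAIN   # assumed munged sender


def dkim_pass_domains(msg):
    """Domains with dkim=pass according to our verifier only; verdicts
    claimed under any other authserv-id are untrusted and ignored."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        parts = authserv.split()                 # "id" or "id version"
        if not parts or parts[0].lower() != AUTHSERV_ID:
            continue
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([A-Za-z0-9.-]+)", results):
            domains.add(m.group(1).lower())
    return domains


def header_domain(value):
    """Domain of the address in a From:/Sender:-style header value."""
    return email.utils.parseaddr(value or "")[1].rpartition("@")[2].lower()


def munge_from(msg):
    """Replace a From: that claims our domain but could not be verified; the
    original is kept in X-Original-From and, if that header is free, Reply-To."""
    original = msg["From"]
    name, addr = email.utils.parseaddr(original)
    msg["X-Original-From"] = original
    if msg["Reply-To"] is None:
        msg["Reply-To"] = original
    del msg["From"]
    msg["From"] = email.utils.formataddr(
        ("%s via external relay" % (name or addr), RELAY_ADDRESS))
    return msg


def classify(raw, client_is_trusted, proxy_filter=False):
    """Return (action, message), action in {"accept", "rewrite", "reject"}.

    client_is_trusted: the SMTP client was in mynetworks or SASL-authenticated
    (a filter learns this from the MTA, e.g. via milter macros; assumed here).
    proxy_filter: a before-queue filter can still refuse at SMTP time; an
    after-queue filter can only deliver, so it rewrites instead.
    """
    msg = message_from_bytes(raw)
    if client_is_trusted or header_domain(msg["From"]) != OUR_DOMAIN:
        return "accept", msg                     # no claim on our domain
    if OUR_DOMAIN in dkim_pass_domains(msg):
        return "accept", msg                     # our signature survived transit
    if proxy_filter:
        return "reject", msg
    return "rewrite", munge_from(msg)


# Constructed samples: a list copy whose signature survived, one whose
# signature broke in transit, and a forgery carrying a pass verdict from a
# verifier that is not ours.
SURVIVED = b"""Authentication-Results: mx.example.com;
\tdkim=pass header.d=example.com header.s=mail
From: Alice <alice@example.com>
To: list@example.net
Subject: signature intact

hello
"""
BROKEN = b"""Authentication-Results: mx.example.com;
\tdkim=fail (signature did not verify) header.d=example.com
From: Alice <alice@example.com>
To: list@example.net
Subject: footer added in transit

hello
-- list footer
"""
FOREIGN_VERDICT = b"""Authentication-Results: verifier.example.org; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.com
Subject: forged

pay the invoice
"""

if __name__ == "__main__":
    for label, raw in [("survived", SURVIVED), ("broken", BROKEN),
                       ("foreign verdict", FOREIGN_VERDICT)]:
        action, msg = classify(raw, client_is_trusted=False)
        print("%-16s %-8s From: %s" % (label, action, msg["From"]))
```

The authserv-id check is the part that carries the security weight: a
sender can put any Authentication-Results header it likes into a message,
so the filter only believes verdicts under its own verifier's id and relies
on that verifier to discard look-alike headers on arrival. The envelope
sender is deliberately not consulted here; by the time a content filter
runs, the envelope check has already been relaxed for the relay hosts, and
what is being protected is the From: that users see.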