Send and receive mail by external partner

Hello,

One of our partners does some tasks for us, which results in mails being sent by their mailserver. They use one of our domains for this.

Because of some security related questions we are examining if it is possible that their system can send mails through our CES. Does anyone know if it is possible to configure this? I was thinking about a configuration like the configuration for Microsoft 365. Is that possible, or do I have to search for another solution?

  • Most of the messages will be routed to the internet, some messages are for recipients in our organization. Is that possible with one sender group?
  • How can I secure the connection? It is filtered for the IP address in the sender group, and maybe with a secret header. Are there additional settings necessary (username/password)?
  • What happens when the partner sends a mail with a sender address from a domain we don't have? Will that be dropped?


I hope that someone of you can give me some more information about this.

Kind regards,
Arjan

4 Replies

A lot of your questions could be limited by what the vendor can do. The CES/ESA can do a lot of what you are thinking.

What you are talking about is basically setting up an outgoing listener to be talked to from this vendor. You would basically use your firewall to NAT it to an external IP. Since most transfers are on port 25, you would want to use a separate public IP. You would want to limit this with a firewall rule so only their IP could talk to this listener, otherwise you are basically making an open relay.

Since this is a private listener, it will use outbound rules and filters. For your 3rd question, you could do a filter that if it's that listener, and the from address ends in @mydomain.com, you could drop anything if they send it.


Now, this really depends on your security and such. At our company, we don't allow anyone to send as our root domain; we set them up with subdomains and set separate security for them, such as @marketing.mydomain.com. This keeps management and overhead off of us. All we do is set the DNS SPF/DKIM/DMARC they give us, with the caveat that SPF is always -all.


This is all a security discussion you have to have. Sending it to your system gives you more control, but more bandwidth and overhead as you now send the email in, and back out.

Hello @Dustin Anderson,

Thanks for your reply. Good to hear that a lot is possible with CES.

About using a firewall. We are using the Cisco cloud solution for mail. Because of that it isn't possible to configure a rule to allow/restrict traffic for only that partner. I think Cisco wouldn't let me configure their firewall ;).

The use of a subdomain is a solution that I didn't think of yet. When working out the configuration we will keep that in mind. Thanks!

Some last questions: is it useful to use a secret header, like with our setup with Office 365? Or is this only useful for Office 365, because of limiting connections/messages from other tenants? Is filtering on IP address sufficient in this case?

In the mail flow policy it is possible to use SMTP Authentication. Is it useful to use this? What are the benefits of using this?

Kind regards,
Arjan

So, the header would be an extra security like O365, but also since Office has a lot of servers, it's a lot harder to lock down with a firewall rule. I have not done cloud; right now, is O365 the only thing using the outbound listener?

I know the cloud is more limited as you can't do other ports for listeners; I believe it's an incoming/outgoing listener only on port 25. This would make it hard to limit what could be done. I'm not sure if you could do SMTP auth without it affecting the whole listener. The limitations are why we had to keep our physical on-prem setup for the ability to make more listeners. I believe cloud would need separate instances for more listeners.
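An added illustration, written for this thread and not posted by either participant nor taken from Cisco documentation, of the two controls discussed above as AsyncOS message filters: drop anything from the partner's relay IP whose envelope sender is not in the domain you own (the filter idea from the first reply), and require the shared secret header the same way it is used for the Office 365 sender group. The partner IP 203.0.113.10, the domain example.com, the header name X-Partner-Secret and its value are placeholders to replace; keying on the remote IP rather than the listener name matters here because the cloud outbound listener is shared with the O365 and internal sender groups.

```text
PartnerMustUseOurDomain:
if (remote-ip == "203.0.113.10") AND (mail-from != "@example\\.com$")
{
    log-entry("partner relay: envelope sender outside our domain, dropped");
    drop();
}

PartnerMustPresentSecret:
if (remote-ip == "203.0.113.10") AND NOT (header("X-Partner-Secret") == "^REPLACE-WITH-SHARED-SECRET$")
{
    log-entry("partner relay: shared secret header missing or wrong, dropped");
    drop();
}

PartnerStripSecret:
if (remote-ip == "203.0.113.10")
{
    strip-header("X-Partner-Secret");
}
```

Message filters run in the order listed and drop() is a final action, so a message rejected by the first filter never reaches the second, and the third only strips the secret from mail that passed both checks so the value does not leak to external recipients.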

Hi @Dustin Anderson,

Thanks again for your reply!
The outbound listener is for 2 sender groups: 1 for O365 and 1 for our internal mailserver. I was thinking of adding an additional sender group for the partner connections.

From what I see of the possible settings, SMTP authentication is configured in the mail flow policy. So it should be possible to set up SMTP authentication for only the new sender group (with a new mail flow policy).

Kind regards,
Arjan