This article includes descriptions of third-party software and is based on the status at the time this page was created.
Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.
New article with version: 12.6.0
Introduction
It is possible to run a UTM with mailrelay and mailfilter in front of Outlook / Microsoft 365. As a result, the UTM receives the emails and the mailfilter filters them accordingly. Mailrelay checks the received emails and classifies them into an appropriate category. Based on the category, it is decided whether an email is forwarded to Outlook / Microsoft 365 or not.
Advantage: Running the UTM with mailrelay and mailfilter in front of Outlook / Microsoft 365 is as follows:
- Direct control over which emails are forwarded to which Outlook / Microsoft 365 accounts
- Configuration of the mailfilter and thus the filtering of the emails
- The virus scanner of the UTM checks the e-mails for possible viruses and malware
Preconditions
Settings on the provider side
➊ E-mail is sent
➋ DNS A record points to UTM
➌ Email is delivered to the UTM and processed (mail filter, greylisting, etc.)
- ➍
➎ Email query from the internal network
➏ Query is forwarded to Outlook
In order to ensure a smooth participation in the mail traffic, some conditions must be fulfilled:
- A fixed IP address
- An A record on the DNS server of the provider that resolves to this IP (e.g. mail.ttt-point.de).
- An MX record that determines the address at which the mail server of a domain can be reached (e.g. mail.ttt-point.de).
- A PTR record that resolves the fixed IP back to the MX record (reverse DNS).
These are all settings that have to be made by the provider and NOT on the Securepoint Appliance!
Set of rules
| In order to allow Outlook to recieve mail via the mail relay, access to the external interface with the SMTP protocol must be allowed in the packetfilter: One rule that allows receiving the emails from the Internet. | |||||||||||||||||||||
| Caption | Value | Description |
UTMuser@firewall.name.fqdnFirewall
| ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Active: | On | Activate rule so that the packetfilter takes effect | |||||||||||||||||||
| Source: | Internet | Select Internet as the source | |||||||||||||||||||
| Destination: |  external-interface |
Select external-interface as the destination | |||||||||||||||||||
| Service: |  smtp |
Select smtp as the service | |||||||||||||||||||
| Action: | Mails that meet the corresponding conditions are accepted and forwarded | ||||||||||||||||||||
| Logging: | Logging is not required | ||||||||||||||||||||
| In order for Outlook to be able to receive mails via the UTM, a corresponding packetfilter rule must be created. This is done by creating a new network object under using the button. |
UTMuser@firewall.name.fqdnFirewallNetzwerkobjekte  Creation of network object for the Outlook server
| ||||||||||||||||||||
| Name: | Outlook | Choose a suitable name for the network object | |||||||||||||||||||
| Type: | Hostname | Select Hostname as type to be able to enter the Outlook server | |||||||||||||||||||
| Hostname: | smtp.office365.com | The Outlook server name must be entered here | |||||||||||||||||||
| Zone: | external | external should already be set by default | |||||||||||||||||||
| Groups: | The network object can be added to a group | ||||||||||||||||||||
| This network object is used to create a packetfilter rule for the incoming mails to Outlook. | |||||||||||||||||||||
| Active: | On | Activate rule so that the packetfilter takes effect |
UTMuser@firewall.name.fqdnFirewall
| ||||||||||||||||||
| Source: | external-interface |
Source | |||||||||||||||||||
| Destination: |  Outlook |
The network object Outlook created above is selected as the target | |||||||||||||||||||
| Service: | smtp |
Select smtp as the service | |||||||||||||||||||
| Action: | Mails that meet the corresponding conditions are accepted and forwarded | ||||||||||||||||||||
| Logging: | Logging is not required | ||||||||||||||||||||
| notempty Note If there is no other connection available besides the Internet connection with the IP over which the mail is sent, it must be ensured that ONLY the mail server is allowed to send mail via SMTP. Otherwise a single computer in the network compromised by a Trojan could seriously disrupt the sending of mails or even make it completely impossible, because it spreads spam and malware with the public IP and is listed on corresponding blocklists for spammers within a very short time.
| |||||||||||||||||||||
Email address
Under Global email address: a postmaster address should be configured. Otherwise undeliverable mails will remain on the disk space. This can cause the available memory to become insufficient at some point and mails to no longer be accepted.
Mailrelay configuration
The basic configuration of the mailrelay can be found in the corresponding wiki article for Configuration of the Mailrelay.
Here is described how to configure the mail relay in front of Outlook.
Relaying | |||
| Relaying list | |||
| The button adds the domain to Outlook. The following configuration is made. | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnApplications  Relaying settings of the mail relay in front of Outlook
|
|---|---|---|---|
| Option: | The recipient domain is evaluated | ||
| Domain: | anyideas.de | The domain in Outlook | |
| Action | Mails that meet the corresponding conditions are accepted and forwarded | ||
| Use exact domain name for relaying: can be On activated. Then subdomains or extensions will not receive emails. | |||
| TLS encryption as server: is enabled On. | |||
SMTP Routes | |||
| The button creates a route to Outlook. | |||
| Caption | Value | Description |  |
| Domain: | anyideas.de | The domain in Outlook | |
| Mailserver: | outlook.office365.com | The Outlook mail server | |