  • Note
    This article includes descriptions of third-party software and is based on the status at the time this page was created.
    Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
    All information without warranty.





  • Configuration of the mailrelay in front of the external server of Outlook / Microsoft 365
    New article with version: 12.6.0
    Last updated: 01.2024
    This article refers to a Resellerpreview

    Access: UTM-IP:Port or UTM-URL:Port
    Port as configured at Network / Appliance Settings / Webserver
    Default-Port: 11115
    e.g.: https://utm.ttt-point.de:11115
    Default: https://192.168.175.1:11115
    Applications / Mailrelay

    Introduction

    It is possible to run a UTM with mailrelay and mailfilter in front of Outlook / Microsoft 365. As a result, the UTM receives the emails and the mailfilter filters them accordingly. Mailrelay checks the received emails and classifies them into an appropriate category. Based on the category, it is decided whether an email is forwarded to Outlook / Microsoft 365 or not.
    Running the UTM with mailrelay and mailfilter in front of Outlook / Microsoft 365 has the following advantages:

    • Direct control over which emails are forwarded to which Outlook / Microsoft 365 accounts
    • Configuration of the mailfilter and thus the filtering of the emails
    • The virus scanner of the UTM checks the e-mails for possible viruses and malware



    Preconditions

    Settings on the provider side

    Receiving mails

    • E-mail is sent
    • DNS A record points to UTM
    • Email is delivered to the UTM and processed (mail filter, greylisting, etc.)
    • UTM delivers email to Outlook
    • Email query from the internal network
    • Query is forwarded to Outlook

    In order to ensure a smooth participation in the mail traffic, some conditions must be fulfilled:

    • A fixed IP address
    • An A record on the DNS server of the provider that resolves to this IP (e.g. mail.ttt-point.de).
    • An MX record that determines the address at which the mail server of a domain can be reached (e.g. mail.ttt-point.de).
    • A PTR record that resolves the fixed IP back to the MX record (reverse DNS).


    These are all settings that have to be made by the provider and NOT on the Securepoint Appliance!
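Once the provider has set the records, the DNS preconditions listed above can be checked for consistency. The following Python sketch is an added example, not part of the original article; the function name and the record structure are assumptions, and the sample records are constructed (203.0.113.10 is a documentation address, ttt-point.de is taken from the article's example host name).

```python
import ipaddress


def norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_mail_dns(domain, fixed_ip, records):
    """Return a list of problems; an empty list means all preconditions hold.

    records is a hypothetical structure filled from the provider zone, e.g.
    with `dig MX`, `dig A` and `dig -x`:
      {"MX": {domain: [(prio, host)]}, "A": {host: [ip]}, "PTR": {ip: [host]}}
    """
    problems = []
    ip = str(ipaddress.ip_address(fixed_ip))  # raises ValueError on a bad IP
    mx = {norm(d): v for d, v in records.get("MX", {}).items()}
    a = {norm(h): v for h, v in records.get("A", {}).items()}
    ptr = [norm(h) for h in records.get("PTR", {}).get(ip, [])]

    mx_hosts = [norm(host) for _prio, host in sorted(mx.get(norm(domain), []))]
    if not mx_hosts:
        problems.append(f"no MX record for {domain}")
    for host in mx_hosts:
        addrs = a.get(host, [])
        if not addrs:
            problems.append(f"MX host {host} has no A record")
        elif ip not in addrs:
            problems.append(f"A record of {host} is {addrs}, not {ip}")
    if not ptr:
        problems.append(f"no PTR record for {ip}")
    elif not set(ptr) & set(mx_hosts):
        problems.append(f"PTR of {ip} is {ptr}, not an MX host")
    return problems


# Constructed sample zone data (203.0.113.0/24 is a documentation range).
GOOD = {
    "MX": {"ttt-point.de": [(10, "mail.ttt-point.de.")]},
    "A": {"mail.ttt-point.de": ["203.0.113.10"]},
    "PTR": {"203.0.113.10": ["mail.ttt-point.de."]},
}
# Typical failure: the PTR still carries the provider's generic name.
BAD = dict(GOOD, PTR={"203.0.113.10": ["static-10.provider.example."]})

if __name__ == "__main__":
    print(check_mail_dns("ttt-point.de", "203.0.113.10", GOOD))
    print(check_mail_dns("ttt-point.de", "203.0.113.10", BAD))
```

A mismatched PTR record is the condition most likely to make receiving servers reject or greylist mail sent from the fixed IP, so it is reported separately from the MX and A checks.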

    Note:
    Since a certain amount of storage space must be available for rejected mails and for mails that could not yet be delivered to Outlook, the hardware requirements and the sizing of virtual systems must be taken into account!

    Set of rules

    In order to allow Outlook to receive mail via the mail relay, access to the external interface with the SMTP protocol must be allowed in the packetfilter:
    One rule that allows receiving the emails from the Internet.

    | # | Source | Destination | Service | NAT | Action | Active |
    |---|--------|-------------|---------|-----|--------|--------|
    | 4 | internet | external-interface | smtp | | Accept | On |

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Active: | On | Activate rule so that the packetfilter takes effect |
    | Source: | Internet | Select Internet as the source |
    | Destination: | external-interface | Select external-interface as the destination |
    | Service: | smtp | Select smtp as the service |
    | Action: | Accept | Mails that meet the corresponding conditions are accepted and forwarded |
    | Logging: | None - Do not log | Logging is not required |
    In order for Outlook to be able to receive mails via the UTM, a corresponding packetfilter rule must be created.
    This is done by creating a new network object under Firewall / Network Objects using the Add Object button.

    Creation of network object for the Outlook server:

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Name: | Outlook | Choose a suitable name for the network object |
    | Type: | Hostname | Select Hostname as type to be able to enter the Outlook server |
    | Hostname: | smtp.office365.com | The Outlook server name must be entered here |
    | Zone: | external | external should already be set by default |
    | Groups: | | The network object can be added to a group |

    This network object is used to create a packetfilter rule for the incoming mails to Outlook.

    | # | Source | Destination | Service | NAT | Action | Active |
    |---|--------|-------------|---------|-----|--------|--------|
    | 5 | external-interface | Outlook | smtp | | Accept | On |

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Active: | On | Activate rule so that the packetfilter takes effect |
    | Source: | external-interface | Source |
    | Destination: | Outlook | The network object Outlook created above is selected as the destination |
    | Service: | smtp | Select smtp as the service |
    | Action: | Accept | Mails that meet the corresponding conditions are accepted and forwarded |
    | Logging: | None - Do not log | Logging is not required |
    Note
    If there is no other connection available besides the Internet connection with the IP over which the mail is sent, it must be ensured that ONLY the mail server is allowed to send mail via SMTP. Otherwise a single computer in the network compromised by a Trojan could seriously disrupt the sending of mails or even make it completely impossible, because it spreads spam and malware with the public IP and is listed on corresponding blocklists for spammers within a very short time.

    Email address

    Under Network / Appliance Settings, a postmaster address should be configured as the Global email address. Otherwise undeliverable mails remain on the disk. This can eventually exhaust the available storage space, at which point mails are no longer accepted.


    Mailrelay configuration

    The basic configuration of the mailrelay can be found in the corresponding wiki article for Configuration of the Mailrelay.
    This section describes how to configure the mail relay in front of Outlook.

    Relaying

    Relaying list
    The Add domain/host button adds the domain used in Outlook to the relaying list. The following configuration is made.

    Relaying settings of the mail relay in front of Outlook:

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Option: | To | The recipient domain is evaluated |
    | Domain: | anyideas.de | The domain in Outlook |
    | Action: | Relay | Mails that meet the corresponding conditions are accepted and forwarded |

    Use exact domain name for relaying: can be activated (On). Subdomains or extensions will then not receive emails.
    TLS encryption as server: is enabled (On).

    SMTP Routes

    The Add SMTP Routing button creates a route to Outlook.

    SMTP routes settings of the mailrelay in front of Outlook:

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Domain: | anyideas.de | The domain in Outlook |
    | Mailserver: | outlook.office365.com | The Outlook mail server |

    Configuration of the mail relay for outgoing mails

    Sending emails

    • An internally written email is ready to be sent
    • Query is forwarded to Outlook
    • Outlook delivers the email to the UTM
    • Email is processed by the UTM (mail filter, greylisting, etc.) and sent
    • DNS A record points to the recipient
    • Email is sent

    To prevent spam or malware from being sent from your own network or from Outlook, the mail relay is also configured for outgoing mails.

    Set of rules

    In order to allow access to the mail relay, Outlook must be allowed access to the corresponding interface of the UTM (depending on the zone in which Outlook is located) via the SMTP protocol. It is important that all applications that are to send mails via the mail relay have the corresponding interface of the firewall entered as SMTP server or smarthost.
    In order for Outlook to be able to send mails via the UTM, a corresponding packetfilter rule must be created.
    The network object previously created under Firewall / Network Objects is used for this.
    This network object is used to create a packetfilter rule for the outgoing mails from Outlook.

    | # | Source | Destination | Service | NAT | Action | Active |
    |---|--------|-------------|---------|-----|--------|--------|
    | 6 | Outlook | external-interface | smtp | | Accept | On |

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Active: | On | Activate rule so that the packetfilter takes effect |
    | Source: | Outlook | The network object Outlook created above is selected as the source |
    | Destination: | external-interface | Select external-interface as the destination |
    | Service: | smtp | Select smtp as the service |
    | Action: | Accept | Mails that meet the corresponding conditions are accepted and forwarded |
    | Logging: | None - Do not log | Logging is not required |

    Relaying configuration

    In order for the mail relay to accept the mails from Outlook, the settings in the Relaying tab must be supplemented by a corresponding entry via Add domain / host.

    | Caption | Value | Description |
    |---------|-------|-------------|
    | Domain: | smtp.office365.com | As an alternative to the domain, one of the IP addresses of Outlook can be entered. |
    | Option: | None | |
    | Action: | Relay | |

    With the settings made in this way, the outgoing mails are also checked by the mail filter for spam, malware and viruses.