Outbound gateway for Google Apps or Exchange online, how to authenticate?

  • martijn.list
    Message 1 of 3, Mar 27, 2014
      Hi,

      Google Apps and Exchange online allow you to relay all outgoing email
      through an external mail server.

      Google Apps calls this an "Outbound mail gateway":

      https://support.google.com/a/answer/178333

      And Microsoft calls this "Outbound Smart Hosting":

      http://technet.microsoft.com/en-us/library/jj723128%28v=exchg.150%29.aspx

      Both options, however, do not seem to support any kind of authentication
      (like username/password, or client-side certificates). The only way to
      make sure that only the Google Apps or Microsoft online server is
      allowed to relay, it seems, is to approve the IP ranges used by
      Google and Microsoft.

      The problem is that in principle this IP range might change every now
      and then. I believe Google publishes their IP ranges in an SPF record, so
      in principle this IP range can be looked up. Not sure about Microsoft
      though.

      Even if you only allow the Google Apps or Exchange online IP ranges,
      you still have the problem that someone else might configure your relay
      server's IP as their outbound gateway. Since in that case the email comes
      from Google or Microsoft, the external relay will accept the email. So
      just checking for IP ranges is not enough. I guess the only solution
      would be to check for the sender domain and refuse to relay users from
      another domain.

      Does anyone on this list have any experience in setting up an outbound
      gateway for Google Apps and/or Exchange online?

      If so any ideas how to make sure this will work without any problems?

      Kind regards,

      Martijn Brinkers

      --
      DJIGZO email encryption
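The lookup-then-restrict policy sketched in the post above, as an added example that is not part of the original message: a Python script that walks a provider's SPF include: chain into a set of networks, renders them as a Postfix cidr: access table for check_client_access, and then applies the two checks the post describes (client IP inside the provider ranges, envelope sender domain one of ours). The TXT records, domain names and IP ranges are constructed for this example; a real deployment would replace lookup_txt with a DNS query and regenerate the table on a schedule.

```python
"""Expand a provider's SPF record into CIDR networks and apply a relay policy."""
import ipaddress

# Constructed sample TXT records standing in for DNS. They imitate the shape
# of an include: chain (the real google.com records are deeper and change
# over time); the names and ranges are made up for this example.
SAMPLE_TXT = {
    "provider.test": "v=spf1 include:_spf.provider.test ~all",
    "_spf.provider.test": ("v=spf1 include:_netblocks.provider.test "
                           "include:_netblocks2.provider.test ~all"),
    "_netblocks.provider.test": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.16/28 ~all",
    "_netblocks2.provider.test": "v=spf1 ip6:2001:db8:1::/48 -ip4:192.0.2.0/24 ~all",
    "_loop.provider.test": "v=spf1 include:_loop.provider.test ~all",
}


def lookup_txt(name):
    """Stand-in resolver; a real deployment would query DNS for TXT records."""
    return SAMPLE_TXT.get(name)


def spf_networks(domain, lookup=lookup_txt, _seen=None):
    """Return the ip4:/ip6: networks reachable through include: and redirect=.

    Only terms with the pass qualifier ("+" or none) are collected: a -ip4:
    or ~ip4: term means the provider does *not* vouch for that range.
    a/mx/ptr/exists mechanisms would need further DNS and are ignored here.
    """
    if _seen is None:
        _seen = set()
    if domain in _seen or len(_seen) > 10:
        # cycle guard plus a lookup bound (RFC 7208 allows at most 10
        # DNS-querying terms per evaluation)
        return set()
    _seen.add(domain)
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier != "+":
            continue
        term = term.lstrip("+").lower()
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term[8:], lookup, _seen)
        elif term.startswith("redirect="):
            nets |= spf_networks(term[9:], lookup, _seen)
    return nets


def postfix_cidr_table(nets):
    """Render a cidr: access table usable with check_client_access."""
    lines = ["# generated from SPF; regenerate on a schedule, ranges change"]
    for net in sorted(nets, key=lambda n: (n.version, n)):
        lines.append(f"{net}\tOK")
    return "\n".join(lines) + "\n"


def relay_decision(client_ip, envelope_sender, nets, our_domains):
    """Decide whether to relay, mirroring the thread's two conditions.

    The range check alone is not enough: another tenant of the same provider
    could point their outbound gateway at this host, so the envelope sender
    domain must also be one of ours. Returns (allowed, reason).
    """
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in nets):   # version mismatch is just False
        return False, "client not in provider ranges"
    _, at, domain = envelope_sender.rpartition("@")
    if not at:
        # null sender (<>) or a bare local part; a site may choose to relay
        # provider-generated bounces, this example does not
        return False, "sender has no domain"
    if domain.lower() not in our_domains:
        return False, "sender domain not ours"
    return True, "ok"


if __name__ == "__main__":
    ranges = spf_networks("provider.test")
    print(postfix_cidr_table(ranges))
    print(relay_decision("203.0.113.7", "alice@ourdomain.test", ranges, {"ourdomain.test"}))
    print(relay_decision("203.0.113.7", "mallory@other.test", ranges, {"ourdomain.test"}))
```

In Postfix the same two checks are check_client_access on the generated cidr: table and a sender restriction (reject_unlisted_sender, or check_sender_access against a table of the domains you own); the script only shows the decision logic so the failure mode of an IP-only policy is visible on sample input.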
    • Robert Schetterer
      Message 2 of 3, Mar 27, 2014
        On 27.03.2014 08:45, martijn.list wrote:
        > Does anyone on this list have any experience in setting up an outbound
        > gateway for Google Apps and/or Exchange online?
        >
        > If so any ideas how to make sure this will work without any problems?

        Whatever Microsoft or Google does, it may be OK to allow outbound relay
        with Postfix for fixed "trusted" and "controlled" IPs and nets; for
        dynamic IPs, only allow relay with SASL auth, and maybe limit to the
        sender domain etc.

        If relayed mails bounce, i.e. when forwarding strict SPF domains at the
        recipient mail server, it works as designed.


        Best Regards
        Robert Schetterer

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, Amtsgericht München: HRB 199263
        Board: Patrick Ben Koetter, Marc Schiffbauer
        Chairman of the supervisory board: Florian Kirstein
      • Viktor Dukhovni
        Message 3 of 3, Mar 27, 2014
          On Thu, Mar 27, 2014 at 08:45:01AM +0100, martijn.list wrote:

          > Does anyone on this list have any experience in setting up an outbound
          > gateway for Google Apps and/or Exchange online?

          I set up Google Apps some years back, but have switched jobs since
          and have forgotten some of the details. We definitely put in
          counter-measures that prevent other Google Apps customers from
          relaying via our outbound servers. Google should be able to tell
          you about available options for that. At the very least we had:

          * Google Apps outbound flow was to port 587 with STARTTLS via
          a dedicated set of Postfix machines.

          * The envelope sender domain was restricted to our Google
          Apps domain, and we used reject_unlisted_sender.

          * We were "big enough" to ask them to use client certificates
          to authenticate to the outbound server. We had a long-standing
          feature request to allow us to provision these by uploading a
          PKCS12 or similar key + cert bundle via the domain administrator
          interface, so that client certs would be per customer, not global
          for Google Apps. Without this feature they notified us before
          deploying new client certs (which was a nuisance for them and
          us). Don't know whether the requested client cert support got
          implemented. So $previous_employer may still be relying on
          Google's default client certs (which unlike the sender domain
          are not client specific).

          * We also asked Google to authenticate our server's TLS cert.

          * We also operated our own inbound MX hosts, and used Google
          Apps only as a mailstore, not an MX provider. Envelope
          rewriting rules kept the mail flows from looping (the
          internal mailbox address of a Google Apps user was
          a custom domain, which was rewritten back to the
          primary address in smtp_generic_maps during hand-off
          to Google's relay).

          That was all then, things may be different now, ideally better,
          with more options available, but things don't always improve.
          Sometimes the simplest options for the mass-market become the only
          options.

          --
          Viktor.
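The dedicated submission listener described in the reply above, written out as Postfix configuration. This is an added example and not the configuration from that employer or from Google; the file paths, table names, the certificate fingerprint placeholder and the domain ourdomain.test are assumptions. It combines the three controls the thread mentions: provider IP ranges in a cidr: table, the envelope sender domain restricted to our own domain with reject_unlisted_sender, and a trusted TLS client certificate.

```conf
# /etc/postfix/master.cf (fragment): port 587 listener for the provider's
# outbound flow. STARTTLS is mandatory and a trusted client cert is required.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/provider-relay
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/provider_ranges.cidr,reject
  -o smtpd_sender_restrictions=reject_unlisted_sender,check_sender_access,hash:/etc/postfix/our_domains,reject
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
  -o smtpd_recipient_restrictions=

# /etc/postfix/main.cf (fragment). Postfix does not allow trailing comments,
# so every comment sits on its own line.
# Full chain for our server certificate, so the provider can verify it.
smtpd_tls_cert_file = /etc/postfix/relay.fullchain.pem
smtpd_tls_key_file = /etc/postfix/relay.key
# CA that issued the provider's client certificates (needed for req_ccert).
smtpd_tls_CAfile = /etc/postfix/provider-client-ca.pem
smtpd_tls_fingerprint_digest = sha256
# Fingerprints of the client certs allowed to relay (permit_tls_clientcerts).
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# reject_unlisted_sender only bites for domains whose valid addresses Postfix
# knows, so the relay must carry the recipient list for our domain.
relay_domains = ourdomain.test
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# /etc/postfix/our_domains (build with postmap): only our envelope sender
# domain is relayed; anything else hits the trailing reject.
ourdomain.test  OK

# /etc/postfix/provider_ranges.cidr: provider networks taken from their
# published SPF data; regenerate on a schedule because they change.
203.0.113.0/24      OK
198.51.100.16/28    OK
2001:db8:1::/48     OK

# /etc/postfix/relay_clientcerts (build with postmap): one line per accepted
# client certificate. Take the value from
#   openssl x509 -noout -fingerprint -sha256 -in provider-client.pem
<sha256-fingerprint-of-provider-client-cert>  provider-outbound
```

The three layers are deliberately redundant: a client certificate shared by all of the provider's tenants proves only that the connection comes from the provider, so the sender-domain restriction is what keeps another tenant from relaying through this host, and the IP table limits the blast radius if a certificate is ever mis-issued. After editing, `postmap` the hash tables, run `postfix reload`, and confirm a lookup with `postmap -q ourdomain.test hash:/etc/postfix/our_domains`.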