
Thread: On site SMTP relay for use with Office 365

  1. #1
    HEXUS.social member Allen's Avatar
    Join Date
    Nov 2003
    Location
    Brighton
    Posts
    8,536
    Thanks
    363
    Thanked
    262 times in 168 posts
    • Allen's system
      • Motherboard:
      • ASUS Maximus VIII Gene
      • CPU:
      • Intel Core i5 6600K
      • Memory:
      • 2 x 8GB Kingston HyperX Predator DDR4-3000
      • Storage:
      • 256GB Samsung 950 PRO NVMe M.2 (OS) + 2 x 512GB Samsung 960 EVO in RAID 0 (Games)
      • Graphics card(s):
      • ASUS ROG Strix GeForce GTX 1080 Ti OC
      • PSU:
      • XFX P1-650X-NLG9 XXX 650W Modular
      • Case:
      • Fractal Design Node 804
      • Operating System:
      • Windows 10 Home 64-bit
      • Monitor(s):
      • 27" BenQ XL2730Z + 23" Dell U2311H
      • Internet:
      • Virgin Media 200Mbps

    On site SMTP relay for use with Office 365

    Hey all,

    Hope you can help with this one. We recently migrated to Office 365 for Hosted Exchange services; although it was a difficult migration, we now seem to be working OK. Ish.

    We have several devices on site in a secure network with no direct access to the internet. Some of these devices need to send emails out regularly (monitoring, MFDs, devices such as NetApp with "phone home" services, etc). However, as they don't have direct internet access, they can't use Office 365's SMTP relay. As a band aid fix we have configured the old Exchange server to relay messages to Office 365's SMTP server, but as Exchange is still on SBS (oh the PAIN) it's causing us a bit of an issue with Outlook sometimes trying to connect to Exchange rather than Office 365.

    I want to properly decommission Exchange ASAP (and SBS!), but in order to do this, I need to relay the emails from these internal devices to Office 365's SMTP server. I want to create a Linux VM for this job to save on licensing, but not sure which relay to use, nor how to configure it correctly (I've set up normal relays before, but never a relay to a relay, if that's even possible, Google isn't helping me much).

    Can anyone shed some light on this for me please? I don't need detailed explanations, just a pointer in the right direction, like which application to use on Linux and maybe a site detailing how to configure it properly.

    FYI, I have already set up Office 365 to allow our IPs to send emails to their SMTP server without authorisation, so all the Linux VM needs to do is receive the email and forward it to Office 365's SMTP server.

    Hope this explains it, if not, I apologise, I have been working steadily for 2 weeks on this and various other projects with very little time off.

    Cheers!
    Last edited by Allen; 22-12-2014 at 05:38 PM.

  2. #2
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    13,012
    Thanks
    782
    Thanked
    1,570 times in 1,326 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: On site SMTP relay for use with Office 365

    A pointer? I would use Exim as a mail server because it is pretty easy to set up. For outgoing email it shouldn't take too long.

    I run it for a home email server handling a couple of domain names; doing all the spam rejection and virus scanning etc. is the hard part. Sending stuff out, you probably just need to make sure that the relay hosts configuration has your local network in it so the sending machines don't just get "we don't relay".

    I run it from CentOS as it has a very long support period and is aimed at stability.

  3. #3
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts

    Re: On site SMTP relay for use with Office 365

    Postfix is another good one, which I use as a mail transfer agent. It is a sendmail replacement, so will work on most *nix systems with minimal configuration. If you need post office facilities, Dovecot provides IMAP and POP3 services, which can be secured if required.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  4. #4
    HEXUS.social member Allen's Avatar

    Re: On site SMTP relay for use with Office 365

    I had heard of Postfix before, so I have given that a whirl. It appears to only send emails from itself, it won't receive emails and then forward them on (unless I am missing something)?

    I will give Exim a look, see what it can do, but I'm not sure if these are what I need. I need something which will sit on a server which has internet access to receive emails from servers that do not have internet access and will forward them on to Office 365's SMTP server.

    Do I need a full mail server to do this?

  5. #5
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: On site SMTP relay for use with Office 365

    You are missing something! Postfix will (and does) operate as a full MTA, but you do need to configure it correctly by editing main.cf, which you will find in /etc/postfix.

    The main.cf file is self-documenting to an extent, but does need some care. You will probably need an authentication mechanism (unless you are only receiving mail from an internal LAN) and you can get SASL to do that for you.

    I use Postfix on a home server to receive and send emails from internal and external networks, with Dovecot providing post office services.

    If you are receiving and sending mail, be very careful with configuration so you don't accidentally create an open relay!

    I did - once - in 36 hours I inadvertently relayed over 30,000 emails...

    And that is why Postfix won't act as a relay out of the box, you MUST configure it first.


    Just for the avoidance of doubt YOU MUST CONFIGURE IT FIRST!

    I think you will find EXIM and other MTAs are the same, for the same reason.

  6. #6
    HEXUS.social member Allen's Avatar

    Re: On site SMTP relay for use with Office 365

    It's behind a firewall and NAT'd to our public IP, so no SMTP connections will get to this server from the outside, only from the internal network.

    I have tried searching and searching, the only documents/pages I find explain how to install Postfix very basically. I follow it and run the configuration, which gives me a very small main.cf file. If I try and telnet to localhost on port 25 it will respond and will send emails to the outside world through Office 365 (authentication isn't required, Office 365 allows you to authenticate via the public IP address, and as I said, this server is NAT'd to our public IP), but it won't respond on port 25 to any connections from inside the network. It's not even listening to port 25 other than on "localhost".

    Here is my main.cf file:

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = hostname.domain.local
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination =
    mynetworks = 192.168.0.0/23
    relayhost = (truncated).mail.protection.outlook.com
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = loopback-only
    home_mailbox = Maildir/
    mailbox_command =
    inet_protocols = ipv4

  7. #7
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: On site SMTP relay for use with Office 365

    I'll go and look at mine.

    Do you have the original main.cf file? Did you run a configuration script?

    Have a look at www.postfix.org

  8. #8
    HEXUS.social member Allen's Avatar

    Re: On site SMTP relay for use with Office 365

    I followed this: https://help.ubuntu.com/community/Postfix

    It's pretty much the same guide that I found on many other sites, none of them mentioned adding any other settings, which is obviously why the relay isn't working. I'll have a look around to see what I can find to explicitly allow relays.

  9. #9
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: On site SMTP relay for use with Office 365

    It is a long file with all the comments in! I've edited some of the debugging info - in practice it's the relay and authentication directives you need to concentrate on, especially client authentication.

    What is the destination? Internal mailboxes or external relay, or deliver direct?
  11. #10
    HEXUS.social member Allen's Avatar

    Re: On site SMTP relay for use with Office 365

    I think I have got there, I just emailed my Gmail account from my laptop whilst telnet'd to the Postfix server, the headers show the email was received from Office 365.

    Received: from ***.outbound.protection.outlook.com (***.outbound.protection.outlook.com. [***.***.***.***])

    I rolled the server back to before I installed Postfix, re-installed it, this time I selected Internet Site instead of Satellite (the description for Satellite seemed to fit, obviously not). I only changed three lines to get it working:

    mydestination = domain.co.uk, hostname, localhost.localdomain, localhost, * (could probably get away with it being just *)
    relayhost = ***.protection.outlook.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16

    Thanks for your help Peter in pointing me in the right direction, hope I didn't put you out too much going through and removing sensitive information from your config file so I could compare it!

  12. #11
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: On site SMTP relay for use with Office 365

    Excellent! It isn't immediately straightforward! There is an excellent book published by O'Reilly called Postfix: The Definitive Guide, which is very useful!

    I'll remove the above posts now they have served their purpose.

  13. #12
    Senior Member
    Join Date
    May 2013
    Posts
    215
    Thanks
    3
    Thanked
    21 times in 19 posts
    • bytejunkie's system
      • Motherboard:
      • ASRock P5S Pro
      • CPU:
      • i5 750
      • Memory:
      • 8GB Patriot IEM
      • Storage:
      • Samsung 840Pro 128GB
      • Graphics card(s):
      • XFX 6870
      • PSU:
      • Powercooler 600
      • Case:
      • Thermal Take Dokker
      • Operating System:
      • Win7
      • Monitor(s):
      • Apple Cinema Screen
      • Internet:
      • yup

    Re: On site SMTP relay for use with Office 365

    I know you've got this working, but wouldn't you have been better off considering a CAS server? At least then it'd be able to exist in the Exchange organisation, albeit offsite (well, onsite).

    What way have you got of doing authentication with Postfix on a Linux box? Is it just an IP address thing? So you could potentially still become a relay unwittingly?

    I know very little about hosted Exchange yet, so genuine questions, not trying to trip you up.

  14. #13
    Splash
    Guest

    Re: On site SMTP relay for use with Office 365

    You'd configure Postfix to only allow relay from specific IP addresses, relaying on to the O365 servers. Generally client submission is preferred, but this obviously doesn't work in Allen's case.

    More info on your options from a hosted Exchange perspective at http://technet.microsoft.com/en-GB/l...hg.150%29.aspx

    Allen - would suggest that it might be an idea to limit the IP addresses that O365 is expecting email from just in case you get a nasty inside your network that tries spewing spam out - you should really only need the IP of your internal relay.

  15. #14
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: On site SMTP relay for use with Office 365

    You can (and should, if you are accepting external mail) use SASL to authenticate inbound clients. SMTP doesn't have an authentication mechanism in the protocol, but SASL was developed to add this simply. You could use TLS or SSL to provide a degree of privacy and authentication, but then you are in a new ball game of getting (or generating) certificates. Not particularly difficult, but tricky, and if you sign your own, you can then run into trust issues.

    But for internal mail relay, limiting the IP address range to the internal scope is fine, while blocking port 25 inbound at the router.

  16. #15
    HEXUS.social member Allen's Avatar

    Re: On site SMTP relay for use with Office 365

    Quote, originally posted by bytejunkie:
        I know you've got this working, but wouldn't you have been better off considering a CAS server? At least then it'd be able to exist in the Exchange organisation, albeit offsite (well, onsite).

        What way have you got of doing authentication with Postfix on a Linux box? Is it just an IP address thing? So you could potentially still become a relay unwittingly?

        I know very little about hosted Exchange yet, so genuine questions, not trying to trip you up.

    I wanted to use a Linux box, am trying to limit using Windows servers if I can to save licensing costs.

    There is no authentication required as Office 365 allows you to authenticate using the public IP address the SMTP request is coming from.

    Quote, originally posted by Splash:
        You'd configure Postfix to only allow relay from specific IP addresses, relaying on to the O365 servers. Generally client submission is preferred, but this obviously doesn't work in Allen's case.

        More info on your options from a hosted Exchange perspective at http://technet.microsoft.com/en-GB/l...hg.150%29.aspx

        Allen - would suggest that it might be an idea to limit the IP addresses that O365 is expecting email from just in case you get a nasty inside your network that tries spewing spam out - you should really only need the IP of your internal relay.

    The current setup is temporary and when we free up an external IP address I will change it so it's the only machine going out on the authorised IP address. Also at present it's accepting any internal IP address to relay emails, so yes it can still be abused, but I didn't have the time to gather all of the IP addresses of the servers that send out emails (some are monitoring probes sitting on our customers' networks and connected to us via VPN). This will also change.

    The firewall is blocking incoming SMTP connections to the relay, so at least it's not open to the world!
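
Added example, not part of any post in the thread: a small Python audit of the main.cf settings discussed above, covering the loopback-only listener from post #6 and the breadth of `mynetworks` that the later posts recommend narrowing. The `TIGHT` sample, its two host addresses and the `max_hosts` threshold are constructed for illustration, and `may_relay` models only `permit_mynetworks` (no SASL, recipient outside the local domains).

```python
import ipaddress

# Relevant lines of the main.cf in post #6, values as posted.
POST_6 = """\
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
mynetworks = 192.168.0.0/23
inet_interfaces = loopback-only
"""
# mynetworks as posted in post #10; inet_interfaces left unset (Postfix default: all), an assumption.
POST_10 = "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16\n"
# Constructed: only two sending hosts are trusted (addresses are made up).
TIGHT = """\
mynetworks = 127.0.0.0/8
    192.168.0.25/32 192.168.1.40/32
"""

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        else:
            last, _, value = (s.strip() for s in raw.partition("="))
            params[last] = value
    return params

def trusted_networks(params):
    """Yield the CIDR entries of mynetworks; file and table entries are skipped."""
    for tok in params.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue
        mapped = net.version == 6 and net.network_address.ipv4_mapped
        if mapped and net.prefixlen >= 96:  # fold ::ffff:a.b.c.d/n into its IPv4 form
            net = ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}", strict=False)
        yield net

def may_relay(text, client_ip):
    """Model permit_mynetworks only: no SASL, recipient not a local domain."""
    params, ip = parse_main_cf(text), ipaddress.ip_address(client_ip)
    if params.get("inet_interfaces", "all") == "loopback-only" and not ip.is_loopback:
        return False  # the client cannot even open a connection
    return any(ip.version == n.version and ip in n for n in trusted_networks(params))

def audit(text, max_hosts=256):
    """Return findings; max_hosts is an arbitrary threshold chosen for this example."""
    params, findings = parse_main_cf(text), []
    if params.get("inet_interfaces", "all") == "loopback-only":
        findings.append("listens on loopback only: LAN devices cannot connect")
    rules = params.get("smtpd_relay_restrictions")  # unset: Postfix's own default applies
    if rules is not None and "_unauth_destination" not in rules:
        findings.append("smtpd_relay_restrictions lacks reject/defer_unauth_destination")
    for net in trusted_networks(params):
        if not net.is_loopback and net.num_addresses > max_hosts:
            findings.append(f"mynetworks {net} trusts {net.num_addresses} addresses")
    return findings

if __name__ == "__main__":
    print({n: audit(c) for n, c in (("post #6", POST_6), ("post #10", POST_10), ("tight", TIGHT))})
```

On a live server, feeding the output of `postconf -n` to `audit` checks the settings Postfix is actually using rather than a copy of the file.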
