You can configure the connector to only relay messages to your MTA if its (CA issued) cert's CN matches something specific. However, as you note, you also need to trust their Exchange Online IP range too. Now those IPs are not the same as their Azure allocations so the risk is the entire Exchange Online platform being compromised and your MTA specifically targeted, as opposed to a malicious user on a free Azure trial specifically targeting your MTA.
Incidentally, the feature you're looking for (basic authentication for smart hosts) exists in on-premise Exchange. I assumed it existed with the on-line edition too but it does not appear to, at least, any more.

Ken.

From: mailop <mailop-boun...@mailop.org> On Behalf Of Kevin A. McGrail via mailop
Sent: Friday 18 September 2020 15:50
To: mailop@mailop.org
Subject: Re: [mailop] [External] Re: How to do Outbound Relay from M365 previously O365

On 9/18/2020 10:18 AM, Ken O'Driscoll via mailop wrote:

You need to set up mail flow connectors in Exchange Online. Authentication is certificate and/or IP based. I think this explains it fairly well: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail

Thanks, but for outbound FROM m365 to the internet through a smarthost, this wouldn't suffice. We couldn't accept Microsoft's Cert or all of Microsoft's IPs for relay without significant risk of inevitable abuse. I don't think I'm missing something on this but completely open to the fact that I might be.

Regards, KAM
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
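The two gates Ken describes for the smarthost side (relay only if the CA-verified client certificate's CN matches the expected name AND the source IP is inside the Exchange Online range), written out as a Postfix policy service. This is an added example, not code from the thread or from any of its participants, and it assumes things the thread does not state: that the MTA is Postfix, that `smtpd_tls_ask_ccert = yes` and `smtpd_tls_CAfile` are set so that Postfix only fills `ccert_subject` for a certificate that verified against the CA bundle, that the policy service is listed in `smtpd_relay_restrictions` before `reject_unauth_destination`, and that the certificate names and IP prefixes below are placeholders (RFC 5737/3849 documentation ranges) to be replaced by Microsoft's published values. It enforces exactly the two checks in the message and nothing more; as KAM's reply points out, both are shared by every Exchange Online tenant, so passing them does not identify which tenant is sending.

```python
"""Postfix policy service: permit relay only for a CA-verified client cert with
the expected CN coming from an allowlisted IP range (added example, assumptions
noted inline)."""
import ipaddress
import sys

# Constructed placeholder prefixes (documentation ranges only). A real deployment
# loads the Exchange Online prefixes that Microsoft publishes instead.
EXCHANGE_ONLINE_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Assumed subject names for the certificate Exchange Online presents as an SMTP
# client; confirm against your own MTA's TLS logs before relying on them.
EXPECTED_CNS = ("mail.protection.outlook.com", "*.mail.protection.outlook.com")


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def cn_matches(cn: str, patterns=EXPECTED_CNS) -> bool:
    """Exact match, or single-label wildcard match for '*.suffix' patterns
    (a bare substring/endswith test would accept 'x.y.mail.protection.outlook.com')."""
    cn = cn.strip().lower().rstrip(".")
    if not cn:
        return False
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # e.g. ".mail.protection.outlook.com"
            if cn.endswith(suffix):
                label = cn[: -len(suffix)]
                if label and "." not in label:
                    return True
        elif cn == pat:
            return True
    return False


def ip_in_exchange_online(client_address: str) -> bool:
    """True when the client address falls inside one of the allowlisted prefixes."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(addr in net for net in EXCHANGE_ONLINE_NETS)


def relay_decision(attrs: dict) -> str:
    """'OK' only when BOTH gates pass; otherwise 'DUNNO', so that the remaining
    smtpd_relay_restrictions (normally ending in reject_unauth_destination)
    decide. Answering REJECT here would also block ordinary inbound mail for
    local domains arriving from the same client."""
    # Assumption: Postfix fills ccert_subject only for a client certificate that
    # verified against smtpd_tls_CAfile, so its presence carries the "CA issued" check.
    cert_ok = cn_matches(attrs.get("ccert_subject", ""))
    ip_ok = ip_in_exchange_online(attrs.get("client_address", ""))
    return "OK" if (cert_ok and ip_ok) else "DUNNO"


def policy_response(raw_request: str) -> str:
    """Full wire response for one request, in Postfix policy-protocol form."""
    return "action=%s\n\n" % relay_decision(parse_policy_request(raw_request))


def serve(stream_in, stream_out):
    """Answer requests one by one; Postfix keeps the connection open between them."""
    buf = []
    for line in stream_in:
        buf.append(line)
        if not line.strip():
            stream_out.write(policy_response("".join(buf)))
            stream_out.flush()
            buf = []


# Constructed sample requests (not captured traffic).
REQ_BOTH_GATES = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.25\nccert_subject=mail.protection.outlook.com\n"
    "sender=user@contoso.example\nrecipient=bob@example.net\n\n"
)
REQ_IP_ONLY = REQ_BOTH_GATES.replace("ccert_subject=mail.protection.outlook.com\n", "")
REQ_CERT_ONLY = REQ_BOTH_GATES.replace("client_address=192.0.2.25", "client_address=198.51.100.7")

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Wire it in as `check_policy_service unix:private/m365relay` ahead of `reject_unauth_destination`; a client that passes only one gate gets DUNNO and is then held to the normal relay rules rather than rejected outright.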