On 2022-01-29 09:15:02 +0000, Matthew Richardson via mailop wrote:

> As a thought (probably wrong) could this be caused by your O365 users
> forwarding INCOMING email to them FROM outlook.com and/or mail.alokind.com
> to external addresses?

Since all mail flows through Exchange 365, O365 would have to allow my users to preserve the FROM address, which seems like a security flaw. The only reasonable time I've seen this preservation is for forwarded calendar invites, which in my exim config have their own special rewrite rules, and did not trigger. Side note: forwarded calendar invites break DKIM due to this preservation.

> > * Are there any safeguards in place from preventing one tenant from using
> > another tenant's connectors?
>
> It is not certain that this is what is occurring. For example, your setup
> would not preclude other tenants pointing their outgoing email to your Exim
> (not that this would be sensible for them).

Precisely! I'm looking for restrictions on O365's end to prevent another tenant from using my connector. I have yet to find any, but maybe I'm not looking hard enough.

> You may wish to have some authentication between O365 and Exim. The MS
> document linked discusses how to do this with certificates.

The certificate setup listed at that page did not provide settings for outbound connector client certificates. From what I've found and done, I've set up a server-side certificate, which is used for legitimate connections (times UTC, fields obfuscated):

    Jan 29 14:04:54 webmail exim[2482103]: 1nDoLW-00APhv-Bk <= a...@e.sc H=mail-dm6nam12lp20206.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com) [2a01:111:f400:fe59::206]:17704 P=esmtps L X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no SNI=ipv6.e.sc K S=162589 M8S=0 RT=0.202s id=79e8610b9a6e43c29cf1833a821ed...@mn2pr08mb6272.namprd08.prod.outlook.com T="FW: BBB" from <a...@e.sc> for c...@ddd.ee

Comparing that to the fields in the original blocked connection:

    Jan 28 10:38:40 webmail exim[2145158]: H=mail-mw2nam10olkn2087.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com) [40.92.42.87]:62109 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <sylviaqyplina...@outlook.com>: prohibited sender domain

There are these things to note from exim's log format [0]:

* TLS was negotiated in both cases: `X` field
* no `SNI` was provided in the blocked case
* no client certificate validation was done from exim to O365: `CV` field

The `CV` field is the last thing I can control, but I don't believe that provides any authentication of valid email domains, only a lesser authentication that it's O365 connecting to me, which is already guaranteed by the IP ACLs.

I appreciate the look,

-- 
Alex

[0] https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
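As an added example (not code from the thread), here is a small Python parser that pulls the `H`, `X`, `CV` and `SNI` fields compared above out of the two quoted Exim log lines and reports which of the three checks in the post each connection fails; the sample lines are copies of the obfuscated lines in the message, lightly trimmed, and the assumption that `CV=yes` marks a verified client certificate follows the Exim log-format documentation cited at [0].

```python
import re
from typing import Dict, List, Optional

# Sample input: the two Exim log lines quoted in the post above (obfuscated
# there, lightly trimmed here), constructed for this example.
ACCEPTED = (
    'Jan 29 14:04:54 webmail exim[2482103]: 1nDoLW-00APhv-Bk <= a...@e.sc '
    'H=mail-dm6nam12lp20206.outbound.protection.outlook.com '
    '(NAM12-DM6-obe.outbound.protection.outlook.com) [2a01:111:f400:fe59::206]:17704 '
    'P=esmtps X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no '
    'SNI=ipv6.e.sc K S=162589 M8S=0 RT=0.202s T="FW: BBB" from <a...@e.sc> for c...@ddd.ee'
)
REJECTED = (
    'Jan 28 10:38:40 webmail exim[2145158]: '
    'H=mail-mw2nam10olkn2087.outbound.protection.outlook.com '
    '(NAM10-MW2-obe.outbound.protection.outlook.com) [40.92.42.87]:62109 '
    'X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no '
    'rejected MAIL <sylviaqyplina...@outlook.com>: prohibited sender domain'
)

# H=host (helo) [ip]:port, then generic KEY=value tokens (quoted or bare).
HOST_RE = re.compile(r'H=(\S+) \(([^)]*)\) \[([^\]]+)\]:(\d+)')
FIELD_RE = re.compile(r'(?<!\S)([A-Z][A-Za-z0-9]*)=("[^"]*"|\S+)')


def parse_exim_line(line: str) -> Dict[str, Optional[str]]:
    """Extract the connection fields discussed in the thread from one main-log line."""
    rec: Dict[str, Optional[str]] = dict.fromkeys(('host', 'helo', 'ip', 'tls', 'cv', 'sni'))
    m = HOST_RE.search(line)
    if m:
        rec['host'], rec['helo'], rec['ip'] = m.group(1), m.group(2), m.group(3)
    for key, value in FIELD_RE.findall(line):
        if key == 'X':      # TLS version and cipher suite
            rec['tls'] = value
        elif key == 'CV':   # client certificate verification result
            rec['cv'] = value
        elif key == 'SNI':  # server name presented by the client
            rec['sni'] = value
    return rec


def assess_connection(rec: Dict[str, Optional[str]]) -> List[str]:
    """List which of the three checks from the thread a connection fails."""
    findings = []
    if rec['tls'] is None:
        findings.append('no TLS negotiated')
    if rec['sni'] is None:
        findings.append('no SNI presented')
    if rec['cv'] != 'yes':   # assumption: Exim logs CV=yes only for a verified client cert
        findings.append('client certificate not verified (CV=%s)' % rec['cv'])
    return findings
```

Running both sample lines through `assess_connection(parse_exim_line(...))` shows the accepted connection failing only the `CV` check and the blocked one failing both `SNI` and `CV`, matching the three observations in the post.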