On Thu, Mar 27, 2014 at 08:45:01AM +0100, martijn.list wrote:

> Has anyone on this list had any experience in setting up an outbound
> gateway for Google Apps and/or Exchange online?
I set up Google Apps some years back, but have switched jobs since and have forgotten some of the details. We definitely put in counter-measures that prevent other Google Apps customers from relaying via our outbound servers. Google should be able to tell you about available options for that. At the very least we had:

* Google Apps outbound flow was to port 587 with STARTTLS via a dedicated set of Postfix machines.

* The envelope sender domain was restricted to our Google Apps domain, and we used reject_unlisted_sender.

* We were "big enough" to ask them to use client certificates to authenticate to the outbound server. We had a long-standing feature request to allow us to provision these by uploading a PKCS12 or similar key + cert bundle via the domain administrator interface, so that client certs would be per customer, not global for Google Apps. Without this feature they notified us before deploying new client certs (which was a nuisance for them and us). Don't know whether the requested client cert support got implemented. So $previous_employer may still be relying on Google's default client certs (which, unlike the sender domain, are not client specific).

* We also asked Google to authenticate our server's TLS cert.

* We also operated our own inbound MX hosts, and used Google Apps only as a mailstore, not an MX provider. Envelope rewriting rules kept the mail flows from looping (the internal mailbox address of a Google Apps user was a custom domain, which was rewritten back to the primary address in smtp_generic_maps during hand-off to Google's relay).

That was all then; things may be different now, ideally better, with more options available, but things don't always improve. Sometimes the simplest options for the mass-market become the only options.

-- 
Viktor.
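The following is an added configuration sketch of how the measures listed in the message above map onto Postfix settings. It is not the poster's configuration and not anything Google provides; the domain names (example.com as the Google Apps domain, gapps.example.com as the internal custom domain), the file paths, the digest choice and the fingerprint placeholder are all assumptions made for illustration. It assumes Postfix 2.10 or later for smtpd_relay_restrictions and that the Google-side client certificate chains to a CA whose certificate you have a copy of.

```conf
# ---- /etc/postfix/main.cf (fragment, added example; all names are placeholders) ----

# Our own TLS identity, so the Google side can verify the server certificate.
smtpd_tls_cert_file = /etc/postfix/relay.example.com.crt
smtpd_tls_key_file  = /etc/postfix/relay.example.com.key
# CA that issued the client certificate Google presents to us (assumed path).
smtpd_tls_CAfile    = /etc/postfix/google-client-ca.pem

# Client certificates are matched by fingerprint against relay_clientcerts,
# using this digest (the pre-3.6 default is md5, so set it explicitly).
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# Our mailboxes, so reject_unlisted_sender can refuse unknown example.com senders.
relay_domains = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Sender policy for the Google-facing listener, referenced from master.cf:
# known sender only, and only in our own domain (or the null sender for bounces).
gapps_sender_restrictions =
    reject_unlisted_sender,
    check_sender_access hash:/etc/postfix/sender_domains,
    reject

# ---- /etc/postfix/master.cf (fragment) ----

# Port 587, STARTTLS mandatory, relay only for a recognised client certificate.
submission inet n - n - - smtpd
  -o syslog_name=postfix/gapps
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_sender_restrictions=$gapps_sender_restrictions
  -o smtpd_relay_restrictions=permit_tls_clientcerts,reject

# Dedicated transport for hand-off to Google, used by the inbound MX hosts: the
# internal custom domain is rewritten back to the primary address on the way out.
gapps unix - - n - - smtp
  -o syslog_name=postfix/gapps-out
  -o smtp_generic_maps=regexp:/etc/postfix/generic

# ---- /etc/postfix/relay_clientcerts (hash table; run "postmap" after editing) ----
# <fingerprint of the Google client certificate, colon-separated hex>  <any label>
# The value below is a placeholder, not a real fingerprint.
# AA:BB:CC:...:FF  google-apps-outbound

# ---- /etc/postfix/sender_domains (hash table) ----
# Only our Google Apps domain may appear as envelope sender; "<>" is the
# null sender so bounces generated on the Google side can still leave.
# example.com  OK
# <>           OK

# ---- /etc/postfix/relay_recipients (hash table) ----
# One entry per mailbox; used both for inbound recipient validation on the MX
# and by reject_unlisted_sender on the outbound listener.
# alice@example.com  OK
# bob@example.com    OK

# ---- /etc/postfix/generic (regexp table) ----
# Internal custom domain used for routing -> primary address seen by Google.
# /^([^@]+)@gapps\.example\.com$/  $1@example.com
```

With this layout a client that does not complete STARTTLS is refused at MAIL FROM, a client with no recognised certificate fingerprint is refused at RCPT TO by smtpd_relay_restrictions, and a recognised client can still only send as a listed user in example.com. The tables are shown as comments inside the one fence only so the fragment reads as a single file; in practice each lives in its own file, and the inbound MX hosts are assumed to route gapps.example.com to the gapps transport via transport_maps.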