Emmanuel Fusté:
> On 17/06/2019 at 12:05, Emmanuel Fusté wrote:
> > On 16/06/2019 at 22:37, Viktor Dukhovni wrote:
> >> On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:
> >>
> >>> Some of our users use o365 but would like to use our service for
> >>> outgoing mails. We are offering smtp sending services. Integrating
> >>> our service in o365 is tricky, as one can only specify a smarthost
> >>> but Microsoft does not offer any kind of authentication for
> >>> smarthosts.
> >> Are these individual users or cloud-hosted domains? Who's authorized
> >> to ask Microsoft to route their outbound traffic through your relay?
> >> Can you distinguish one such Office365 sender from another? ...
> >>
> >> What's the point (if I may ask) of having their mail sent through
> >> your relay? I assume that Microsoft could quite easily send their
> >> outbound traffic directly to its destination.
> >>
> > Cloud-hosted domains is the "hosting" service. You have control of the
> > outbound routing.
> > There are many reasons why you would want your outbound traffic not
> > directly delivered to its destination.
> > Some want to provide "value added services". In my case it is because
> > the o365 users are only a fraction of my users (hybrid cloud mode) and
> > inbound/outbound internet mail policy/routing/delivery is under the
> > control of another infrastructure.
> >
> > Microsoft is always presenting a client certificate. That's the only
> > way to authenticate O365. (The experimental certificate matching will
> > help you.)

I suppose that Postfix should not accept arbitrary client certificates, so this certificate check will need to be configurable.

> > The "proper" Microsoft way is to use their proprietary XOORG SMTP
> > extension used in their hybrid cloud scenario.
> > => after having authenticated o365 with the presented client
> > certificate, if you announce the XOORG extension in the EHLO, o365
> > will provide you the remote o365 organization (in the "MS Exchange"
> > sense) as part of the MAIL FROM verb.
> > MAIL FROM: <m...@my-company.com> OORG=my-organization.com
> ...
> Replying to myself, attached is the client patch for Postfix.

I suppose that Postfix will need to forward the OORG information that it received from the Microsoft server, not a name that is hard-coded in main.cf, and that Postfix will need to send that information only to systems that should receive it, not to random systems on the Internet.

	Wietse
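The policy sketched in this thread (accept an OORG value only from a certificate-authenticated O365 client after XOORG was announced, carry the received value rather than a configured one, and pass it on only to next hops that should see it) can be written down as a small reference model. The following is an added example, not the attached Postfix patch or any Postfix code: the MAIL FROM parser follows the generic ESMTP "MAIL FROM:<path> key=value ..." syntax, the trusted next-hop set and all host and domain names are constructed placeholders, and the rule that OORG is only emitted to a next hop that itself advertised XOORG is an assumption based on how ESMTP parameters normally work.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example: next hops that are allowed to receive OORG (e.g. the
# on-premises Exchange side of a hybrid deployment). A real relay would read
# this from configuration, not hard-code it.
TRUSTED_OORG_NEXT_HOPS = {"exchange-onprem.example.internal"}

_MAIL_FROM_RE = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>(.*)$", re.IGNORECASE)
# Loose sanity pattern for an organization name carried in OORG (assumed: a DNS-like label).
_ORG_RE = re.compile(r"[A-Za-z0-9.-]+")


@dataclass
class MailFrom:
    reverse_path: str
    params: Dict[str, str] = field(default_factory=dict)


def parse_mail_from(line: str) -> MailFrom:
    """Parse an ESMTP MAIL FROM command, returning the reverse path and its
    key=value parameters (keys upper-cased). Raises ValueError on malformed input."""
    m = _MAIL_FROM_RE.match(line.strip())
    if not m:
        raise ValueError("malformed MAIL FROM command")
    params: Dict[str, str] = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return MailFrom(reverse_path=m.group(1), params=params)


def accept_oorg(cmd: MailFrom, client_cert_matched: bool, xoorg_announced: bool) -> Optional[str]:
    """Decide whether the OORG parameter on an inbound MAIL FROM may be trusted.

    The value is only kept when this server announced XOORG in its EHLO reply and
    the client authenticated with a certificate that matched the configured
    expectation; otherwise it is dropped rather than guessed or substituted."""
    oorg = cmd.params.get("OORG")
    if oorg is None:
        return None
    if not (xoorg_announced and client_cert_matched):
        return None
    if not _ORG_RE.fullmatch(oorg):
        return None
    return oorg.lower()


def build_outbound_mail_from(reverse_path: str, oorg: Optional[str],
                             next_hop: str, next_hop_offers_xoorg: bool) -> str:
    """Re-emit MAIL FROM towards the next hop, attaching the *received* OORG value
    only if that hop is one configured to receive it and it advertised XOORG.
    Random Internet destinations never see the parameter."""
    cmd = f"MAIL FROM:<{reverse_path}>"
    if oorg and next_hop_offers_xoorg and next_hop in TRUSTED_OORG_NEXT_HOPS:
        cmd += f" OORG={oorg}"
    return cmd


def relay_mail_from(inbound_line: str, client_cert_matched: bool, xoorg_announced: bool,
                    next_hop: str, next_hop_offers_xoorg: bool) -> str:
    """End-to-end: parse the inbound command, apply the acceptance policy, and
    produce the command that would be sent to the chosen next hop."""
    cmd = parse_mail_from(inbound_line)
    oorg = accept_oorg(cmd, client_cert_matched, xoorg_announced)
    return build_outbound_mail_from(cmd.reverse_path, oorg, next_hop, next_hop_offers_xoorg)


if __name__ == "__main__":
    # Constructed inbound command, modelled on the one quoted in the thread.
    inbound = "MAIL FROM: <user@my-company.example> OORG=my-organization.example"
    print(relay_mail_from(inbound, True, True, "exchange-onprem.example.internal", True))
    print(relay_mail_from(inbound, True, True, "mx.some-other-domain.example", True))
    print(relay_mail_from(inbound, False, True, "exchange-onprem.example.internal", True))
```

The three runs illustrate the two points raised in the reply: the first forwards the value exactly as received, the second drops it for an untrusted next hop, and the third drops it when the client certificate did not match, even though the destination is trusted.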