Allow relay from O365

jeremywatco
Posts: 18
Joined: Sat Sep 13, 2014 3:52 am

Postby jeremywatco » Wed Sep 21, 2022 3:45 pm

Hi all,

We have a split domain and have had it working great for the past 5 years or so. Traditionally we had mail flow from our 3rd party Spam/AV gateway > Zimbra > Office 365 and then for outbound Office 365 has a connector back to the Spam/AV. So in or out it all follows this flow. Worked great. Now we have a specific business need to reverse the flow and have the mail go from our Spam/AV > Office 365 > Zimbra. For inbound messages this is working fine. The issue is for outbound messages originating from Office 365.... We want those messages to flow through the Zimbra server and out to the Spam/AV and NOT go direct to the Spam/AV.

My issue is with Zimbra I can't figure out the best way to allow for a relay from Office 365. The host name it sends from is never the same. The IP it sends from is never the same. Thoughts?


L. Mark Stone
Elite member
Posts: 2457
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Allow relay from O365

Postby L. Mark Stone » Wed Sep 21, 2022 7:38 pm

jeremywatco wrote:Hi all,

We have a split domain and have had it working great for the past 5 years or so. Traditionally we had mail flow from our 3rd party Spam/AV gateway > Zimbra > Office 365 and then for outbound Office 365 has a connector back to the Spam/AV. So in or out it all follows this flow. Worked great. Now we have a specific business need to reverse the flow and have the mail go from our Spam/AV > Office 365 > Zimbra. For inbound messages this is working fine. The issue is for outbound messages originating from Office 365.... We want those messages to flow through the Zimbra server and out to the Spam/AV and NOT go direct to the Spam/AV.

My issue is with Zimbra I can't figure out the best way to allow for a relay from Office 365. The host name it sends from is never the same. The IP it sends from is never the same. Thoughts?


Wouldn't an Outbound Connector in 365 solve the issue?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
jeremywatco
Posts: 18
Joined: Sat Sep 13, 2014 3:52 am

Re: Allow relay from O365

Postby jeremywatco » Wed Sep 21, 2022 9:29 pm

The Outbound connector back to Zimbra is just fine. Zimbra is just rejecting the relay. So I need to find a way to allow relaying from O365 through Zimbra. The O365 setup is straightforward and already done. It seems I can only relay by IP address. I know it's not the best way to do it but is there a way within Zimbra to say allow relay from *.outlook.com or something wildcarded like that?
L. Mark Stone
Elite member
Posts: 2457
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Allow relay from O365

Postby L. Mark Stone » Thu Sep 22, 2022 12:09 am

jeremywatco wrote:The Outbound connector back to Zimbra is just fine. Zimbra is just rejecting the relay. So I need to find a way to allow relaying from O365 through Zimbra. The O365 setup is straightforward and already done. It seems I can only relay by IP address. I know it's not the best way to do it but is there a way within Zimbra to say allow relay from *.outlook.com or something wildcarded like that?


If the mailbox exists in Zimbra, Zimbra should accept the email from M365 for delivery locally (assuming it passes through amavis...)

Why not provide logs from Zimbra showing the rejects? Hard to help further without specifics...
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
jeremywatco
Posts: 18
Joined: Sat Sep 13, 2014 3:52 am

Re: Allow relay from O365

Postby jeremywatco » Fri Sep 23, 2022 1:41 pm

Correct, and that works just fine.

What I need is an O365 user that sends an email to let's say @yahoo.com. I need that message to flow through the Zimbra MTA and then out.
phoenix
Ambassador
Posts: 27081
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Allow relay from O365

Postby phoenix » Fri Sep 23, 2022 2:21 pm

jeremywatco wrote:What I need is an O365 user that sends an email to let's say @yahoo.com. I need that message to flow through the Zimbra MTA and then out.
OK, I'll bite. :) Why do you need to relay messages from O365 through another server?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
jeremywatco
Posts: 18
Joined: Sat Sep 13, 2014 3:52 am

Re: Allow relay from O365

Postby jeremywatco » Fri Sep 23, 2022 3:25 pm

Because!

No, because we have a strange issue that neither Barracuda (Spam Appliance) nor Microsoft can figure out. We need all in/out mail routed through our Barracuda Appliance for compliancy reasons (encryption, content checking, etc). When an Office 365 message gets sent out from Office 365 through the barracuda, it's great, works fine. Zimbra the same. But when an O365 origin message destined to a different O365 tenant is sent out, the barracuda appliance and O365 on the other tenant start to fight and create a mail loop for unknown reasons, finally ending up in a bounce back. It's weird.

Strangely enough, if I route that O365 message through Zimbra first and then to the barracuda appliance, this fight doesn't happen and everything is great. Again.. Barracuda support & Microsoft are just left puzzled.
