Configuring a Proper SMTP Relay for Exchange On-Prem and Exchange Online Jeff Guillet, MVP | MCSM | CISSP.



CONFIGURING A PROPER SMTP RELAY
Overview
- How to set up and configure an SMTP relay properly, both on-prem and for Office 365
- SMTP relays allow on-prem appliances and application servers to send emails and alerts to internal and/or external users
- Proper configuration helps protect your organization and SMTP namespaces
#ITDevConnections

Types of SMTP Relays
- Internal Relays – internal emails to internal users
- External Relays – internal emails to internal/external users
- Open Relays – external emails that relay to other SMTP domains = BAD

On-Prem Only Customers
- Use on-prem Exchange servers for relay
  – Opportunistic TLS
- Use RRDNS or MX records for HA. Don't load balance.
- Other options:
  – Dedicated IIS server (usually non-TLS)
  – SMTP gateway (usually non-TLS)
- Set-TransportConfig -InternalSMTPServers

Relay via On-Prem Exchange
- More control
- Single relay source
- Allows external
- No spam filtering
- Opportunistic TLS 1.0+
- Uses TCP 25

Hybrid Customers
- Use Exchange hybrid/management server
  – TLS by default
- Use RRDNS or MX records for HA. Don't load balance.
- Other options:
  – Dedicated IIS server (usually non-TLS)
  – SMTP gateway (usually non-TLS)
  – Direct to O365 (more on this later)
- Set-TransportConfig -InternalSMTPServers

Relay via Hybrid Server
- More control
- Single relay source
- Allows external
- Bypasses header firewall
- No spam filtering
- Uses TLS 1.0+
- Uses TCP 25

Cloud-Only Customers
- Create an SMTP Relay
  – Exchange Server (Edge or Hybrid)
  – Dedicated IIS server (usually non-TLS)
  – SMTP gateway (usually non-TLS)
  – Or... direct to O365 (more on this later)
- Use RRDNS or MX records for HA. Don't load balance.

Configuring Relay Services
1. Configure the relay namespace in internal DNS (relay.contoso.com)
2. Configure the relay
   – Exchange Receive/Send Connectors
   – SMTP gateway
   – IIS server
3. Identify devices and app servers that relay
4. Reconfigure devices and app servers

Configuring IIS Relay Server
- Works with any Windows Server
- Install the SMTP Server feature and IIS 6.0 Manager
- Install an SSL certificate
- Configure SMTP Server properties (IPs, auth, limits, TLS)
- Add a remote domain for smtp.office365.com
- Restart IIS and SMTP Server
- Detailed steps at configure-internal-smtp-relay.html

Relay Directly to Office 365
- Best for small orgs
- Requires no on-prem relay
- Configure on-prem devices to use the tenant target address (for example, contoso.mail.oe.outlook.com)
- Important notes:
  – Firewall must allow TCP 25 or 587 outbound from all devices
  – Devices are treated as anonymous senders unless authenticated to send through a mailbox
  – Does not use TLS

Relay via Client Submission
- Less control
- Multiple relay sources
- Allows external
- Requires TLS 1.0+
- No spam filtering
- Uses TCP 587 (or 25)

Relay via Direct Send
- Less control
- Multiple relay sources
- Internal only
- No TLS
- Subject to spam filtering
- Uses TCP 25
- Should add the IP to the SPF record

Office 365 Relay Limits
- O365 was designed for and meant for actual people, not mass mailing software/services
  – Limited to 30 messages per minute, and 10,000 recipients per day (us/library/exchange-online-limits.aspx#MessageLimits)
- For transactional, marketing, or any other bulk email, use a third-party service

Determine SMTP Talkers
- Download and install LogParser 2.2 (us/download/details.aspx?id=24659)
- Exchange 2007:
    Set Logs=C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log
- Exchange 2010/2013:
    Set Logs=%ExchangeInstallPath%\TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log
- Exchange 2016:
    Set Logs=%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log
- Execute from an elevated CMD prompt (not PowerShell):
    "%ProgramFiles(x86)%\Log Parser 2.2\LogParser.exe" "SELECT EXTRACT_PREFIX(remote-endpoint,0,':') as IP, REVERSEDNS(EXTRACT_PREFIX(remote-endpoint,0,':')) as Name, Count(*) as Hits FROM '%Logs%' WHERE data LIKE '%EHLO%' GROUP BY IP ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1
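The LogParser query above answers "which hosts are talking SMTP to my server?" from the SmtpReceive protocol logs. As an added example, not part of the presentation, the Python below does the same job offline over the same log format: the sample log is constructed for this example (the header layout and field names follow the real SmtpReceive logs; the sessions, host names and addresses are made up). It goes slightly beyond the query in that it counts HELO greetings as well as EHLO, since older devices never send EHLO and would be missed, and it skips reverse DNS so it runs without network access.

```python
import csv
from collections import Counter

# Constructed sample of an Exchange SmtpReceive protocol log. The header layout and field names
# follow the real logs; the sessions, host names and addresses are made up for this example.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: SMTP Receive Protocol Log
#Date: 2017-10-20T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-10-20T08:00:01.120Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F30,0,10.0.0.5:25,10.0.5.20:49211,+,,
2017-10-20T08:00:01.121Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F30,1,10.0.0.5:25,10.0.5.20:49211,>,220 EX16A\Default Frontend EX16A,
2017-10-20T08:00:01.130Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F30,2,10.0.0.5:25,10.0.5.20:49211,<,EHLO printer01.contoso.com,
2017-10-20T08:00:01.131Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F30,3,10.0.0.5:25,10.0.5.20:49211,>,250-EX16A.contoso.com Hello [10.0.5.20],
2017-10-20T08:05:14.002Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F31,0,10.0.0.5:25,10.0.7.31:50102,+,,
2017-10-20T08:05:14.010Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F31,2,10.0.0.5:25,10.0.7.31:50102,<,EHLO appsrv01.contoso.com,
2017-10-20T08:09:30.500Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F32,0,10.0.0.5:25,10.0.5.20:49377,+,,
2017-10-20T08:09:30.510Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F32,2,10.0.0.5:25,10.0.5.20:49377,<,EHLO printer01.contoso.com,
2017-10-20T08:12:02.777Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F33,0,10.0.0.5:25,10.0.0.99:43210,+,,
2017-10-20T08:12:02.790Z,EX16A\Default Frontend EX16A,08D51A0B7C1E2F33,2,10.0.0.5:25,10.0.0.99:43210,<,HELO scanner02,
"""


def remote_ip(endpoint):
    """Strip the port from 'ip:port'. Splitting on the last colon keeps IPv6 endpoints intact
    (assumed here to be logged as '[addr]:port'); the brackets are removed afterwards."""
    host = endpoint.rsplit(":", 1)[0]
    return host.strip("[]")


def smtp_talkers(log_text, commands=("EHLO", "HELO")):
    """Count client greetings per source IP and return [(ip, hits), ...], busiest first."""
    fields = None
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The #Fields header names the columns; everything else starting with '#' is metadata.
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = next(csv.reader([line]))        # csv handles quoted data/context columns
        if len(row) < len(fields):
            continue
        rec = dict(zip(fields, row))
        verb = rec["data"].split(" ", 1)[0].upper()
        if rec["event"] == "<" and verb in commands:   # '<' marks data received from the client
            hits[remote_ip(rec["remote-endpoint"])] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Point this at a real file with: smtp_talkers(open(path, encoding="utf-8").read())
    for ip, n in smtp_talkers(SAMPLE_LOG):
        print(f"{n:5d}  {ip}")
```

Run it against a concatenation of the SmtpReceive logs listed on the slide to get the same device inventory the LogParser query produces; pass commands=("EHLO",) to match the original query exactly.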

DEMO

TLS Connections
- What is TLS?
- Required for Client Submission relay and Hybrid
- TLS requirements
  – Resolvable FQDN namespace
  – Third-party SSL certificate
    Must be valid and trusted
    Name must match the namespace
    CRL must be reachable

Overview of Connectors
- Receive Connectors
  – Frontend Receive Connectors – client facing
  – Hub Transport Receive Connectors – backend
  – Scoping – IPs allowed to use the connector
  – Security – authentication methods
  – Optional external relay permissions:
      Get-ReceiveConnector "External Relay E15MB1" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
- Send Connectors
  – DNS delivery
  – Smart hosting

SMTP Banners
- Set SMTP banners on all Receive Connectors:
    Get-ReceiveConnector | % {Set-ReceiveConnector $_.Identity -Banner "220 $_"}

Testing the Relay
- Telnet Client
- PowerShell (replace the From and To addresses with your own):
    Send-MailMessage -From "sender@contoso.com" -To "recipient@contoso.com" -Subject "PowerShell Relay Test" -Body "Testing 1-2-3" -SmtpServer ex16a
- CMD line utilities like POSTIE

Blacklisting
- Avoid at all costs
- Protect your corporate domain SMTP namespace and IPs
  – Use a dedicated public IP for relaying
  – Use EOP for relaying
  – Use a 3rd party for relaying
  – Use a dedicated relay namespace
  – Configure SPF / DKIM
    Add the SMTP relay IP address to your SPF record, if necessary
- SPF records and DKIM
  – One and only one SPF record
  – No more than 10 lookups including referrals
  – SPF: records are deprecated, use TXT: records
  – Ignore the O365 Portal's "important" recommendations
- Test O365 relaying to confirm the IP is not blocked
  – Telnet test
  – How to remove
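The three SPF rules on this slide (one record, at most 10 DNS lookups including referrals, relay IP listed) are easy to get wrong once a domain includes a vendor's record that includes another. As an added example, not from the presentation, the Python below checks all three against a set of TXT records; the records are constructed for this example and stand in for live DNS answers (a real checker would query a resolver), so every ".example" name and address is made up and only contoso.com comes from the slides. Lookups are counted the way receivers count them: include, redirect, a, mx, ptr and exists each cost one, and includes are followed recursively.

```python
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}

# Constructed TXT records standing in for live DNS answers. All ".example" names and
# addresses are made up for this example.
TXT_RECORDS = {
    "contoso.com": [
        "some-site-verification=abc123",
        "v=spf1 ip4:203.0.113.10 include:_spf.cloud-mail.example -all",
    ],
    "_spf.cloud-mail.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.cloud-mail.example -all"],
    "_spf2.cloud-mail.example": ["v=spf1 ip6:2001:db8:10::/48 -all"],
    # Two v=spf1 records: receivers treat this as a permanent error, so neither one protects the domain.
    "fabrikam.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    # Eleven includes: one over the limit, so receivers may return permerror instead of pass.
    "bloated.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
for _i in range(11):
    TXT_RECORDS[f"hop{_i}.example"] = ["v=spf1 ip4:192.0.2.1 -all"]


def spf_records(domain):
    """The v=spf1 TXT records published for domain (there should be exactly one)."""
    return [r for r in TXT_RECORDS.get(domain.lower(), []) if r.lower().split(" ", 1)[0] == "v=spf1"]


def _parse_terms(record):
    """Yield (name, argument) for each term after 'v=spf1', with the qualifier (+ - ~ ?) removed."""
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("redirect="):
            yield "redirect", term.split("=", 1)[1]
            continue
        name, _, arg = term.partition(":")
        yield name.split("/")[0].lower(), arg   # 'a/24' and 'mx' count the same as 'a' and 'mx'


def count_lookups(domain, seen=None):
    """Count DNS-querying terms reachable from domain's record, following include and redirect."""
    seen = set() if seen is None else seen
    if domain in seen:          # guard against include loops
        return 0
    seen.add(domain)
    records = spf_records(domain)
    if len(records) != 1:
        return 0
    total = 0
    for name, arg in _parse_terms(records[0]):
        if name in LOOKUP_MECHANISMS:
            total += 1
        elif name in ("include", "redirect"):
            total += 1 + count_lookups(arg, seen)
    return total


def ip_authorized(domain, ip, seen=None):
    """True if ip is covered by an ip4/ip6 mechanism in domain's record or any included record."""
    seen = set() if seen is None else seen
    if domain in seen:
        return False
    seen.add(domain)
    records = spf_records(domain)
    if len(records) != 1:
        return False
    addr = ipaddress.ip_address(ip)
    for name, arg in _parse_terms(records[0]):
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return True
        if name in ("include", "redirect") and ip_authorized(arg, ip, seen):
            return True
    return False


def check_spf(domain, relay_ip):
    """Summarise the slide's three checks: one record, within the lookup limit, relay IP listed."""
    records = spf_records(domain)
    lookups = count_lookups(domain)
    return {
        "record_count": len(records),
        "lookups": lookups,
        "within_limit": lookups <= MAX_LOOKUPS,
        "relay_ip_authorized": len(records) == 1 and ip_authorized(domain, relay_ip),
    }


if __name__ == "__main__":
    for dom, ip in (("contoso.com", "203.0.113.10"), ("fabrikam.example", "203.0.113.10"),
                    ("bloated.example", "192.0.2.1")):
        print(dom, check_spf(dom, ip))
```

Only ip4/ip6 mechanisms are evaluated for the relay-IP check; a and mx mechanisms would need real DNS, which is also why they count against the lookup limit in the first place.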

Recommendations
- Use Exchange servers for SMTP relays
  – Cloud/hybrid users: use your hybrid or management server
- Use the SMTP Talkers script to identify devices that relay
- Use dedicated Receive Connectors for internal and external relays
- Configure internal IP ranges as internal SMTP servers
- Scope relay connectors to IPs or ranges
- Set SMTP banners and use Telnet for testing
- Always test your SMTP relays
- Protect your SMTP namespace
