Hello all,

This info may be better reserved for a Microsoft support ticket, but I figure there are a few people here who could help short circuit the process, or offer insight into my issue.

My mail service currently uses Exchange 365 as the data store, with an exim outbound connector [0] hosted on AWS infra.

The setup for outbound mail is as follows:

    MUA --> Exchange 365 MTA --> connector MTA --> Internet

I've added ACLs on my connector to only accept port 25 TCP traffic from Exchange 365 IPs [1], and added an allowlist on my connector MTA to only accept mail for domains I own.

During some log spelunking, I've received 3 curious entries (times UTC):

    Jan 28 10:38:40 webmail exim[2145158]: H=mail-mw2nam10olkn2087.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com) [40.92.42.87]:62109 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <sylviaqyplina...@outlook.com>: prohibited sender domain
    Jan 28 21:52:03 webmail exim[2281852]: H=mail-ma1ind01hn2225.outbound.protection.outlook.com (IND01-MA1-obe.outbound.protection.outlook.com) [52.100.187.225]:5171 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <t...@mail.alokind.com>: prohibited sender domain
    Jan 28 23:22:58 webmail exim[2300338]: H=mail-bmxind01hn2226.outbound.protection.outlook.com (IND01-BMX-obe.outbound.protection.outlook.com) [52.100.219.226]:17370 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <t...@mail.alokind.com>: prohibited sender domain

Meaning that domains `outlook.com` and `mail.alokind.com` have managed to use Exchange 365 infrastructure to try and route email through my connector.

My questions are:

  * Is this expected?
  * Are there any safeguards in place preventing one tenant from using another
    tenant's connectors?
  * (!) `outlook.com` was somehow routed to my connector, how did that happen?
  * What are the suggested methods for preventing other tenants from using
    connectors with IP allowlists (i.e. are domain allowlists the way to go, are
    there other methods)?

Thanks,
--
Alex

[0] https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail
[1] https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
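Added example, not part of Alex's post or of exim: a small Python check that replays the two controls described in the post (source-IP allowlist of Exchange Online ranges, owned-domain allowlist) over the quoted reject lines, to show which control actually stopped each message. The owned domain `example.org` and the two IP ranges are assumptions for the demo; the real ranges come from reference [1].

```python
import ipaddress
import re

# Field layout of the exim reject lines quoted in the post: reverse DNS, HELO name,
# peer IP:port, TLS details, then the refused envelope sender and the reason.
REJECT_RE = re.compile(
    r"H=(?P<rdns>\S+) \((?P<helo>[^)]+)\) \[(?P<ip>[^\]]+)\]:\d+ .*?"
    r"rejected MAIL <(?P<sender>[^>]+)>: (?P<reason>.*)$"
)

# Assumptions (not from the post): the connector's owned-domain allowlist and two
# constructed Exchange Online outbound ranges standing in for the published list [1].
OWNED_DOMAINS = {"example.org"}
EXCHANGE_ONLINE_RANGES = [ipaddress.ip_network(n) for n in ("40.92.0.0/15", "52.100.0.0/14")]
EXO_SUFFIX = ".outbound.protection.outlook.com"

# The three reject lines from the post (local parts redacted as in the original).
SAMPLE_LOG = """\
Jan 28 10:38:40 webmail exim[2145158]: H=mail-mw2nam10olkn2087.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com) [40.92.42.87]:62109 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <sylviaqyplina...@outlook.com>: prohibited sender domain
Jan 28 21:52:03 webmail exim[2281852]: H=mail-ma1ind01hn2225.outbound.protection.outlook.com (IND01-MA1-obe.outbound.protection.outlook.com) [52.100.187.225]:5171 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <t...@mail.alokind.com>: prohibited sender domain
Jan 28 23:22:58 webmail exim[2300338]: H=mail-bmxind01hn2226.outbound.protection.outlook.com (IND01-BMX-obe.outbound.protection.outlook.com) [52.100.219.226]:17370 X=TLS1.2:ECDHE_SECP384R1__ECDSA_SHA256__AES_256_GCM:256 CV=no rejected MAIL <t...@mail.alokind.com>: prohibited sender domain
"""

def parse_reject(line):
    """Return the interesting fields of an exim 'rejected MAIL' line, or None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sender_domain"] = rec["sender"].rsplit("@", 1)[-1].lower()
    return rec

def classify(rec):
    """Re-run both controls and record which one would have stopped the message."""
    ip = ipaddress.ip_address(rec["ip"])
    ip_trusted = any(ip in net for net in EXCHANGE_ONLINE_RANGES)
    from_exo = rec["rdns"].endswith(EXO_SUFFIX)
    domain_owned = rec["sender_domain"] in OWNED_DOMAINS
    if not ip_trusted:
        verdict = "outside-exo-ranges"        # the port 25 ACL should have dropped it
    elif from_exo and not domain_owned:
        verdict = "cross-tenant-relay"        # IP check passed, only the domain list held
    else:
        verdict = "owned-domain"
    return {**rec, "ip_trusted": ip_trusted, "domain_owned": domain_owned, "verdict": verdict}

def scan(log_text):
    """Classify every reject line in a block of exim log text."""
    return [classify(r) for r in map(parse_reject, log_text.splitlines()) if r]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ip"]:16} {r["sender_domain"]:18} {r["verdict"]}')
```

Every line from the post comes back as `cross-tenant-relay`: the source IP is inside the trusted ranges, so only the domain allowlist stopped it.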
