On 5/14/2018 11:23 PM, Roger Goh wrote:
> 
> There is an external app server (that is our service provider) that we want
> them to blast emails to a team/department in our organization (email domain
> @xyz.com), but these emails will have the sender in the same domain as us,
> i.e. @xyz.com.
> 
> What are the risks of permitting such a bypass (i.e. disabling Norelay) in our
> MTA (it's MS Exchange), and if we have to permit it, what mitigations can we
> put in place?
> 
> 
> Roger

This is not relaying.  DO NOT disable any anti-relay controls.

If the service provider sends mail to your internal team with a
From: header indicating it's an internal mail, you probably already
allow this and don't need to do anything.

If the service provider also sets the envelope sender address to
your internal domain, AND you use SPF/DKIM/DMARC to prevent
spoofing, then you'll need to exempt the service provider from those
tests.



  -- Noel Jones
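
The distinction drawn in the reply above, as an added Python example that is not part of the original thread: the relay decision looks only at the recipient domain, while SPF looks at the envelope sender and the connecting IP. The addresses, IP ranges and the `provider.example` / `other.example` domains are constructed; DKIM and DMARC are not modelled.

```python
import ipaddress

LOCAL_DOMAINS = {"xyz.com"}  # domain from the thread
# Constructed values (RFC 5737 documentation ranges): networks allowed to use
# @xyz.com as envelope sender, and the service provider's sending address.
SPF_AUTHORISED = [ipaddress.ip_network("192.0.2.0/24")]
PROVIDER_IP = "203.0.113.25"


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def is_relay(rcpt_to):
    """Relaying means accepting mail for a recipient domain we do not host."""
    return domain_of(rcpt_to) not in LOCAL_DOMAINS


def spf_result(client_ip, mail_from):
    """SPF is evaluated on the envelope sender (MAIL FROM), not on From:."""
    if domain_of(mail_from) not in LOCAL_DOMAINS:
        return "not-our-policy"  # the sender domain's own SPF record applies
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in SPF_AUTHORISED) else "fail"


def evaluate(client_ip, mail_from, header_from, rcpt_to, exempt_ips=()):
    # header_from is deliberately unused: neither the relay decision nor the
    # SPF check in this model looks at the From: header.
    if is_relay(rcpt_to):
        return "reject: relay attempt"
    if spf_result(client_ip, mail_from) == "fail" and client_ip not in exempt_ips:
        return "reject: spoofed envelope sender"
    return "accept"


if __name__ == "__main__":
    cases = [
        ("bounce@provider.example", "team@xyz.com", ()),
        ("hr@xyz.com", "team@xyz.com", ()),
        ("hr@xyz.com", "team@xyz.com", {PROVIDER_IP}),
        ("hr@xyz.com", "someone@other.example", {PROVIDER_IP}),
    ]
    for mail_from, rcpt_to, exempt in cases:
        verdict = evaluate(PROVIDER_IP, mail_from, "hr@xyz.com", rcpt_to, exempt)
        print(f"MAIL FROM {mail_from:26} RCPT TO {rcpt_to:22} -> {verdict}")
```

The last case shows that exempting the provider from the spoofing check leaves the anti-relay control untouched.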
