Norbert Schmidt via Postfix-users:
> Hello, 
> 
> We've got a single user needing Micro$oft Teams. This user's mail account
> u...@contenso.com is configured on our server AND within Microsoft365 as
> sending address for the invitations.
> All other mail accounts are local and send via postfix. 
> With blimmen Microsoft365 the invitation mails are directly sent out to the
> internet with the u...@contenso.com sender address. These mails get bounced
> quite often because neither are the Microsoft365 Servers configured within
> SPF nor is Microsoft365 configured to DKIM sign these mails. 
> I've configured a SMTP connector on the Microsoft side to route all mail
> through our postfix system. The SMTP connector is unable to use
> authentication or to be configured to use a different port. So, to make this
> work I had to add the Microsoft365 sending IP CIDR Ranges to the
> smtpd_recipient_restrictions by using "check_client_access
> cidr:/etc/postfix/microsoft365_cidr"
> The postfix server now is accepting the mail, but when relaying it to the
> internet the receiving server says: " 550 5.7.26 Message rejected per DMARC
> policy by contonso.com" 
> I suppose this is either because the originating server was not listed
> in the SPF entry or because the mail is not DKIM signed. 
> 
> My questions:
> - Would postfix be an almost open relay using this configuration as all
> users of Micro$oft365 would be able to send mail through my server to the
> internet?
> - Is there a safe way to configure the M365-SMTP-Connector to send mail
> through my postfix mailserver (and only my mail, not the mail of any other
> Microsoft 365 user)???
> - How to DKIM sign these mails with "dkimproxy" as these mails are received
> via port 25 smtpd they would be checked by dkimproxy if they are destined to
> our users but not signed when relayed to the internet?

You could configure a Postfix SMTP daemon with a dedicated IP address
or port to forward and sign email only from Microsoft, and only
from a specific sender address.

This daemon would have its own Postfix settings for access control
and DKIM signing.

The example assumes that you can configure an additional IP address
or port to receive mail with the existing Postfix host.

master.cf:
a.b.c.d:25      inet  n       -       n       -       -       smtpd
    # Require an expected Microsoft client IP address 
    -o { mynetworks = p.q.r.s/24 }
    -o { smtpd_client_restrictions = permit_mynetworks, reject }
    -o { smtpd_recipient_restrictions = permit_mynetworks, reject }

    # Require an expected sender address
    -o { smtpd_sender_restrictions = 
        check_sender_access inline:{{ u...@contonso.com = permit }}, reject }

    # Override main.cf settings with empty value
    -o { smtpd_helo_restrictions = }
    -o { smtpd_relay_restrictions = }

    # Sign with dkimproxy
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings

Then, you would have to change nothing on the standard port 25
service (or port 587 or 465).

        Wietse
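
Added example, not part of the original message and not Postfix code: a simplified Python model of how the restriction lists on the dedicated listener combine, showing that mail is accepted only when both the client address and the envelope sender match. The network 192.0.2.0/24 and the address user@example.com are constructed stand-ins for the placeholders in the master.cf entry.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the master.cf entry above.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # stands in for p.q.r.s/24
SENDER_ACCESS = {"user@example.com": "permit"}        # stands in for the inline: table

def permit_mynetworks(client_ip, sender):
    ip = ipaddress.ip_address(client_ip)
    return "permit" if any(ip in net for net in MYNETWORKS) else None

def check_sender_access(client_ip, sender):
    # Simplified: full-address lookup only, key folded to lower case.
    return SENDER_ACCESS.get(sender.lower())

def reject(client_ip, sender):
    return "reject"

# Restriction lists of the dedicated listener, in the order smtpd applies them.
# The helo and relay lists are overridden to empty, so they decide nothing.
RESTRICTIONS = [
    ("client", [permit_mynetworks, reject]),
    ("helo", []),
    ("sender", [check_sender_access, reject]),
    ("relay", []),
    ("recipient", [permit_mynetworks, reject]),
]

def evaluate(client_ip, sender):
    """Return ("accept", None) or ("reject", name of the list that rejected)."""
    for name, rules in RESTRICTIONS:
        for rule in rules:
            verdict = rule(client_ip, sender)
            if verdict == "reject":
                return ("reject", name)
            if verdict == "permit":
                break  # permit ends this list only; later lists still apply
    return ("accept", None)

if __name__ == "__main__":
    # Constructed test cases: matching pair, wrong sender, wrong client network.
    for ip, sender in [("192.0.2.10", "user@example.com"),
                       ("192.0.2.10", "other@example.com"),
                       ("198.51.100.7", "user@example.com")]:
        print(ip, sender, evaluate(ip, sender))
```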