relaying mail to Office 365 with certificate to auth ?

pbr
New user
Posts: 3
Joined: 2020-10-06 17:09

relaying mail to Office 365 with certificate to auth ?

Post by pbr » 2020-10-06 17:24

hi all,
I have set up hMailServer as an internal SMTP relay to Office 365. It works fine in TLS 1.2 with O365, and it is identified by Microsoft as an authorized server by its public IP.
I would like to authorize it with an SSL certificate instead. I can't find where I should set this in hMailServer to make it work.
I don't want my clients to connect with SSL on port 25; only my relay should use it with O365.
thanks for your help

mikedibella
Normal user
Posts: 230
Joined: 2016-12-08 02:21

Re: relaying mail to Office 365 with certificate to auth ?

Post by mikedibella » 2020-10-06 18:59

Not sure I fully understand your scenario. Are you wanting hMailServer to present a client authentication certificate to the Office 365 SMTP mail submission port 587? And then your internal clients will connect to hMailServer to submit messages for relay on port 25 without authentication or TLS?

pbr
New user
Posts: 3
Joined: 2020-10-06 17:09

Re: relaying mail to Office 365 with certificate to auth ?

Post by pbr » 2020-10-06 20:30

Clients will contact hMailServer via SMTP on port 25, no auth, no SSL,
and then hMailServer relays to O365 with TLS, also on port 25 (that works).
In the Microsoft connector setup on O365, you choose whether to identify your relay/server by its IP address or by certificate. The second option is the one I'd like to implement.
thanks

mikedibella
Normal user
Posts: 230
Joined: 2016-12-08 02:21

Re: relaying mail to Office 365 with certificate to auth ?

Post by mikedibella » 2020-10-06 21:31

Got it.

You will need to use stunnel or a similar tool to proxy the outbound connection from hMailServer. Stunnel can make the connection to Office 365 from your HMS host and present the client certificate to Office 365 for authentication. HMS will connect to stunnel (on the local host or another host on your local network) and stunnel will connect to O365 using TLS with client auth.

See: https://www.stunnel.org/auth.html for general information.

Stunnel config might look something like this:

[O365-connector]
client = yes
; accept mail for Office 365 on port 2525
accept = 127.0.0.1:2525
; O365 connector
connect = connector.office365.com:25
; client certificate in Base64 PEM format
cert = client.pem
; key with password in Base 64 PEM format
key = client.key

mikedibella
Normal user
Posts: 230
Joined: 2016-12-08 02:21

Re: relaying mail to Office 365 with certificate to auth ?

Post by mikedibella » 2020-10-07 02:22

Well, this looks like it might be trickier than I thought.

It looks like the client certificate validation takes place during the STARTTLS verb processing, after the initial connection to Office 365 is made over an unencrypted TCP connection. The whole facility appears to be designed specifically to interface with an on-premises Exchange Send Connector created using the following PowerShell command syntax:

New-SendConnector -Name <DescriptiveName> -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts <YourDomain>-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

Stunnel in client mode (client = yes) requires the remote server to support TLS on connection, not via the STARTTLS verb, so I don't think you are going to be able to use it in this way.
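Editor's note on the STARTTLS point above: stunnel's own manual documents a `protocol = smtp` service option which, in client mode, reads the server greeting, sends EHLO and STARTTLS in the clear, and only then starts the TLS handshake; that is the exact sequence the post describes Office 365 as expecting. The configuration below is an added example written for this note, not code from the thread, from the stunnel project or from hMailServer, and the thread does not establish that Office 365 accepts a client certificate presented through a proxy this way, so treat it as something to test against the connector rather than a known-good recipe. It assumes a stunnel 5.5x or later build (for `verifyChain`, `checkHost` and `sslVersionMin`), that hMailServer's SMTP relayer is pointed at 127.0.0.1:2525 with no TLS on that hop, that `client.pem`/`client.key` hold a certificate whose subject name matches the FQDN configured on the Office 365 connector, and that `<tenant>` is a placeholder for the tenant's MX host name.

```ini
; stunnel.conf fragment: added example, not from the original thread.
; hMailServer -> 127.0.0.1:2525 (plaintext, loopback only) -> stunnel -> Office 365 (STARTTLS + client cert)

[O365-connector]
client = yes

; hMailServer's SMTP relayer delivers here in the clear; bind to loopback so
; nothing else on the network can use this as an open relay into O365.
accept = 127.0.0.1:2525

; Smart host for the tenant. <tenant> is a placeholder, not a real host name.
connect = <tenant>.mail.protection.outlook.com:25

; Negotiate STARTTLS (220 greeting, EHLO, STARTTLS) before the TLS handshake,
; instead of expecting the remote side to speak TLS from the first byte.
protocol = smtp

; Client certificate and private key presented to Office 365 during the
; handshake (PEM). The subject/SAN is assumed to match the connector's FQDN.
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key

; Verify the Office 365 server certificate rather than trusting any peer;
; without verifyChain, stunnel's default is to accept whatever cert it is sent.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = <tenant>.mail.protection.outlook.com

; Office 365 already negotiates TLS 1.2 with this relay; do not allow less.
sslVersionMin = TLSv1.2
```

Two checks worth doing before relying on this: run stunnel in the foreground with `debug = 7` and confirm in the log that the EHLO/STARTTLS exchange completes and the handshake sends the client certificate, and then send a test message and look at the Office 365 message trace to confirm the connector identified the relay by certificate rather than falling back to the IP rule. If the connector still matches on IP, the certificate path is not doing any work and the IP-based identification the thread settles on remains the effective control.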

pbr
New user
Posts: 3
Joined: 2020-10-06 17:09

Re: relaying mail to Office 365 with certificate to auth ?

Post by pbr » 2020-10-07 12:09

OK, that closes my research :D
If it's only for on-prem Exchange, I'll leave it at identification by IP address.
Thanks for your time!!
