
relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-06 17:24
by pbr
hi all,
I have set up hMailServer as an internal SMTP relay to Office 365. It works fine with TLS 1.2 to O365, and it is identified by Microsoft as an authorized server by its public IP.
I would like to authorize it with an SSL certificate instead. I can't find where I should set this up in hMailServer to make it work.
I don't want my clients to connect with SSL on port 25, but only my relay with O365.
thanks for your help

Re: relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-06 18:59
by mikedibella
Not sure I fully understand your scenario. Are you wanting hMailServer to present a client authentication certificate to the Office 365 SMTP mail submission port 587? And then your internal clients will connect to hMailServer to submit messages for relay on port 25 without authentication or TLS?

Re: relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-06 20:30
by pbr
Clients will contact hMailServer's SMTP on port 25, no auth, no SSL,
and then hMailServer relays to O365 with TLS, also on port 25 (that works).
In the Microsoft Connector set up on O365, you choose if you want to identify your relay/server with its IP address or with certificate. This is the second option I'd like to implement.
thanks

Re: relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-06 21:31
by mikedibella
Got it.

You will need to use stunnel or a similar tool to proxy the outbound connection from hMailServer. Stunnel can make the connection to Office 365 from your HMS host and present the client certificate to Office 365 for authentication. HMS will connect to stunnel (on the local host or another host on your local network) and stunnel will connect to O365 using TLS with client auth.

See: https://www.stunnel.org/auth.html for general information.

Stunnel config might look something like this:

[O365-connector]
; outbound (client) mode: stunnel originates the TLS connection
client = yes
; accept mail for Office 365 on port 2525; point hMailServer's SMTP relayer here, without TLS
accept = 127.0.0.1:2525
; O365 connector
connect = connector.office365.com:25
; client certificate in Base64 PEM format
cert = client.pem
; key with password in Base64 PEM format
key = client.key

Re: relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-07 02:22
by mikedibella
Well, this looks like it might be trickier than I thought.

It looks like the client certificate validation takes place during the STARTTLS verb processing, after the initial connection to Office 365 is made over an unencrypted TCP connection. The whole facility appears to be designed specifically to interface with an on-premises Exchange Send Connector created using the following PowerShell command syntax:

# Exchange Send Connector to Office 365; -Fqdn must match the subject/SAN of the certificate Exchange presents
New-SendConnector -Name <DescriptiveName> -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> `
    -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts <YourDomain>-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation
Stunnel in client mode (client = yes) requires the remote server to support TLS on connection, not using the STARTTLS verb, so I don't think you are going to be able to use it in this way.
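An added example, not from the thread and not hMailServer's or stunnel's own documentation: stunnel's `protocol = smtp` option makes a client-mode service speak plain SMTP to the remote server first and issue STARTTLS itself, so a plain-TCP-then-STARTTLS server can be reached with a client certificate presented in that handshake. The smart host is taken from the PowerShell command above with `<YourDomain>` left as a placeholder; the file paths and local port are assumptions. Whether the Office 365 inbound connector then accepts a certificate from a non-Exchange client is not settled by this thread and has to be tested.

```ini
; Added example, not from the thread: stunnel client-mode section that connects in
; the clear, negotiates STARTTLS, and presents a client certificate in that handshake.
[O365-starttls]
client = yes
; hMailServer's SMTP relayer is pointed at this local listener (no TLS on this hop)
accept = 127.0.0.1:2525
; same smart host as the Exchange Send Connector in the post; replace <YourDomain>
connect = <YourDomain>-com.mail.protection.outlook.com:25
; drive EHLO/STARTTLS before the TLS handshake instead of expecting TLS on connect
protocol = smtp
; client certificate and key, PEM format (paths are assumptions)
; an encrypted key makes stunnel prompt for the passphrase at start-up, so for an
; unattended service keep the key unencrypted and protect it with file permissions
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key
; verify the Office 365 server certificate chain and name rather than trusting blindly
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = <YourDomain>-com.mail.protection.outlook.com
```

Before wiring hMailServer to it, check from the stunnel host whether the server actually asks for a client certificate during STARTTLS: `openssl s_client -starttls smtp -connect <YourDomain>-com.mail.protection.outlook.com:25 -cert /etc/stunnel/client.pem -key /etc/stunnel/client.key` prints an "Acceptable client certificate CA names" section (or "No client certificate CA names sent") in its output, which tells you whether a certificate request was made at all. On the Office 365 side the inbound connector must be configured to identify the sending server by certificate, and the certificate's subject or SAN must match the name configured there.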

Re: relaying mail to Office 365 with certificate to auth ?

Posted: 2020-10-07 12:09
by pbr
OK, that closes my research :D
If it's only for on-prem Exchange, I'll keep the identification by IP address.
thanks for your time !!