ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    How to receive e-mail alerts from internal devices

    Scheduled Pinned Locked Moved IT Discussion
    smtpsmtp relaypostfixlog managementemail alerts
    51 Posts 6 Posters 6.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch @zachary715
      last edited by

      @zachary715 said in How to receive e-mail alerts from internal devices:

      @jaredbusch said in How to receive e-mail alerts from internal devices:

      @zachary715 said in How to receive e-mail alerts from internal devices:

      Well this is part of my initial question is DO I NEED IT TO RELAY TO OFFICE365 AT ALL if it'll all be internal devices? You could make the argument I guess that eventually there may be an external device I wanted to use this for so set it up this way, but this is what I'm trying to uncover. Complete noob here.

      How is the email "internal"? Do you have a local email server hosting email?
      I do not think you even understand what you are asking here.

      Yeah good point. It has to go external since I'm using Office 365. My point though was simply do I need to relay to Office 365 to get what I need, or is a simple postfix server sufficient?

      You have to SEND to O365 always. You have no local mail server to send to. It is not necessarily a "relay". It can just send to anyone, your own MX included.

      zachary715Z 1 Reply Last reply Reply Quote 0
      • zachary715Z
        zachary715 @JaredBusch
        last edited by

        @jaredbusch said in How to receive e-mail alerts from internal devices:

        @zachary715 said in How to receive e-mail alerts from internal devices:

        @jaredbusch said in How to receive e-mail alerts from internal devices:

        @zachary715 said in How to receive e-mail alerts from internal devices:

        Well this is part of my initial question is DO I NEED IT TO RELAY TO OFFICE365 AT ALL if it'll all be internal devices? You could make the argument I guess that eventually there may be an external device I wanted to use this for so set it up this way, but this is what I'm trying to uncover. Complete noob here.

        How is the email "internal"? Do you have a local email server hosting email?
        I do not think you even understand what you are asking here.

        Yeah good point. It has to go external since I'm using Office 365. My point though was simply do I need to relay to Office 365 to get what I need, or is a simple postfix server sufficient?

        You have to SEND to O365 always. You have no local mail server to send to. It is not necessarily a "relay". It can just send to anyone, your own MX included.

        I understand what you're saying. Step Q of your guide is what I've skipped thus far and I'm trying to determine if/when it's needed. I haven't connected this postfix server to any SMTP connectors with Office365. As far as Office 365 is concerned, this postfix server doesn't exist and isn't interacting, other than when it sends email to one of its recipients.

        In what scenario would I need/want to connect the postfix server to an SMTP connector with Office 365? What functionality, security, or otherwise do I gain?

        1 Reply Last reply Reply Quote 0
        • zachary715Z
          zachary715 @Obsolesce
          last edited by

          @tim_g said in How to receive e-mail alerts from internal devices:

          @zachary715 said in How to receive e-mail alerts from internal devices:

          @black3dynamite said in How to receive e-mail alerts from internal devices:

          To have postfix relay to Office 365, you would need to setup postfix to use TLS.

          If you are using Fedora make sure you have these packages installed:

          sudo dnf -y install postfix cyrus-sasl cyrus-sasl-plain mailx
          

          Installing cyrus-sasl and cyrus-sasl-plain is needed if you want to configure postfix to use TLS.

          Start at the section where it talks about configuring postfix to use TLS.
          https://gordan.jandreoski.me/how-to-configure-postfix-relay-to-office365-on-ubuntu-14-04/

          Well this is part of my initial question is DO I NEED IT TO RELAY TO OFFICE365 AT ALL if it'll all be internal devices? You could make the argument I guess that eventually there may be an external device I wanted to use this for so set it up this way, but this is what I'm trying to uncover. Complete noob here.

          You don't need a relay if whatever is sending alerts/emails does full authentication by itself. The problem is that many things do not, and many do not even do authentication at all and just have a spot for server and port only.

          Ahh so I skipped over this. The device I'm sending from now doesn't require authentication, although it is available. I have skipped it. Should I desire authentication for security reasons? Are there other devices I'll likely run into which will require authentication, therefore requiring me to connect to Office365?

          ObsolesceO 1 Reply Last reply Reply Quote 0
          • ObsolesceO
            Obsolesce @zachary715
            last edited by

            @zachary715 said in How to receive e-mail alerts from internal devices:

            @tim_g said in How to receive e-mail alerts from internal devices:

            @zachary715 said in How to receive e-mail alerts from internal devices:

            @black3dynamite said in How to receive e-mail alerts from internal devices:

            To have postfix relay to Office 365, you would need to setup postfix to use TLS.

            If you are using Fedora make sure you have these packages installed:

            sudo dnf -y install postfix cyrus-sasl cyrus-sasl-plain mailx
            

            Installing cyrus-sasl and cyrus-sasl-plain is needed if you want to configure postfix to use TLS.

            Start at the section where it talks about configuring postfix to use TLS.
            https://gordan.jandreoski.me/how-to-configure-postfix-relay-to-office365-on-ubuntu-14-04/

            Well this is part of my initial question is DO I NEED IT TO RELAY TO OFFICE365 AT ALL if it'll all be internal devices? You could make the argument I guess that eventually there may be an external device I wanted to use this for so set it up this way, but this is what I'm trying to uncover. Complete noob here.

            You don't need a relay if whatever is sending alerts/emails does full authentication by itself. The problem is that many things do not, and many do not even do authentication at all and just have a spot for server and port only.

            Ahh so I skipped over this. The device I'm sending from now doesn't require authentication, although it is available. I have skipped it. Should I desire authentication for security reasons? Are there other devices I'll likely run into which will require authentication, therefore requiring me to connect to Office365?

            Well you can send an email to whoever you want without authentication.

            The issue is "sending as".

            For example, you cannot send an email to someone using my O365 email address (spoofing) because most mail services check for that. Also, in order to send as a legit O365 email address, you would of course need to authenticate through O365. (smtp authentication)

            That's why you can send an email to yourself from "root@servername.local"..., but you can't send it legitimately as an O365 email.

            It really depends on your email settings. Microsoft or Google may not accept an email like that unless you allow that sender first.

            I use an O365 relay because we have a lot of notifications that go out from different softwares and systems that need to use legitimate emails to send as, and to be received by a lot of different people over different email services. So everything needs to be officially sent via O365.

            JaredBuschJ 2 Replies Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @Obsolesce
              last edited by

              @tim_g said in How to receive e-mail alerts from internal devices:

              For example, you cannot send an email to someone using my O365 email address (spoofing) because most mail services check for that.

              This is totally not true. I can 100% send as you and it will go through almost everywhere. Very few places spam things on SPF rules.

              @tim_g said in How to receive e-mail alerts from internal devices:

              Also, in order to send as a legit O365 email address, you would of course need to authenticate through O365. (smtp authentication)

              Also not true.

              ObsolesceO 1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @Obsolesce
                last edited by

                @tim_g said in How to receive e-mail alerts from internal devices:

                It really depends on your email settings. Microsoft or Google may not accept an email like that unless you allow that sender first.

                We tested this back a few months ago, and I was perfectly able to send mail to my Gmail account from a different gmail account from postfix system with zero authentication and no spam marking.

                1 Reply Last reply Reply Quote 0
                • ObsolesceO
                  Obsolesce @JaredBusch
                  last edited by Obsolesce

                  @jaredbusch said in How to receive e-mail alerts from internal devices:

                  @tim_g said in How to receive e-mail alerts from internal devices:

                  For example, you cannot send an email to someone using my O365 email address (spoofing) because most mail services check for that.

                  This is totally not true. I can 100% send as you and it will go through almost everywhere. Very few places spam things on SPF rules.

                  @tim_g said in How to receive e-mail alerts from internal devices:

                  Also, in order to send as a legit O365 email address, you would of course need to authenticate through O365. (smtp authentication)

                  Also not true.

                  Send an email to my outlook.com email from my google.com email.

                  I'll PM you the addresses.

                  Will you?

                  JaredBuschJ 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @Obsolesce
                    last edited by

                    @tim_g said in How to receive e-mail alerts from internal devices:

                    @jaredbusch said in How to receive e-mail alerts from internal devices:

                    @tim_g said in How to receive e-mail alerts from internal devices:

                    For example, you cannot send an email to someone using my O365 email address (spoofing) because most mail services check for that.

                    This is totally not true. I can 100% send as you and it will go through almost everywhere. Very few places spam things on SPF rules.

                    @tim_g said in How to receive e-mail alerts from internal devices:

                    Also, in order to send as a legit O365 email address, you would of course need to authenticate through O365. (smtp authentication)

                    Also not true.

                    Send an email to my outlook.com email from my google.com email.

                    I'll PM you the addresses.

                    Will you?

                    I no longer have that system set up.

                    This was discussed in a thread about dnf-automatic and how it sends mail.

                    ObsolesceO 1 Reply Last reply Reply Quote 0
                    • ObsolesceO
                      Obsolesce @JaredBusch
                      last edited by

                      @jaredbusch said in How to receive e-mail alerts from internal devices:

                      @tim_g said in How to receive e-mail alerts from internal devices:

                      @jaredbusch said in How to receive e-mail alerts from internal devices:

                      @tim_g said in How to receive e-mail alerts from internal devices:

                      For example, you cannot send an email to someone using my O365 email address (spoofing) because most mail services check for that.

                      This is totally not true. I can 100% send as you and it will go through almost everywhere. Very few places spam things on SPF rules.

                      @tim_g said in How to receive e-mail alerts from internal devices:

                      Also, in order to send as a legit O365 email address, you would of course need to authenticate through O365. (smtp authentication)

                      Also not true.

                      Send an email to my outlook.com email from my google.com email.

                      I'll PM you the addresses.

                      Will you?

                      I no longer have that system set up.

                      This was discussed in a thread about dnf-automatic and how it sends mail.

                      Yes I kinda remember it, but I must still not understand it.

                      At my company, we've tackled, in the past, email spoofing. So I do know it's possible to make it look like an email is coming from an email address that it's not actually coming from.

                      This no longer happens through O365. So, as a made up example, a CFO is no longer getting money transfer company email requests (via O365 email) from the CEO.

                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                      • ObsolesceO
                        Obsolesce
                        last edited by

                        So what I"m thinking, is that unless the outgoing email server is a trusted server, O365 won't allow it into it's system to be delivered to my email.

                        I can send an email from me@gmail.com, to me@outlook.com, because the email is coming from a trusted gmail server.

                        But if i set up some outgoing email server myself, and try to send an email from me@gmail.com to me@outlook.com, I believe O365 will not let it through.

                        This is the point I was trying to make.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @Obsolesce
                          last edited by

                          @tim_g said in How to receive e-mail alerts from internal devices:

                          At my company, we've tackled, in the past, email spoofing. So I do know it's possible to make it look like an email is coming from an email address that it's not actually coming from.

                          Ah, I think that I see your confusion. You can easily generate an email that is not one email pretending to be from another address. It is simply "from" your address. The only technical thing that can be keyed on is the sending server not being your server. But this is not a restriction that email is designed to handle except with SPF.

                          @tim_g said in How to receive e-mail alerts from internal devices:

                          This no longer happens through O365. So, as a made up example, a CFO is no longer getting money transfer company email requests (via O365 email) from the CEO.

                          Correct, you can implement stricter controls, but they are not default, and most places to not have them. Generally SPF records are set to soft fail which increases the recipient systems chance to add it to SPAM, but only increases the chance.

                          Even if you set SPF to hard fail, many system never check it. So it would have no affect on the recipient.

                          In your case, with inbound email, you have restricted it beyond SPF by telling that system that, unless an email from one of your domains to one of your domains was authenticated, it will be killed.

                          1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch @Obsolesce
                            last edited by JaredBusch

                            @tim_g said in How to receive e-mail alerts from internal devices:

                            So what I"m thinking, is that unless the outgoing email server is a trusted server, O365 won't allow it into it's system to be delivered to my email.

                            This is impossible, well not technically impossible, but would never be implemented. How are you defining trusted? SPF? See my above reply. Because what if I have no SPF record and I have internal Exchange at my Jared's Fucking Consulting Services? Are you saying that you will not receive my email?

                            But if i set up some outgoing email server myself, and try to send an email from me@gmail.com to me@outlook.com, I believe O365 will not let it through.

                            I do not recall what services were tested other than Gmail, but yes, it will.

                            Your work domain will not because you have specifically told it to use SPF I assume.

                            This is a different issue than someone trying to send form a company email to a company email.

                            ObsolesceO 1 Reply Last reply Reply Quote 0
                            • ObsolesceO
                              Obsolesce @JaredBusch
                              last edited by

                              @jaredbusch said in How to receive e-mail alerts from internal devices:

                              @tim_g said in How to receive e-mail alerts from internal devices:

                              So what I"m thinking, is that unless the outgoing email server is a trusted server, O365 won't allow it into it's system to be delivered to my email.

                              This is impossible, well not technically impossible, but would never be implemented. How are you defining trusted? SPF? See my above reply. Because what if I have no SPF record and I have internal Exchange at my Jared's Fucking Consulting Services? Are you saying that you will not receive my email?

                              But if i set up some outgoing email server myself, and try to send an email from me@gmail.com to me@outlook.com, I believe O365 will not let it through.

                              I do not recall what services were tested other than Gmail, but yes, it will.

                              Your work domain will not because you have specifically told it to use SPF I assume.

                              This is a different issue than someone trying to send form a company email to a company email.

                              Okay I think I understand now.

                              It's different for me because I am specifically taking steps to block emails whose "from address" is not from a verified server... meaning if someone sends an email from someone@gmail.com, it will be blocked unless it actually came from a gmail.com email server?

                              JaredBuschJ 1 Reply Last reply Reply Quote 0
                              • JaredBuschJ
                                JaredBusch @Obsolesce
                                last edited by

                                @tim_g said in How to receive e-mail alerts from internal devices:

                                @jaredbusch said in How to receive e-mail alerts from internal devices:

                                @tim_g said in How to receive e-mail alerts from internal devices:

                                So what I"m thinking, is that unless the outgoing email server is a trusted server, O365 won't allow it into it's system to be delivered to my email.

                                This is impossible, well not technically impossible, but would never be implemented. How are you defining trusted? SPF? See my above reply. Because what if I have no SPF record and I have internal Exchange at my Jared's Fucking Consulting Services? Are you saying that you will not receive my email?

                                But if i set up some outgoing email server myself, and try to send an email from me@gmail.com to me@outlook.com, I believe O365 will not let it through.

                                I do not recall what services were tested other than Gmail, but yes, it will.

                                Your work domain will not because you have specifically told it to use SPF I assume.

                                This is a different issue than someone trying to send form a company email to a company email.

                                Okay I think I understand now.

                                It's different for me because I am specifically taking steps to block emails whose "from address" is not from a verified server... meaning if someone sends an email from someone@gmail.com, it will be blocked unless it actually came from a gmail.com email server?

                                Assuming that gmail.com is actually companydomain.com, yes you are correct.

                                1 Reply Last reply Reply Quote 0
                                • zachary715Z
                                  zachary715
                                  last edited by

                                  Yes we have our SPF record setup that if I try to send these alerts via UPS@mydomain.com, it will get blocked. I don't require it to be from my domain though at this time. I'm perfectly satisfied with it being from internaldomain.local just as long as I get the reports I need.

                                  ObsolesceO 1 Reply Last reply Reply Quote 0
                                  • ObsolesceO
                                    Obsolesce @zachary715
                                    last edited by

                                    @zachary715 said in How to receive e-mail alerts from internal devices:

                                    Yes we have our SPF record setup that if I try to send these alerts via UPS@mydomain.com, it will get blocked. I don't require it to be from my domain though at this time. I'm perfectly satisfied with it being from internaldomain.local just as long as I get the reports I need.

                                    Yeah then you won't need any authentication.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch
                                      last edited by

                                      @Tim_G I just changed my laptop's dnf-automatic setting as follows.

                                      0_1521731675450_421f29a8-23e2-4a45-84bb-02d4f742d614-image.png

                                      The server there is in my colo and is in the SPF for my company domain bundystl.com but obviously, I cannot change Gmail's SPF.

                                      0_1521731785434_6861af55-e029-4f05-991b-f3769686b0ee-image.png

                                      Now Google did soft check it.
                                      But it still hit my inbox.
                                      0_1521731839292_b78664c3-6bff-489d-8d59-e20f9d6b6220-image.png

                                      0_1521731872094_1e8423e3-29dd-4264-a9a1-a84dc079f193-image.png

                                      Here is the full header (redacted).

                                      Delivered-To: sorvani@gmail.com
                                      Received: by 10.103.62.65 with SMTP id l62csp1114442vsa;
                                              Thu, 22 Mar 2018 08:08:41 -0700 (PDT)
                                      X-Google-Smtp-Source: AG47ELs+6VQ7n+SHAtV9m4uOLgmv8vpQF4hFx6jJTiF0/7+D9fL9bUtFWE0UcMw1/FJjmE/+6IvQ
                                      X-Received: by 2002:a24:bcc4:: with SMTP id n187-v6mr9355606ite.26.1521731321402;
                                              Thu, 22 Mar 2018 08:08:41 -0700 (PDT)
                                      ARC-Seal: i=1; a=rsa-sha256; t=1521731321; cv=none;
                                              d=google.com; s=arc-20160816;
                                              b=URXPlYi9YdJzlBGcevx/J53Ip1Ht0MP05i0n2WK1dXHbCYaXtmqG416NR0wlVWAe8Q
                                               mPTRB99J1AY6vo74dlJvDDQ9Fuj2AIndnq6zYztk0IMYa5Qfr0ZZvkXM67OBqrvsczdh
                                               3jScUQfbkfqoTktrNnwgtNz8Q20eYuTKbtbC5lSjRCBjzeIMg1NY4tTcw1xqgs3KvLKe
                                               SmT4s9pjux6vr5/7QOmCQyff0rTSgEhqF/l9tdrQI3BN3uwkSIAvqAKeW8MiX/p/wTKS
                                               C+HhTNgqQpFswivTfoXjaFUpOsfpGsvPj5DYnKeXD6pXfw7eObwGopdUKb2AV/ix+3Hw
                                               PzfQ==
                                      ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
                                              h=message-id:to:subject:from:date:content-transfer-encoding
                                               :mime-version:arc-authentication-results;
                                              bh=q5rj1FQFBZzNVe2kH8xvcqgQOwTh8q2EHL6ugR/7+BY=;
                                              b=Up+IsW9uxbxk3HQiojNEPiWZ6Vv88Y91fA07To2N+5jVZkuJATk0rPYu20hvG7Mr6O
                                               J/nEVoKT98hFhmwXasHupRvqIIJWr/u5zHrA77hADKCXGN6xbSvotp2TBH9wrtIsWKbx
                                               EwREMYwi05cSNFpeEe67UeskvWvOK2ex1OcTTtyg1FEoN33OHajOe5x4BEy5a4WjR2b6
                                               ru2WKdQniQO7mzOUUw5zykTY9EuokThOMBxpLOgPlMiXdppt91x4bmlapxnfa9RgKCsC
                                               xPhp++C81ziNMps+82mhYds8VJgoOXmpuadtVu8tjPRC/WNOdAVNWgU43dG+jl5Pa8XS
                                               jxrQ==
                                      ARC-Authentication-Results: i=1; mx.google.com;
                                             spf=softfail (google.com: domain of transitioning sorvani@gmail.com does not designate 207.XXX.XXX.XXX as permitted sender) smtp.mailfrom=sorvani@gmail.com;
                                             dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
                                      Return-Path: <sorvani@gmail.com>
                                      Received: from postfix.ad.domain.com (remote.domain.com. [207.XXX.XXX.XXX])
                                              by mx.google.com with ESMTPS id u71-v6si5370770ita.89.2018.03.22.08.08.41
                                              for <sorvani@gmail.com>
                                              (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
                                              Thu, 22 Mar 2018 08:08:41 -0700 (PDT)
                                      Received-SPF: softfail (google.com: domain of transitioning sorvani@gmail.com does not designate 207.XXX.XXX.XXX as permitted sender) client-ip=207.XXX.XXX.XXX;
                                      Authentication-Results: mx.google.com;
                                             spf=softfail (google.com: domain of transitioning sorvani@gmail.com does not designate 207.XXX.XXX.XXX as permitted sender) smtp.mailfrom=sorvani@gmail.com;
                                             dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
                                      Received: from lt-jared.jaredbusch.com (unknown [10.254.103.22]) by postfix.ad.domain.com (Postfix) with ESMTP id EB72BC0C7991 for <sorvani@gmail.com>; Thu, 22 Mar 2018 10:08:39 -0500 (CDT)
                                      MIME-Version: 1.0
                                      Content-Transfer-Encoding: 7bit
                                      Content-Type: text/plain; charset="utf-8"
                                      Date: Thu, 22 Mar 2018 15:08:39 -0000
                                      From: sorvani@gmail.com
                                      Subject: Updates applied on 'lt-jared.jaredbusch.com'.
                                      To: sorvani@gmail.com
                                      Message-ID: <152173131956.27006.3260010512062988891@lt-jared.jaredbusch.com>
                                      
                                      ObsolesceO 1 Reply Last reply Reply Quote 1
                                      • JaredBuschJ
                                        JaredBusch
                                        last edited by JaredBusch

                                        I should have turned off the actual apply of the updates. then I could have reran it with various email settings.

                                        1 Reply Last reply Reply Quote 0
                                        • ObsolesceO
                                          Obsolesce @JaredBusch
                                          last edited by Obsolesce

                                          @jaredbusch

                                          Yes, this is exactly what I was talking about:
                                          0_1521732498256_846c027a-04dd-41ef-a72a-98ac4ca7732e-image.png

                                          Which can be seen here:
                                          0_1521732532850_c9bd686c-54be-4c92-80e1-7c33d0ebc5da-image.png

                                          I wasn't aware Google/MS allow that kind of thing through, but at least it's warning you.

                                          This is why I use the O365 relay, to make the emails "official or legit".

                                          JaredBuschJ 1 Reply Last reply Reply Quote 0
                                          • JaredBuschJ
                                            JaredBusch @Obsolesce
                                            last edited by

                                            @tim_g said in How to receive e-mail alerts from internal devices:

                                            @jaredbusch

                                            Yes, this is exactly what I was talking about:
                                            0_1521732498256_846c027a-04dd-41ef-a72a-98ac4ca7732e-image.png

                                            Which can be seen here:
                                            0_1521732532850_c9bd686c-54be-4c92-80e1-7c33d0ebc5da-image.png

                                            I wasn't aware Google/MS allow that kind of thing through, but at least it's warning you.

                                            This is why I use the O365 relay, to make the emails "official or legit".

                                            Right, normally, I had my laptop sending from bundystl.com to bundystl.com and it is in the SPF. So always legit. Still not authenticated, but I do have the IP in as a connector in O365.

                                            ObsolesceO 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 1 / 3
                                            • First post
                                              Last post