
Routing of outgoing mail to dedicated TLS Mailserver for specific domains

Hello all.

I have a question that has been on my mind this week:

Is it possible to route all outgoing mails destined for a certain domain to a dedicated mail gateway on the recipient's side? (Every mail to *@abcd.com should be directed to tls.abcd.com). The recipient uses a separate mail gateway for TLS secured mail traffic.

First I thought that an Exchange send connector would be the logical way to do this, but I cannot go around the UTM since I want it to handle the forced TLS negotiation between the domains. So I see this task to be done on the UTM's side.


Can anyone give me a tip or even a nudge in the right direction where on the UTM I can accomplish this?


Thanks in advance

Fabian



  • Hi Fabian,

    I am not completely sure, but configure a smarthost; maybe that can help. Just my two cents' worth.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Option 1) What if you create an SMTP profile as if it is an internal server?

    Downside is that UTM would relay any traffic that arrives from the Internet and is addressed to them.

    Option 2) Could you create an MX record in DNS for them?

  • Note that UTM implements the TLS-required attribute asymmetrically. For outbound mail, the requirement is configured to specific hosts, but not to domains. For inbound mail, the requirement is applied to a sender domain but not to a host.

    Similarly, outbound mail needs to be directed to an MX host, while incoming mail can originate from any host in their SPF list. (In the absence of an SPF list, it could come from anywhere at all.) Since reply mail could include one of your messages with sensitive content, you need to ensure TLS encryption in both directions.

    Outbound Mail from you to the other entity:

    • The problem with my Option 2 is that UTM does not allow you to create an MX record.

    • If all of the entity's MX records support at least STARTTLS, then adding all of the MX hosts to the Require TLS list should be sufficient.

    • I assume you have considered that approach, and your problem is that some of the entity's mail servers support TLS and some do not, so if you require TLS, you will have mail delayed and possibly returned because you cannot predict how UTM will select from their MX list. For that situation, I would create a DNAT record to redirect traffic for the non-TLS MX servers to a non-existent address in your DMZ. That should cause UTM to quickly conclude that the servers are offline and move on to the one that is reachable. You should still put that server in the TLS-required hosts list.

    Incoming Mail:

    • Your only option is to add the domain to the TLS-Required sender domains list. They may get NDRs if their mail system cannot learn how to ensure that mail for you gets sent from a TLS-enabled sender. This might be inconvenient or it might cause them to fix their configuration.

    Personally, I see no excuse for having a mail server on the Internet that cannot support at least STARTTLS with certificate errors ignored.
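The outbound half of the advice above hinges on one question: does every MX host of the other domain offer STARTTLS, or only some of them? The script below is an added example (not from this thread, not a Sophos tool) that probes each MX host with EHLO/STARTTLS and reports whether putting the whole MX set on UTM's host-based "Require TLS" list is safe, or whether the mixed case Douglas describes applies. It assumes you supply the MX hosts yourself (for example from `dig MX abcd.com`, since the standard library has no MX lookup); the domain and MX names in the sample run are constructed, and the probe results for them are faked so the demo runs offline.

```python
import smtplib
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Result of probing one MX host: (status, detail). Statuses:
#   "starttls"           STARTTLS offered and a verified handshake succeeded
#   "starttls_untrusted" STARTTLS offered but certificate/hostname verification failed
#   "no_starttls"        EHLO completed but STARTTLS was not advertised
#   "unreachable"        no usable SMTP session (timeout, refused, protocol error)
ProbeResult = Tuple[str, str]


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> ProbeResult:
    """Connect to one MX host, send EHLO and, if STARTTLS is offered, complete
    the TLS handshake with chain and hostname verification enabled."""
    ctx = ssl.create_default_context()  # verify chain + hostname, modern protocols only
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return ("no_starttls", "EHLO did not advertise STARTTLS")
            smtp.starttls(context=ctx)
            smtp.ehlo()  # RFC 3207: EHLO again after the TLS layer is up
            return ("starttls", f"negotiated {smtp.sock.version()}")
    except ssl.SSLError as exc:
        # STARTTLS was offered, but verification (or the handshake itself) failed
        return ("starttls_untrusted", f"handshake/verification failed: {exc}")
    except (socket.timeout, OSError, smtplib.SMTPException) as exc:
        return ("unreachable", str(exc))


def assess_require_tls(mx_hosts: List[Tuple[int, str]],
                       probe: Callable[[str], ProbeResult] = probe_starttls) -> Dict[str, object]:
    """mx_hosts: (preference, hostname) pairs as returned by an MX lookup.
    Probes hosts in preference order and returns which hosts can go on a
    host-based Require-TLS list and whether requiring TLS for the set is safe."""
    results = {host: probe(host) for _, host in sorted(mx_hosts)}
    tls_hosts = [h for h, (s, _) in results.items() if s in ("starttls", "starttls_untrusted")]
    plain_hosts = [h for h, (s, _) in results.items() if s == "no_starttls"]
    unreachable = [h for h, (s, _) in results.items() if s == "unreachable"]
    return {
        "results": results,
        "tls_hosts": tls_hosts,
        "plain_hosts": plain_hosts,
        "unreachable": unreachable,
        # Safe only if at least one MX does TLS and no reachable MX is plaintext-only;
        # otherwise delivery depends on which MX the relay happens to pick.
        "safe_to_require_tls": bool(tls_hosts) and not plain_hosts,
    }


# Constructed sample: a hypothetical domain with three MX hosts (not real records).
SAMPLE_MX = [(10, "mx1.example.invalid"), (20, "mx2.example.invalid"), (30, "mx3.example.invalid")]
SAMPLE_PROBES: Dict[str, ProbeResult] = {
    "mx1.example.invalid": ("starttls", "negotiated TLSv1.3"),
    "mx2.example.invalid": ("no_starttls", "EHLO did not advertise STARTTLS"),
    "mx3.example.invalid": ("unreachable", "timed out"),
}


def demo() -> Dict[str, object]:
    """Run the assessment against the constructed sample with a fake probe."""
    report = assess_require_tls(SAMPLE_MX, probe=lambda h: SAMPLE_PROBES[h])
    for host, (status, detail) in report["results"].items():
        print(f"{host:24} {status:20} {detail}")
    if report["safe_to_require_tls"]:
        print("OK: add all of", report["tls_hosts"], "to the Require TLS host list")
    else:
        print("MIXED: plaintext-only MX hosts", report["plain_hosts"],
              "- requiring TLS per host will delay or bounce mail depending on MX selection")
    return report


if __name__ == "__main__":
    demo()
```

Against real MX hosts, call `assess_require_tls(hosts)` with the default probe from a machine that is allowed to open port 25 outbound. A host reported as `starttls_untrusted` still counts as TLS-capable for UTM's "certificate errors ignored" mode, which is why it is grouped with `tls_hosts`; if you need verified certificates, treat that status like `no_starttls` instead.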

  • Hello sachingurung.

    Yes, I was skimming around the smarthost option too... I will give it another look.

    Thanks and have a nice day.

    Fabian

  • Hello Douglas.

    Thank you very much for your in-depth answer, I really appreciate this.

    The other entity in this scenario is a major, major, MAJOR insurance company. The requirement for a dedicated route to their TLS mail gateway is included in their standard form for requesting TLS. I can even see that their normal mail gateway supports TLS, but they insist on directing to the TLS gateway.

    So, no MX record. I will give the SMTP profile a try (and SmartHosts, which Sachin recommended).

    Thanks again Douglas.

    Fabian

  • As far as I can tell, there is no way to configure a smarthost for one domain. You will certainly have a mess if UTM tries to relay all of your outbound mail through them.

    It should certainly work to use your Exchange Send Connector rule to bypass UTM for this situation.

  • Hello Douglas.

    After a discussion with one of the insurance company's techs, we DID establish a TLS connection based on MX records.

    I think I got the wrong impression that a dedicated mail route was kind of non-optional.

    Thanks everybody, have a nice day.

    Fabian

  • Unknown said:

    After a discussion with one of the insurance company's techs, we DID establish a TLS connection based on MX records.

    I think I got the wrong impression that a dedicated mail route was kind of non-optional.

    Hello Fabian,

    I think the company is Al***z ;-) Wanted to migrate this from our exchange and having the same problem, I think. Could you be so kind and explain your solution a little more in depth? Are you using their public mx records or a kind of pinpoint DNS?

    Best

    Alex

  • Hey guys,

    Agreed that this can't be done with smart host or an MX record in the UTM.

    Given Fabian's original scenario, he could have looked up the MX record for abcd.com and then created a Host definition in the UTM for the FQDN, so that it would resolve to the IP of tls.abcd.com. Note that this "trick" only works if you have configured as in DNS best practice.

    However, the original scenario you described didn't sound reasonable, Fabian, so I was glad to see that there was simply a misunderstanding.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have run into a similar problem and need to find a workable permanent solution for this.

    We are using our UTM as our outbound mail relay for our web application servers to prevent availability issues and other service disruptions if our Exchange servers are offline. This works for the most part, but we have an email-to-fax service that is reached using a custom subdomain, and the only way I've found to re-route outbound email through the UTM is to create a custom SMTP profile that is routed to the fax server. The problem with this is that it technically creates an open relay to these destinations, which we'd prefer to be unreachable from the Internet. (They're not published, so someone would have to have extensive information about our organization or really good luck to exploit it, but either way, it's a gap we need to close.)

    We also have *many* partners with whom we are required to configure mandatory TLS, and many of them use products like Office 365 that have somewhat ephemeral destination gateways... we really need to be able to configure outbound TLS enforcement at the domain name level, not just the SMTP host.