Technical Tip: Office365 Secure Relay via FortiMail to avoid unauthorized email relay
| Description | This article describes the configuration of policies on FortiMail to securely relay email from Office365 and Google domains. |
| Scope | FortiMail, all firmware versions. |
| Solution | A situation arises when FortiMail is configured with a protected domain hosted on Office365 or Google. Office365 and Google send outbound email from a shared pool of IP addresses. Because of this, it is difficult to control, by source address alone, which email arriving from Office365 and Google is legitimate email of the protected domain that should be relayed to external domains. In such a scenario, the following configuration can be done on FortiMail to avoid this issue. |

Step 1: Integrate Office365 or Google with FortiMail by configuring them to relay outbound email via FortiMail.

Step 2: Create a proper ACL to control the flow of email traffic from Office365 and Google for the protected domain. First, add an ACL that accepts the relay from Office365 and Google for Protected_domain. ISDB is used to avoid creating multiple ACLs for the pool of Office365 and Google IP addresses.

Note: An additional policy needs to be configured to reject emails that are not authenticated on FortiMail.

Second, set the Authentication status to Authenticated to enforce user authentication before email is relayed from the FortiMail protected customer domain.

FortiMail supports many authentication methods, such as LDAP, SMTP, IMAP, and POP3. Information on these methods and how to integrate them is available in the FortiMail Administration Guide; see Configuring authentication profiles.

Third, configure and assign an authentication method in the IP Policy or Inbound Recipient Policy.

Once those policies are in place, only email from the domain with proper user authentication on FortiMail will be relayed to external domains.
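The following is an added model of the access-control decision the two rules above implement; it is an illustration written for this article, not FortiMail code. The address ranges stand in for the ISDB Office365/Google objects and example.com for the protected domain; both are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder ranges standing in for the ISDB objects (constructed, not real data)
CLOUD_SENDER_POOL = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]
PROTECTED_DOMAIN = "example.com"  # assumed protected domain name


@dataclass
class Session:
    src_ip: str          # connecting IP (a shared Office365/Google egress address)
    sender: str          # envelope sender
    recipient: str       # envelope recipient
    authenticated: bool  # did the SMTP session authenticate (LDAP/SMTP/IMAP/POP3)?


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def from_cloud_pool(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_SENDER_POOL)


def outbound_from_protected(s: Session) -> bool:
    """Sender claims the protected domain and the recipient is external."""
    return (domain_of(s.sender) == PROTECTED_DOMAIN
            and domain_of(s.recipient) != PROTECTED_DOMAIN)


def ip_only_acl(s: Session) -> str:
    """Weak rule: relay because the source is in the cloud pool.  Any other
    tenant sharing that pool can claim the protected domain and is relayed too."""
    if from_cloud_pool(s.src_ip) and outbound_from_protected(s):
        return "RELAY"
    return "REJECT"


def authenticated_acl(s: Session) -> str:
    """Rules from Step 2, evaluated top-down, first match wins (assumed order):
    1. relay from the cloud pool only when the session authenticated;
    2. reject any session that did not authenticate.
    Anything not matched falls to the model's default of deny."""
    if from_cloud_pool(s.src_ip) and outbound_from_protected(s) and s.authenticated:
        return "RELAY"
    if not s.authenticated:
        return "REJECT"
    return "REJECT"
```

With the IP-only rule a forged protected-domain sender coming from the shared pool is relayed; with the authentication requirement the same session is rejected while an authenticated user is still relayed.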