DanielRiek
New Contributor

ACL based on X-Header and TLS certificate (Office 365/Exchange Online)

Hi,

We installed a FML in Azure and are looking for a best-practice configuration for routing mail from internal senders originating from Office 365. Currently we have added all Exchange Online IPs/ranges to ACLs manually for relaying (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges), but this is very confusing.

Is it possible to validate the Office 365 tenant by checking the TLS certificate for integrity and the Exchange Online headers ("X-OriginatorOrg: <tenantid>.onmicrosoft.com" and "X-MS-Exchange-CrossTenant-Id: <tenant guid>") within an ACL instead of whitelisting all Exchange Online IPs/ranges? TLS checking can be achieved by using a TLS profile, but how can the headers be checked at an early stage?

abelio
Valued Contributor

DanielRiek wrote:

Is it possible to validate the Office 365 tenant by checking the TLS certificate for integrity and the Exchange Online headers ("X-OriginatorOrg: <tenantid>.onmicrosoft.com" and "X-MS-Exchange-CrossTenant-Id: <tenant guid>") within an ACL instead of whitelisting all Exchange Online IPs/ranges? TLS checking can be achieved by using a TLS profile, but how can the headers be checked at an early stage?

I'm afraid not.

The standard approach you've already taken remains valid afaik:

https://cookbook.fortinet.com/how-to-integrate-fortimail-into-office-365/

regards / Abel
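Added example, not part of the thread and not Fortinet code: header fields only exist once the message has been transferred after SMTP DATA, so the tenant check asked about above can only run on the received message. The sketch below does that check in Python and accepts the headers only when the TLS peer was already verified, because the header values themselves are chosen by the sender. The tenant values, the sample message and the `tls_peer_verified` flag (supplied by whatever terminated TLS) are constructed assumptions.

```python
import uuid
from email import message_from_string

# Constructed placeholders, not real tenant values.
EXPECTED_ORG = "example-tenant.onmicrosoft.com"
EXPECTED_TENANT_ID = "0a1b2c3d-1111-2222-3333-444455556666"

# Constructed sample message for illustration.
SAMPLE_OK = (
    "From: user@example.com\n"
    "X-OriginatorOrg: example-tenant.onmicrosoft.com\n"
    "X-MS-Exchange-CrossTenant-Id: 0a1b2c3d-1111-2222-3333-444455556666\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def _single(msg, name):
    """Return the only value of header `name`, or None if absent or repeated."""
    values = msg.get_all(name, [])
    return str(values[0]).strip() if len(values) == 1 else None


def tenant_headers_match(raw_message, tls_peer_verified,
                         org=EXPECTED_ORG, tenant_id=EXPECTED_TENANT_ID):
    """True only if the TLS peer was verified AND both tenant headers match."""
    if not tls_peer_verified:
        # Headers alone are sender-controlled; never accept them by themselves.
        return False
    msg = message_from_string(raw_message)  # parses the header section only
    got_org = _single(msg, "X-OriginatorOrg")
    got_id = _single(msg, "X-MS-Exchange-CrossTenant-Id")
    if got_org is None or got_id is None:
        return False  # missing or duplicated header is treated as a mismatch
    try:
        same_id = uuid.UUID(got_id) == uuid.UUID(tenant_id)  # ignores case/braces
    except ValueError:
        return False  # value is not a well-formed GUID
    return got_org.lower() == org.lower() and same_id


if __name__ == "__main__":
    print(tenant_headers_match(SAMPLE_OK, tls_peer_verified=True))
```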
