ACL based on X-Header and TLS certificate (Office 365/Exchange Online)
Hi,
We installed a FML in Azure and are looking for best practices configuration regarding the mail routing of mails from internal senders originating from Office 365. Currently we added all Exchange Online IPs/Ranges to ACLs manually for relaying (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges) but this is very confusing.
Is it possible to validate the Office 365 tenant by checking the TLS Certificate for integrity and the Exchange Online Header ("X-OriginatorOrg: <tenantid>.onmicrosoft.com" and "X-MS-Exchange-CrossTenant-Id: <tenant guid>") within an ACL instead of whitelisting all Exchange Online IPs/Ranges? TLS checking can be achieved by using a TLS profile but how to check the headers in an early state?
DanielRiek wrote:
> Is it possible to validate the Office 365 tenant by checking the TLS Certificate for integrity and the Exchange Online Header ("X-OriginatorOrg: <tenantid>.onmicrosoft.com" and "X-MS-Exchange-CrossTenant-Id: <tenant guid>") within an ACL instead of whitelisting all Exchange Online IPs/Ranges? TLS checking can be achieved by using a TLS profile but how to check the headers in an early state?

I'm afraid not.
The standard approach you've already taken remains valid afaik:
https://cookbook.fortinet.com/how-to-integrate-fortimail-into-office-365/
regards
/ Abel
