SMTP relay towards M365 best practice, but with STARTTLS
I have a client who has half of their users in my cPanel and the other half in M365, so it is hybrid config.
On the cPanel side the best practice is to relay every mail coming from that user's domain (domain.tld) to M365 and this I achieved with the following extra exim config:
o365_smarthost_dkim:
  driver = manualroute
  domains = !+local_domains
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = dkim_remote_smtp
  route_data = ${lookup{$sender_address_domain}lsearch{/etc/smarthosts}}

o365_smarthost:
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  route_data = ${lookup{$sender_address_domain}lsearch{/etc/smarthosts}}
In /etc/smarthosts I have a line like this:
domain.tld domain-tld.mail.protection.outlook.com::25
All is well, it works great.
But recently I discovered that this should work with STARTTLS too on the same 25 port (checked with s-nail, works like it should), so the connection would be encrypted.
How can I achieve this with the extra addon above?
Thanks,
Dan
By default Exim should automatically be attempting a TLS connection. You should be able to see that by doing something like "grep remote_smtp /var/log/exim_mainlog|grep TLS" to show TLS connections, or "grep remote_smtp /var/log/exim_mainlog|grep -v TLS" to show non-TLS connections.
When the cPanel server connects to the remote server, after HELO it then sends a STARTTLS command. Either it gets a response that TLS is available and has started, or it gets a message from the remote server like "500 Unknown or unimplemented command", which means the remote server doesn't support TLS. At that point, unless you have Exim set up to force TLS and not make any connection to remote servers not capable of TLS, it will always try to connect over TLS and will do so as long as the remote server supports TLS and there are matching available SSL/TLS protocols and ciphers available.
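The grep checks in the answer above can be turned into a small report that separates encrypted from plaintext smarthost deliveries and also flags sessions where TLS was negotiated but the remote certificate was not verified. The script below is an added example, not part of the original thread or of cPanel's tooling; the log lines it embeds are constructed samples in Exim mainlog format (Exim records the negotiated cipher suite as X=... and certificate verification as CV=...), and the hostnames, IPs and message IDs are placeholders.

```bash
#!/bin/sh
# Added example: classify Exim remote_smtp delivery lines as TLS or plaintext.
# Exim writes the negotiated cipher as "X=TLS1.2:..." on delivery lines and the
# certificate-verification result as "CV=yes|no". A delivery line with no X=
# field went out in the clear.
#
# CONSTRUCTED sample log (placeholder hosts, addresses and message IDs); in
# real use, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog.
SAMPLE_LOG=$(cat <<'EOF'
2024-05-01 10:00:01 1s8abc-0001aa-Xy => alice@domain.tld R=o365_smarthost T=remote_smtp H=domain-tld.mail.protection.outlook.com [203.0.113.10] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 Queued mail for delivery"
2024-05-01 10:00:05 1s8abc-0001ab-Xy => bob@domain.tld R=o365_smarthost_dkim T=dkim_remote_smtp H=domain-tld.mail.protection.outlook.com [203.0.113.10] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.6.0 Queued mail for delivery"
2024-05-01 10:00:09 1s8abc-0001ac-Xy => carol@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5] C="250 OK"
2024-05-01 10:00:12 1s8abc-0001ad-Xy <= dave@domain.tld H=localhost [127.0.0.1] P=esmtpa S=1234
EOF
)

# Outbound delivery lines ("=>") over either transport named in the thread.
delivery_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep ' => ' | grep -E 'T=(dkim_)?remote_smtp'
}

# Deliveries that negotiated TLS (cipher suite logged as X=...).
count_tls() {
    delivery_lines | grep -c ' X='
}

# Deliveries with no X= field, i.e. sent in plaintext.
count_plain() {
    delivery_lines | grep -vc ' X='
}

# Encrypted but unauthenticated sessions: TLS was used, yet Exim could not
# verify the remote certificate (CV=no). These are the ones to look at when
# deciding whether to require verification for the smarthost.
unverified_tls() {
    delivery_lines | grep ' X=' | grep ' CV=no'
}

# Human-readable summary; call with no arguments.
report() {
    echo "TLS deliveries:        $(count_tls)"
    echo "Plaintext deliveries:  $(count_plain)"
    echo "TLS without cert verification:"
    unverified_tls | awk '{print "  " $3, $4, $7, $8}'
}

report
```

Running the script against the embedded sample prints two TLS deliveries, one plaintext delivery (the non-smarthost destination), and one line where the M365 session was encrypted but the certificate was not verified. Against the real mainlog, any plaintext line with H= pointing at the mail.protection.outlook.com host is the signal that STARTTLS was offered but not used.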
Thank you very much, you are absolutely right!
Case is solved then, thanks for the great answer!
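The answer above notes that, by default, Exim only attempts TLS opportunistically and falls back to plaintext when STARTTLS is refused. For a fixed smarthost such as M365 that is known to support it, the fallback can be disabled on the transport so that a downgrade fails the delivery instead of silently sending in the clear. The fragment below is an added example, not configuration from the original thread or from cPanel; it assumes the smtp transport options hosts_require_tls and tls_verify_hosts (both standard Exim transport options) are added to the remote_smtp and dkim_remote_smtp transports used by the routers above, and uses the same hostname pattern as the thread's /etc/smarthosts entry.

```exim
# Added example, not from the original post: applied to the remote_smtp and
# dkim_remote_smtp transports (on cPanel, via the Exim advanced editor, which
# is an assumption about where the transport definitions are edited).

  # Refuse to deliver to the smarthost unless a TLS session was negotiated;
  # a "500 Unknown or unimplemented command" reply to STARTTLS then defers
  # the message rather than sending it in plaintext.
  hosts_require_tls = *.mail.protection.outlook.com

  # Additionally require that the smarthost's certificate verifies against
  # the configured CA bundle, so a CV=no session is also refused.
  tls_verify_hosts = *.mail.protection.outlook.com
```

With these set, the grep for non-TLS remote_smtp lines from the answer should return nothing for the smarthost; any remaining plaintext lines belong to other destinations that were not in the host list.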