Unitrends and Office365

thanksajdotcom

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

Dashrender

@ajstringham I bet that it's because the Unitrends box can't do secure POP, only insecure POP. It all hinges on the fact that Unitrends probably doesn't have the features installed to allow TLS connections.

thanksajdotcom

@Dashrender said:

@ajstringham I bet that it's because the Unitrends box can't do secure POP, only insecure POP. It all hinges on the fact that Unitrends probably doesn't have the features installed to allow TLS connections.

Unitrends has no reason to use POP. It doesn't receive email. Only sends out reports.

Dashrender

@ajstringham said:

@Dashrender said:

@ajstringham I bet that it's because the Unitrends box can't do secure POP, only insecure POP. It all hinges on the fact that Unitrends probably doesn't have the features installed to allow TLS connections.

Unitrends has no reason to use POP. It doesn't receive email. Only sends out reports.

Which leads to something I've never really understood. When using POP/SMTP clients, SMTP is used to send the email to a local(ish) server. Why can't the client send directly to the receiving side? This implies some sort of difference in client SMTP vs Server SMTP.

??

scottalanmiller

@Dashrender said:

Scott, what do you mean disable security? Surely Office 365 does not require TLS for email?
Do you mean that the Unitrends can't act as a client of O365 because it can't send via TLS? So the disabling of security in an on premise Exchange setup you mean to say that you have to allow unauthenticated (or at least plain text authentication) for on prem to work?

Office 365 certainly does require TLS. And on premise should always have to. That's been best practice for a long time.

scottalanmiller

@Dashrender said:

Scott, what do you mean disable security? Surely Office 365 does not require TLS for email?
Do you mean that the Unitrends can't act as a client of O365 because it can't send via TLS? So the disabling of security in an on premise Exchange setup you mean to say that you have to allow unauthenticated (or at least plain text authentication) for on prem to work?

Yes. For Unitrends only clear text works.

scottalanmiller

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

Lots of details are left out. You know that TLS isn't supported. So you know that requiring it has to be disabled. So just put two and two together. You already have the answer, just not spelled out.

scottalanmiller

@Dashrender said:

@ajstringham said:

@Dashrender said:

@ajstringham I bet that it's because the Unitrends box can't do secure POP, only insecure POP. It all hinges on the fact that Unitrends probably doesn't have the features installed to allow TLS connections.

Unitrends has no reason to use POP. It doesn't receive email. Only sends out reports.

Which leads to something I've never really understood. When using POP/SMTP clients, SMTP is used to send the email to a local(ish) server. Why can't the client send directly to the receiving side? This implies some sort of difference in client SMTP vs Server SMTP.

??

I don't follow your question. SMTP is SMTP. What is the client and receiving sides in your question?

Dashrender

If I'm using Thunderbird as an email client, I have to setup a POP3 and a SMTP server - why do I need an SMTP server setup? Why doesn't Thunderbird try to make and SMTP connection directly with the server that's responsible for the email I'm sending to? i.e. I'm sending one to you at NTG why doesn't Thunderbird do an MX lookup for NTG.CO, connect and send?

thanksajdotcom

@Dashrender The SMTP server does that. You're talking about a P2P setup and that's just not possible. SMTP does the sending. No way around that.

thanksajdotcom

@scottalanmiller said:

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

Lots of details are left out. You know that TLS isn't supported. So you know that requiring it has to be disabled. So just put two and two together. You already have the answer, just not spelled out.

Scott, what I'm saying is I've never seen it anywhere in writing or been verbally told that when a client uses on-premise Exchange that they must disable TLS/security. It seems to me if that was the case that Unitrends would automatically be eliminated as an option by anyone in any kind of field with sensitive data (healthcare, finance, government, etc).

thanksajdotcom

And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.

Dashrender

@ajstringham I understand that it's P2P but the protocol Thunderbird and tons of other clients is using is called SMTP, the same that Exchange, Domino and every other email server use to send messages to each other.

thanksajdotcom

Then again, perhaps that's why it works with on-premise and not hosted. On-premise may be authenticating locally via AD so Kerberos, etc and bypassing authenticating against SMTP directly. Almost a relay workaround?

Dashrender

@ajstringham said:

And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.

Sure they use authentication, but it's probably in clear text, not over SSL/TLS.

I'm guessing that on premise Exchange does not require TLS connections from clients by default - you are suppose to enable it because Best Practices tell you to.

I know I use authentication from my copy machines to send email, etc.. but they don't support TLS either, so I know internally my clients don't have to use TLS to connect to Exchange.

thanksajdotcom

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Dashrender

@ajstringham said:

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side.

Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering), of course sending email to anyone else won't work because the NTG server will ask you why in the world are you asking them to relay your email to another domain.

So my question is - in the case of a gmail user, why do I need to use gmail's server to 'relay' my message to the other side? Why doesn't Thunderbird (and the rest) of the client simply make their own MX lookup (just like Exchange does, etc) and send direct?

I suppose one answer would be spam. If you use a SPF record you couldn't possibly list all of the places that people might send a gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?

thanksajdotcom

@Dashrender said:

@ajstringham said:

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side.

Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering), of course sending email to anyone else won't work because the NTG server will ask you why in the world are you asking them to relay your email to another domain.

So my question is - in the case of a gmail user, why do I need to use gmail's server to 'relay' my message to the other side? Why doesn't Thunderbird (and the rest) of the client simply make their own MX lookup (just like Exchange does, etc) and send direct?

I suppose one answer would be spam. If you use a SPF record you couldn't possibly list all of the places that people might send a gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?

Ok, I see what you're saying. Let me ask you. What would be the business advantage to this? What would be their motivation? Thunderbird is free so investing in that would be foolish. They are completely free for personal and business. Also, Outlook is by Microsoft who already has their own in Office365 or for a business using on-premise Exchange, that one. Why would they? There is no benefit for them to do so. As far as the SMTP, it won't work. Unless there is literally ZERO authentication against SMTP, to which I would say wtf?!, then your receiving is fine and sending won't go because it won't authenticate. Has nothing to do with port filtering.

thanksajdotcom

@dashrender Also, why would/does anyone use POP3 anymore? It's a dead protocol. Only ones I see using it still are ISPs like TWC, Verizon, etc. Serious email providers like Gmail and all business providers (or almost all) use IMAP. POP3 is just not smart and in the age of multiple devices, POP3 is stupid.

thanksajdotcom

@dashrender you seem to have some things mixed up. You are looking at email domains like AD domains. That's not quite right. Your setup is almost like some weird ad-hoc email SMTP VPN type thing I can't even fathom. None of it makes any sense for dev or especially production environments.