Unitrends and Office365

scottalanmiller

@Dashrender said:

Scott, what do you mean disable security? Surely Office 365 does not require TLS for email?
Do you mean that the Unitrends can't act as a client of O365 because it can't send via TLS? So the disabling of security in an on premise Exchange setup you mean to say that you have to allow unauthenticated (or at least plain text authentication) for on prem to work?

Office 365 certainly does require TLS. And on premise should always have to. That's been best practice for a long time.

scottalanmiller

@Dashrender said:

Scott, what do you mean disable security? Surely Office 365 does not require TLS for email?
Do you mean that the Unitrends can't act as a client of O365 because it can't send via TLS? So the disabling of security in an on premise Exchange setup you mean to say that you have to allow unauthenticated (or at least plain text authentication) for on prem to work?

Yes. For Unitrends only clear text works.

scottalanmiller

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

Lots of details are left out. You know that TLS isn't supported. So you know that requiring it has to be disabled. So just put two and two together. You already have the answer, just not spelled out.

scottalanmiller

@Dashrender said:

@ajstringham said:

@Dashrender said:

@ajstringham I bet that it's because the Unitrends box can't do secure POP, only insecure POP. It all hinges on the fact that Unitrends probably doesn't have the features installed to allow TLS connections.

Unitrends has no reason to use POP. It doesn't receive email. Only sends out reports.

Which leads to something I've never really understood. When using POP/SMTP clients, SMTP is used to send the email to a local(ish) server. Why can't the client send directly to the receiving side? This implies some sort of difference in client SMTP vs Server SMTP.

??

I don't follow your question. SMTP is SMTP. What is the client and receiving sides in your question?

Dashrender

If I'm using Thunderbird as an email client, I have to setup a POP3 and a SMTP server - why do I need an SMTP server setup? Why doesn't Thunderbird try to make and SMTP connection directly with the server that's responsible for the email I'm sending to? i.e. I'm sending one to you at NTG why doesn't Thunderbird do an MX lookup for NTG.CO, connect and send?

thanksajdotcom

@Dashrender The SMTP server does that. You're talking about a P2P setup and that's just not possible. SMTP does the sending. No way around that.

thanksajdotcom

@scottalanmiller said:

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

@ajstringham said:

@dashrender

As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx

As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.

Lots of details are left out. You know that TLS isn't supported. So you know that requiring it has to be disabled. So just put two and two together. You already have the answer, just not spelled out.

Scott, what I'm saying is I've never seen it anywhere in writing or been verbally told that when a client uses on-premise Exchange that they must disable TLS/security. It seems to me if that was the case that Unitrends would automatically be eliminated as an option by anyone in any kind of field with sensitive data (healthcare, finance, government, etc).

thanksajdotcom

And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.

Dashrender

@ajstringham I understand that it's P2P but the protocol Thunderbird and tons of other clients is using is called SMTP, the same that Exchange, Domino and every other email server use to send messages to each other.

thanksajdotcom

Then again, perhaps that's why it works with on-premise and not hosted. On-premise may be authenticating locally via AD so Kerberos, etc and bypassing authenticating against SMTP directly. Almost a relay workaround?

Dashrender

@ajstringham said:

And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.

Sure they use authentication, but it's probably in clear text, not over SSL/TLS.

I'm guessing that on premise Exchange does not require TLS connections from clients by default - you are suppose to enable it because Best Practices tell you to.

I know I use authentication from my copy machines to send email, etc.. but they don't support TLS either, so I know internally my clients don't have to use TLS to connect to Exchange.

thanksajdotcom

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Dashrender

@ajstringham said:

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side.

Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering), of course sending email to anyone else won't work because the NTG server will ask you why in the world are you asking them to relay your email to another domain.

So my question is - in the case of a gmail user, why do I need to use gmail's server to 'relay' my message to the other side? Why doesn't Thunderbird (and the rest) of the client simply make their own MX lookup (just like Exchange does, etc) and send direct?

I suppose one answer would be spam. If you use a SPF record you couldn't possibly list all of the places that people might send a gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?

thanksajdotcom

@Dashrender said:

@ajstringham said:

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side.

Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering), of course sending email to anyone else won't work because the NTG server will ask you why in the world are you asking them to relay your email to another domain.

So my question is - in the case of a gmail user, why do I need to use gmail's server to 'relay' my message to the other side? Why doesn't Thunderbird (and the rest) of the client simply make their own MX lookup (just like Exchange does, etc) and send direct?

I suppose one answer would be spam. If you use a SPF record you couldn't possibly list all of the places that people might send a gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?

Ok, I see what you're saying. Let me ask you. What would be the business advantage to this? What would be their motivation? Thunderbird is free so investing in that would be foolish. They are completely free for personal and business. Also, Outlook is by Microsoft who already has their own in Office365 or for a business using on-premise Exchange, that one. Why would they? There is no benefit for them to do so. As far as the SMTP, it won't work. Unless there is literally ZERO authentication against SMTP, to which I would say wtf?!, then your receiving is fine and sending won't go because it won't authenticate. Has nothing to do with port filtering.

thanksajdotcom

@dashrender Also, why would/does anyone use POP3 anymore? It's a dead protocol. Only ones I see using it still are ISPs like TWC, Verizon, etc. Serious email providers like Gmail and all business providers (or almost all) use IMAP. POP3 is just not smart and in the age of multiple devices, POP3 is stupid.

thanksajdotcom

@dashrender you seem to have some things mixed up. You are looking at email domains like AD domains. That's not quite right. Your setup is almost like some weird ad-hoc email SMTP VPN type thing I can't even fathom. None of it makes any sense for dev or especially production environments.

Dashrender

@ajstringham UH WHAT? I'm not sure how adhoc AD came into this?

email is a point to point protocol - sent by you to one or more other points. When you send an email from your Outlook client it goes to an Exchange server who then makes a MX call for the destination server, then connects to said server, who then waits for their client to pick up the mail.

My question is, Why does Outlook (or any end user client) need to send to a local(ish) server first (i.e. Exchange or your ISP's email server, etc) other than providing flow control or SPF abilities or other business related requires (think saving all copies of email sent and received in a company), it isn't required. Outlook can use SMTP to send the email itself to the end users email server directly because it understand how to talk SMTP - which by default has ZERO authentication - (think about it, my exchange server does not authentic with NTG's when I send you an email. At best NTG's server checks a SPF record and allows email to come from my server based on the SPF lookup, otherwise there's no authentication what so ever.)

Now I can understand why a company would want their email clients (outlook/thunderbird, etc) to go through a centralized outbound SMTP because of the aforementioned controls it provides. But what I don't understand is why manufactures like Unitrends don't make life easy for themselves and just install a full blown SMTP server in their devices that can deliver mail without the help of an outside SMTP host/relay.
I suppose some might say - well someone could compromise that unitrends box and start using it to relay spam - is that really that much more of a risk than your Exchange server? Especially when it only sends and doesn't receive therefore there's no reason for any holes in the firewall to gain access to that box?

I could probably go on and on.. but I need to get back to solving my MediaWiki issue.

thanksajdotcom

@Dashrender You're talking about using a program that you use to view email as a server. Outlook is basically just a GUI to Exchange or whoever's email you're connecting. What you're saying just makes no sense. I'm sorry.

scottalanmiller

@Dashrender said:

@ajstringham said:

@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?

Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side.

Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering), of course sending email to anyone else won't work because the NTG server will ask you why in the world are you asking them to relay your email to another domain.

So my question is - in the case of a gmail user, why do I need to use gmail's server to 'relay' my message to the other side? Why doesn't Thunderbird (and the rest) of the client simply make their own MX lookup (just like Exchange does, etc) and send direct?

I suppose one answer would be spam. If you use a SPF record you couldn't possibly list all of the places that people might send a gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?

Sorry for the long quote. I'm on a phone. You can do direct SMTP. But no one accepts the connects. So it rarely works. It's unreliable in real life and very impractical. It's too fragile for any real usage.

But all SMTP is the same.

scottalanmiller

@Dashrender said:

@ajstringham UH WHAT? I'm not sure how adhoc AD came into this?

email is a point to point protocol - sent by you to one or more other points. When you send an email from your Outlook client it goes to an Exchange server who then makes a MX call for the destination server, then connects to said server, who then waits for their client to pick up the mail.

My question is, Why does Outlook (or any end user client) need to send to a local(ish) server first (i.e. Exchange or your ISP's email server, etc) other than providing flow control or SPF abilities or other business related requires (think saving all copies of email sent and received in a company), it isn't required. Outlook can use SMTP to send the email itself to the end users email server directly because it understand how to talk SMTP - which by default has ZERO authentication - (think about it, my exchange server does not authentic with NTG's when I send you an email. At best NTG's server checks a SPF record and allows email to come from my server based on the SPF lookup, otherwise there's no authentication what so ever.)

Now I can understand why a company would want their email clients (outlook/thunderbird, etc) to go through a centralized outbound SMTP because of the aforementioned controls it provides. But what I don't understand is why manufactures like Unitrends don't make life easy for themselves and just install a full blown SMTP server in their devices that can deliver mail without the help of an outside SMTP host/relay.
I suppose some might say - well someone could compromise that unitrends box and start using it to relay spam - is that really that much more of a risk than your Exchange server? Especially when it only sends and doesn't receive therefore there's no reason for any holes in the firewall to gain access to that box?

I could probably go on and on.. but I need to get back to solving my MediaWiki issue.

They do have a full blown SMTP server (Sendmail) installed. It is just crippled. They have all the overhead of a full server. Any normal Linux box does.