Unitrends and Office365
-
@scottalanmiller said:
@ajstringham said:
As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx
As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.
@ajstringham said:
As far as Office365 goes:
http://office.microsoft.com/en-us/outlook-help/settings-for-pop-and-imap-access-HA102908389.aspx
As far as on-premise Exchange goes, I've never seen or been told you have to disable security of any kind. That's what's confusing me. Why would on-premise work but not Office365? Something just isn't adding up. Working on getting definite answers now.
Lots of details are left out. You know that TLS isn't supported. So you know that requiring it has to be disabled. So just put two and two together. You already have the answer, just not spelled out.
Scott, what I'm saying is I've never seen it anywhere in writing or been verbally told that when a client uses on-premise Exchange that they must disable TLS/security. It seems to me if that was the case that Unitrends would automatically be eliminated as an option by anyone in any kind of field with sensitive data (healthcare, finance, government, etc).
-
And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.
-
@ajstringham I understand that it's P2P, but the protocol Thunderbird and tons of other clients are using is called SMTP, the same that Exchange, Domino and every other email server use to send messages to each other.
-
Then again, perhaps that's why it works with on-premise and not hosted. On-premise may be authenticating locally via AD so Kerberos, etc and bypassing authenticating against SMTP directly. Almost a relay workaround?
-
@ajstringham said:
And I know for a fact they have clients with sensitive data. I've done the setup. They had on-premise Exchange. They checked to use authentication against the email server.
Sure they use authentication, but it's probably in clear text, not over SSL/TLS.
I'm guessing that on-premise Exchange does not require TLS connections from clients by default - you are supposed to enable it because Best Practices tell you to.
I know I use authentication from my copy machines to send email, etc., but they don't support TLS either, so I know internally my clients don't have to use TLS to connect to Exchange.
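Whether a server offers STARTTLS, and whether it will take AUTH before TLS is negotiated, is visible in its EHLO reply. This is an added example, not code from the thread; the host names and EHLO replies are constructed samples, and `probe()` is a hypothetical helper for running the same check live.

```python
import smtplib

# Constructed EHLO reply from a server that offers STARTTLS and does not
# advertise AUTH until TLS is up (sample text, not captured from a real host).
SAMPLE_EHLO_TLS = b"""250-mail.example.test Hello [192.0.2.10]
250-SIZE 37748736
250-PIPELINING
250-STARTTLS
250-8BITMIME
250 CHUNKING"""

# Constructed reply from a server that accepts cleartext AUTH with no STARTTLS.
SAMPLE_EHLO_PLAIN = b"""250-relay.example.test
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def parse_ehlo(reply: bytes) -> dict:
    """Return {EXTENSION: argument} from a multi-line EHLO reply (RFC 5321 4.1.1.1)."""
    lines = reply.decode("ascii", "replace").splitlines()
    feats = {}
    for line in lines[1:]:            # first line is the greeting, not an extension
        if not line.startswith("250"):
            continue
        body = line[4:].strip()       # skip "250-" or "250 "
        if body:
            name, _, arg = body.partition(" ")
            feats[name.upper()] = arg
    return feats


def assess(feats: dict) -> dict:
    """What a sending appliance would face on this server before any TLS."""
    auth = feats.get("AUTH", "").split()
    return {
        "starttls_offered": "STARTTLS" in feats,
        "auth_mechs_before_tls": auth,
        # AUTH advertised pre-TLS means credentials can go over the wire in clear.
        "auth_without_tls": bool(auth),
    }


def probe(host: str, port: int = 587, timeout: int = 10) -> dict:
    """Live check (needs network): EHLO only, no credentials are sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return assess({k.upper(): v for k, v in s.esmtp_features.items()})
```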
-
@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?
-
@ajstringham said:
@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?
Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install Thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side. Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering); of course sending email to anyone else won't work because the NTG server will ask you why in the world you are asking them to relay your email to another domain.
So my question is - in the case of a Gmail user, why do I need to use Gmail's server to 'relay' my message to the other side? Why don't Thunderbird (and the rest of the clients) simply make their own MX lookup (just like Exchange does, etc.) and send direct?
I suppose one answer would be spam. If you use an SPF record you couldn't possibly list all of the places that people might send a Gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?
-
@Dashrender said:
@ajstringham said:
@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?
Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install Thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side. Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering); of course sending email to anyone else won't work because the NTG server will ask you why in the world you are asking them to relay your email to another domain.
So my question is - in the case of a Gmail user, why do I need to use Gmail's server to 'relay' my message to the other side? Why don't Thunderbird (and the rest of the clients) simply make their own MX lookup (just like Exchange does, etc.) and send direct?
I suppose one answer would be spam. If you use an SPF record you couldn't possibly list all of the places that people might send a Gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?
Ok, I see what you're saying. Let me ask you. What would be the business advantage to this? What would be their motivation? Thunderbird is free so investing in that would be foolish. They are completely free for personal and business. Also, Outlook is by Microsoft who already has their own in Office365 or for a business using on-premise Exchange, that one. Why would they? There is no benefit for them to do so. As far as the SMTP, it won't work. Unless there is literally ZERO authentication against SMTP, to which I would say wtf?!, then your receiving is fine and sending won't go because it won't authenticate. Has nothing to do with port filtering.
-
@dashrender Also, why would/does anyone use POP3 anymore? It's a dead protocol. Only ones I see using it still are ISPs like TWC, Verizon, etc. Serious email providers like Gmail and all business providers (or almost all) use IMAP. POP3 is just not smart and in the age of multiple devices, POP3 is stupid.
-
@dashrender you seem to have some things mixed up. You are looking at email domains like AD domains. That's not quite right. Your setup is almost like some weird ad-hoc email SMTP VPN type thing I can't even fathom. None of it makes any sense for dev or especially production environments.
-
@ajstringham UH WHAT? I'm not sure how ad hoc AD came into this?
Email is a point-to-point protocol - sent by you to one or more other points. When you send an email from your Outlook client it goes to an Exchange server, which then makes an MX call for the destination server, then connects to said server, which then waits for its client to pick up the mail.
My question is, why does Outlook (or any end user client) need to send to a local(ish) server first (i.e. Exchange or your ISP's email server, etc.)? Other than providing flow control or SPF abilities or other business-related requirements (think saving all copies of email sent and received in a company), it isn't required. Outlook can use SMTP to send the email itself to the end user's email server directly because it understands how to talk SMTP - which by default has ZERO authentication - (think about it, my Exchange server does not authenticate with NTG's when I send you an email. At best NTG's server checks an SPF record and allows email to come from my server based on the SPF lookup; otherwise there's no authentication whatsoever.)
Now I can understand why a company would want their email clients (Outlook/Thunderbird, etc.) to go through a centralized outbound SMTP because of the aforementioned controls it provides. But what I don't understand is why manufacturers like Unitrends don't make life easy for themselves and just install a full-blown SMTP server in their devices that can deliver mail without the help of an outside SMTP host/relay.
I suppose some might say - well, someone could compromise that Unitrends box and start using it to relay spam - is that really that much more of a risk than your Exchange server? Especially when it only sends and doesn't receive, therefore there's no reason for any holes in the firewall to gain access to that box? I could probably go on and on... but I need to get back to solving my MediaWiki issue.
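The SPF check Dashrender describes is the receiving side's one real control here: the MX for a domain looks up the sender domain's SPF record and decides by the connecting IP, which is why a client delivering direct from an arbitrary address is rejected even though SMTP itself asks for no credentials. Added example, not code from the thread or from any vendor; the SPF records and IPs are constructed samples, and only ip4/ip6/all terms are evaluated (include/a/mx need DNS and are skipped).

```python
import ipaddress

# Constructed SPF records for fictional domains (not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"
SAMPLE_SPF_SOFT = "v=spf1 ip4:198.51.100.25 ~all"

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the
    IP that connected to the MX. Returns an RFC 7208 result string.
    Terms needing DNS (include:, a, mx, exists:) are treated as no match."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qual = "+"                         # default qualifier is pass
        if term[0] in RESULT_BY_QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # 'all' matches everything remaining
            return RESULT_BY_QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return RESULT_BY_QUALIFIER[qual]
        # include:/a/mx/exists: and redirect= would need DNS; skipped here
    return "neutral"                       # no mechanism matched, no 'all'
```

A Unitrends-style appliance on 203.0.113.50 passes against SAMPLE_SPF; the same message sent straight from a home IP such as 198.51.100.25 fails, which is the behaviour the thread is arguing about.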
-
@Dashrender You're talking about using a program that you use to view email as a server. Outlook is basically just a GUI to Exchange or whoever's email you're connecting. What you're saying just makes no sense. I'm sorry.
-
@Dashrender said:
@ajstringham said:
@dashrender I guess I just don't understand how Gmail would go to NTG without going through an SMTP server. Are you saying that sending to [email protected] from your Gmail would just send it out and ask for NTG's SMTP info and forward from there?
Not really. Let's use your example of Gmail.
Here's a thought experiment.
Install Thunderbird and configure the POP3 to Gmail, but do an MX lookup on NTG.co and use that address as your SMTP side. Now send an email to someone at NTG - it SHOULD work (assuming there is no outbound port 25 filtering); of course sending email to anyone else won't work because the NTG server will ask you why in the world you are asking them to relay your email to another domain.
So my question is - in the case of a Gmail user, why do I need to use Gmail's server to 'relay' my message to the other side? Why don't Thunderbird (and the rest of the clients) simply make their own MX lookup (just like Exchange does, etc.) and send direct?
I suppose one answer would be spam. If you use an SPF record you couldn't possibly list all of the places that people might send a Gmail email from, etc. Does using a relay allow for better customer service somehow (basically make it easier on providers)?
Sorry for the long quote. I'm on a phone. You can do direct SMTP. But no one accepts the connections. So it rarely works. It's unreliable in real life and very impractical. It's too fragile for any real usage.
But all SMTP is the same.
-
@Dashrender said:
@ajstringham UH WHAT? I'm not sure how ad hoc AD came into this?
Email is a point-to-point protocol - sent by you to one or more other points. When you send an email from your Outlook client it goes to an Exchange server, which then makes an MX call for the destination server, then connects to said server, which then waits for its client to pick up the mail.
My question is, why does Outlook (or any end user client) need to send to a local(ish) server first (i.e. Exchange or your ISP's email server, etc.)? Other than providing flow control or SPF abilities or other business-related requirements (think saving all copies of email sent and received in a company), it isn't required. Outlook can use SMTP to send the email itself to the end user's email server directly because it understands how to talk SMTP - which by default has ZERO authentication - (think about it, my Exchange server does not authenticate with NTG's when I send you an email. At best NTG's server checks an SPF record and allows email to come from my server based on the SPF lookup; otherwise there's no authentication whatsoever.)
Now I can understand why a company would want their email clients (Outlook/Thunderbird, etc.) to go through a centralized outbound SMTP because of the aforementioned controls it provides. But what I don't understand is why manufacturers like Unitrends don't make life easy for themselves and just install a full-blown SMTP server in their devices that can deliver mail without the help of an outside SMTP host/relay.
I suppose some might say - well, someone could compromise that Unitrends box and start using it to relay spam - is that really that much more of a risk than your Exchange server? Especially when it only sends and doesn't receive, therefore there's no reason for any holes in the firewall to gain access to that box? I could probably go on and on... but I need to get back to solving my MediaWiki issue.
They do have a full blown SMTP server (Sendmail) installed. It is just crippled. They have all the overhead of a full server. Any normal Linux box does.
-
@ajstringham said:
@Dashrender You're talking about using a program that you use to view email as a server. Outlook is basically just a GUI to Exchange or whoever's email you're connecting. What you're saying just makes no sense. I'm sorry.
Only sort of. Outlook is only unable to send SMTP ad hoc peer to peer because it uses a single SMTP destination rather than an MX lookup. Or is a few lines of code away from doing that. But doing so would obviously be bad.
-
@scottalanmiller And that's my point. At best, in the consumer world, you gain nothing. At worst, in the business world, you lose everything. This feature should not exist. If it does, it should never be used.
-
@scottalanmiller said:
@ajstringham said:
@Dashrender You're talking about using a program that you use to view email as a server. Outlook is basically just a GUI to Exchange or whoever's email you're connecting. What you're saying just makes no sense. I'm sorry.
Only sort of. Outlook is only unable to send SMTP ad hoc peer to peer because it uses a single SMTP destination rather than an MX lookup. Or is a few lines of code away from doing that. But doing so would obviously be bad.
Exactly. Now I can see how this would be bad from a business perspective, but from a consumer one I don't necessarily agree.
The reason I think the consumer should have the option is because of the possibility of censorship. Your ISP's SMTP server gets to choose what is and isn't forwarded on. If you take them out of it, you gain that control back.
FYI I'm a pretty big personal rights person.
-
I brought all of this up originally thinking that it might make life easier for IT admins if devices like a Unitrends box or a fax gateway utilized full SMTP, thinking that you wouldn't have to build accounts on the email server of the company to get those messages because they were only ever incoming. But in thinking about it... you'd probably want the email address to appear to be coming from a specific address that is on your own network, and the good email servers probably deny emails from their own domain from non-authenticated devices... so it's all a moot point.
-
@Dashrender said:
I brought all of this up originally thinking that it might make life easier for IT admins if devices like a Unitrends box or a fax gateway utilized full SMTP, thinking that you wouldn't have to build accounts on the email server of the company to get those messages because they were only ever incoming. But in thinking about it... you'd probably want the email address to appear to be coming from a specific address that is on your own network, and the good email servers probably deny emails from their own domain from non-authenticated devices... so it's all a moot point.
Exactly. Unitrends does what you thought. Just not as useful as you'd hoped.
-
@ajstringham Thanks for posting about this. Will you let me know if you run into any challenges?