Cloud-based scanning

Steve Freegard steve.freegard at fsl.com
Tue Mar 3 17:54:13 GMT 2015


Hi Denis,

On 03/03/15 13:56, Denis Beauchemin wrote:
> Hello,
>
> We are about to move our MX to the cloud in Microsoft 365. The way it would work is to scan the emails there and then deliver them to our servers.
>
> The problem is that we can't for the moment tell MS365 which email addresses are valid and which are not (the data is in an LDAP server that is not synchronized with our AD). Thus MS365 will be forwarding all harmless emails to our internal servers, which will reject invalid email addresses.
>
> I seem to remember this is really not a good idea but I can't remember why. Can someone shed some light on this please?
>
> Thanks.
>
> Denis
>

It depends if the MX is queue-and-forward or a proxy type.

For a proxy, this situation wouldn't be an issue: provided your backend 
servers reject the recipients, it will reject them, as a proxy would 
simply man-in-the-middle the SMTP conversation, filtering the bad stuff. 
The issue with that method is that it's not particularly efficient.

If they're a queue-and-forward type, then they'll be accepting the 
message (e.g. sending a '250 queued id=....' at the end of DATA) and 
then delivering the message to your backends afterwards. This is more 
common, and is where the problems are:

1)  In SMTP, once you've accepted the message you have the 
responsibility to either deliver the message to its destination or to 
bounce it back to the return-path. As we all know, the return-path is 
trivial to forge and therefore this causes backscatter from the MX.

2)  Wasted resources on the MX.  Scanning mail for recipients that are 
simply going to be rejected at delivery is a waste of I/O.

Both can be considerable issues considering that invalid recipients can 
outweigh the valid on some domains.

As you're paying Microsoft to deal with this - you might not really care 
about either (in my experience most people don't).

Their mitigation for 1) might be that they simply never send bounces in 
this case - that's bad for your users because if someone genuinely 
misaddresses a message then they don't get a bounce and never know that 
it wasn't delivered (e.g. it goes down a black hole).

You'd have to check the Microsoft terms of service to see what they have 
to say about both of these.

Kind regards,
Steve.
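The two MX behaviours Steve contrasts above, modelled as an added example (this is illustrative Python, not code from the MailScanner project or from Microsoft's service). The backend recipient list, the envelopes and the reply strings are constructed test data; `backend_rcpt` stands in for whatever your internal server answers to RCPT TO. The point it shows: a proxy MX lets the backend's 550 reach the sending MTA before DATA is ever sent, so nothing is scanned and no bounce is owed, while a queue-and-forward MX has already said '250 queued', scans the whole message regardless, and must then either send a DSN to a possibly forged return-path (backscatter) or drop the message silently.

```python
"""Proxy MX versus queue-and-forward MX when the MX does not know
which recipients exist.  Added example; all data below is constructed."""

from dataclasses import dataclass, field

# Constructed: the only mailboxes the internal (backend) server accepts.
BACKEND_VALID = {"alice@example.org", "bob@example.org"}


def backend_rcpt(addr: str) -> str:
    """Reply the (assumed) backend gives to RCPT TO:<addr>."""
    return "250 OK" if addr in BACKEND_VALID else "550 5.1.1 User unknown"


@dataclass
class Envelope:
    return_path: str        # MAIL FROM; trivially forgeable by a spammer
    recipients: list        # RCPT TO addresses
    body: bytes             # DATA payload


@dataclass
class Outcome:
    rcpt_replies: dict = field(default_factory=dict)   # reply the sender saw per RCPT
    data_reply: str = ""        # reply to end of DATA; "" if DATA was never sent
    scanned_bytes: int = 0      # bytes pushed through content scanning
    delivered: list = field(default_factory=list)
    bounces_to: list = field(default_factory=list)     # DSNs the MX generated
    blackholed: list = field(default_factory=list)     # dropped with no notice


def proxy_mx(env: Envelope) -> Outcome:
    """Proxy type: each RCPT TO is answered live by the backend."""
    out = Outcome()
    for r in env.recipients:
        out.rcpt_replies[r] = backend_rcpt(r)
    accepted = [r for r, reply in out.rcpt_replies.items() if reply.startswith("250")]
    if not accepted:
        # Every RCPT got a 550, so the sending MTA never issues DATA:
        # nothing is scanned and the MX owes nobody a bounce.  If the
        # sender was a real user, their own MTA raises the error to them.
        return out
    out.scanned_bytes = len(env.body)      # scanned only for real recipients
    out.delivered = accepted
    out.data_reply = "250 OK"
    return out


def queue_and_forward_mx(env: Envelope, send_bounces: bool = True) -> Outcome:
    """Queue-and-forward type: accept everything, scan, deliver later."""
    out = Outcome()
    for r in env.recipients:
        out.rcpt_replies[r] = "250 OK"          # no recipient knowledge here
    out.data_reply = "250 queued id=0001"       # responsibility now rests with the MX
    out.scanned_bytes = len(env.body)           # scanned even if every recipient is bad
    for r in env.recipients:
        if backend_rcpt(r).startswith("250"):
            out.delivered.append(r)
        elif send_bounces:
            # Problem 1): the DSN goes to the return-path, forged or not.
            out.bounces_to.append(env.return_path)
        else:
            # The "never bounce" mitigation: a genuine typo vanishes silently.
            out.blackholed.append(r)
    return out


if __name__ == "__main__":
    # Constructed spam run: forged return-path, non-existent recipient.
    spam = Envelope("victim@example.net", ["nobody@example.org"], b"x" * 1000)
    # Constructed legitimate message with one typo'd recipient.
    typo = Envelope("carol@example.com", ["alice@example.org", "alcie@example.org"], b"hi")
    for name, mx in (("proxy", proxy_mx), ("queue-and-forward", queue_and_forward_mx)):
        print(name, "spam:", mx(spam))
        print(name, "typo:", mx(typo))
    print("queue-and-forward, bounces disabled:", queue_and_forward_mx(typo, send_bounces=False))
```

Run it as-is to see the three outcomes side by side; the `blackholed` list in the last line is the black hole Steve describes for a misaddressed message when the MX never bounces.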

