steve.freegard at fsl.com
Tue Mar 3 17:54:13 GMT 2015
On 03/03/15 13:56, Denis Beauchemin wrote:
> We are about to move our MX to the cloud in Microsoft 365. The way it would work would be to scan the emails there and then deliver them to our servers.
> The problem is that we can't for the moment tell MS365 which email addresses are valid and which are not (the data is in an LDAP server that is not synchronized with our AD). Thus MS365 will be forwarding all harmless emails to our internal servers, which will reject invalid email addresses.
> I seem to remember this is really not a good idea, but I can't remember why. Can someone shed some light on this please?
It depends on whether the MX is a queue-and-forward or a proxy type.
For a proxy, this situation wouldn't be an issue: provided your backend
servers reject the recipients, it will reject them too, as a proxy simply
man-in-the-middles the SMTP conversation, filtering out the bad stuff.
The issue with that method is that it's not particularly efficient.
If they're a queue-and-forward type, then they'll be accepting the
message (e.g. sending a '250 queued id=....' at the end of DATA) and
then delivering the message to your backends afterwards. This is more
common, and this is where the problems are:
1) In SMTP, once you've accepted the message you have the
responsibility either to deliver it to its destination or to
bounce it back to the return-path. As we all know, the return-path is
trivial to forge, and therefore this causes backscatter from the MX.
2) Wasted resources on the MX. Scanning mail for recipients that are
simply going to be rejected at delivery is a waste of I/O.
Both can be considerable issues, considering that invalid recipients can
outweigh the valid ones on some domains.
As you're paying Microsoft to deal with this - you might not really care
about either (in my experience most people don't).
Their mitigation for 1) might be that they simply never send bounces in
this case. That's bad for your users, because if someone genuinely
misaddresses a message they don't get a bounce and never know that
it wasn't delivered (i.e. it goes down a black hole).
You'd have to check the Microsoft terms of service to see what they have
to say about both of these.