Cloud-based scanning

Denis Beauchemin Denis.Beauchemin at
Tue Mar 3 18:13:31 GMT 2015

Thanks Steve and all the others.

My server will act as a proxy and will reject invalid addresses in the connect phase so I should be safe. I will be testing this RSN with an alternate domain name, in case something goes wrong...


-----Message d'origine-----
De : mailscanner-bounces at [mailto:mailscanner-bounces at] De la part de Steve Freegard
Envoyé : 3 mars 2015 13:02
À : MailScanner discussion
Objet : Re: Cloud-based scanning

Hi Denis,

On 03/03/15 13:56, Denis Beauchemin wrote:
> Hello,
> We are about to move our MX to the cloud in Microsoft 365. The way it would work would be to scan the emails there and then deliver them to our servers.
> The problem is that we can't for the moment tell MS365 which email addresses are valid and which are not (the data is in an LDAP server that is not synchronized with our AD). Thus MS365 will be forwarding all harmless emails to our internal servers who will reject invalid email addresses.
> I seem to remember this is really not a good idea but I can't remember why. Can someone shed some light on this please?
> Thanks.
> Denis

It depends if the MX is queue-and-forward or a proxy type.

For a proxy - this situation wouldn't be an issue, provided your backend servers reject the recipients, it will reject them as a proxy would simply man-in-the-middle the SMTP conversation filtering the bad stuff. 
  The issue with that method is that it's not particularly efficient.

If they're a queue-and-forward type, then they'll be accepting the message (e.g. sending a '250 queued id=....' at the end of data) and 
then delivering the message to your backends afterwards.   This is more 
common and where the problems are:

1)  In SMTP - once you've accepted the message you have the responsibility to either deliver the message to it's destination or to 
bounce it back to the return-path.   As we all know, the return-path is 
trivial to forge and therefore this causes backscatter from the MX.

2)  Wasted resources on the MX.  Scanning mail for recipients that are simply going to be rejected at delivery is a waste of I/O.

Both can be considerable issues considering that invalid recipients can outweigh the valid on some domains.

As you're paying Microsoft to deal with this - you might not really care about either (in my experience most people don't).

Their mitigation for 1) might be that they simply never send bounces in this case - that's bad for your users because if someone genuinely misaddresses a message then they don't get a bounce and never know that it wasn't delivered (e.g. it goes down a black hole).

You'd have to check the Microsoft terms of service to see what they have to say about both of these.

Kind regards,
MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website! 

More information about the MailScanner mailing list