Hey everyone! I'm looking for some advice on setting up email capabilities for our internal multi-function printers (MFPs) at various offices. We have 20 printers and apps that need to send documents to internal users, but we're facing some challenges. With SMTP AUTH being phased out next year and lack of support for OAUTH 2.0 among our devices, we have a couple of questions:
1. If someone knows our public IP internally, how can we prevent them from using it to send emails? Would a firewall rule that only allows SMTP traffic from the printers and apps suffice?
2. Do I need to include NAT IP addresses in the SPF DNS record for both SMTP relay and Direct Send? I have a few NAT IPs and I'm worried about potential security gaps.
3. Is it essential to set up DKIM and DMARC records for SMTP relay, or is that only necessary under certain conditions?
4. I've read about requirements for static unshared IP addresses for SMTP relay—does this mean I need a dedicated NAT IP for our printers and apps? Any insight on these points would be greatly appreciated!
5 Answers
SMTP2GO really is a solid choice. You can set up DKIM and other records on their platform. I normally set it up on a separate subdomain to manage the whitelisting better so that delivery rates are high. It's pretty much a set-and-forget solution once you get it rolling.
We set up a secure local SMTP relay that requires password authentication. Since we use Office 365, we had to create a connector to let our relay send emails to 365. It’s all internal, and we've got all the DMARC settings done right to ensure that outbound traffic meets security requirements. If you're looking at multiple sites, you might need a separate relay for each with its own configuration for 365. We're using Linux with Postfix for our setup, and it works seamlessly!
Great to know that Postfix works well for you! Might have to consider Linux for our SMTP relay too!
Consider using a Linux box as an SMTP relay. Secure it by allowing only the internal IPs of your MFPs and make sure to add your NATted external IP to the SPF record. Just ensure that the ports on that IP from the outside are blocked to prevent SMTP attacks, except for specific authorized IPs that you want to permit sending through that relay.
Regarding your first point, if you configure Microsoft Exchange to accept emails from your public IP, unauthorized devices could potentially misuse it. You should definitely block outbound ports 25/587 on your firewall, allowing just the authorized IPs to send emails. For SPF records, you don’t have to worry as Microsoft handles sending the actual emails. But if you send them directly from your public IP to something like Gmail, then you should add your public IP to the SPF record. Also, DKIM is unnecessary if you're sending through Microsoft, but mandatory if sending directly from your server. About needing a static IP, yes, it’s crucial for proper configuration with Microsoft or any other provider.
Good to know! For the DKIM part, I didn’t realize it wasn’t needed if going through Microsoft, that saves some setup time.
Sounds like the static IP requirement is a bit tricky but necessary to avoid issues. Definitely better to manage everything through one reliable system.
You might want to check out SMTP2GO. It’s free for smaller volumes and supports SMTP AUTH without concerns about future restrictions. They also offer options for IP whitelisting and basic authentication via username and password. A lot of users have had positive experiences with them!
Using a local relay seems like the safest option, especially if you have multiple locations. Thanks for the insight!