Split domain (KC & O365) SMTP Authentication issues. [message #140695]
Thu, 23 August 2018 15:22
IainC
Messages: 25 Registered: April 2011 Location: Plymouth, UK
Hi All,
We currently have a project to roll out Office 365 and Exchange Online.
We want to gradually move users over to O365 however I've hit a snag.
I've configured all the connectors in O365 and forwarding in Kerio so that if a user on O365 sends an e-mail to a user that doesn't exist on that platform it will send it on to Kerio and vice-versa.
Everything works fine until I re-enable Security > Sender Policy > Reject messages with spoofed local domain. Once I do that the SMTP server responds with "Authentication Required" and we see "[23/Aug/2018 10:45:25] SMTP: Message from IP address 23.103.134.150 was rejected because of missing authentication for local domain sender <bob<_at_>mydomain.com>" in the security log. This happens when sending from Exchange online to Kerio Connect. The IP address is one of Microsoft's addresses. (I've removed my domain.)
This of course makes sense however I was hoping that Kerio would look at the SPF record as I have added the entry for Exchange Online to it but unfortunately it doesn't.
My question is do I have to add ALL of Microsoft's published (and constantly changing) IP ranges for Exchange Online to the "Never reject messages from this IP address group." group or is there an easier way I'm missing?
Thanks for your help.
-Iain.
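Added example, not part of the original thread and not Kerio or Microsoft tooling: a small audit that reads security-log lines in the format quoted above and lists the rejected source addresses that the "Never reject messages from this IP address group" ranges do not yet cover, together with the local-domain senders each one used. The function names, the sample log (apart from its first line) and the allowed range are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line format as quoted in the first post of this thread.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SMTP: Message from IP address (?P<ip>\S+) was rejected "
    r"because of missing authentication for local domain sender <(?P<sender>.+)>\s*$"
)

def parse_rejections(log_text):
    """Return {source_ip: set(senders)} for every spoofed-local-domain rejection."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # some other security-log event
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field, skip the line
        hits[ip].add(m.group("sender"))
    return dict(hits)

def uncovered(hits, allowed_cidrs):
    """Rejected source IPs that no range in the IP address group covers."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    missing = [ip for ip in hits if not any(ip in n for n in nets)]
    return sorted(missing, key=lambda ip: (ip.version, int(ip)))

# Constructed sample: the first line is the one quoted in the thread; the others
# use documentation addresses (RFC 5737) and example.com senders.
SAMPLE_LOG = """\
[23/Aug/2018 10:45:25] SMTP: Message from IP address 23.103.134.150 was rejected because of missing authentication for local domain sender <bob<_at_>mydomain.com>
[23/Aug/2018 10:46:02] SMTP: Message from IP address 192.0.2.44 was rejected because of missing authentication for local domain sender <alice@example.com>
[23/Aug/2018 10:47:10] SMTP: Message from IP address 198.51.100.7 was rejected because of missing authentication for local domain sender <alice@example.com>
[23/Aug/2018 10:48:31] SMTP: Connection from 203.0.113.9 closed
"""
# Constructed stand-in for the IP address group contents;
# NOT Microsoft's published Exchange Online ranges.
ALLOWED = ["192.0.2.0/24"]

if __name__ == "__main__":
    hits = parse_rejections(SAMPLE_LOG)
    for ip in uncovered(hits, ALLOWED):
        print(ip, sorted(hits[ip]))
```

Running it against the real security log before and after editing the IP address group shows which addresses still trigger the rejection and which senders they claimed.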
Re: Split domain (KC & O365) SMTP Authentication issues. [message #144377 is a reply to message #140695]
Fri, 02 November 2018 21:53
scottwilkins
Messages: 103 Registered: May 2006 Location: Tulsa, OK
I'm kind of in the same boat. Our few office workers will use O365 with Exchange, but the majority will stay on Kerio. Seemed like an easy task, but has turned into a super complicated one. I'm only in a testing mode right now and set up my own account for testing. Should have set up a test account, but oh well... The MX record is set up for Kerio to be the main server, because that's where the majority of e-mail will continue to go. I've set up forwarding on my account, and even completed the migration of e-mail into my O365 account, that went smoothly. Contacts imported easily, but Calendar is another problem I've not overcome. However, inside of O365 Outlook, there is no way to send to any other user on the same domain. Setting up the connector seems easy, but I hit the same authentication issues that you do. Have you found a way around this yet? I've played with the SMTP Relay Server settings in Kerio and that has not helped yet. Any advice on this would be highly helpful.
Re: Split domain (KC & O365) SMTP Authentication issues. [message #144388 is a reply to message #144386]
Mon, 05 November 2018 14:10
scottwilkins
Messages: 103 Registered: May 2006 Location: Tulsa, OK
I'd seen that address list, and was also concerned at the large number of addresses that opens to the e-mail server with no double checking. I hadn't gone down that path yet, so glad to know it's been tried. Odd thing is that at least one of those addresses is in my Router/Edge Device's blocking range. I'll not remove that block, but went ahead and added all the listed and it worked! Thanks for the assistance. It would be nice if Microsoft had a more definitive list of addresses so we could be more careful and judicious on security.
Re: Split domain (KC & O365) SMTP Authentication issues. [message #144390 is a reply to message #144389]
Mon, 05 November 2018 14:58
IainC
Messages: 25 Registered: April 2011 Location: Plymouth, UK
The only way I've found to do this is quite long-winded and limited.
You need to be logged in to Kerio as the user whose calendar you want to export and use the "Integration with Windows" menu to export their calendar as an ICS file. You can then use Outlook to import it into their O365 account. It needs to be the full desktop Outlook client though as it hasn't worked with the web version for me, it just fails. I think this is because there are certain events in the Kerio calendar that for some reason Outlook doesn't like. The desktop client ignores these and moves on but the web version just fails without importing anything.
I only seem to be able to export the user's primary calendar so any other calendars they've created will be trickier to transfer. The same goes for Shared/Public calendars too.
We'll probably end up writing a little how-to so our users can do this for themselves as I don't fancy doing it 360 times myself.
Re: Split domain (KC & O365) SMTP Authentication issues. [message #144395 is a reply to message #144390]
Mon, 05 November 2018 20:53
scottwilkins
Messages: 103 Registered: May 2006 Location: Tulsa, OK
I'm starting to wonder if Microsoft has this set up now to where the primary MX record must point to them. Right now I can't seem to sign into Office 365 accounts via Outlook Desktop. Other things I'm seeing point to having the Office 365 the main throughput location, and in a hybrid setup having in-house as the secondary and all messages without Office 365 accounts should almost automatically (I think...) forward to in-house e-mail servers, after proper setup.
All DNS records are set up, autodiscovery, SIP, TLS, etc etc. Just the MX records don't point to Microsoft, but point to my in-house.
Anyway, this is turning into an Office 365 issue, not a Kerio issue. Thanks for all the help otherwise.
[Updated on: Mon, 05 November 2018 20:54]