Per domain Authentication
Sign email received by authenticated server: now DKIM only signs email from authenticated sessions, but you can only define authentication per user. For example, I have Exchange behind SecurityGateway, and if I configure an authenticated Send Connector I should also disable "Authentication credentials must match those of the email sender" on SecurityGateway. Doing so, if a hacker steals a single password he will be able to send email from any local user...
Thank you for sharing your ideas with us. I have split your ideas into multiple items.
If I’m understanding correctly, you would like an option to exclude the domain mail server from the requirement that authentication credentials must match those of the email sender. Is that correct?
I also wanted to mention that Location Screening may help you to secure your server. It allows you to only allow authentication from specific areas of the world. So for example, if all of your users were in Italy, you could restrict SG to only allow SG from within Italy.
Consider this scenario:
- Multiple domains on the same system. I cannot configure different SMTP Authentication configurations because local users become “remote” (see my ticket attached to this email)
- Need to configure SMTP authentication to enable DKIM signing
- Exchange server that uses SG for sending email
In this scenario I need to enable SMTP Authentication, and I will configure my Exchange server to authenticate with SG using a dedicated user (for example, I create a domain on SG named exchange.diennea.lan with SMTP authentication configured).
If someone steals this credential, OK: he could send email from external and I cannot prevent this, but I can set up a very strong password to reduce this risk.
But if someone steals just the credentials of some generic user, he could send email impersonating someone else…
If SG could recognize SMTP server authentication (instead of user SMTP authentication), I can prevent this because I will set up the configuration that prevents user A from sending email as user B.
So if a server from a specific IP address authenticates to SG, it could send email as whatever user (and the email will be signed by DKIM), but an authenticated user could send email as himself.
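The policy requested in this thread, written out as an added example (not SecurityGateway code or configuration, and not part of the original posts): a relay account bound to a source address may send as any local user, while every other authenticated user must match the sender. The account name, domain, addresses and the restriction to local domains are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: all names and addresses below are assumptions.
LOCAL_DOMAINS = {"example.test"}
RELAY_ACCOUNTS = {
    # relay login -> networks the relay server is expected to connect from
    "relay@exchange.example.test": [ipaddress.ip_network("10.0.0.5/32")],
}

@dataclass(frozen=True)
class Session:
    client_ip: str
    auth_user: Optional[str]  # None when the client did not use SMTP AUTH
    mail_from: str

def decide(s: Session):
    """Return (accept, reason) for the envelope sender of one SMTP session."""
    if s.auth_user is None:
        return False, "authentication required"
    user, sender = s.auth_user.lower(), s.mail_from.lower()
    nets = RELAY_ACCOUNTS.get(user)
    if nets is not None:
        # Server authentication: the credential is only honoured from the
        # relay's own address, so a stolen relay password is useless elsewhere.
        ip = ipaddress.ip_address(s.client_ip)
        if not any(ip in net for net in nets):
            return False, "relay credentials used from unexpected address"
        if sender.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
            return False, "relay may only send for local domains"
        return True, "server-authenticated relay"
    # User authentication: user A cannot send as user B.
    if sender != user:
        return False, "credentials do not match sender"
    return True, "user sending as self"

if __name__ == "__main__":
    samples = [  # constructed sessions
        Session("10.0.0.5", "relay@exchange.example.test", "alice@example.test"),
        Session("203.0.113.9", "relay@exchange.example.test", "alice@example.test"),
        Session("203.0.113.9", "bob@example.test", "alice@example.test"),
    ]
    for s in samples:
        print(s.auth_user, s.client_ip, s.mail_from, "->", decide(s))
```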