Proofpoint SMTP Authentication

Created by Abderrahim Ibnou el kadi, Modified on Fri, 10 May 2024 at 01:38 PM by Marc Chouinard

SituationAdmin is traying to set up a SMTP credential, where he can send emails using SMTP Auth credentials.
Solution

See bellow steps to create a SMTP Authentication. How to troubleshot Issues when the new SMTP authentication doesn't work

Overview

SMTP Authentication (SMTP AUTH) improves the trust between a customer's mail server and Essentials to eliminate the risk of spoofing. This feature simply creates an SMTP AUTH username and password pair in Essentials that customers can enter on their email exchange server to authenticate with Essentials.

To enable SMTP authentication:

  1. Navigate to Administration > Account Management > Domains.
  2. Under the SMTP Authentication section, click New Credential.
  3. Enter a label for the credential.
  4. Click Generate Password.
Copy and save Username and Password information. This will be needed later when you enter these credentials in your email exchange and you will not be able to access this screen again after saving.
  1. Click Save.
Note: Please wait up to 60 minutes to start the next step as it may take up to 60 minutes for the credentials to propagate.

 

Troubleshooting

If you cannot remember your SMTP AUTH credentials, simply create a New Credential by repeating the steps above. You may delete unused Credential pairs.

Common Issue

Reviewing SMTP error connection. Customer receiving NDR messages.

Solution:

Connection issues for SMTP, whether inbound or outbound, will reference Proofpoint Essentails servers with the domain ppe-hosted.com. If a server name is not listed, the SMTP transaction from the 'sending' server needs to be reviewed to show the specific hand off. We will require those log details in order to troubleshoot further. If the error message does not contain our domain, the problem is that the sending server is not handing off to the Proofpoint server yet.

Frequently Asked Questions

The following are some common questions asked about the SMTP Authentication feature:

Q: Do customers require the use of a sending server when using SMTP AUTH credentials?

A: No

Q: If you set the force SMTP AUTH, is sending servers still required?

A: If SMTP AUTH is all you use as a customer, you can ignore the Sending Servers section and leave them empty.

Q: How does SMTP AUTH eliminate the risk of spoofing?

A: If you use SMTP AUTH ONLY (i.e., no other Sending Servers configured), it eliminates the spoofing ability originating either NATTED behind the same IP address as the Outbound mail server, or within the same shared IP space of an email service provider.  Assuming the credential is not compromised of course but at least that's a more defendable position.

Q: Is everything over port 25 still?

A: No.  SMTP AUTH Outbound uses port 587 ONLY. In fact, if it is connecting over Port 25 you will see "Relay Access Denied"

Q: What if they have the same sending server IP configured?

A: Telnet test is quite different for SMTP AUTH. Port 587 is reserve exclusively for SMTP AUTH and normal Sending Servers won't do anything on that port

Q: Does SMTP AUTH still do sender checks? 

A: Yes, the sender domain (address in the case when SMTP Discovery is off) still needs to be registered and active

Q: Does this solve mail forwarding issue? (external recipients in distribution groups)

A: No, that's still open as a feature request

Q: Will I need to use TLS?

A: STARTTLS is required before SMTP Auth


IMPORTANT SAFETY TIP:

in a nutshell, if you want to use SMTP Authentication 

a) You need to create the SMTP AUTH user under Account Management > Domains > SMTP AUTH

b) You need to have a user that exist in proofpoint either as an end_user, silent_user or functional account with the same name (should be done automatically when creating the SMTP Auth account)

c) Remember that when you create user or functional account, it can take an hour for it to be live.