Proofpoint SMTP Authentication

Created by Abderrahim Ibnou el kadi, Modified on Tue, 19 Nov at 10:11 AM by Yves Lacombe

Situation

An admin is trying to set up an SMTP credential so that email can be sent using SMTP AUTH credentials.

Solution

See below for the steps to create an SMTP Authentication credential, and for how to troubleshoot issues when the new SMTP authentication doesn't work.

Overview

SMTP Authentication (SMTP AUTH) improves the trust between a customer's mail server and Essentials to eliminate the risk of spoofing. This feature simply creates an SMTP AUTH username and password pair in Essentials that customers can enter on their email exchange server to authenticate with Essentials.

To enable SMTP authentication:

  1. Navigate to Administration > Account Management > Domains.
  2. Under the SMTP Authentication section, click New Credential.
  3. Enter a label for the credential.
  4. Click Generate Password.
     Copy and save the Username and Password. You will need them later when you enter these credentials in your email exchange, and you will not be able to access this screen again after saving.
  5. Click Save.

Note: It may take up to 60 minutes for the credentials to propagate, so please wait up to 60 minutes before starting the next step.

 

Troubleshooting

If you cannot remember your SMTP AUTH credentials, simply create a New Credential by repeating the steps above. You may delete unused Credential pairs.

Common Issue

Reviewing SMTP connection errors. Customer is receiving NDR messages.

Solution:

Connection issues for SMTP, whether inbound or outbound, will reference Proofpoint Essentials servers with the domain ppe-hosted.com. If a server name is not listed, the SMTP transaction from the 'sending' server needs to be reviewed to show the specific handoff. We will require those log details in order to troubleshoot further. If the error message does not contain our domain, the problem is that the sending server is not handing off to the Proofpoint server yet.

Frequently Asked Questions

The following are some common questions asked about the SMTP Authentication feature:

Q: Do customers require the use of a sending server when using SMTP AUTH credentials?

A: Yes

Q: If you set force SMTP AUTH, are sending servers still required?

A: If SMTP AUTH is all you use as a customer, you will still require a sending server address for relay.

Q: How does SMTP AUTH eliminate the risk of spoofing?

A: If you use SMTP AUTH ONLY (i.e., no other Sending Servers configured), it eliminates spoofing that originates either from behind NAT on the same IP address as the outbound mail server, or from within the same shared IP space of an email service provider. This assumes the credential is not compromised, of course, but it is at least a more defensible position.

Q: Is everything over port 25 still?

A: No. SMTP AUTH outbound uses port 587 ONLY. In fact, if it connects over port 25 you will see "Relay Access Denied".

Q: What if they have the same sending server IP configured?

A: The Telnet test is quite different for SMTP AUTH. Port 587 is reserved exclusively for SMTP AUTH, and normal Sending Servers won't do anything on that port.

Q: Does SMTP AUTH still do sender checks? 

A: Yes, the sender domain (or the address, when SMTP Discovery is off) still needs to be registered and active.

Q: Does this solve the mail forwarding issue? (external recipients in distribution groups)

A: No, that's still open as a feature request.

Q: Will I need to use TLS?

A: STARTTLS is required before SMTP AUTH.


TO SUMMARIZE:


1- The printer must be able to use SMTP Authentication over port 587.

2- Port 587 outbound must be open at your firewall level.

3- Your printer must support TLS 1.2.

4- The "From:" address used by the printer must be in one of your domains (e.g. scanner@yourdomain.com).

5- The user in the "From" address must exist in the Proofpoint user list (e.g. scanner@yourdomain.com).

6- That user will also be the same user that you will use to create a set of credentials in Proofpoint -> Domains -> SMTP Authentication.

7- Don't forget the one hour delay after creation of any of the above.


Header-From should be the same as Envelope-From, which should be the same as the authenticated user's email address, which should be the same as an existing user (silent-user/end-user/functional-account) in Proofpoint.
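
The summary above as a pre-flight check, added here as an example (it is not Proofpoint's code). It flags a wrong port or a mismatch between Header-From, Envelope-From and the authenticated user before anything is sent, then submits with STARTTLS (TLS 1.2 minimum) ahead of AUTH. Assumptions: the function names are hypothetical, relay_host is a placeholder for your own relay hostname, and the SMTP AUTH username is taken to be the user's email address; whether the user exists in Proofpoint cannot be checked locally.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import parseaddr

SUBMISSION_PORT = 587  # per the page: SMTP AUTH outbound uses port 587 only


def preflight(msg, envelope_from, auth_user, port, domains):
    """Return the reasons this submission would break the rules summarized above."""
    problems = []
    if port != SUBMISSION_PORT:
        problems.append(f"port {port}: SMTP AUTH is only accepted on 587")
    ids = {
        "Header-From": parseaddr(msg.get("From", ""))[1].lower(),
        "Envelope-From": envelope_from.lower(),
        "authenticated user": auth_user.lower(),
    }
    if len(set(ids.values())) != 1:
        problems.append(f"identity mismatch: {ids}")
    for name, addr in ids.items():
        if addr.rpartition("@")[2] not in domains:
            problems.append(f"{name} {addr!r} is outside the registered domains")
    return problems


def send(msg, envelope_from, auth_user, password, relay_host, domains):
    """Submit msg; relay_host is your Essentials relay (not given on the page)."""
    problems = preflight(msg, envelope_from, auth_user, SUBMISSION_PORT, domains)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.create_default_context()            # verifies the relay certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # item 3: TLS 1.2 or newer
    with smtplib.SMTP(relay_host, SUBMISSION_PORT, timeout=30) as smtp:
        smtp.starttls(context=ctx)                # STARTTLS must precede AUTH
        smtp.login(auth_user, password)
        smtp.send_message(msg, from_addr=envelope_from)


def sample_message(sender="scanner@yourdomain.com"):
    """Constructed sample: a scan-to-email message from a printer."""
    msg = EmailMessage()
    msg["From"] = f"Office Scanner <{sender}>"
    msg["To"] = "user@yourdomain.com"
    msg["Subject"] = "Scanned document"
    msg.set_content("Scan attached.")
    return msg
```

An empty list from preflight() means the local settings match the summary; the one hour propagation delay and the user's presence in the Proofpoint user list still have to be confirmed in the console.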