Split domain (KC & O365) SMTP Authentication issues. (Send from O365 to KC "Authentication Required")
  •  
IainC

Hi All,

We currently have a project to roll out Office 365 and Exchange Online.

We want to gradually move users over to O365 however I've hit a snag.

I've configured all the connectors in O365 and forwarding in Kerio so that if a user on O365 sends an e-mail to a user that doesn't exist on that platform it will send it on to Kerio and vice-versa.

Everything works fine until I re-enable Security > Sender Policy > Reject messages with spoofed local domain. Once I do that the SMTP server responds with "Authentication Required" and we see "[23/Aug/2018 10:45:25] SMTP: Message from IP address 23.103.134.150 was rejected because of missing authentication for local domain sender <bob<_at_>mydomain.com>" in the security log. This happens when sending from Exchange online to Kerio Connect. The IP address is one of Microsoft's addresses. (I've removed my domain.)

This of course makes sense however I was hoping that Kerio would look at the SPF record as I have added the entry for Exchange Online to it but unfortunately it doesn't.

My question is do I have to add ALL of Microsoft's published (and constantly changing) IP ranges for Exchange Online to the "Never reject messages from this IP address group." group or is there an easier way I'm missing?

Thanks for your help.

-Iain.
  •  
scottwilkins

I'm kind of in the same boat. Our few office workers will use O365 with Exchange, but the majority will stay on Kerio. Seemed like an easy task, but has turned into a super complicated one. I'm only in a testing mode right now and set up my own account for testing. Should have set up a test account, but oh well... The MX record is set up for Kerio to be the main server, because that's where the majority of e-mail will continue to go. I've set up forwarding on my account, and even completed the migration of e-mail into my O365 account, that went smoothly. Contacts imported easily, but Calendar is another problem I've not overcome. However, inside of O365 Outlook, there is no way to send to any other user on the same domain. Setting up the connector seems easy, but I hit the same authentication issues that you do. Have you found a way around this yet? I've played with the SMTP Relay Server settings in Kerio and that has not helped yet. Any advice on this would be highly helpful.
  •  
IainC

The only way I found to get around it is to create an IP address group and add all of the Exchange Online IP addresses found here.

After that I went to Security > Sender Policy and set it not to reject messages from that group.

It's not ideal but it does work.

[Updated on: Mon, 05 November 2018 09:38]

  •  
scottwilkins

I'd seen that address list, and was also concerned at the large number of addresses that opens to the e-mail server with no double checking. I hadn't gone down that path yet, so glad to know it's been tried. Odd thing is that at least one of those addresses is in my Router/Edge Device's blocking range. I'll not remove that block, but went ahead and added all the listed addresses and it worked! Thanks for the assistance. It would be nice if Microsoft had a more definitive list of addresses so we could be more careful and judicious on security.
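
An added example, not part of the thread or of Kerio's tooling: a Python check that reads security-log rejections in the format quoted in the first post and reports which source IPs a given IP address group would exempt, which would still be rejected, and how many addresses the group covers in total. The CIDR ranges and every log line other than the one quoted in the first post are constructed placeholders, not Microsoft's published list.

```python
import ipaddress
import re

# Rejection line format as quoted from the Kerio security log in the first post.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SMTP: Message from IP address (?P<ip>\S+) was rejected "
    r"because of missing authentication for local domain sender <(?P<sender>\S*)>$"
)

def parse_rejections(lines):
    """Yield (timestamp, ip, sender) for each spoofed-local-domain rejection."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield m["ts"], ipaddress.ip_address(m["ip"]), m["sender"]

def audit(lines, allowlist_cidrs):
    """Return (exempt IPs, still-rejected IPs, total addresses the group covers)."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    exempt, still_rejected = set(), set()
    for _ts, ip, _sender in parse_rejections(lines):
        (exempt if any(ip in n for n in merged) else still_rejected).add(str(ip))
    exposure = sum(n.num_addresses for n in merged)
    return sorted(exempt), sorted(still_rejected), exposure

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    "[23/Aug/2018 10:45:25] SMTP: Message from IP address 23.103.134.150 was rejected "
    "because of missing authentication for local domain sender <bob<_at_>mydomain.com>",
    "[23/Aug/2018 10:47:02] SMTP: Message from IP address 203.0.113.45 was rejected "
    "because of missing authentication for local domain sender <alice@example.com>",
    "[23/Aug/2018 10:48:10] SMTP: constructed unrelated log line",
]

# Constructed placeholder ranges standing in for the IP address group's contents.
SAMPLE_GROUP = ["23.103.132.0/22", "23.103.134.0/23", "192.0.2.0/24"]

if __name__ == "__main__":
    exempt, rejected, exposure = audit(SAMPLE_LOG, SAMPLE_GROUP)
    print("exempted by group:", exempt)
    print("still rejected:   ", rejected)
    print("addresses exempted from the spoofing check:", exposure)
```

Any source IP that shows up as still rejected while the group is in place is either a range missing from the group or a genuine spoofing attempt, so it is worth reviewing before adding it.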
  •  
scottwilkins

One last question. Moving e-mail is easy with O365 built-in migration, but it doesn't move contacts or calendar. Contacts are easy with an Outlook export, and then import into O365 Outlook via web. But I've not figured out a good Calendar move method yet. What do you use for this?
  •  
IainC

The only way I've found to do this is quite long-winded and limited.

You need to be logged in to Kerio as the user whose calendar you want to export and use the "Integration with Windows" menu to export their calendar as an ICS file. You can then use Outlook to import it into their O365 account. It needs to be the full desktop Outlook client though, as it hasn't worked with the web version for me; it just fails. I think this is because there are certain events in the Kerio calendar that for some reason Outlook doesn't like. The desktop client ignores these and moves on but the web version just fails without importing anything.

I only seem to be able to export the user's primary calendar so any other calendars they've created will be trickier to transfer. The same goes for Shared/Public calendars too.

We'll probably end up writing a little how-to so our users can do this for themselves as I don't fancy doing it 360 times myself.
  •  
scottwilkins

I'm starting to wonder if Microsoft has this set up now to where the primary MX record must point to them. Right now I can't seem to sign into Office 365 accounts via Outlook Desktop. Other things I'm seeing point to having Office 365 as the main throughput location, and in a hybrid setup having in-house as the secondary and all messages without Office 365 accounts should almost automatically (I think...) forward to in-house e-mail servers, after proper setup.

All DNS records are set up, autodiscovery, SIP, TLS, etc etc. Just the MX records don't point to Microsoft, but point to my in-house.

Anyway, this is turning into an Office 365 issue, not a Kerio issue. Thanks for all the help otherwise.

[Updated on: Mon, 05 November 2018 20:54]
