Meraki

Community

Allowing IMAP to cloud CRM with on premise Exchange

Nolster
New here
‎Aug 14 2023 7:39 AM
‎Aug 14 2023 7:39 AM

Allowing IMAP to cloud CRM with on premise Exchange

Hello all,

 

I apologize in advance if this is a simple answer. I probably am over thinking this issue but thought I would ask before a created a mess.

 

We have an on-premise exchange server. This has the Proofpoint email filter server in front of it for inbound and outbound mail filtering/security. We route all email connections through that service for various security reasons.

 

However, we are implementing a cloud-based CRM (Bitrix24 if it matters). It has built in IMAP capabilities. The wrinkle is that Bitrix has a set of virtual mail servers hosted in AWS. Those servers seem to have dynamic IP addresses (probably as new VMs are spun up). This implementation has shown a seemingly unending list of AWS IP addresses attempting to access our Meraki. There is a pool of five MTA records that tie to IP addresses. (example mta-us-001.bitrix24.com) These records expire every 5 minutes.

 

Currently we have a port forwarding rule to the email server setup allowing specific IP addresses on port 993. I would rather not open access to several AWS A IP blocks. There has to be a method to allow inbound connections using the published MTA records. However, my brain is not helping me here. Thanks in advance. 

Labels:
0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 14 2023 1:35 PM
‎Aug 14 2023 1:35 PM

I'm having difficulty answering your question because I have fundamental concerns about your overall system.

 

The reason why IMAP is disabled (by default) in services like Office 365 is because of weak authentication.  Something like 99% of account compromises occurs through basic authentication via POP3, IMAP and SMTP authentication.

 

And then, there is the use of on-premise exchange.  One of the most compromised platforms out there.

 

 

If I were looking at the big picture, I would say migrate to Office 365; then you can use the built-in secure OUATH2 support built into Bitrix24.
https://helpdesk.bitrix24.com/open/16697760/ 

 

 

I do not believe you will be able to implement a solution to do what you have described that won't result in an account compromise within 6 months.

 

I wish I had something more positive to offer.

0 Kudos
Nolster
New here
‎Aug 14 2023 2:06 PM
‎Aug 14 2023 2:06 PM

Migrating to office 365 is not an option due to various applications requiring on premise exchange. We would love to change to 365, but we would need to revise 60%+ of our business processes due to removal of tools. 

In response to Nolster
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 15 2023 2:05 AM
‎Aug 15 2023 2:05 AM

What about running hybrid mode?  Keep the mailboxes on-premise for those things that need it, and move everything else to Office 365.

0 Kudos
Hygiswot
Just browsing
‎Apr 12 2024 1:57 AM
‎Apr 12 2024 1:57 AM

It sounds like you're dealing with a complex setup involving on-premise Exchange and a cloud-based CRM like Bitrix24. Integrating the two can be tricky, especially when dealing with dynamic IP addresses from AWS.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.