Allowing IMAP to cloud CRM with on premise Exchange
I apologize in advance if this is a simple answer. I probably am overthinking this issue but thought I would ask before I created a mess.
We have an on-premise Exchange server. This has the Proofpoint email filter server in front of it for inbound and outbound mail filtering/security. We route all email connections through that service for various security reasons.
However, we are implementing a cloud-based CRM (Bitrix24 if it matters). It has built-in IMAP capabilities. The wrinkle is that Bitrix has a set of virtual mail servers hosted in AWS. Those servers seem to have dynamic IP addresses (probably as new VMs are spun up). This implementation has shown a seemingly unending list of AWS IP addresses attempting to access our Meraki. There is a pool of five MTA records that tie to IP addresses (for example, mta-us-001.bitrix24.com). These records expire every 5 minutes.
Currently we have a port forwarding rule to the email server set up allowing specific IP addresses on port 993. I would rather not open access to several AWS A IP blocks. There has to be a method to allow inbound connections using the published MTA records. However, my brain is not helping me here. Thanks in advance.
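The approach the question is reaching for, as an added example that is not part of the original post or of any Bitrix24 or Meraki tooling: resolve the five published MTA hostnames on the same 5-minute cadence as their TTL, build an allowlist of only the routable IPv4 addresses they return, and compute the delta so the TCP/993 port-forwarding rule is touched only when the set changes. Only mta-us-001 is named in the post; the other hostnames, and the step that pushes the result to the firewall, are assumptions.

```python
"""Rebuild the TCP/993 inbound allowlist from the published MTA hostnames.

The records expire every 5 minutes, so run this on a matching schedule and
push a change to the firewall only when the resolved set differs.  The
resolver is injectable so the logic can be exercised offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Set, Tuple

# Assumption: only mta-us-001 is named in the post; the other four names are
# placeholders for the rest of the five-record pool.
MTA_HOSTS = [f"mta-us-{n:03d}.bitrix24.com" for n in range(1, 6)]
IMAP_PORT = 993

# Ranges that must never land in an inbound allowlist even if a record
# (mis)resolves to them: RFC 1918, loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def resolve_ipv4(hostname: str) -> Set[str]:
    """Live DNS lookup: every IPv4 address currently published for hostname."""
    infos = socket.getaddrinfo(hostname, IMAP_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def build_allowlist(hosts: Iterable[str],
                    resolve: Callable[[str], Set[str]] = resolve_ipv4) -> Set[str]:
    """Resolve each host; a host that fails to resolve is left out this cycle,
    and any non-routable address is discarded rather than allowlisted."""
    allowed: Set[str] = set()
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError:
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.version == 4 and not any(ip in net for net in NON_ROUTABLE):
                allowed.add(str(ip))
    return allowed


def diff_allowlist(old: Set[str], new: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(to_add, to_remove): an empty pair means the firewall rule needs no change."""
    return new - old, old - new


if __name__ == "__main__":
    current = build_allowlist(MTA_HOSTS)
    print("allow TCP/%d from: %s" % (IMAP_PORT, ", ".join(sorted(current))))
```

Note that this only narrows the source addresses; the weak-authentication concern raised in the answer below still applies to whatever arrives on 993, so the allowlist is a complement to, not a substitute for, strong mailbox credentials and monitoring of IMAP logons.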
I'm having difficulty answering your question because I have fundamental concerns about your overall system.
The reason why IMAP is disabled (by default) in services like Office 365 is because of weak authentication. Something like 99% of account compromises occur through basic authentication via POP3, IMAP and SMTP authentication.
And then, there is the use of on-premise Exchange, one of the most compromised platforms out there.
Migrating to Office 365 is not an option due to various applications requiring on-premise Exchange. We would love to change to 365, but we would need to revise 60%+ of our business processes due to the removal of tools.