Proofpoint SER App Onboarding Guide v1.4

SER is a cloud-based SMTP relay that secures transactional email for applications. It DKIM signs and scans email for spam and viruses. To use it, application owners request credentials and configure their application. DNS admins publish DKIM keys and add SER IPs to SPF records. Troubleshooting tips address authentication, encryption, sending limits, and Proofpoint gateway configurations.

Uploaded by RobertJ

SECURE EMAIL RELAY

OVERVIEW OF SECURE EMAIL RELAY (SER)


Updated May 31, 2023

SER is a cloud-based SMTP relay that secures application transactional email using your company's domains. Internal or 3rd party
applications connect to SER in a secure manner and all email is DKIM-signed and scanned with Proofpoint anti-spam/anti-virus
technology prior to being distributed to the Internet.

INSTRUCTIONS FOR APPLICATION OWNERS


STEP 1:
Request SMTP Authentication credentials by emailing ser-support@proofpoint.com and providing the following information:
• Application / system name (e.g. “ServiceNow”)
• Envelope From / Header From sending address combination(s). For example:
o Envelope From: noreply@companydomain.com
o Header From: {wildcard}@companydomain.com
o Multiple Envelope From / Header From combinations with domains your company owns can be specified for the same SER SMTP Credential.
o SMTP Authentication credentials are restricted to use with specific combinations of Envelope From (a.k.a. RFC 5321 / MFROM) and Header From (a.k.a. RFC 5322 / HFROM) sending addresses.
o The domains of the addresses must be owned by your company/organization, and the user portion (to the left of the “@”) can be “wildcard”.
o Subdomains must be explicitly specified.
• Email address of the individual to send the credentials to (SMTP Authentication credentials will be sent via Proofpoint SecureShare)
• Sending IP address(es) (optional; the SMTP Authentication credentials can be locked down to this IP(s) / CIDR)
• Maximum message size: the default maximum is 5MB and the maximum possible is 50MB. Requesting a limit higher than the expected maximum size is recommended; there is no additional charge for a higher limit.
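A pre-flight check an application can run before submitting mail, so that a message with an unregistered Envelope From / Header From pair is caught locally instead of as a 5XX from the relay. This is an added example, not Proofpoint code; the `ALLOWED` list, the `*` wildcard notation and the case-insensitive comparison are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed allow-list for one credential: (Envelope From, Header From).
# "*" as the local part stands for the guide's {wildcard} (hypothetical notation).
ALLOWED = [
    ("noreply@companydomain.com", "*@companydomain.com"),
    ("bounce@mail.companydomain.com", "alerts@mail.companydomain.com"),
]

def _split(addr):
    """Return (local part, domain), both lower-cased (assumed comparison rule)."""
    local, _, domain = addr.strip().rpartition("@")
    return local.lower(), domain.lower().rstrip(".")

def _matches(pattern, addr):
    p_local, p_domain = _split(pattern)
    a_local, a_domain = _split(addr)
    if not a_local or not a_domain:
        return False
    # Exact domain match only: a subdomain must be listed explicitly.
    if a_domain != p_domain:
        return False
    return p_local == "*" or p_local == a_local

def header_from_address(msg):
    """Return the single Header From address, or None if it is ambiguous."""
    headers = [str(h) for h in (msg.get_all("From") or [])]
    addrs = [a for _, a in getaddresses(headers) if a]
    return addrs[0] if len(headers) == 1 and len(addrs) == 1 else None

def combo_allowed(envelope_from, msg, allowed=ALLOWED):
    """True only if the (Envelope From, Header From) pair is on the list."""
    header_from = header_from_address(msg)
    if header_from is None:
        return False
    return any(_matches(e, envelope_from) and _matches(h, header_from)
               for e, h in allowed)

def make_msg(header_from):
    """Build a constructed sample message for the check."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = "user@example.com"
    msg.set_content("constructed sample body")
    return msg
```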

STEP 2:
Configure your application to connect to SER using the following information / configurations:

• SMTP hostname: authnz.proofpoint.com
  Note: Salesforce requires using sfauthnz.c15.proofpoint.com
• The SMTP Authentication credentials provided as part of STEP 1 (note: the SMTP Authentication UID should be used for the “username”)
• SMTP AUTH PLAIN or LOGIN
• TLS v1.2/STARTTLS (the SMTP communication must be encrypted prior to credentials being exchanged)
• Ports 25, 587, or 465


INSTRUCTIONS FOR DNS ADMINISTRATORS


DKIM:
Publish the DKIM key(s) generated (or imported) in SER POD. This Support article describes the format of the keys.

SPF:
Add the POD SER IP addresses to the SPF records of the Envelope From domain(s) being used by applications (see "INSTRUCTIONS
FOR APPLICATION OWNERS" above). Refer to the Welcome Letter for the SER POD IP addresses.

For IP warmup purposes, a Professional Services consultant may recommend adding SER Shared IP addresses.


TROUBLESHOOTING TIPS

SMTP AUTHENTICATION CONNECTIONS


Note: to understand error codes received by SER over an SMTP connection, please see this Support article.
Are firewalls properly configured to allow connections to SER?

If connecting from an internal network, connectivity must be allowed through the firewall to the following:
authnz.proofpoint.com
205.220.188.0/24
205.220.189.0/24

As far as CNAMEs are concerned:

• authnz.proofpoint.com
o authnz.proofpoint.com is an alias for authnz.c15.proofpoint.com.
o authnz.c15.proofpoint.com is an alias for authnz.prod-c15a-awsuse.proofpoint.com.
o authnz.prod-c15a-awsuse.proofpoint.com has address 205.220.189.192
o authnz.prod-c15a-awsuse.proofpoint.com has address 205.220.189.150
o authnz.prod-c15a-awsuse.proofpoint.com has address 205.220.189.171
o authnz.prod-c15a-awsuse.proofpoint.com mail is handled by 10 authnz.prod-c15a-awsusw.proofpoint.com.
o authnz.prod-c15a-awsuse.proofpoint.com mail is handled by 10 authnz.prod-c15a-awsuse.proofpoint.com.
• sfauthnz.c15.proofpoint.com
o sfauthnz.c15.proofpoint.com has address 205.220.188.159
o sfauthnz.c15.proofpoint.com has address 205.220.188.149
o sfauthnz.c15.proofpoint.com has address 205.220.188.163
o sfauthnz.c15.proofpoint.com mail is handled by 10 authnz.proofpoint.com.
o sfauthnz.c15.proofpoint.com mail is handled by 20 authnz.proofpoint.com.

Note: prod-c15a-awsuse also matches prod-c15a-awsusw.

Are connections being initiated via Ports 25, 465, or 587?

Is TLS v1.1+ being used? Only TLS v1.2 is supported.

Is an authorized Envelope / Header From combination being used?

SMTP Authentication credentials are restricted to use with specific combinations of Envelope From (a.k.a. RFC 5321 / MFROM) and
Header From (a.k.a. RFC 5322 / HFROM) sending addresses. Any failures related to this will be communicated over the SMTP
connection as 5XX errors.

Is the email coming from authorized IP(s)?


SMTP Authentication credentials have an optional configuration that restricts their use to emails coming from a
specific IP(s) / CIDR. Any failures related to this will be communicated over the SMTP connection as 5XX errors.


TROUBLESHOOTING TIPS (CONT.)

Are emails too big?

SMTP Authentication credentials have a default configuration that limits emails to 5MB (base64 encoded). This limit can be
increased up to 50MB upon request to ser-support@proofpoint.com. Any failures related to this will be communicated over the
SMTP connection as 5XX errors.

Is the application attempting to TLS-encrypt the SMTP connection with an unsupported cipher?

Please confirm there's compatibility between the ciphers being negotiated. Below are the ciphers supported by SER:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA

AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
RC4-SHA
DES-CBC3-SHA

(Note: No SSLv2 / SSLv3)
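A client-side sketch of the STEP 2 connection settings combined with the cipher list above, offering only the forward-secret AEAD suites from that list so that legacy entries such as RC4-SHA and DES-CBC3-SHA are never negotiated. This is an added example, not Proofpoint code; the function names and the choice of port 587 with STARTTLS are assumptions (port 465 would use `smtplib.SMTP_SSL` instead).

```python
import smtplib
import ssl

SER_HOST = "authnz.proofpoint.com"  # SMTP hostname from STEP 2
SER_PORT = 587                      # 25 and 465 are also listed in STEP 2

# Cipher names copied from the troubleshooting list on this page.
SER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA256",
    "AES128-SHA256", "AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA",
]

def preferred_ciphers(supported=SER_CIPHERS):
    """Keep only suites with ECDHE key exchange and AES-GCM."""
    return [c for c in supported if c.startswith("ECDHE-") and "-GCM-" in c]

def build_tls_context():
    """TLS context: verified certificate, TLS 1.2 floor, restricted ciphers."""
    ctx = ssl.create_default_context()            # checks cert chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no fallback below TLS 1.2
    ctx.set_ciphers(":".join(preferred_ciphers()))
    return ctx

def send_via_ser(msg, envelope_from, uid, password,
                 host=SER_HOST, port=SER_PORT):
    """Submit msg over STARTTLS; credentials are sent only after TLS is up."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # Raises SMTPNotSupportedError if STARTTLS is not offered, so the
        # login below can never run on a cleartext connection.
        smtp.starttls(context=build_tls_context())
        smtp.ehlo()
        smtp.login(uid, password)  # uid is the SMTP Authentication UID
        # from_addr sets the Envelope From; the Header From comes from msg.
        return smtp.send_message(msg, from_addr=envelope_from)
```

A handshake failure from `starttls()` with this context points at a cipher or protocol mismatch rather than at the credentials.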

PROOFPOINT GATEWAY CONFIGURATIONS

This applies to email being routed from SER to a Proofpoint Gateway (i.e. emails originating externally and being sent to employees).

In general, is there anything configured on the Gateway that could be blocking email? Is the Proofpoint "Anti-Spoof"
rule, specifically, configured and blocking email?

In this case, please create an exception for email coming from SER IPs (see Page 1)
