GMAIL SMTP Setup for Scanners and SPAM


Jeff Thoman

Oct 12, 2015, 2:34:01 PM
to Google Apps K12 Technical Forum
Has anyone else had problems pointing MFPs with scan to email functionality to GMail effectively?  This had been working for us on our copiers which are behind a dynamic NAT, authenticated using SSL until recently.  Just last week our dynamic pool of addresses was flagged by the CBL for a possible infection.  I have turned this feature off for now, and things have subsided, but how can I get this feature working again?

Ryan Collins

Oct 13, 2015, 12:49:28 PM
to Google Apps K12 Technical Forum
On Monday, October 12, 2015 at 2:34:01 PM UTC-4, Jeff Thoman wrote:
> Has anyone else had problems pointing MFPs with scan to email functionality to GMail effectively?  This had been working for us on our copiers which are behind a dynamic NAT, authenticated using SSL until recently.  Just last week our dynamic pool of addresses was flagged by the CBL for a possible infection.  I have turned this feature off for now, and things have subsided, but how can I get this feature working again?

I set up a Linux box on our local network and use it to relay email. In the admin panel, I then whitelist the IP address for our network. 

Jeffrey Blais

Jan 15, 2016, 1:14:17 PM
to Google Apps K12 Technical Forum
We recently ran into a problem where our copier just stopped sending out scanned documents to our e-mail.  I don't know for sure if you ever resolved the problem you were having but it turns out we needed to turn on the ability for the Gmail access to allow "Less Secure" logins.  https://support.google.com/accounts/answer/6010255?hl=en



Devon Jacobs

Jan 28, 2016, 2:51:14 PM
to Google Apps K12 Technical Forum
Just posted this to CBSchools before I read this one here but it may help for those with SMTP fail here too.

Several issues here with scan==>email on copiers, mostly to do with the new TLS / encryption requirements. We're very rural out here and the copier guys had no idea what to do with it. Copiers just started randomly giving generic failure to connect to SMTP server errors. I finally tracked it to this issue. Konica's solution is a full firmware upgrade, which in our case with a 5 year old copier failed and nearly bricked it.

The workaround if you REALLY need to use it is to set up relay in your domain restricted to your IP address. Not the preferred method if you can upgrade firmware or replace devices instead, but here you go:

in Admin Console, move your copier account(s) to its own OU (I use an OU called Copiers)

in admin console go to apps>gmail
advanced settings
select your Copier OU on the left
scroll down to Routing>SMTP relay service and click on configure
choose User based relay
choose only addresses in my domain
under authentication:
choose Only accept mail from the specified IP addresses
specify your public IP from which the emails will originate
- no TLS
- no SMTP authentication

on the copier or device use smtp-relay.gmail.com as the outgoing server, and send as the copier user.

THIS COULD BE A SECURITY RISK. If you're not careful you can end up being an open relay.
Make sure you restrict this rule to addresses in your domain
Make sure you only apply this rule to the OU containing your copier email accounts!
Make sure you restrict the rule to your outgoing IP!

Jaymon Lefebvre

Jan 28, 2016, 3:00:32 PM
to Google Apps K12 Technical Forum
Cheers to a very thorough response, though you should remember, this is not *possibly* a security risk, it is very much likely a confidentiality problem.

When you set up SMTP relaying without authentication, TLS, SSL etc., then you are relaying in clear text to Google SMTP servers.  They do have the option of using port 465 for optional TLS, but if you go 25 and remove all authorization options, I believe that you will be relaying all your SMTP via clear text.  Any transit operator between you and Google would have traffic visibility.

Google did announce last year that all mail would be encrypted by default and I haven't broken out wireshark to test smtp-relay.gmail.com on port 25, but I suspect it is clear text.

Something to consider from a privacy aspect before you just remove all the security protocols and relay via 25. 
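
The port 25 question raised in the post above can be answered without a packet capture by reading the relay's EHLO reply. This is an added example, not part of the thread: the sample replies are constructed, `mx.example.test` is a placeholder, and the function names are hypothetical; `probe` needs network access and is only run when the file is executed directly.

```python
import smtplib
import ssl

# Constructed EHLO replies for illustration; not captured from any real server.
SAMPLE_WITH_TLS = ("250-mx.example.test at your service\r\n250-SIZE 35882577\r\n"
                   "250-8BITMIME\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")
SAMPLE_NO_TLS = ("250-mx.example.test at your service\r\n250-SIZE 35882577\r\n"
                 "250 8BITMIME\r\n")

def parse_ehlo(reply):
    """Turn a raw multi-line EHLO reply into {KEYWORD: parameters}."""
    caps = {}
    for line in reply.splitlines()[1:]:      # line 0 is the server greeting
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue                         # ignore anything that is not a 250 line
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            caps[keyword.upper()] = params
    return caps

def transport_verdict(caps, device_uses_starttls):
    """Classify the hop from the copier to the relay."""
    if "STARTTLS" not in caps:
        return "cleartext: relay does not offer STARTTLS on this port"
    if not device_uses_starttls:
        # The relay offering TLS does not help if the device never upgrades.
        return "cleartext: relay offers STARTTLS but the device never asks for it"
    return "encrypted: STARTTLS offered and used"

def probe(host, port=25, timeout=10):
    """Live check (needs network): fetch capabilities, then try the TLS upgrade."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        caps = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        cipher = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            cipher = smtp.sock.cipher()      # (name, protocol version, secret bits)
        return caps, cipher

if __name__ == "__main__":
    caps, cipher = probe("smtp-relay.gmail.com", 25)
    print(transport_verdict(caps, device_uses_starttls=False), cipher)
```

Run from the same network the copier uses, since that is the path the scans travel.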

Devon Jacobs

Jan 28, 2016, 9:11:35 PM
to Google Apps K12 Technical Forum
True that! 
Thus the previous warnings... and this one:
As Jaymon points out, the workaround I posted only works because there is NO ENCRYPTION. This is a TEMPORARY workaround until you can solve the root issues (i.e. update or replace your device to meet the new security requirements) and should not be left in place for extended periods.

Needless to say, we only used this until we were able to successfully upgrade the firmware.

Ryan Collins

Jan 29, 2016, 10:59:36 AM
to Google Apps K12 Technical Forum
No one should be using email for anything that should be confidential. There is no guarantee your mail will be encrypted while in transit between sites.

