SMTP Authenticated Secure Email Relay sending

This document describes the requirements and expectations for applications that would like to use the campus Authenticated Secure Email Relay (SER) service.

Application Requirements

  • Applications or devices must be capable of SMTP authenticated sending on port 25, 587 or 465 using a Username/Password
  • Supports TLS 1.2
  • Known Envelope From and Header From
    Note: There is a limit of 10 From addresses. The From address(es) must be a valid service account email address and UW-Madison must be authorized to send as that address.
  • Uses static IP address(es)
  • Messages less than 5MB in size
  • Limit of 100 emails per SMTP session

Terms of Use

  • The authenticated relay is only available to systems or services that are under contract with UW-Madison and sending email in support of UW-Madison Teaching, Research or Administrative activities.
  • Follow the UW System guidelines for Acceptable Use of Information Technology Resources.
  • Use of the service is explicitly prohibited for sending spam, phishing or email with offensive content.
  • The relay service should not be used to send unencrypted HIPAA protected data (Protected Health Information, PHI) to non-UW-controlled email addresses. For more information, see UW-Madison Policy regarding Email Communications Involving Protected Health Information.
  • This is a paid service provided by Proofpoint and is priced based on hourly peak and yearly total throughput. If any single campus group or application results in UW-Madison exceeding its contracted mail volume thresholds, they will be charged for any cost increase accrued by the service.

Privacy Statement

  • Administrators routinely monitor the volume of mail sent for system management purposes.
  • Usage may also be subject to security testing and monitoring.
  • If the University receives a credible report that a violation of the Terms of Use has occurred, or if the University, in the course of managing the service, discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution.

Requesting access to the authenticated secure email relay service

If you have a third-party service or off-campus device that sends email, you can request access to the authenticated secure email relay service using our Google form. We will review your use case and determine whether it is a good fit for the SER service. Please be prepared to supply the following information:

  • Name of the School, College, Division, Group or Service requesting credentials.
  • UW-Madison Service Owner
  • Envelope From address(es) used in the mail messages. You can specify multiple From addresses for use with the application but not whole domains (e.g. *@doit.wisc.edu).
  • Header From if it will be different from the Envelope From.
  • IP address(es) of the sending systems.
  • Name of the application or device that will use the credentials.
  • Who is the audience for the email sent from your application/service?

Once the form is submitted we will contact you within 3 business days.

Configure your application to connect to SER

If we determine that your use case is a good fit for the authenticated secure email relay service, we will provide you with credentials for connecting to the service. You will need to configure your application using the following information:

  • SER Servername: authnz.proofpoint.com
  • Authentication Method: SER Username/Password provided by PCS
    Note: Vendor documentation frequently assumes that the Username is in the form of an email address. The SER Username is not an email address and should not be confused with the authorized From address(es).
  • Connection Security: TLS/STARTTLS
  • Port: 25, 587 or 465
  • Validate that the SPF record for the domain used in the Envelope From address includes the WiscMail SPF record: "include:_spf.wiscmail.wisc.edu"
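
A client configured with the settings above, as an added example (not code from UW-Madison or Proofpoint). It uses port 587 with STARTTLS, refuses anything below TLS 1.2, logs in with the SER Username, sets the Envelope From separately from the From header, and opens a new session every 100 messages. The environment variable names and example.edu/example.org addresses are placeholders.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

SER_HOST = "authnz.proofpoint.com"   # SER Servername from this page
SER_PORT = 587                        # 25 and 587 use STARTTLS; 465 would need smtplib.SMTP_SSL
MAX_PER_SESSION = 100                 # documented limit of 100 emails per SMTP session


def tls_context():
    """Context that verifies the server certificate and hostname and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sessions(messages, limit=MAX_PER_SESSION):
    """Split a queue into batches so no SMTP session carries more than `limit` messages."""
    return [messages[i:i + limit] for i in range(0, len(messages), limit)]


def send_all(messages, envelope_from, username, password):
    """Open one authenticated STARTTLS session per batch; return the number sent."""
    sent = 0
    for batch in sessions(messages):
        with smtplib.SMTP(SER_HOST, SER_PORT, timeout=30) as smtp:
            smtp.starttls(context=tls_context())   # raises if TLS cannot be negotiated
            smtp.login(username, password)          # SER Username, not an email address
            for msg in batch:
                # from_addr sets the Envelope From (MAIL FROM) independently
                # of the From header carried inside the message.
                smtp.send_message(msg, from_addr=envelope_from)
                sent += 1
    return sent


if __name__ == "__main__":
    msg = EmailMessage()
    msg["From"] = "Alerts <alerts@example.edu>"   # placeholder Header From
    msg["To"] = "user@example.org"                # placeholder recipient
    msg["Subject"] = "SER connection test"
    msg.set_content("Sent through the authenticated relay.")
    send_all([msg], "alerts@example.edu",
             os.environ["SER_USERNAME"], os.environ["SER_PASSWORD"])
```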

If the sending application is behind a firewall that restricts outbound traffic, you may need to add rules to allow traffic to the following IP addresses in order to connect to authnz.proofpoint.com:

  • 205.220.188.149
  • 205.220.188.159
  • 205.220.188.163

Troubleshooting

The Authenticated Secure Email Relay service is provided by Proofpoint and we do not have direct access to the authentication logs. If you are unsuccessful in sending mail through Proofpoint SER, you should validate the setup by checking the following:

  • Are connections being initiated via Ports 25, 465, or 587?
  • Is TLS v1.2 (or better) being used?
  • Are the authorized Envelope and Header FROM Addresses being used?
  • Is the email coming from the authorized IP(s)?
  • Are the emails too big? Messages must be less than 5MB in total size.
  • Is the software that is generating the email attempting to TLS-encrypt the SMTP connection with an unsupported cipher?
    Supported ciphers:

    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-SHA

    AES256-GCM-SHA384
    AES128-GCM-SHA256
    AES256-SHA256
    AES128-SHA256
    AES256-SHA
    AES128-SHA
    RC4-SHA
    DES-CBC3-SHA

  • Are there firewall rules that might be blocking outbound connections to Proofpoint or the connection ports?
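
Because the authentication logs are not available, the checks above that do not need the network can be run locally before a send. The following is an added example, not part of the original document. It assumes "5MB" means 5,000,000 bytes measured on the encoded message and that the SPF TXT record has already been fetched (for example with `dig +short TXT <domain>`). The addresses and records are constructed samples.

```python
from email.message import EmailMessage
from email.utils import parseaddr

MAX_BYTES = 5 * 1000 * 1000          # assumption: "5MB" read as 5,000,000 bytes
ALLOWED_PORTS = {25, 465, 587}
SPF_INCLUDE = "include:_spf.wiscmail.wisc.edu"
MAX_FROM_ADDRESSES = 10


def preflight(msg, envelope_from, port, authorized_from, spf_txt):
    """Return a list of problems found; an empty list means the local checks passed."""
    problems = []
    allowed = {a.lower() for a in authorized_from}
    if len(allowed) > MAX_FROM_ADDRESSES:
        problems.append("more than 10 From addresses configured")
    if port not in ALLOWED_PORTS:
        problems.append(f"port {port} is not 25, 465 or 587")
    if envelope_from.lower() not in allowed:
        problems.append(f"Envelope From {envelope_from} is not authorized")
    header_from = parseaddr(msg["From"] or "")[1].lower()
    if header_from not in allowed:
        problems.append(f"Header From {header_from or '(missing)'} is not authorized")
    # Size is measured after encoding: base64 makes attachments about a third larger.
    if len(msg.as_bytes()) >= MAX_BYTES:
        problems.append("message is 5MB or larger once encoded")
    # Only a TXT record starting with v=spf1 counts; match the include as a whole term.
    terms = spf_txt.lower().split()
    if not terms or terms[0] != "v=spf1" or SPF_INCLUDE not in terms:
        problems.append("SPF record lacks " + SPF_INCLUDE)
    return problems


# Constructed sample input (not real configuration).
AUTHORIZED = ["alerts@example.edu"]
SAMPLE_SPF = "v=spf1 include:_spf.wiscmail.wisc.edu ~all"


def sample_message(header_from, payload_bytes=0):
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = "user@example.org"
    msg["Subject"] = "Nightly report"
    msg.set_content("See attachment.")
    if payload_bytes:
        msg.add_attachment(b"\0" * payload_bytes, maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg
```

A 4 MiB attachment fails the size check here even though the raw file is under the limit, because the check runs on the encoded message.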

Abuse

Any abuse of this service will result in removal of relaying privileges for the offending application.

Secure Email Relay v2

In Q4 2023 Proofpoint will upgrade the Secure Email Relay (SER) infrastructure to their version 2 architecture. When that occurs, traffic to authnz.proofpoint.com will be redirected to smtp-us.ser.proofpoint.com. Any firewall rules will need to be updated to allow traffic to the following SERv2 IP addresses:

  • 34.225.17.174
  • 52.202.205.232
  • 54.68.130.227
  • 52.89.187.57

The migration is expected to be transparent to current Secure Email Relay applications. Post migration, we will contact system owners to update their connection information to use smtp-us.ser.proofpoint.com.

Questions

If you have any questions or would like to discuss relaying options, please contact smtp.relay@doit.wisc.edu.



Keywords: relay relaying smtp.wiscmail.wisc.edu relay.mail.wisc.edu authenticated smtp
Doc ID: 130833
Owner: O365 S.
Group: Microsoft 365
Created: 2023-09-05 06:22 CST
Updated: 2023-11-15 15:30 CST
Sites: DoIT Help Desk, DoIT Staff, Microsoft 365