SMTP Authenticated Secure Email Relay sending

This document describes the requirements and expectations for applications that would like to use the campus Authenticated Secure Email Relay (SER) service.

Application Requirements

  • Applications or devices must be capable of SMTP authenticated sending on port 25, 587 or 465 using a Username/Password
  • Supports TLS 1.2
  • Known Envelope From and Header From
    Restrictions:
    • There is a limit of 10 From addresses.
    • The From address(es) must be a valid service account email address in a subdomain of *.wisc.edu (e.g. doit.wisc.edu).
    • The Campus Relay Service must be authorized to send as that address in the domain SPF record.
    • The address cannot be an @wisc.edu address.
  • Uses static IP address(es)
  • Messages less than 5MB in size
  • Limit of 100 emails per SMTP session

Terms of Use

  • The authenticated relay is only available to systems or services that are under contract with UW-Madison and sending email in support of UW-Madison Teaching, Research or Administrative activities.
  • Only paid UW-Madison faculty or staff may request access to the authenticated relay services.
  • Follow the UW System guidelines for Acceptable Use of Information Technology Resources.
  • Use of the service is explicitly prohibited for sending spam, phishing or email with offensive content.
  • The relay service should not be used to send unencrypted HIPAA protected data (Protected Health Information, PHI) to non-UW-controlled email addresses. For more information, see UW-Madison Policy regarding Email Communications Involving Protected Health Information.
  • This is a paid service provided by Proofpoint and is priced based on hourly peak and yearly total throughput. If any single campus group or application causes UW-Madison to exceed its contracted mail volume thresholds, that group will be charged for any cost increase accrued by the service.

Privacy Statement

  • Administrators routinely monitor the volume of mail sent for system management purposes.
  • Usage may also be subject to security testing and monitoring.
  • If the University receives a credible report that a violation of the Terms of Use has occurred, or if, in the course of managing the service, it discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution.

Requesting access to the authenticated secure email relay service

If you have a 3rd party service or off-campus device that sends email, you can request access to the authenticated secure email relay service using our Google form. We will review your use case and determine whether it is a good fit for the SER service. Please be prepared to supply the following information:

  • Name of the School, College, Division, Group or Service requesting credentials.
  • UW-Madison Service Owner
  • Envelope From address(es) used in the mail messages. You can specify up to 10 From addresses for use with the application but not whole domains (e.g. *@doit.wisc.edu).
  • Header From if it will be different from the Envelope From.
  • IP address(es) of the sending systems.
  • Name of the application or device that will use the credentials.
  • Who is the audience for the email sent from your application/service?

Once the form is submitted we will contact you within 3 business days.

Configure your application to connect to SER

If we determine that your use case is a good fit for the authenticated secure email relay service, we will provide you with credentials for connecting to the service. You will need to configure your application using the following information:

  • SER Servername: smtp-us.ser.proofpoint.com
  • Authentication Method: SER Username/Password provided by PCS
    Note: Vendor documentation frequently assumes that the Username is in the form of an email address. The SER Username is not an email address and should not be confused with the authorized From address(es).
  • Connection Security: TLS/STARTTLS
  • Port: 25, 587 or 465
  • Validate that the SPF record for the domain used in the Envelope From address includes the WiscMail SPF record: “include:_spf.wiscmail.wisc.edu”
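
A pre-flight check for the From address restrictions and the SPF include described above, as an added example that is not part of the original document or of Proofpoint's tooling. The function names and the sample TXT records are constructed for illustration; the SPF check looks only for a direct include in TXT strings you have already retrieved and does not follow nested includes or redirects.

```python
MAX_FROM_ADDRESSES = 10                      # limit stated on this page
REQUIRED_INCLUDE = "_spf.wiscmail.wisc.edu"  # include named on this page

# Constructed sample TXT answers for a hypothetical sending subdomain.
SAMPLE_TXT = [
    "v=spf1 include:_spf.wiscmail.wisc.edu ~all",
    "constructed-site-verification=abc123",
]

def check_from_addresses(addresses):
    """Return a list of policy problems; an empty list means the set is acceptable."""
    problems = []
    if len(addresses) > MAX_FROM_ADDRESSES:
        problems.append(f"{len(addresses)} From addresses exceed the limit of {MAX_FROM_ADDRESSES}")
    for addr in addresses:
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        if not sep or not local or "*" in addr:
            problems.append(f"{addr}: must be one full address, not a pattern or whole domain")
        elif domain == "wisc.edu":
            problems.append(f"{addr}: @wisc.edu addresses are not accepted")
        elif not domain.endswith(".wisc.edu"):
            problems.append(f"{addr}: domain is not a subdomain of wisc.edu")
    return problems

def spf_authorizes_relay(txt_records):
    """True if the single v=spf1 record reaches a passing include for the relay."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:   # none, or several (which receivers treat as a permanent error)
        return False
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech = mech.lower()
        if mech == f"include:{REQUIRED_INCLUDE}":
            return qualifier == "+"
        if mech == "all":   # evaluation stops here, so a later include is never reached
            return False
    return False

if __name__ == "__main__":
    print(check_from_addresses(["noreply@doit.wisc.edu", "*@doit.wisc.edu", "dean@wisc.edu"]))
    print(spf_authorizes_relay(SAMPLE_TXT))
```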

If the sending application is behind a firewall that restricts outbound traffic, you may need to add rules to allow traffic to the following IP addresses in order to connect to smtp-us.ser.proofpoint.com:

  • 34.225.17.174
  • 52.202.205.232
  • 54.68.130.227
  • 52.89.187.57
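
A sending client that applies the connection settings and limits above, as an added example in Python's standard library rather than code from the original document. It assumes STARTTLS on port 587 and treats 5MB as 5,000,000 bytes; the function names are illustrative, and the credentials and From addresses are whatever was approved for your application.

```python
import smtplib
import ssl
from email import policy
from email.message import EmailMessage

SER_HOST = "smtp-us.ser.proofpoint.com"  # server name from this page
MAX_BYTES = 5_000_000    # "less than 5MB"; decimal megabytes is an assumption
MAX_PER_SESSION = 100    # per-session limit from this page

def build_message(header_from, to_addr, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = header_from, to_addr, subject
    msg.set_content(body)
    return msg

def plan_sessions(messages):
    """Reject oversize messages, then split the rest into per-session batches."""
    for m in messages:
        size = len(m.as_bytes(policy=policy.SMTP))   # serialized with CRLF line endings
        if size >= MAX_BYTES:
            raise ValueError(f"message to {m['To']} is {size} bytes; limit is {MAX_BYTES}")
    return [messages[i:i + MAX_PER_SESSION]
            for i in range(0, len(messages), MAX_PER_SESSION)]

def tls_context():
    ctx = ssl.create_default_context()             # verifies certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # never negotiate below TLS 1.2
    return ctx

def send_all(messages, envelope_from, username, password, port=587):
    """Send over STARTTLS; return the (cipher, protocol) negotiated in each session."""
    negotiated = []
    for batch in plan_sessions(messages):
        # Port 465 is implicit TLS: use smtplib.SMTP_SSL(..., context=tls_context()) there.
        with smtplib.SMTP(SER_HOST, port, timeout=30) as smtp:
            smtp.starttls(context=tls_context())    # raises if STARTTLS is not offered
            negotiated.append(smtp.sock.cipher()[:2])
            smtp.login(username, password)          # SER username, not a From address
            for m in batch:
                # from_addr sets the Envelope From; the Header From stays as built.
                smtp.send_message(m, from_addr=envelope_from)
    return negotiated
```

Logging the value returned by send_all gives you the negotiated cipher and protocol version to compare against the Troubleshooting checklist.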

Is DKIM signing available?

All email that passes through the campus relay service is DKIM signed for the relay.mail.wisc.edu domain. The relay service does not support custom DKIM signing for specific domains. The application sending the mail will need to DKIM sign those messages if you need to sign for a different domain.

One-click Unsubscribe

If you are sending newsletters, calls for research participation, surveys or other forms of bulk mail, your messages need to offer support for one-click unsubscribe. Your application will need to add the appropriate headers to the email messages and handle unsubscribe requests. This is not a feature of the relay service.
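
One way for an application to add the one-click unsubscribe headers (defined in RFC 8058) and validate the resulting request, shown as an added example that is not part of the original document. The endpoint URL, key, parameter names and function names are hypothetical; the HMAC token is one possible way to make the link opaque and tamper-evident.

```python
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

UNSUB_URL = "https://unsubscribe.example.org/oneclick"  # hypothetical endpoint
SECRET = b"constructed-demo-key"   # constructed; load a real key from a secret store

def make_token(recipient, list_id):
    """Bind the link to one recipient and list so it cannot be altered to remove others."""
    data = f"{list_id}\n{recipient}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def add_one_click_headers(msg, recipient, list_id):
    """Add the RFC 8058 header pair to an outgoing message."""
    query = urlencode({"r": recipient, "l": list_id, "t": make_token(recipient, list_id)})
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}?{query}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg

def handle_unsubscribe(method, url, body):
    """Return (recipient, list_id) for a valid one-click request, otherwise None."""
    # Only a POST carrying the RFC 8058 form field counts; a GET from a link
    # scanner or preview must not unsubscribe anyone.
    if method != "POST" or body.strip() != "List-Unsubscribe=One-Click":
        return None
    q = parse_qs(urlparse(url).query)
    try:
        recipient, list_id, token = q["r"][0], q["l"][0], q["t"][0]
    except KeyError:
        return None
    expected = make_token(recipient, list_id)
    ok = hmac.compare_digest(token.encode(), expected.encode())
    return (recipient, list_id) if ok else None

if __name__ == "__main__":
    m = add_one_click_headers(EmailMessage(), "user@example.org", "research-news")
    print(m["List-Unsubscribe"], m["List-Unsubscribe-Post"], sep="\n")
```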

Troubleshooting

The Authenticated Secure Email Relay service is provided by Proofpoint and we do not have direct access to the authentication logs. If you are unsuccessful in sending mail through Proofpoint SER you should validate the setup by checking the following:

  • Are connections being initiated via Ports 25, 465, or 587?
  • Is TLS v1.2 (or better) being used?
  • Are the authorized Envelope and Header FROM Addresses being used?
  • Is the email coming from the authorized IP(s)?
  • Are the emails too big? Messages must be less than 5MB in total size.
  • Is the software that is generating the email attempting to TLS-encrypt the SMTP connection with an unsupported cipher?
    Supported Ciphers:

    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-SHA

    AES256-GCM-SHA384
    AES128-GCM-SHA256
    AES256-SHA256
    AES128-SHA256
    AES256-SHA
    AES128-SHA
    RC4-SHA
    DES-CBC3-SHA

  • Are there firewall rules that might be blocking outbound connections to Proofpoint or the connection ports?

Abuse

Any abuse of this service will result in removal of relaying privileges for the offending application.

Secure Email Relay v2

On February 1, 2024 Proofpoint completed the upgrade of the Secure Email Relay (SER) infrastructure to their version 2 architecture. With that transition, traffic to authnz.proofpoint.com has been temporarily redirected to smtp-us.ser.proofpoint.com. Application owners should update their configuration to connect to smtp-us.ser.proofpoint.com instead of authnz.proofpoint.com. Proofpoint plans to deprecate support for authnz.proofpoint.com in the future.

Any outbound firewall rules will need to be updated to allow traffic to the following SERv2 IP addresses:

  • 34.225.17.174
  • 52.202.205.232
  • 54.68.130.227
  • 52.89.187.57

The firewall updates must be completed by May 30, 2024.

Questions

If you have any questions or would like to discuss relaying options, please contact smtp.relay@doit.wisc.edu.



Keywords: relay relaying smtp.wiscmail.wisc.edu relay.mail.wisc.edu authenticated smtp
Doc ID: 130833
Owned by: O365 S. in Microsoft 365
Created: 2023-09-05
Updated: 2024-10-29
Sites: DoIT Help Desk, DoIT Staff, Microsoft 365