Skip to content

Instantly share code, notes, and snippets.

@matthewfeickert
Last active September 1, 2023 09:32
Show Gist options
  • Save matthewfeickert/309739109bd383cfed0f5dc003205237 to your computer and use it in GitHub Desktop.
Save matthewfeickert/309739109bd383cfed0f5dc003205237 to your computer and use it in GitHub Desktop.
Use GMail's SMTP servers to use CERN email account as an alias

Use GMail's SMTP servers to use CERN email account as an alias

  1. Enable forwarding of emails from Outlook to GMail

    1. In Outlook select Settings > Mail > Forwarding.
    2. Select "Enable forwarding".
    3. Enter your GMail address in the box under "Forward my email to:".
    4. (Optional, but recommended) Select "Keep a copy of forwarded messages"

outlook-view

  1. Create a Google app password

    1. Follow the instructions on Google Support's page on Sign in with app passwords to generate a 16-character authentication code.
    2. (Optional, but recommended) Save this authentication code in a password manager.
  2. In GMail add your CERN email as an alias

    1. In GMail select Settings > See all settings > Accounts and Import.
    2. In the "Send mail as:" section select Add another email address.
    3. In the window that pops up enter your name and then the email address you want to send email from.
    4. Select "Treat as an alias".
    5. Select "Next step".
    6. If this is the first time setting this up select Send verification.
    7. Enter in the following information for the requested fields:
      • SMTP Server: smtp.gmail.com
      • Port: 587 (I think(?) this is arbitrary)
      • Username: Your full GMail address (e.g.: [email protected])
      • Password: Your 16-character Google app authentication code
      • Secured connection using: TLS
    8. Select Add Account (or Save Changes)
    9. Open your CERN webmail, find the verification email sent from Google, and click the link in the email verifying that this email address belongs to you.

gmail-add-address

gmail-smtp-server

How does this work exactly?

I need to learn more about this, but according to people who know more

SMTP is an old protocol. You can use it to forge any email [you have ownership over].

So you're using SMTP to first authenticate that you own the CERN email address and then forge any outgoing mail as that email address.

Is this in violation of the CERN Computing Rules?

No, there is no violation as a CERN user's password is never stored in any step. This is simply forging emails sent from GMail to appear as if they are coming from CERN.

Update: Maybe yes, but this is ridiculously petulant.

Dear Matthew Feickert,

YOUR ACTION IS REQUIRED, by changing the way that you send emails using your [email protected] address. CERN emails must originate from the CERN mail service. Detailed documentation on the usage of the CERN mail service can be found at https://mailservices.docs.cern.ch/ExchangeOnline/

As announced in the CERN Bulletin article https://home.cern/news/news/computing/computer-security-fighting-spam-boss-level and on the Service Status Board at https://cern.service-now.com/service-portal?id=outage&n=OTG0079164 in order to improve the security of CERN mailboxes, the Computer Security Team and the Mail Team are in the process of deploying a new anti-spam filtering system (xorlab ActiveGuard) complementing the existing Microsoft Exchange Online Protection. By the end of October 2023 the whole of CERN will be protected by this new anti-spam filtering system.

This new anti-spam filtering system comes with security enhancements based on commonly used industry standards, namely DMARC validation. The DMARC email authentication protocol protects domains from unauthorised use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat acOCtivities.

Currently all emails sent with your CERN email address ([email protected]) are in fact originating from Google's infrastructure, i.e. being sent from your personal Gmail account by spoofing the sender email address of CERN. Spoofing emails in such a way and routing the email flow via a third party (Google) is in violation of CERN Computing Rules (OC5) and the CERN Data Privacy Protection Policy (OC11). Also, all emails sent in such a way to anyone which is protected by CERN's new anti-spam filtering system are being quarantined.

Yours sincerely, CERN Computer Security Team and the CERN Mail Team https://cern.ch/security

Will this work forever?

Maybe? Others have tried this in the past and let me know that

I used this approach when FNAL first migrated to O365. It worked for a while, but then they tightened DMARC restrictions and everything I sent was blocked or sent to spam. CERN's settings aren't as tight as FNAL's right now, but CERN IT is rather unpredictable, so there's no way to know when they'll change.

Acknowledgements

This process was explained to me by the amazing Gilles Louppe!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment