Requirements

Email Service

Lime CRM

  • Lime CRM web client.
  • If Lime Cloud:
    • New Lime Cloud.
    • If new Lime Cloud with customizations enabled: Make sure to run lime-crm 2.935.0 or later.
  • If On-premise:
    • Lime CRM Server 2024.3 or later.
    • Traffic over HTTPS, IMAP, SMTP allowed from the Lime CRM server to the email service, according to the list under Firewall Openings below.

General Security Practices

The email integration operates by intercepting emails sent to a monitored mailbox and processing them for import into Lime CRM. The emails are later displayed in a user's browser via an HTML feed. This process introduces potential security risks. For instance, a malicious actor could send an email containing specially crafted HTML code designed to exploit weaknesses in the browser environment.

The email integration, together with the web client, implements several layers of protection to prevent security incidents. For example, libraries are used to sanitize the HTML and the attachments, and to remove dangerous scripts. However, this is a "best-effort" approach and it is entirely dependent on the reliability of these libraries.

The email integration cannot take any responsibility for preventing security incidents. It is up to the customer to have general security practices in place. Some practices to consider:

  • Mail server should be secured and configured to scan incoming attachments and filter out spam.
  • Antivirus protection.
  • Secure authentication methods for Lime accounts. If they are compromised, they can be used to send emails from the monitored account inside Lime CRM.

Firewall Openings

If Lime CRM is run on-premise, the following needs to be opened in the firewall.

| Direction | Email service   | Protocol | Host name                 | Port | Reason                         |
|-----------|-----------------|----------|---------------------------|------|--------------------------------|
| Outbound  | All             | HTTPS    | postalsys.com             | 443  | Check license for EmailEngine. |
| Outbound  | Exchange Online | IMAPS    | outlook.office365.com     | 993  | Read emails.                   |
| Outbound  | Exchange Online | SMTPS    | smtp.office365.com        | 587  | Send emails.                   |
| Outbound  | Exchange Online | HTTPS    | login.microsoftonline.com | 443  | Authentication.                |
| Outbound  | Exchange Online | HTTPS    | *.msauth.net              | 443  | Authentication.                |
| Outbound  | Gmail           | IMAPS    | imap.gmail.com            | 993  | Read emails.                   |
| Outbound  | Gmail           | SMTPS    | smtp.gmail.com            | 465  | Send emails.                   |
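
One way to verify the openings from the Lime CRM server, as an added example that is not part of the Lime documentation: it completes a certificate-verified TLS session to each listed host, so a firewall that passes TCP but breaks or intercepts TLS shows up as a failure. The function names `plan`, `probe` and `check` are hypothetical, Python 3 on the server is assumed, and port 587 is probed with STARTTLS because that is how the submission port negotiates TLS.

```python
import smtplib
import socket
import ssl

# Outbound rules from the firewall table: (email service, host name, port).
RULES = [
    ("All", "postalsys.com", 443),
    ("Exchange Online", "outlook.office365.com", 993),
    ("Exchange Online", "smtp.office365.com", 587),
    ("Exchange Online", "login.microsoftonline.com", 443),
    ("Exchange Online", "*.msauth.net", 443),
    ("Gmail", "imap.gmail.com", 993),
    ("Gmail", "smtp.gmail.com", 465),
]

def plan(provider, rules=RULES):
    """Return (probeable, manual) rules for one provider plus the 'All' rows."""
    wanted = [r for r in rules if r[0] in ("All", provider)]
    probeable = [r for r in wanted if "*" not in r[1]]
    manual = [r for r in wanted if "*" in r[1]]  # wildcard: no single host to dial
    return probeable, manual

def probe(host, port, timeout=5.0):
    """Open a certificate-verified TLS session; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        if port == 587:
            # Port 587 is the submission port, where TLS starts via STARTTLS.
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                return True, smtp.sock.version()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # refused, timed out, DNS failure, bad certificate
        return False, f"{type(exc).__name__}: {exc}"

def check(provider):
    """Probe every rule for the provider; list wildcard rules separately."""
    probeable, manual = plan(provider)
    results = [(host, port, *probe(host, port)) for _, host, port in probeable]
    return results, manual

if __name__ == "__main__":
    results, manual = check("Exchange Online")
    for host, port, ok, detail in results:
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} {detail}")
    for _, host, port in manual:
        print(f"SKIP {host}:{port} wildcard rule, verify in the firewall policy")
```

A certificate verification failure on a host that is otherwise reachable usually points to TLS inspection on the outbound path rather than a missing firewall opening.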

Microsoft Safe Attachment Policies

As mentioned above, we highly recommend having attachment scanning in place. However, Microsoft offers different strategies for how to respond to malware and when to deliver the email during the scanning process. You can find the Safe Attachment configuration here.

Microsoft Safe Attachment Options

For the email integration to run smoothly, a block response (shown below) is required for all monitored accounts. This ensures that an email is not delivered before the scan has completed successfully and that detected malware is quarantined before delivery.

Microsoft Block response

Of course, you can have other policies with different responses for all other accounts in your organization.