Requirements
Email Service
- Exchange Online or Gmail.
- OAuth application.
- Shared email account.
- User with access to the shared email account(s) that will be monitored.
- Customers are responsible for the emails they receive.
Lime CRM
- Lime CRM web client.
- If Lime Cloud:
  - New Lime Cloud.
  - If new Lime Cloud with customizations enabled: make sure to run lime-crm 2.935.0 or later.
- If on-premise:
  - Lime CRM Server 2024.3 or later.
  - Traffic over HTTPS, IMAP and SMTP allowed from the Lime CRM server to the email service, according to the list under Firewall Openings below.
General Security Practices
The email integration works by intercepting emails sent to a monitored mailbox and processing them for import into Lime CRM. The emails are then displayed in the user's browser as an HTML feed. This process introduces potential security risks: for instance, a malicious actor could send an email containing specially crafted HTML designed to exploit weaknesses in the browser environment.
The email integration, together with the web client, implements several layers of protection against such incidents. For example, libraries are used to sanitize the HTML and the attachments and to remove dangerous scripts. However, this is a best-effort approach, and it is entirely dependent on the reliability of those libraries.
The email integration cannot take responsibility for preventing security incidents. It is up to the customer to have general security practices in place. Some practices to consider:
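As an illustration of what "sanitize the HTML and remove dangerous scripts" means in practice, here is an added example of an allowlist-based sanitizer written with Python's standard library. It is not the integration's own code and the allowlist of tags and attributes is an assumption for this example; the point is the defensive shape: unknown elements are unwrapped, script-bearing elements are dropped with their content, event-handler attributes are never copied, and link targets are checked by scheme after control characters (which browsers ignore inside a URL) have been removed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist assumed for this example; the integration's own list is not published here.
ALLOWED_TAGS = {
    "p", "br", "b", "strong", "i", "em", "u", "s", "ul", "ol", "li", "a",
    "blockquote", "pre", "code", "table", "thead", "tbody", "tr", "td", "th",
    "h1", "h2", "h3", "h4", "h5", "h6", "div", "span",
}
# Elements whose content is discarded entirely, not merely unwrapped.
DROP_WITH_CONTENT = {
    "script", "style", "iframe", "object", "embed", "svg", "math",
    "template", "noscript", "head", "title",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(value):
    """Accept only http(s)/mailto links; reject javascript:, data:, vbscript: and relative URLs."""
    if value is None:
        return False
    # Browsers drop ASCII control characters inside a URL, so "java\tscript:" still runs;
    # remove them before inspecting the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._open = []        # emitted tags still open, to close them in order
        self._drop_depth = 0   # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element is unwrapped: its text survives, the element does not
        parts = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers are never allowed, whatever the element
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            parts.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            parts.append(' rel="noopener noreferrer" target="_blank"')
        self._out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in self._open:
            # Also close anything opened after it, so the output stays well nested.
            while self._open:
                top = self._open.pop()
                self._out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._drop_depth:
            self._out.append(escape(data, quote=False))  # text is re-escaped, never passed raw

    def result(self):
        while self._open:
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def sanitize_email_html(raw_html):
    """Return a sanitized HTML fragment safe to place in the email feed."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()
```

Comments and `<style>` blocks are discarded along with inline `style` attributes, since CSS can be used for overlay and data-exfiltration tricks; an allowlist sanitizer only has to know what is safe, never what is dangerous, which is why it degrades more gracefully than a blocklist when a new browser feature appears.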
- The mail server should be secured and configured to scan incoming attachments and filter out spam.
- If Microsoft Exchange: block emails with unsafe attachments.
- Antivirus protection.
- Secure authentication methods for Lime accounts. If an account is compromised, it can be used to send emails from the monitored account from inside Lime CRM.
Firewall Openings
If Lime CRM is run on-premise, the following needs to be opened in the firewall.
| Direction | Email service | Protocol | Host name | Port | Reason |
|---|---|---|---|---|---|
| Outbound | All | HTTPS | postalsys.com | 443 | Check license for EmailEngine. |
| Outbound | Exchange Online | IMAPS | outlook.office365.com | 993 | Read emails. |
| Outbound | Exchange Online | SMTPS | smtp.office365.com | 587 | Send emails. |
| Outbound | Exchange Online | HTTPS | login.microsoftonline.com | 443 | Authentication. |
| Outbound | Exchange Online | HTTPS | *.msauth.net | 443 | Authentication. |
| Outbound | Gmail | IMAPS | imap.gmail.com | 993 | Read emails. |
| Outbound | Gmail | SMTPS | smtp.gmail.com | 465 | Send emails. |
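The table is easy to mis-transcribe into a firewall rule, so a quick check from the Lime CRM server itself is worthwhile. The script below is an added example, not tooling from Lime or EmailEngine; it assumes Python 3 is available on the server and encodes the table above, probing each host with a TCP connect and, where the port speaks TLS from the first byte (993, 465, 443), a full certificate-verified handshake. Port 587 is only TCP-probed, because SMTP on that port upgrades to TLS after STARTTLS, and `*.msauth.net` is a wildcard that cannot be probed by name. The `connect` parameter is injectable so the logic can be exercised without network access.

```python
import socket
import ssl

# Endpoints from the Firewall Openings table above. "tls": implicit TLS on connect;
# "tcp": only the connection can be verified here (587 upgrades via STARTTLS later).
REQUIRED_ENDPOINTS = {
    "all": [("postalsys.com", 443, "tls")],
    "exchange_online": [
        ("outlook.office365.com", 993, "tls"),
        ("smtp.office365.com", 587, "tcp"),
        ("login.microsoftonline.com", 443, "tls"),
        # *.msauth.net is a wildcard and is not probed by host name.
    ],
    "gmail": [
        ("imap.gmail.com", 993, "tls"),
        ("smtp.gmail.com", 465, "tls"),
    ],
}


def probe(host, port, mode, timeout=5.0, connect=socket.create_connection):
    """Open a TCP connection and, for mode "tls", complete a verified TLS handshake.

    Returns (ok, detail). A failure detail names the exception, which separates
    DNS problems, filtered/refused connections, timeouts and certificate errors.
    """
    try:
        with connect((host, port), timeout=timeout) as sock:
            if mode == "tls":
                ctx = ssl.create_default_context()  # verifies chain and host name
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return True, f"TCP and TLS handshake ok ({tls.version()})"
            return True, "TCP connect ok"
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        return False, f"{type(exc).__name__}: {exc}"


def check_endpoints(endpoints, timeout=5.0, connect=socket.create_connection):
    """Probe each (host, port, mode) and return {(host, port): (ok, detail)}."""
    return {
        (host, port): probe(host, port, mode, timeout, connect)
        for host, port, mode in endpoints
    }


def check_firewall(service, timeout=5.0):
    """Probe everything one email service needs ("exchange_online" or "gmail")."""
    endpoints = REQUIRED_ENDPOINTS["all"] + REQUIRED_ENDPOINTS[service]
    return check_endpoints(endpoints, timeout)


if __name__ == "__main__":
    import sys

    service = sys.argv[1] if len(sys.argv) > 1 else "exchange_online"
    for (host, port), (ok, detail) in check_firewall(service).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} {detail}")
```

Run it as `python3 check_firewall.py gmail` (or `exchange_online`) on the Lime CRM server. A `TimeoutError` usually means the port is silently dropped by a firewall, `ConnectionRefusedError` that the packet reached something that is not the intended service (for example a proxy), and an `SSLCertVerificationError` on a TLS endpoint points at a TLS-intercepting proxy whose CA the server does not trust.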
Microsoft Safe Attachment Policies
As mentioned above, we highly recommend having attachment scanning in place. Microsoft offers different strategies for how to respond to malware and when to deliver the email within the scanning process. You can find the Safe Attachment configuration here.
For the email integration to run smoothly, a Block response (shown below) is required for all monitored accounts. This ensures that an email is not delivered before the scan has completed successfully, and that detected malware is quarantined before delivery.
Of course, you can have other policies with different responses for all other accounts in your organization.