
I'm reviewing email headers to determine if an email sent via SMTP is using TLS 1.2. Depending on where I send the email, it goes 3-5 hops to different servers.

The first connection appears to be secured with TLS 1_2. The second shows MAPI, and the third again shows TLS 1_2.

I am not sending the mail via a software MAPI client (Outlook). I'm curious why the MAPI option is showing up. Even if I send "internally" via Exchange Online/O365, it still shows MAPI after the first TLS 1_2 connection. I don't understand why.

Can anyone offer any insight? Thank you in advance.

These are received headers - the email is sent with O365 SMTP. They are in order of transport as they appear, so the top is the most recent and the bottom is the original. In this case, the middle "received" entry is the one that is confusing. I'm sure it's something boneheaded.

Received: from BL0PR04MB4866.namprd04.prod.outlook.com (2603:10b6:208:2a::17)
 by MN2PR04MB6654.namprd04.prod.outlook.com (2603:10b6:208:1f1::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21; Tue, 29 Sep
 2020 22:22:59 +0000
Received: from BL0PR04MB4866.namprd04.prod.outlook.com
 ([fe80::b6:a4a1:2f36:8284]) by BL0PR04MB4866.namprd04.prod.outlook.com
 ([fe80::b6:a4a1:2f36:8284%7]) with mapi id 15.20.3412.029; Tue, 29 Sep 2020
 22:22:59 +0000
Received: from <PC> (<source IP>) by MN2PR08CA0016.namprd08.prod.outlook.com (2603:10b6:208:239::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.22 via Frontend Transport; Tue, 29 Sep 2020 22:22:59 +0000

Interestingly when sending from outlook.com webmail (not business), the first header entry is MAPI and then shows two TLS connections before using ESMTP/SMTP (see below). In reviewing other headers historically, I don't recall seeing MAPI in the middle.

Received: by 2002:a05:6214:162a:0:0:0:0 with SMTP id e10csxxxxxx6qvw;
        Wed, 30 Sep 2020 03:38:37 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2021.outbound.protection.outlook.com. [IP address])
        by mx.google.com with ESMTPS id g19si655816qko.42.2020.09.30.03.38.37
        for <email address>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 30 Sep 2020 03:38:37 -0700 (PDT)
Received: from BN7NAM10FT037.eop-nam10.prod.protection.outlook.com (2a01:111:e400:7e8f::47) by BN7NAM10HT019.eop-nam10.prod.protection.outlook.com (2a01:111:e400:7e8f::240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.34; Wed, 30 Sep 2020 10:38:37 +0000
Received: from MN2PR11MB4334.namprd11.prod.outlook.com (2a01:111:e400:7e8f::41) by BN7NAM10FT037.mail.protection.outlook.com (2a01:111:e400:7e8f::265) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.34 via Frontend Transport; Wed, 30 Sep 2020 10:38:37 +0000
Received: from MN2PR11MB4334.namprd11.prod.outlook.com ([fe80::29f4:11b4:4c66:6f98]) by MN2PR11MB4334.namprd11.prod.outlook.com ([fe80::29f4:11b4:4c66:6f98%6]) with mapi id 15.20.3433.032; Wed, 30 Sep 2020 10:38:37 +0000
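The check the post is doing by eye, as an added Python example (this is not code from the original post and not a Microsoft or Exchange tool): it unfolds the Received: chain, reads each hop in transport order and reports the protocol, TLS version and cipher recorded for it. The sample input is the first set of headers quoted above, embedded as a constructed string with the poster's own <PC> / <source IP> placeholders left in. A hop whose "from" and "by" are the same host is reported as an in-server handoff rather than a network transfer; that is the shape of the "with mapi" entry above, where both sides are the same mailbox server with link-local fe80:: addresses, so there is no network connection on which TLS could have been negotiated.

```python
"""Walk a message's Received: chain and report, hop by hop, the protocol,
TLS version and cipher each relay recorded, and whether the hop was a real
network transfer or an in-server handoff. Added example, not code from the
original post or from Microsoft."""
import re

# Constructed sample: the three Received headers quoted in the post above,
# with the poster's <PC> / <source IP> placeholders kept as they were.
SAMPLE_HEADERS = """\
Received: from BL0PR04MB4866.namprd04.prod.outlook.com (2603:10b6:208:2a::17)
 by MN2PR04MB6654.namprd04.prod.outlook.com (2603:10b6:208:1f1::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21; Tue, 29 Sep
 2020 22:22:59 +0000
Received: from BL0PR04MB4866.namprd04.prod.outlook.com
 ([fe80::b6:a4a1:2f36:8284]) by BL0PR04MB4866.namprd04.prod.outlook.com
 ([fe80::b6:a4a1:2f36:8284%7]) with mapi id 15.20.3412.029; Tue, 29 Sep 2020
 22:22:59 +0000
Received: from <PC> (<source IP>) by MN2PR08CA0016.namprd08.prod.outlook.com (2603:10b6:208:239::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.22 via Frontend Transport; Tue, 29 Sep 2020 22:22:59 +0000
"""


def unfold_received(raw):
    """Return the Received: values in the order they appear (top = most
    recent), with RFC 5322 folded continuation lines joined back together."""
    values = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and values:
            values[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            values.append(line[len("received:"):].strip())
    return values


def parse_received(value):
    """Pull the from/by hosts, the 'with' protocol and any TLS details out of
    one unfolded Received: value. Fields the header does not carry stay None."""
    def grab(pattern):
        m = re.search(pattern, value)
        return m.group(1) if m else None

    from_host = grab(r"^from\s+(\S+)")
    by_host = grab(r"\sby\s+(\S+)")
    # Protocol name ends at the ' id ' token or at the '(' opening the TLS details.
    protocol = grab(r"\swith\s+(.+?)\s+(?:id\s|\()")
    tls_version = grab(r"version=([A-Za-z0-9_.]+)")
    cipher = grab(r"cipher=([A-Za-z0-9_-]+)")
    same_host = bool(from_host and by_host and from_host.lower() == by_host.lower())
    return {"from_host": from_host, "by_host": by_host, "protocol": protocol,
            "tls_version": tls_version, "cipher": cipher, "same_host": same_host}


def classify(hop):
    """Verdict for one hop: encrypted, in-server handoff, or network hop
    with nothing recorded (the case worth investigating)."""
    if hop["tls_version"]:
        return f"encrypted: {hop['tls_version']} {hop['cipher']}"
    if hop["same_host"]:
        return "in-server handoff (same host both sides, no network connection)"
    return "network hop with no TLS recorded"


def audit_hops(raw):
    """Hops in transport order (original sender first), each with a verdict.
    Headers are prepended by each relay, so transport order is the reverse
    of the order in which they appear."""
    hops = []
    for number, value in enumerate(reversed(unfold_received(raw)), start=1):
        hop = parse_received(value)
        hop["hop"] = number
        hop["verdict"] = classify(hop)
        hops.append(hop)
    return hops


def unencrypted_network_hops(raw):
    """Hop numbers that crossed the network without any TLS line."""
    return [h["hop"] for h in audit_hops(raw)
            if not h["tls_version"] and not h["same_host"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_HEADERS):
        print(f"hop {hop['hop']}: {hop['from_host']} -> {hop['by_host']} "
              f"with {hop['protocol']} [{hop['verdict']}]")
    print("unencrypted network hops:", unencrypted_network_hops(SAMPLE_HEADERS))
```

Run it against a full message by pasting its raw headers into SAMPLE_HEADERS; the only hops worth chasing are the ones reported as "network hop with no TLS recorded". The parser also handles the Google-style entries in the second header set above (a "by ... with SMTP id" line with no "from", and the "with ESMTPS ... (version=TLS1_2 cipher=...)" form), since it looks for each field independently rather than assuming one layout.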