OpenCRM offers a free service called POP2OpenCRM, which automatically syncs your Microsoft M365 emails to OpenCRM in the background. You can find our set-up guide here.
This article goes into this integration option in a bit more depth and aims to answer some of the more technical, security-oriented questions you might have. If you get to the end of this article and still have questions, please feel free to get in touch with our Support team, who are always happy to help. You can do this using the Live Chat button at the bottom right of the screen.
At a very high level, POP2OpenCRM requires only three things:
1. Two collector mailboxes with POP3 enabled (see point 3 below for security details): one which you populate with copies of emails your organisation receives (the opencrm_inbound@ mailbox in our configuration FAQ) and one which you populate with copies of emails your organisation sends (the opencrm_outbound@ mailbox in our configuration FAQ).
2. MailFlow Rules to decide which of your organisation's emails are placed in these mailboxes and hence, which of your organisation's emails are made available to OpenCRM to process.
3. Access granted for OpenCRM to communicate with these two mailboxes.
1. The Collector Mailboxes
These two mailboxes should be created with strong passwords and with two-factor authentication (2FA) activated, and they need to have POP access enabled. We won't ask you to supply these passwords via email. Instead, we use a secure service called https://password.link, which lets you share secure notes with a one-time link.
We won't ask you to supply 2FA seeds, but during the initial setup process we will perform an OAuth login and will need to call you and ask for the current 2FA code, which we only need once and which is, of course, only valid for a few seconds.
You can leave POP3 disabled on all your other mailboxes; it only needs to be enabled on the two accounts Pop2OpenCRM polls.
We will delete emails we collect from these mailboxes, so at any given point in time, there probably won't be very many emails in these collector mailboxes. We will only collect from the inbox, though, so you may want to turn off Junk/Spam filtering on these mailboxes to make sure that everything your MailFlow rules direct here is made available to OpenCRM to process. We go into this in a bit more detail at the end of our implementation guide.
The mailbox accounts do not need to be part of the same 365 organisation/domain as your users. They could be hosted in a separate 365 tenant if granting Pop2OpenCRM access to your main 365 tenant is a concern. Additionally, you could set up mailboxes with a different mail provider outside of 365 entirely, but that comes with its own security and management risks to consider.
2. MailFlow Rules
If you want to capture every single one of your organisation's emails in OpenCRM, then the vanilla scenario described in our setup guide will help you achieve that. It is more likely, however, that you only want to capture a subset of your emails in OpenCRM, for example all of your Sales team's emails or all of your HelpDesk emails, but not emails from senior staff. MailFlow rules are where you should implement these decisions. OpenCRM can only process emails copied into the two collector mailboxes, so making sure that your MailFlow rules place only the intended emails there, and no others, is the best way to ensure that sensitive emails don't gain more visibility than they should.
OpenCRM can, as an additional layer of protection, filter out specific email addresses we are given during the setup phase, but this should be thought of as a second line of defence after MailFlow rules. A good point to remember is that you are in control of the MailFlow rules, so you decide what is forwarded for OpenCRM to process.
You also don't have to use MailFlow rules at all, but that would then rely on users remembering to manually copy their emails to the relevant mailboxes when sending, and no incoming email would be imported into OpenCRM.
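As an added example (not part of the OpenCRM article or its setup guide), the following Exchange Online PowerShell session puts points 1 and 2 into practice: POP3 is switched off everywhere except the two collector mailboxes, junk filtering is disabled on them as the article suggests, and two mail flow rules copy only a chosen subset of traffic into the collectors. The tenant domain contoso.example, the distribution groups sales-team@ and senior-staff@, and the rule names are assumptions made for the example; the two collector mailbox names come from the configuration FAQ.

```powershell
# Added example, not OpenCRM's own configuration. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in admin can
# manage mail flow rules and CAS mailbox settings.
Connect-ExchangeOnline

$Inbound  = 'opencrm_inbound@contoso.example'    # placeholder domain
$Outbound = 'opencrm_outbound@contoso.example'   # placeholder domain
$Scope    = 'sales-team@contoso.example'         # assumed group of users to capture
$Exclude  = 'senior-staff@contoso.example'       # assumed group to keep out of OpenCRM

# 1. POP3 stays off on every mailbox except the two collectors, and is also
#    turned off in the mailbox plans so newly created mailboxes inherit that.
Get-CASMailbox -ResultSize Unlimited -Filter "PopEnabled -eq 'True'" |
    Where-Object { "$($_.PrimarySmtpAddress)" -notin @($Inbound, $Outbound) } |
    Set-CASMailbox -PopEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false
Set-CASMailbox -Identity $Inbound  -PopEnabled $true
Set-CASMailbox -Identity $Outbound -PopEnabled $true

# Only the Inbox is collected, so junk filtering is disabled on the collectors
# to stop copies being diverted into Junk Email and never reaching OpenCRM.
Set-MailboxJunkEmailConfiguration -Identity $Inbound  -Enabled $false
Set-MailboxJunkEmailConfiguration -Identity $Outbound -Enabled $false

# 2. Inbound: external mail addressed to a Sales Team member gets a hidden copy
#    in the inbound collector, except when a Senior Staff member is a recipient.
New-TransportRule -Name 'OpenCRM inbound copy' `
    -FromScope NotInOrganization `
    -SentToMemberOf $Scope `
    -ExceptIfSentToMemberOf $Exclude `
    -BlindCopyTo $Inbound `
    -Mode Enforce

#    Outbound: mail sent by a Sales Team member to external recipients gets a
#    hidden copy in the outbound collector, except when the sender is Senior Staff.
New-TransportRule -Name 'OpenCRM outbound copy' `
    -FromMemberOf $Scope `
    -SentToScope NotInOrganization `
    -ExceptIfFromMemberOf $Exclude `
    -BlindCopyTo $Outbound `
    -Mode Enforce

# Review the rules as the tenant now evaluates them; Description is the
# human-readable rendering Exchange generates from conditions and exceptions.
Get-TransportRule | Where-Object Name -like 'OpenCRM*' |
    Format-List Name, State, Mode, Priority, Description
```

Using -Mode Audit on the two New-TransportRule calls first lets you watch the message trace for a few days and confirm that only the intended mail would be copied before switching to Enforce. The exception clauses are the important part from a security standpoint: they are what stop a senior-staff thread from reaching the collectors even when a Sales Team member is also on it.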
3. Access for OpenCRM
OpenCRM is only able to communicate with Microsoft M365 and retrieve emails from the collector mailboxes if you explicitly allow us to. This is the link you are asked to click at the top of the integration guide, and you can revoke this access at any time.
This grants the Pop2OpenCRM application the following access to your 365 tenant:
- offline_access - Delegated - Maintain access to data you have given it access to
- POP.AccessAsUser.All - Delegated - Read and write access to mailboxes via POP.
- User.Read - Delegated - Sign in and read user profile
This is the minimum required for the app to function. Pop2OpenCRM can only access a mailbox by authenticating to it, so it can only reach the mailboxes whose login details it has been given in order to collect emails.
OpenCRM will initially authenticate with Microsoft M365 via a modern OAuth login with a 2FA code, and after that it will use an OAuth token over a POP connection secured with TLS 1.2.
Neither Microsoft M365 nor OpenCRM supports the use of Basic Auth or insecure POP.
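Because all three permissions above are Delegated, the app can only act as the user who signed in, in this case the collector mailbox accounts, never as the tenant itself. The following Microsoft Graph PowerShell snippet is an added example (not from the OpenCRM article) that lets a tenant administrator confirm exactly what was consented, flag any scope beyond the three listed, check that no application-level role assignments exist for the app, and revoke the grant if required. The display name 'Pop2OpenCRM' is assumed to match what appears under Enterprise applications in your tenant; adjust it if your listing shows a different name.

```powershell
# Added example, not OpenCRM's own tooling. Assumes the Microsoft.Graph module
# is installed and the signed-in admin can read applications and manage
# delegated permission grants.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# The scopes the article says the app needs; anything else deserves a question.
$Expected = @('offline_access', 'POP.AccessAsUser.All', 'User.Read')

# Assumed display name; check Enterprise applications if nothing is returned.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Pop2OpenCRM'"
if (-not $sp) { throw 'Service principal not found; check the display name.' }

# Delegated (on-behalf-of-a-user) grants issued to this client.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"

foreach ($g in $grants) {
    # Scope is a space-separated string, sometimes with a leading space.
    $granted = $g.Scope.Trim() -split '\s+'
    $extra   = @($granted | Where-Object { $_ -notin $Expected })
    [pscustomobject]@{
        ConsentType = $g.ConsentType   # 'Principal' = one user; 'AllPrincipals' = tenant-wide
        PrincipalId = $g.PrincipalId   # consenting user's object id; empty for AllPrincipals
        Scopes      = ($granted -join ' ')
        Unexpected  = ($extra -join ' ')
    }
}

# Application permissions (app roles) would let the app act without any user.
# The article's permission list contains none, so this should return nothing.
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
"Application role assignments: $($appRoles.Count)"

# Revoking access, which the article notes you can do at any time, removes the
# delegated grant so the stored OAuth token can no longer be refreshed:
# $grants | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
```

A ConsentType of Principal tied to the two collector accounts is the expected shape for this integration; an AllPrincipals grant would mean the app could be used on behalf of any user in the tenant and is worth discussing with Support before leaving it in place.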
If you would like, we can supply the IP addresses from which our secure POP connections will originate so that you can lock down access even further.