Environment with outgoing and incoming gateways where primary server is not visible in MX configuration - bounces
Question asked by Webio - 4/7/2020 at 10:47 PM
Unanswered
Hello,

Does someone have an environment where:

  • primary server is not visible in domains MX configuration
  • outgoing gateway is being used
  • incoming gateway is being used

For the mentioned configuration I'm experiencing issues with message bounces and status deliveries.

The bottom-line issue is this: when a bounce or delivery status notification is generated on outgoing notification, this notification/bounce is passed to the MX configuration, so it is the incoming gateway which tries to deliver this bounce/delivery notification to the primary server. Here is the issue: during the SMTP session the outgoing gateway and then the incoming gateway use the sender email address as the FROM email address, and since this is an incoming connection, the primary SmarterMail thinks that this is a spoofing attempt, since the domain used in FROM is configured locally. So the primary server creates another bounce with the 550 error "Authentication is required for relay", and the local user gets this message instead of the real bounce or delivery notification status message.

In the SM configuration section -> System Messages we can set the From address for various system messages, but this address is used only in the message content. In the SMTP session, while passing the system message, the original sender email address is still used, just like I've mentioned above.

Setting SMTP Auth Bypass for the incoming gateway IP addresses in the whitelist section on the primary server will cause spam scoring to be skipped because of the skipped authentication.

So .. this is not such an unusual configuration, and I'm wondering if anyone else is experiencing this issue.

Thanks

15 Replies

0
Sébastien Riccio Replied
Hello,

I'm not sure I totally get the mail flow you're describing, but when a gateway bounces a message, shouldn't it use something like mailer-daemon@hostname as from and <> as Return-Path ?

In that case I don't understand why your incoming gateway or smartermail would think it's coming from a local domain. But again maybe I don't understand your setup correctly.

For the auth issue when the from is a local domain, I think it may be related to this:


I guess you have it enabled. This prevents mail that is both and  from the same domain from being accepted if the sender is unauthenticated.
This prevents spam with "from" spoofed with the same domain as the recipient. It is useful but there are some side effects like the one you're having.

But again, I don't get why an outgoing gateway would use the original sender as a from for a bounce.

Kind regards.
Sébastien Riccio
System & Network Admin

0
Merle Wait Replied
So we have...
MX-IN-1 -------+                                                        +Out-1
MX-IN-2 -------+======= ALL GO TO MAIN SERVER, Then out to OUTBOUND ==> +Out-2
MX-IN-3 -------+                                                        +Out-3

To where the main server is not mentioned or listed in the MX...

.. And to answer your question - not aware of that issue.
However, all of our servers are still on Sm15.x

0
Sébastien Riccio Replied
For us, same setup as yours, Merle, but with latest SM version prior to MAPI beta (7242)
Sébastien Riccio
System & Network Admin

0
Webio Replied
So, here you have a real-life scenario (logs below).

User VALID@EMAIL.COM is sending an email to NOTEXISTING@gmail.com to cause "no such user here" on the Gmail side. As you can see, Gmail is bouncing with this error. Outgoing gateway OUTGOINGGATEWAYIP is creating the bounce and delivers it to incoming gateway INCOMINGGATEWAYHOST.

And here we have an interesting observation, because the bounce has:

2020.04.08 09:33:59.291 [OUTGOINGGATEWAYIP][8752592] cmd: MAIL FROM:<VALID@EMAIL.COM> RET=HDRS ENVID=092ddad7-50d5-4154-8211-42d73216e764 SIZE=3513

while the bounce in the mail header has

2020.04.08 09:33:59.385 [OUTGOINGGATEWAYIP][8752592] senderEmail(2): SYSTEM@ADMIN.COM parsed using: "System Administrator Out 1" <SYSTEM@ADMIN.COM>

Then we see that the incoming gateway INCOMINGGATEWAYLOCALIP is trying to deliver this message to PRIMARYSMLOCALIP with:

2020.04.08 09:34:16.373 [59392] CMD: MAIL FROM:<VALID@EMAIL.COM> RET=HDRS ENVID=092ddad7-50d5-4154-8211-42d73216e764 SIZE=3735

which is causing spoofing protection:

2020.04.08 09:34:16.405 [59392] RSP: 550 Authentication is required for relay

because the domain for VALID@EMAIL.COM is created locally, so any remote delivery is rejected with a 550 error.

Yes, I have "Enable Domain's SMTP auth setting for local deliveries". Won't disabling this param also create some kind of open relay server?

Enable Domain's SMTP auth setting for local deliveries - Toggle the slider to the right to enforce SMTP authentication for all local deliveries. For example, mail from user1@example.com to user2@example.com must be authenticated even though the message is bound for local delivery.

outgoing gateway delivery log

2020.04.08 09:33:26.865 [85967] Delivery started for VALID@EMAIL.COM at 09:33:26
2020.04.08 09:33:38.865 [85967] Added to SpamCheckQueue (0 queued; 1/30 processing)
2020.04.08 09:33:38.865 [85967] [SpamCheckQueue] Begin Processing.
2020.04.08 09:33:38.865 [85967] Starting Spam Checks.
2020.04.08 09:33:38.865 [85967] Skipping spam checks: No local recipients
2020.04.08 09:33:38.865 [85967] Spam Checks completed.
2020.04.08 09:33:38.865 [85967] Removed from SpamCheckQueue (0 queued or processing)
2020.04.08 09:33:41.881 [85967] Added to RemoteDeliveryQueue (1 queued; 2/200 processing)
2020.04.08 09:33:41.881 [85967] [RemoteDeliveryQueue] Begin Processing.
2020.04.08 09:33:41.881 [85967] Sending remote mail for VALID@EMAIL.COM
2020.04.08 09:33:41.881 [85967] Spam check results: 
2020.04.08 09:33:41.881 [85967] MxRecord count: '5' for domain 'gmail.com'
2020.04.08 09:33:41.881 [85967] Attempting MxRecord Host Name: 'gmail-smtp-in.l.google.com', preference '5', Ip Count: '1'
2020.04.08 09:33:41.881 [85967] Attempting to send to MxRecord 'gmail-smtp-in.l.google.com' ip: '173.194.73.27'
2020.04.08 09:33:41.881 [85967] Sending remote mail to: NOTEXISTING@gmail.com
2020.04.08 09:33:41.881 [85967] Initiating connection to 173.194.73.27
2020.04.08 09:33:41.881 [85967] Connecting to 173.194.73.27:25 (Id: 1)
2020.04.08 09:33:41.881 [85967] Binding to local IP OUTGOINGGATEWAYIP (Id: 1)
2020.04.08 09:33:41.912 [85967] Connection to 173.194.73.27:25 from OUTGOINGGATEWAYIP:10967 succeeded (Id: 1)
2020.04.08 09:33:41.959 [85967] RSP: 220 mx.google.com ESMTP y16si3664322ljy.202 - gsmtp
2020.04.08 09:33:41.959 [85967] CMD: EHLO OUTGOINGGATEWAYHOST
2020.04.08 09:33:42.006 [85967] RSP: 250-mx.google.com at your service, [OUTGOINGGATEWAYIP]
2020.04.08 09:33:42.006 [85967] RSP: 250-SIZE 157286400
2020.04.08 09:33:42.006 [85967] RSP: 250-8BITMIME
2020.04.08 09:33:42.006 [85967] RSP: 250-STARTTLS
2020.04.08 09:33:42.006 [85967] RSP: 250-ENHANCEDSTATUSCODES
2020.04.08 09:33:42.006 [85967] RSP: 250-PIPELINING
2020.04.08 09:33:42.006 [85967] RSP: 250-CHUNKING
2020.04.08 09:33:42.006 [85967] RSP: 250 SMTPUTF8
2020.04.08 09:33:42.006 [85967] CMD: STARTTLS
2020.04.08 09:33:42.068 [85967] RSP: 220 2.0.0 Ready to start TLS
2020.04.08 09:33:42.099 [85967] CMD: EHLO OUTGOINGGATEWAYHOST
2020.04.08 09:33:42.178 [85967] RSP: 250-mx.google.com at your service, [OUTGOINGGATEWAYIP]
2020.04.08 09:33:42.178 [85967] RSP: 250-SIZE 157286400
2020.04.08 09:33:42.178 [85967] RSP: 250-8BITMIME
2020.04.08 09:33:42.178 [85967] RSP: 250-ENHANCEDSTATUSCODES
2020.04.08 09:33:42.178 [85967] RSP: 250-PIPELINING
2020.04.08 09:33:42.178 [85967] RSP: 250-CHUNKING
2020.04.08 09:33:42.178 [85967] RSP: 250 SMTPUTF8
2020.04.08 09:33:42.178 [85967] CMD: MAIL FROM:<VALID@EMAIL.COM> SIZE=4269
2020.04.08 09:33:42.240 [85967] RSP: 250 2.1.0 OK y16si3664322ljy.202 - gsmtp
2020.04.08 09:33:42.240 [85967] CMD: RCPT TO:<NOTEXISTING@gmail.com>
2020.04.08 09:33:42.303 [85967] RSP: 550-5.1.1 The email account that you tried to reach does not exist. Please try
2020.04.08 09:33:42.303 [85967] RSP: 550-5.1.1 double-checking the recipient's email address for typos or
2020.04.08 09:33:42.303 [85967] RSP: 550-5.1.1 unnecessary spaces. Learn more at
2020.04.08 09:33:42.303 [85967] RSP: 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser y16si3664322ljy.202 - gsmtp
2020.04.08 09:33:42.303 [85967] CMD: QUIT
2020.04.08 09:33:42.365 [85967] RSP: 221 2.0.0 closing connection y16si3664322ljy.202 - gsmtp
2020.04.08 09:33:42.365 [85967] Attempt to ip, '173.194.73.27' success: 'True'
2020.04.08 09:33:42.365 [85967] Delivery for VALID@EMAIL.COM to NOTEXISTING@gmail.com has bounced. Reason: Remote host said: 550 5.1.1 The email account that you tried to reach does not exist. Please try
2020.04.08 09:33:42.365 [85967] DSN email written to -1548961585971 with status failed to NOTEXISTING@gmail.com
2020.04.08 09:33:42.365 [85967] Process delivery status notification step from recipient success. Recipient: [NOTEXISTING@gmail.com], Notify: [failure], LastError: [550 5.1.1 The email account that you tried to reach does not exist. Please try
2020.04.08 09:33:42.365 [85967] Delivery for VALID@EMAIL.COM to NOTEXISTING@gmail.com has completed (Bounced)
2020.04.08 09:33:42.365 [85967] Removed from RemoteDeliveryQueue (2 queued or processing)
2020.04.08 09:33:44.881 [85967] Removing Spool message: Killed: False, Failed: False, Finished: True
2020.04.08 09:33:44.881 [85967] Delivery finished for VALID@EMAIL.COM at 09:33:44	[id:-1548961585967]

Incoming gateway smtp log

2020.04.08 09:33:58.948 [OUTGOINGGATEWAYIP][8752592] rsp: 220 INCOMINGGATEWAYHOST
2020.04.08 09:33:58.948 [OUTGOINGGATEWAYIP][8752592] connected at 2020-04-08 09:33:58
2020.04.08 09:33:58.948 [OUTGOINGGATEWAYIP][8752592] Country code: PL
2020.04.08 09:33:58.948 [OUTGOINGGATEWAYIP][8752592] IP in whitelist
2020.04.08 09:33:58.948 [OUTGOINGGATEWAYIP][8752592] IP in authentication bypass
2020.04.08 09:33:58.979 [OUTGOINGGATEWAYIP][8752592] cmd: EHLO OUTGOINGGATEWAYHOST
2020.04.08 09:33:58.979 [OUTGOINGGATEWAYIP][8752592] rsp: 250-INCOMINGGATEWAYHOST Hello [OUTGOINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-STARTTLS250-8BITMIME250-DSN250 OK
2020.04.08 09:33:59.026 [OUTGOINGGATEWAYIP][8752592] cmd: STARTTLS
2020.04.08 09:33:59.026 [OUTGOINGGATEWAYIP][8752592] rsp: 220 Start TLS negotiation
2020.04.08 09:33:59.276 [OUTGOINGGATEWAYIP][8752592] cmd: EHLO OUTGOINGGATEWAYHOST
2020.04.08 09:33:59.276 [OUTGOINGGATEWAYIP][8752592] rsp: 250-INCOMINGGATEWAYHOST Hello [OUTGOINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
2020.04.08 09:33:59.291 [OUTGOINGGATEWAYIP][8752592] cmd: MAIL FROM:<VALID@EMAIL.COM> RET=HDRS ENVID=092ddad7-50d5-4154-8211-42d73216e764 SIZE=3513
2020.04.08 09:33:59.291 [OUTGOINGGATEWAYIP][8752592] senderEmail(1): VALID@EMAIL.COM parsed using: <VALID@EMAIL.COM>
2020.04.08 09:33:59.291 [OUTGOINGGATEWAYIP][8752592] rsp: 250 OK <VALID@EMAIL.COM> Sender ok
2020.04.08 09:33:59.291 [OUTGOINGGATEWAYIP][8752592] Sender accepted. Weight: 0. Block threshold: 90. 
2020.04.08 09:33:59.323 [OUTGOINGGATEWAYIP][8752592] cmd: RCPT TO:<VALID@EMAIL.COM> NOTIFY=FAILURE
2020.04.08 09:33:59.323 [OUTGOINGGATEWAYIP][8752592] rsp: 250 OK <VALID@EMAIL.COM> Recipient ok
2020.04.08 09:33:59.354 [OUTGOINGGATEWAYIP][8752592] cmd: DATA
2020.04.08 09:33:59.354 [OUTGOINGGATEWAYIP][8752592] Performing PTR host name lookup for OUTGOINGGATEWAYIP
2020.04.08 09:33:59.354 [OUTGOINGGATEWAYIP][8752592] PTR host name for OUTGOINGGATEWAYIP resolved as OUTGOINGGATEWAYHOST
2020.04.08 09:33:59.354 [OUTGOINGGATEWAYIP][8752592] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2020.04.08 09:33:59.385 [OUTGOINGGATEWAYIP][8752592] senderEmail(2): SYSTEM@ADMIN.COM parsed using: "System Administrator Out 1" <SYSTEM@ADMIN.COM>
2020.04.08 09:33:59.603 [OUTGOINGGATEWAYIP][8752592] rsp: 250 OK
2020.04.08 09:33:59.603 [OUTGOINGGATEWAYIP][8752592] Received message size: 3518 bytes
2020.04.08 09:33:59.603 [OUTGOINGGATEWAYIP][8752592] Successfully wrote to the HDR file. (D:\Poczta\Spool\SubSpool5\-1587934859392.hdr)
2020.04.08 09:33:59.603 [OUTGOINGGATEWAYIP][8752592] Data transfer succeeded, writing mail to -1587934859392.eml (MessageID: <80bb30f8aaa84c0ba892d8e13f76d405@gmail.com>)
2020.04.08 09:33:59.619 [OUTGOINGGATEWAYIP][8752592] cmd: QUIT
2020.04.08 09:33:59.619 [OUTGOINGGATEWAYIP][8752592] rsp: 221 Service closing transmission channel
2020.04.08 09:33:59.619 [OUTGOINGGATEWAYIP][8752592] disconnected at 2020-04-08 09:33:59

incoming gateway delivery log

2020.04.08 09:34:00.992 [59392] Delivery started for VALID@EMAIL.COM (via bypass) at 09:34:00
2020.04.08 09:34:13.160 [59392] Added to SpamCheckQueue (0 queued; 1/30 processing)
2020.04.08 09:34:13.160 [59392] [SpamCheckQueue] Begin Processing.
2020.04.08 09:34:13.160 [59392] Starting Spam Checks.
2020.04.08 09:34:13.160 [59392] Skipping spam checks: User authenticated
2020.04.08 09:34:13.160 [59392] Spam Checks completed.
2020.04.08 09:34:13.160 [59392] Removed from SpamCheckQueue (0 queued or processing)
2020.04.08 09:34:16.217 [59392] Added to RemoteDeliveryQueue (0 queued; 1/50 processing)
2020.04.08 09:34:16.217 [59392] [RemoteDeliveryQueue] Begin Processing.
2020.04.08 09:34:16.217 [59392] Sending remote mail for VALID@EMAIL.COM
2020.04.08 09:34:16.217 [59392] Sending remote mail to: VALID@EMAIL.COM
2020.04.08 09:34:16.217 [59392] Initiating connection to PRIMARYSMLOCALIP
2020.04.08 09:34:16.217 [59392] Connecting to PRIMARYSMLOCALIP:25 (Id: 1)
2020.04.08 09:34:16.217 [59392] Binding to local IP INCOMINGGATEWAYLOCALIP (Id: 1)
2020.04.08 09:34:16.217 [59392] Connection to PRIMARYSMLOCALIP:25 from INCOMINGGATEWAYLOCALIP:63825 succeeded (Id: 1)
2020.04.08 09:34:16.217 [59392] RSP: 220 PRIMARYHOST
2020.04.08 09:34:16.217 [59392] CMD: EHLO INCOMINGGATEWAYHOST
2020.04.08 09:34:16.249 [59392] RSP: 250-PRIMARYHOST Hello [INCOMINGGATEWAYLOCALIP]
2020.04.08 09:34:16.249 [59392] RSP: 250-SIZE 104857600
2020.04.08 09:34:16.249 [59392] RSP: 250-AUTH LOGIN CRAM-MD5 NTLM
2020.04.08 09:34:16.249 [59392] RSP: 250-STARTTLS
2020.04.08 09:34:16.249 [59392] RSP: 250-8BITMIME
2020.04.08 09:34:16.249 [59392] RSP: 250-DSN
2020.04.08 09:34:16.249 [59392] RSP: 250 OK
2020.04.08 09:34:16.249 [59392] CMD: STARTTLS
2020.04.08 09:34:16.280 [59392] RSP: 220 Start TLS negotiation
2020.04.08 09:34:16.280 [59392] Certificate name mismatch.
2020.04.08 09:34:16.280 [59392] CMD: EHLO INCOMINGGATEWAYHOST
2020.04.08 09:34:16.373 [59392] RSP: 250-PRIMARYHOST Hello [INCOMINGGATEWAYLOCALIP]
2020.04.08 09:34:16.373 [59392] RSP: 250-SIZE 104857600
2020.04.08 09:34:16.373 [59392] RSP: 250-AUTH LOGIN CRAM-MD5 NTLM
2020.04.08 09:34:16.373 [59392] RSP: 250-8BITMIME
2020.04.08 09:34:16.373 [59392] RSP: 250-DSN
2020.04.08 09:34:16.373 [59392] RSP: 250 OK
2020.04.08 09:34:16.373 [59392] CMD: MAIL FROM:<VALID@EMAIL.COM> RET=HDRS ENVID=092ddad7-50d5-4154-8211-42d73216e764 SIZE=3735
2020.04.08 09:34:16.405 [59392] RSP: 550 Authentication is required for relay
2020.04.08 09:34:16.405 [59392] CMD: QUIT
2020.04.08 09:34:21.412 [59392] Removed from RemoteDeliveryQueue (0 queued or processing)
2020.04.08 09:34:22.348 [59392] Removing Spool message: Killed: True, Failed: False, Finished: False
2020.04.08 09:34:22.348 [59392] Delivery finished for VALID@EMAIL.COM at 09:34:22	[id:-1587934859392]

EDIT:

When it comes to delivery notification errors, I see that the latest notification I have is from August 2019 and it contains:

Return-Path: <>
Received: from INCOMINGGATEWAYHOST (UnknownHost [INCOMINGGATEWAYLOCALIP]) by PRIMARYHOST with SMTP
(version=TLS\Tls
cipher=Aes256 bits=256);
Mon, 19 Aug 2019 11:25:01 +0200
Received: from OUTGOINGGATEWAYHOST (OUTGOINGGATEWAYHOST [OUTGOINGGATEWAYIP]) by INCOMINGGATEWAYHOST with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Mon, 19 Aug 2019 11:23:32 +0200
Message-ID: <637018105916155383@OUTGOINGGATEWAYHOST>
From: "System Administrator"
To: VALID@EMAIL.COM
Date: Mon, 19 Aug 2019 11:23:11 +0200
Subject: Delivery Failure
Content-Type: text/plain
Auto-Submitted: auto-generated
X-SmarterMail-MessageType: Bounce
X-Exim-Id: 637018105916155383
X-SmarterMail-SmartHostSpam:
X-SmarterMail-SmartHostSpamWeight: 0
X-SmarterMail-SmartHostSpamSalt: 1230971332
X-SmarterMail-SmartHostSpamKey: 1913677964
X-SmarterMail-TotalSpamWeight: 0

headers, and in the incoming gateway delivery log it looked like this:

2019.08.19 11:23:33.382 [49393] Delivery started for  at 11:23:33
2019.08.19 11:23:33.382 [49393] Spool message was missing Return-Path; Also missing FROM header. If this is a system message this is normal behavior.
2019.08.19 11:23:43.693 [49393] Added to SpamCheckQueue (0 queued; 4/30 processing)
2019.08.19 11:23:43.693 [49393] [SpamCheckQueue] Begin Processing.
2019.08.19 11:23:43.693 [49393] Starting Spam Checks.
2019.08.19 11:23:43.693 [49393] Skipping spam checks: Bounce Message
2019.08.19 11:23:43.693 [49393] Spam Checks completed.
2019.08.19 11:23:43.693 [49393] Removed from SpamCheckQueue (3 queued or processing)
2019.08.19 11:23:46.954 [49393] Added to RemoteDeliveryQueue (0 queued; 2/50 processing)
2019.08.19 11:23:46.954 [49393] [RemoteDeliveryQueue] Begin Processing.
2019.08.19 11:23:46.954 [49393] Sending remote mail for 
2019.08.19 11:23:46.969 [49393] Sending remote mail to: VALID@EMAIL.COM
2019.08.19 11:23:46.969 [49393] Initiating connection to PRIMARYSMLOCALIP
2019.08.19 11:23:46.969 [49393] Connecting to PRIMARYSMLOCALIP:25 (Id: 1)
2019.08.19 11:23:46.969 [49393] Binding to local IP INCOMINGGATEWAYLOCALIP (Id: 1)
2019.08.19 11:23:46.985 [49393] Connection to PRIMARYSMLOCALI:25 from INCOMINGGATEWAYLOCALIP:59215 succeeded (Id: 1)
2019.08.19 11:23:46.985 [49393] RSP: 220 PRIMARYHOST
2019.08.19 11:23:46.985 [49393] CMD: EHLO INCOMINGGATEWAYHOST
2019.08.19 11:23:47.016 [49393] RSP: 250-PRIMARYHOST Hello [INCOMINGGATEWAYLOCALIP]
2019.08.19 11:23:47.016 [49393] RSP: 250-SIZE 104857600
2019.08.19 11:23:47.016 [49393] RSP: 250-AUTH LOGIN CRAM-MD5
2019.08.19 11:23:47.016 [49393] RSP: 250-STARTTLS
2019.08.19 11:23:47.016 [49393] RSP: 250-8BITMIME
2019.08.19 11:23:47.016 [49393] RSP: 250-DSN
2019.08.19 11:23:47.016 [49393] RSP: 250 OK
2019.08.19 11:23:47.016 [49393] CMD: STARTTLS
2019.08.19 11:23:47.047 [49393] RSP: 220 Start TLS negotiation
2019.08.19 11:23:47.047 [49393] Certificate name mismatch.
2019.08.19 11:23:47.047 [49393] CMD: EHLO INCOMINGGATEWAYHOST
2019.08.19 11:23:47.141 [49393] RSP: 250-PRIMARYHOST Hello [INCOMINGGATEWAYLOCALIP]
2019.08.19 11:23:47.141 [49393] RSP: 250-SIZE 104857600
2019.08.19 11:23:47.141 [49393] RSP: 250-AUTH LOGIN CRAM-MD5
2019.08.19 11:23:47.141 [49393] RSP: 250-8BITMIME
2019.08.19 11:23:47.141 [49393] RSP: 250-DSN
2019.08.19 11:23:47.141 [49393] RSP: 250 OK
2019.08.19 11:23:47.141 [49393] CMD: MAIL FROM:<> RET=HDRS ENVID=36162033-8423-4c1f-909d-3399e3de68b1 SIZE=2834
2019.08.19 11:23:47.172 [49393] RSP: 250 OK <> Sender ok
2019.08.19 11:23:47.172 [49393] CMD: RCPT TO:<VALID@EMAIL.COM> NOTIFY=NEVER
2019.08.19 11:23:47.203 [49393] RSP: 250 OK <VALID@EMAIL.COM> Recipient ok
2019.08.19 11:23:47.203 [49393] CMD: DATA
2019.08.19 11:23:47.266 [49393] RSP: 354 Start mail input; end with <CRLF>.<CRLF>
2019.08.19 11:23:47.484 [49393] RSP: 250 OK
2019.08.19 11:23:47.484 [49393] CMD: QUIT
2019.08.19 11:23:47.547 [49393] RSP: 221 Service closing transmission channel
2019.08.19 11:23:47.547 [49393] Delivery for  to VALID@EMAIL.COM has completed (Delivered)
2019.08.19 11:23:47.547 [49393] Removed from RemoteDeliveryQueue (2 queued or processing)
2019.08.19 11:23:50.011 [49393] Removing Spool message: Killed: False, Failed: False, Finished: True
2019.08.19 11:23:50.011 [49393] Delivery finished for  at 11:23:50	[id:71549393]

so as you can see there was an empty FROM field:

2019.08.19 11:23:47.141 [49393] CMD: MAIL FROM:<> RET=HDRS ENVID=36162033-8423-4c1f-909d-3399e3de68b1 SIZE=2834

which was not triggering spoofing protection, and that's why it was delivering the bounce to its sender.
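
The two outcomes contrasted in the logs above (a bounce relayed with the original sender in MAIL FROM and refused with 550, versus one relayed with MAIL FROM:<> and delivered) can be picked out of gateway logs automatically. This is an added example, not part of the thread and not SmarterMail code; the sample lines, addresses, session ids, and the function and label names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lines modelled on the log format quoted in the thread.
# Addresses, hosts, IPs, ENVIDs and session ids are made up for this example.
SAMPLE_LOG = """\
2020.04.08 09:33:59.291 [192.0.2.10][1001] cmd: MAIL FROM:<user@example.com> RET=HDRS ENVID=constructed-1 SIZE=3513
2020.04.08 09:33:59.291 [192.0.2.10][1001] senderEmail(1): user@example.com parsed using: <user@example.com>
2020.04.08 09:33:59.291 [192.0.2.10][1001] rsp: 250 OK <user@example.com> Sender ok
2020.04.08 09:33:59.323 [192.0.2.10][1001] cmd: RCPT TO:<user@example.com> NOTIFY=FAILURE
2020.04.08 09:33:59.323 [192.0.2.10][1001] rsp: 250 OK <user@example.com> Recipient ok
2020.04.08 09:33:59.385 [192.0.2.10][1001] senderEmail(2): postmaster@gw.example.net parsed using: "System Administrator" <postmaster@gw.example.net>
2020.04.08 09:34:16.373 [2002] CMD: MAIL FROM:<user@example.com> RET=HDRS ENVID=constructed-1 SIZE=3735
2020.04.08 09:34:16.405 [2002] RSP: 550 Authentication is required for relay
2019.08.19 11:23:47.141 [3003] CMD: MAIL FROM:<> RET=HDRS ENVID=constructed-2 SIZE=2834
2019.08.19 11:23:47.172 [3003] RSP: 250 OK <> Sender ok
2019.08.19 11:23:47.172 [3003] CMD: RCPT TO:<user@example.com> NOTIFY=NEVER
2019.08.19 11:23:47.203 [3003] RSP: 250 OK <user@example.com> Recipient ok
"""

# "<date> <time> [peer-ip][session] body" (inbound SMTP log) or
# "<date> <time> [session] body" (delivery log).
PREFIX = re.compile(r"^\S+ \S+ (?:\[[^\]]+\])?\[(?P<sid>\d+)\] (?P<body>.*)$")
MAIL_FROM = re.compile(r"^cmd: MAIL FROM:\s*<(?P<addr>[^>]*)>", re.I)
RCPT_TO = re.compile(r"^cmd: RCPT TO:\s*<(?P<addr>[^>]*)>", re.I)
RSP = re.compile(r"^rsp: (?P<code>\d{3})[ -]", re.I)
HDR_FROM = re.compile(r"^senderEmail\(2\): (?P<addr>\S+) parsed using", re.I)


@dataclass
class Session:
    mail_from: Optional[str] = None       # envelope sender; "" is the null sender <>
    mail_from_code: Optional[int] = None  # reply code given to MAIL FROM
    rcpt_to: List[str] = field(default_factory=list)
    header_from: Optional[str] = None     # From: header as logged by senderEmail(2)
    awaiting_reply: bool = False          # True between MAIL FROM and its reply


def parse_sessions(lines: Iterable[str]) -> Dict[str, Session]:
    """Group log lines by session id and keep the envelope facts per session."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = PREFIX.match(line.rstrip())
        if not m:
            continue
        s = sessions.setdefault(m["sid"], Session())
        body = m["body"]
        if (mf := MAIL_FROM.match(body)):
            s.mail_from, s.awaiting_reply = mf["addr"].lower(), True
        elif (rc := RCPT_TO.match(body)):
            s.rcpt_to.append(rc["addr"].lower())
        elif (hf := HDR_FROM.match(body)):
            s.header_from = hf["addr"].lower()
        elif (rs := RSP.match(body)) and s.awaiting_reply:
            # The first reply after MAIL FROM is the verdict on the sender.
            s.mail_from_code, s.awaiting_reply = int(rs["code"]), False
    return sessions


def classify(s: Session, local_domains: Set[str]) -> str:
    """local_domains: lowercase domains hosted on the primary server (assumption)."""
    if s.mail_from is None:
        return "no-mail-from"
    if s.mail_from == "":
        return "null-sender-accepted" if s.mail_from_code == 250 else "null-sender-rejected"
    domain = s.mail_from.rpartition("@")[2]
    if s.mail_from_code == 550 and domain in local_domains:
        return "local-sender-rejected"
    # Heuristic for the bounce shape seen in the thread: the message is addressed
    # back to its own envelope sender while the From: header names someone else.
    if s.header_from and s.header_from != s.mail_from and s.mail_from in s.rcpt_to:
        return "dsn-with-non-null-sender"
    return "other"


def report(log_text: str, local_domains: Set[str]) -> Dict[str, str]:
    return {sid: classify(s, local_domains)
            for sid, s in parse_sessions(log_text.splitlines()).items()}


if __name__ == "__main__":
    for sid, verdict in report(SAMPLE_LOG, {"example.com"}).items():
        print(sid, verdict)
```

Sessions labelled `dsn-with-non-null-sender` on the inbound side are the ones that later show up as `local-sender-rejected` on the hop to the primary server.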
 
0
Sébastien Riccio Replied
The trouble you have here seems to be 1) because the outgoing gateway bounces with a from when it should use <> and because of this, as you have Enable Domain's SMTP auth setting for local deliveries in your primary server, it will reject unauthenticated deliveries from/to the same domain.

This setting has no effect for open relay though. It only prevents local domains from being spammed when spammers spoof the FROM with a domain local to your server.

Your two options here are to disable this option or to find out why your outgoing gateway is bouncing mails using the original sender FROM instead of <>.


"Bounce messages in SMTP are sent with the envelope sender address <>, known as the null sender address. They are frequently sent with a From: header address of MAILER-DAEMON at the recipient site."

It looks like your outgoing gateway is not respecting this.

Sébastien Riccio
System & Network Admin

0
Webio Replied
You know .. I use SmarterMail for both incoming and outgoing gateways (all in latest version - 7398).

The From field inside the bounce can be set in Configuration -> System Messages

but when it is empty, take a look at what the SMTP communication between the outgoing and incoming gateways looks like:

2020.04.08 15:38:07.485 [OUTGOINGGATEWAYIP][33492459] rsp: 220 INCOMINGGATEWAYHOST
2020.04.08 15:38:07.485 [OUTGOINGGATEWAYIP][33492459] connected at 2020-04-08 15:38:07
2020.04.08 15:38:07.485 [OUTGOINGGATEWAYIP][33492459] Country code: PL
2020.04.08 15:38:07.485 [OUTGOINGGATEWAYIP][33492459] IP in whitelist
2020.04.08 15:38:07.485 [OUTGOINGGATEWAYIP][33492459] IP in authentication bypass
2020.04.08 15:38:07.500 [OUTGOINGGATEWAYIP][33492459] cmd: EHLO OUTGOINGGATEWAYHOST
2020.04.08 15:38:07.500 [OUTGOINGGATEWAYIP][33492459] rsp: 250-INCOMINGGATEWAYHOST Hello [OUTGOINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-STARTTLS250-8BITMIME250-DSN250 OK
2020.04.08 15:38:07.532 [OUTGOINGGATEWAYIP][33492459] cmd: STARTTLS
2020.04.08 15:38:07.532 [OUTGOINGGATEWAYIP][33492459] rsp: 220 Start TLS negotiation
2020.04.08 15:38:07.781 [OUTGOINGGATEWAYIP][33492459] cmd: EHLO OUTGOINGGATEWAYHOST
2020.04.08 15:38:07.781 [OUTGOINGGATEWAYIP][33492459] rsp: 250-INCOMINGGATEWAYHOST Hello [OUTGOINGGATEWAYIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
2020.04.08 15:38:07.812 [OUTGOINGGATEWAYIP][33492459] cmd: MAIL FROM:<VALIDSENDER@EMAIL.COM> RET=HDRS ENVID=bc01368e-ab20-4759-bae4-7282bf428d7a SIZE=4362
2020.04.08 15:38:07.812 [OUTGOINGGATEWAYIP][33492459] senderEmail(1): VALIDSENDER@EMAIL.COM parsed using: <VALIDSENDER@EMAIL.COM>
2020.04.08 15:38:07.812 [OUTGOINGGATEWAYIP][33492459] rsp: 250 OK <VALIDSENDER@EMAIL.COM> Sender ok
2020.04.08 15:38:07.812 [OUTGOINGGATEWAYIP][33492459] Sender accepted. Weight: 0. Block threshold: 90. 
2020.04.08 15:38:07.828 [OUTGOINGGATEWAYIP][33492459] cmd: RCPT TO:<VALIDSENDER@EMAIL.COM> NOTIFY=FAILURE
2020.04.08 15:38:07.844 [OUTGOINGGATEWAYIP][33492459] rsp: 250 OK <VALIDSENDER@EMAIL.COM> Recipient ok
2020.04.08 15:38:07.859 [OUTGOINGGATEWAYIP][33492459] cmd: DATA
2020.04.08 15:38:07.875 [OUTGOINGGATEWAYIP][33492459] Performing PTR host name lookup for OUTGOINGGATEWAYIP
2020.04.08 15:38:07.875 [OUTGOINGGATEWAYIP][33492459] PTR host name for OUTGOINGGATEWAYIP resolved as OUTGOINGGATEWAYHOST
2020.04.08 15:38:07.875 [OUTGOINGGATEWAYIP][33492459] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] senderEmail(2): noreply@gmail.com parsed using: "System Administrator Out 2" <noreply@gmail.com>
2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] rsp: 250 OK
2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] Received message size: 4367 bytes
2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] Successfully wrote to the HDR file. (D:\Poczta\Spool\SubSpool3\-1823561386490.hdr)
2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] Data transfer succeeded, writing mail to -1823561386490.eml (MessageID: <b22bf36c2b454e1680f59cbd83275639@gmail.com>)
2020.04.08 15:38:07.953 [OUTGOINGGATEWAYIP][33492459] cmd: QUIT
2020.04.08 15:38:07.953 [OUTGOINGGATEWAYIP][33492459] rsp: 221 Service closing transmission channel
2020.04.08 15:38:07.953 [OUTGOINGGATEWAYIP][33492459] disconnected at 2020-04-08 15:38:07

as you can see here:

2020.04.08 15:38:07.812 [OUTGOINGGATEWAYIP][33492459] cmd: MAIL FROM:<VALIDSENDER@EMAIL.COM> RET=HDRS ENVID=bc01368e-ab20-4759-bae4-7282bf428d7a SIZE=4362

in the SMTP session the sender email is still being used in the FROM field. The only thing which is changing is that

2020.04.08 15:38:07.906 [OUTGOINGGATEWAYIP][33492459] senderEmail(2): noreply@gmail.com parsed using: "System Administrator Out 2" <noreply@gmail.com>

is being used in the bounce content as email sender. Whatever you do, there will still be the sender email address used in the communication:

primary server -> outgoing gateway -> incoming gateway -> primary server

where the primary server will reject the connection from the incoming gateway with a 550 error, because the FROM field contains an email domain configured on the local server, so the external connection looks like a spoofed message.

EDIT: If @Merle is on v15 then it is not affecting his environment. For sure it worked last year in August or maybe later. I don't remember when I upgraded from v15 to v17 (I've skipped v16) but I think it was before that. Maybe this has something to do with some changes in SM core.
0
Sébastien Riccio Replied
I see yes, then maybe it's a bug in SmarterMail when used as outgoing gateway and sending bounces.

I can't really try to replicate it as we are using E.F.A filtering appliance as incoming gateway and a custom made outgoing gateway (Haraka MTA+rspamd).

Maybe someone from SmarterTools can shed some light on this topic ?
Sébastien Riccio
System & Network Admin

0
Webio Replied
I have an open ticket with ST, started on the 18th of February, regarding this issue. Now I wanted to reach out to the community to find out if anyone else has experienced this issue too.

EDIT: There is a big probability that I upgraded the outgoing gateway in August from v15 to 17, and v17 was used on the primary server before that date, and since v15 system messages had an empty FROM header it was working fine then (so this is something which is not related to the August changes in the v17 changelog)
0
Webio Replied
Basically, having the possibility to also change the email address in the FROM field during the SMTP session between outgoing gateway and incoming gateway for bounce or delivery notifications would allow me to fix this problem (some may make this FROM field empty and some may just provide their own noreply email address). There could be two fields (one for the FROM field in the SMTP session and one for the FROM field inside the bounce/delivery message) or just the one field which is already there, which would be used for both the SMTP session and the bounce/delivery message content.
0
Sébastien Riccio Replied
Yeah, I personally can't help you much more here. A temporary workaround until there is another solution is to disable the AUTH for local deliveries setting.

Sébastien Riccio
System & Network Admin

0
Webio Replied
Enabling:

Enable Domain's SMTP auth setting for local deliveries 

is allowing to connect to SmarterMail and perform SMTP message sending to local users located on server to which you are connecting without authentication so IMHO this can be called partial open relay. I've just tested connecting to my server using simple PHP script using phpmailer library where SMTPAuth param was set to false.

EDIT: Also this didn't allow the bounce message to be delivered anyway (I didn't look into the logs but the bounce message was not delivered for sure).
0
Sébastien Riccio Replied
An open relay is a smtp server that allows you to send mail to external domain without requiring auth. Allowing to send mail to local domains without auth is not an open relay :)

Have you tried disabling this setting on both your incoming and primary server ?

EDIT: if you disable auth for local deliveries, you can prevent local domain spoofing by spammers by having correct SPF records for your local domains, as the spoofer remote ip would not match your domain SPF requirements.

Sébastien Riccio
System & Network Admin

0
Webio Replied
I have more than 5k mail domains with a lot of users and if remote script is connecting to local server and can send emails to all local mailboxes without authentication then for me it is open relay :)

I'm thinking about installing SM v16 or SM v15 on outgoing gateways which will probably fix my problem right away.
0
Webio Replied
Just to update this thread:

Some of the next releases will use "MAIL FROM <>" so this will cover this problem.
0
Merle Wait Replied
Just FYI .....
We have two licenses.... and have SM15 and SM17 ..
Have verified via SM Ticket & Technician .. that SM17 DOES NOT work without outbound gateways that are SM15. Could not get SM17 to logon to authorize properly .. to SM15x. (This was as of Feb 17th.)

Next week (April 21), we are changing out one of our outbound gateways to be SM17, to see if SM15x will talk to an SM17 correctly. We'll see what other weird behavior occurs.
