Look past cloud-based email gateways
Idea shared by Douglas Foster - 9/6/2022 at 11:16 AM
Currently my MX is a server running SmarterMail Free, configured as an incoming gateway, and using Declude as its primary filtering mechanism. When SM calls Declude, it creates a .HDR file with summary information about the message, including Source IP, HELO name, and Reverse DNS name. I use these attributes in some of my Declude processing.

I would like to evaluate the cloud-based vendors, but I don't want to change the behavior of my existing SM+Declude filtering at all. This means that I want SM to look behind the cloud server systems and put the prior server information into the HDR file.

The exact nature of the look-behind is a little hard to predict until I go further with one of the vendors, but I don't think SM can do anything close to this right now.

For example, if the cloud solution is Proofpoint, the look-behind rule should probably be:
"Skip prior Received records if:
HELO or Reverse DNS name ends with pphosted.com, and a matching name is forward-confirmed to the Source IP
The Source IP is a private IP address"

This rule ensures that the Received skip only occurs if the message is verifiably from Proofpoint, while allowing for a variable number of hops within the Proofpoint environment, and recognizing that the intermediate hops may traverse systems using a Private IP address.

When the skip is invoked, the information passed to the .HDR file should become the values from the Source IP and HELO name from the first non-skipped Received header, plus the recalculated Reverse DNS host name.
