Allowed Spoofed Email [message #127138] |
Wed, 13 January 2016 21:13  |
BobH
Messages: 66 Registered: March 2005 Location: Oregon, WI USA
|
|
|
|
We have an e commerce site that sends email confirmations to our customers as well as a confirming email to an alias on our Kerio Connect server (v8.5.3).
Our e commerce vendor recently made a change in the system to use AmazonSES for it's email processing. Since then we've not been able to receive these emails because Kerio Connect blocks them with this error message.
Quote:[13/Jan/2016 11:46:13] SMTP: Message from IP address 54.240.8.86 was rejected because of missing authentication for local domain sender <contact<_at_>wiscoind.com>.
These confirming emails use our alias "contact<_at_>wiscoind.com" as the sending email address. This is so the customers who receive order confirmations can reply to the email to contact us directly.
What do I have to do to allow these emails to be successfully received by our Kerio Connect server?
|
|
|
|
Re: Allowed Spoofed Email [message #127140 is a reply to message #127139] |
Wed, 13 January 2016 22:20   |
BobH
Messages: 66 Registered: March 2005 Location: Oregon, WI USA
|
|
|
|
I reviewed the KB article. We have "User must authenticate in order to send messages from a local domain." checked. We do not have "Reject messages with spoofed local domain" checked.
I'm not clear on why these emails from Amazon with spoofed addresses are being blocked. The error message regarding "missing authentication" should logically only apply to emails generated by Kerio Connect's SMTP server. Since these emails come from Amazon, why should authentication apply?
On SPF records, an Amazon SES help doc says
Quote:Amazon SES sends your emails from a "Mail-From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication.
We currently have Kerio Connect SPF Checking enabled and we have "Add spam score to message: 3" set.
Since we are not seeing any error messages based on SPF showing up in the Kerio Connect logs, it doesn't appear this is an issue with these emails. These messages are not showing up in the SPAM logs, only in the security log.
|
|
|
|
Re: Allowed Spoofed Email [message #127164 is a reply to message #127138] |
Thu, 14 January 2016 14:49   |
BobH
Messages: 66 Registered: March 2005 Location: Oregon, WI USA
|
|
|
|
This is getting pretty deep into email stuff I'm not so clear on. Here is an excerpt of the source email header that I'm trying to understand. This comes from a test email sent to a personal email account I have with an ISP, from the e commerce provider . The email went through to this address with no problem.
Quote: Return-Path: < 000001523c036e1d-5d408e1b-8d2f-4354-adff-e0db2b51c7b0-000000 <_at_>amazonses.com>
Received: from impin008 ([68.114.189.32])
by mtain006.msg.strl.va.charter.net
(InterMail vM.9.00.021.00 201-2473-182) with ESMTP
id <20160113172324.OETV11894.mtain006.msg.strl.va.charter.net@impin008>
for <bhartung<_at_>charter.net>; Wed, 13 Jan 2016 11:23:24 -0600
Received: from a8-94.smtp-out.amazonses.com ([54.240.8.94])
by impin008 with charter.net
id 5VPQ1s01F21juU601VPQ5p; Wed, 13 Jan 2016 11:23:24 -0600
...
From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact<_at_>wiscoind.com>
Reply-To: contact<_at_>wiscoind.com
To: bhartung<_at_>charter.net
Subject: Testing Email From Website
The first two red lines seem to clearly identify the origin of the email as coming from Amazon SES, not our domain. That would seem consistent with Amazon's help document saying it would be their SPF records that would satisfy SPF checking by other mail servers.
The third red line appears to be setting an equivalency for our alias address. I'm guessing this equivalency is to some internal Amazon value.
Seeing this additional detail, how would you interpret our Kerio Connect server rejecting this email?
|
|
|
|
|
Re: Allowed Spoofed Email [message #127169 is a reply to message #127138] |
Thu, 14 January 2016 16:35  |
BobH
Messages: 66 Registered: March 2005 Location: Oregon, WI USA
|
|
|
|
I can confirm that Amazon does not support SMTP Authentication so I did enter the acceptations that you sent me into our Kerio Connect Whitelist, as the IP Group Amazon, under the sender policy (see attached jpg).
The result was that a test email sent from the e commerce website was able to successfully be delivered to my company email address.
Thank you so much for your patience and help.
|
|
|