Allowed Spoofed Email (Email sent on our behalf from external mail server problem)
Allowed Spoofed Email [message #127138] Wed, 13 January 2016 21:13
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
We have an e-commerce site that sends email confirmations to our customers as well as a confirming email to an alias on our Kerio Connect server (v8.5.3).

Our e-commerce vendor recently made a change in the system to use Amazon SES for its email processing. Since then we've not been able to receive these emails because Kerio Connect blocks them with this error message.

Quote:
[13/Jan/2016 11:46:13] SMTP: Message from IP address 54.240.8.86 was rejected because of missing authentication for local domain sender <contact<_at_>wiscoind.com>.


These confirming emails use our alias "contact<_at_>wiscoind.com" as the sending email address. This is so the customers who receive order confirmations can reply to the email to contact us directly.

What do I have to do to allow these emails to be successfully received by our Kerio Connect server?
Re: Allowed Spoofed Email [message #127139 is a reply to message #127138] Wed, 13 January 2016 21:50
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
BobH wrote on Wed, 13 January 2016 21:13

What do I have to do to allow these emails to be successfully received by our Kerio Connect server?


I would start in our KnowledgeBase: http://kb.kerio.com/1491

If you let Amazon send emails from your email domain, then make sure that your SPF record in DNS is correct. And you must either create an exception in Sender Policy or configure Amazon to use authentication when contacting your Kerio Connect server.


Re: Allowed Spoofed Email [message #127140 is a reply to message #127139] Wed, 13 January 2016 22:20
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
I reviewed the KB article. We have "User must authenticate in order to send messages from a local domain." checked. We do not have "Reject messages with spoofed local domain" checked.

I'm not clear on why these emails from Amazon with spoofed addresses are being blocked. The error message regarding "missing authentication" should logically only apply to emails generated by Kerio Connect's SMTP server. Since these emails come from Amazon, why should authentication apply?

On SPF records, an Amazon SES help doc says

Quote:
Amazon SES sends your emails from a "Mail-From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication.


We currently have Kerio Connect SPF Checking enabled and we have "Add spam score to message: 3" set.

Since we are not seeing any error messages based on SPF showing up in the Kerio Connect logs, it doesn't appear this is an issue with these emails. These messages are not showing up in the SPAM logs, only in the security log.
Re: Allowed Spoofed Email [message #127142 is a reply to message #127140] Wed, 13 January 2016 23:28
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
BobH wrote on Wed, 13 January 2016 22:20
I reviewed the KB article. We have "User must authenticate in order to send messages from a local domain." checked. We do not have "Reject messages with spoofed local domain" checked.

I'm not clear on why these emails from Amazon with spoofed addresses are being blocked. The error message regarding "missing authentication" should logically only apply to emails generated by Kerio Connect's SMTP server. Since these emails come from Amazon, why should authentication apply?

Because you have "User must authenticate in order to send messages from a local domain." enabled. The server does exactly what you have configured. Anyone (including the Amazon mail client) MUST authenticate if they want to send an email with a From address of your email domain to your server. "Spoofed local domain sender policy" is the next level of security, which verifies not only the domain but also the email address of the user who authenticated to the server when sending an email.
Quote:

On SPF records, an Amazon SES help doc says

Quote:
Amazon SES sends your emails from a "Mail-From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication.


We currently have Kerio Connect SPF Checking enabled and we have "Add spam score to message: 3" set.

Since we are not seeing any error messages based on SPF showing up in the Kerio Connect logs, it doesn't appear this is an issue with these emails. These messages are not showing up in the SPAM logs, only in the security log.


Amazon obviously does not own your email domain - your Kerio Connect server does. So although the SPF check on your server is ok (which is expected, as all emails with your domain from Amazon are rejected and thus not checked at all), other servers on the Internet probably reject the emails because of invalid SPF. Or put them directly into the Junk Email folder.


Re: Allowed Spoofed Email [message #127164 is a reply to message #127138] Thu, 14 January 2016 14:49
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
This is getting pretty deep into email stuff I'm not so clear on. Here is an excerpt of the source email header that I'm trying to understand. This comes from a test email sent to a personal email account I have with an ISP, from the e-commerce provider. The email went through to this address with no problem.

Quote:
Return-Path: < 000001523c036e1d-5d408e1b-8d2f-4354-adff-e0db2b51c7b0-000000 <_at_>amazonses.com>
Received: from impin008 ([68.114.189.32])
by mtain006.msg.strl.va.charter.net
(InterMail vM.9.00.021.00 201-2473-182) with ESMTP
id <20160113172324.OETV11894.mtain006.msg.strl.va.charter.net@impin008>
for <bhartung<_at_>charter.net>; Wed, 13 Jan 2016 11:23:24 -0600
Received: from a8-94.smtp-out.amazonses.com ([54.240.8.94])
by impin008 with charter.net
id 5VPQ1s01F21juU601VPQ5p; Wed, 13 Jan 2016 11:23:24 -0600
...


From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact<_at_>wiscoind.com>
Reply-To: contact<_at_>wiscoind.com

To: bhartung<_at_>charter.net
Subject: Testing Email From Website


The first two red lines seem to clearly identify the origin of the email as coming from Amazon SES, not our domain. That would seem consistent with Amazon's help document saying it would be their SPF records that would satisfy SPF checking by other mail servers.

The third red line appears to be setting an equivalency for our alias address. I'm guessing this equivalency is to some internal Amazon value.

Seeing this additional detail, how would you interpret our Kerio Connect server rejecting this email?
Re: Allowed Spoofed Email [message #127165 is a reply to message #127164] Thu, 14 January 2016 15:24
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
Your SPF record does include amazonses.com SPF TXT record and also IP address scope ip4:54.240.0.0/18. Therefore your SPF is fine and covers also Amazon servers.

The third line says "From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact<_at_>wiscoind.com>". Sender email address is from your domain. And your server is configured to reject those emails if the user does not authenticate first.
You can either configure Amazon to use authentication in SMTP when sending email to your server or configure Kerio Connect to exclude all Amazon IP addresses from this security setting. In your case it would be creating an IP address group with following network scopes: ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18.
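The check discussed in this thread, as an added example that is not part of the original posts and is not Kerio Connect code: it separates the envelope sender (Return-Path, which SPF evaluates) from the header From address (which the "must authenticate for local domain" rule evaluates) and applies an IP exception group. The function names, the decision strings and the constructed sample message are assumptions.

```python
import ipaddress
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical names; this models the policy and is not Kerio Connect code.
LOCAL_DOMAINS = {"wiscoind.com"}
# Exception group built from the network scopes quoted in the thread.
AMAZON_GROUP = [ipaddress.ip_network(n) for n in
                ("199.255.192.0/22", "199.127.232.0/22", "54.240.0.0/18")]

# Constructed sample based on the header excerpt quoted in the thread
# (placeholder Return-Path local part, addresses written with "@").
SAMPLE = (
    "Return-Path: <bounce-id@amazonses.com>\n"
    "From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact@wiscoind.com>\n"
    "Reply-To: contact@wiscoind.com\n"
    "Subject: Testing Email From Website\n"
    "\n"
    "body\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def sender_domains(raw):
    """Return (envelope sender domain, header From domain)."""
    msg = message_from_string(raw)
    # Return-Path records the SMTP envelope MAIL FROM; SPF is checked on it.
    return domain_of(msg["Return-Path"]), domain_of(msg["From"])

def display_name(raw):
    """Decode the RFC 2047 encoded-word in front of the From address."""
    name = parseaddr(message_from_string(raw)["From"] or "")[0]
    return str(make_header(decode_header(name))).strip()

def decide(raw, client_ip, authenticated, exceptions=()):
    """Model of 'user must authenticate to send from a local domain'."""
    _, from_domain = sender_domains(raw)
    if from_domain not in LOCAL_DOMAINS:
        return "accept: sender is not a local domain"
    if authenticated:
        return "accept: session is authenticated"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in exceptions):
        return "accept: client IP is in the exception group"
    return "reject: missing authentication for local domain sender"
```

The exception trusts the whole listed address range, so any sender relaying through those networks can use the local domain in From without authenticating.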


Re: Allowed Spoofed Email [message #127167 is a reply to message #127165] Thu, 14 January 2016 16:01
Petr Dobry (Kerio)
Messages: 405
Registered: November 2003

Kerio Technologies
Amazon SES uses MX for delivery and can't be configured to use SMTP AUTH.

Petr Dobry
Product Development Manager | Kerio
Re: Allowed Spoofed Email [message #127169 is a reply to message #127138] Thu, 14 January 2016 16:35
BobH
Messages: 66
Registered: March 2005
Location: Oregon, WI USA
I can confirm that Amazon does not support SMTP Authentication, so I did enter the exceptions that you sent me into our Kerio Connect Whitelist, as the IP Group Amazon, under the sender policy (see attached jpg).

The result was that a test email sent from the e-commerce website was able to successfully be delivered to my company email address.

Thank you so much for your patience and help.