ORF Whitelisting all incoming email - ORF Forums

ORF Whitelisting all incoming email RSS Back to forum

1

Next to each incoming email in the log is "Email whitelisted (email from a trusted intermediate host or intranet)." ORF is letting all spam through because of this.

Any ideas?

by Jonathan 6 years ago
2

Hi,

is the source inside the same IP Segment than your own ORF host? Or is ORF receiving from another smarthost declared as intermediate host?

Regards
Norbert

by NorbertFe 6 years ago
3

Hi Norbert. No the source is not in the same segment and there is no intermediate host. It's a pretty simple single exchange server setup. Every email received comes directly from the outside world.

by Jonathan 6 years ago
4

@Jonathan: Do you see this logged at Before Arrival or at On Arrival? What is the IP address logged? If it is an intranet IP address, that means some software or hardware appliance on your intranet removes the original sender information from the headers, so ORF identify the original sender host (i.e., it considers the intranet host as the sender, and as it treats intranet hosts as Intermediate Hosts, the email gets whitelisted). For more information, see the following help topic:

http://vamsoft.com/r?o-hto-headeranalysis

We have seen such behavior with ISA/Forefront servers:

http://vamsoft.com/support/docs/faq#header-issue

But other things may also cause this. To solve the problem, the host should be configured to preserve the original headers.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

5

@Krisztián Fekete (Vamsoft): Hi,

I see it logged "On Arrival". Here is a screenshot with my email address removed for privacy.

http://oi41.tinypic.com/28bforb.jpg

I checked the message headers from a test message I sent from my gmail account (below) and wonder if it is seeing the firewall (192.168.100.1 as an intermediate?). My mail server is 192.168.100.2. I have substituted the actual domain with mydomain.com for privacy.

Received: from mail-ee0-f45.google.com (192.168.100.1) by mail.mydomain.com
(192.168.100.2) with Microsoft SMTP Server (TLS) id 8.0.813.0; Tue, 20 Aug
2013 11:03:10 -0400
Received: by mail-ee0-f45.google.com with SMTP id c50so264104eek.4 for
; Tue, 20 Aug 2013 08:03:14 -0700 (PDT)

by Jonathan 6 years ago
(in reply to this post)

6

@Jonathan: Yes, it seems the firewall is the one to blame. It rewrites the original source IP in the header with its own, which is considered an Intermediate Host.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

7

Is there any way to have ORF exclude the firewalls IP address as a trusted host?

Strange thing is I have another Exchange 2007/ORF box on the same firewall and it is working fine. I will take a look at the firewall polices and see if I can see anything which doesnt match the other setup.

by Jonathan 6 years ago
8

@Jonathan: No, as far as I know, there is no way to declare any host in the same subnet as "untrusted". So you have to re-configure your Firewall not to rewrite the Sender IP address.

Regards
Norbert

by NorbertFe 6 years ago
(in reply to this post)

9

Looks like a question for my firewall manufacturer. As far as I can see its configured the same as our other mail server so I must be missing something.

Thanks for your help.

by Jonathan 6 years ago
10

@Jonathan: The problem is, even if you could configure ORF not to consider intranet IPs as Intermediate Hosts (you cannot), the original IP is simply not there. As many blacklist tests are based on the source IP, they would not work. As Norbert mentioned, the only solution is configuring the firewall not to remove any information from the original headers, so ORF could "look behind" the firewall to determine who the real sender was.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

11

@Krisztián Fekete (Vamsoft): Yes I cmopletely understand. I just need to work out why the firewall is affecting the headers. It is not happening with the other mail server. I would think it should just NAT the SMTP traffic and nothing else. Oh well. I will work it out eventually.

by Jonathan 6 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2