Sending email from blacklisted IP
  •  
sonofcolin

I have seen this happen more and more frequently. Our users travel all over the world and use webmail to send messages. Our mailserver is not listed on any blacklists, but if a user sends a message from a public network via our server, the message can be blocked. One domain which uses Barracuda sends a nice informative message, explaining that the IP of the sender (city wide public wifi network) is on X blacklist. However, the mail gateway (our server) isn't. Having pointed this out to the admin, the situation is easily rectified. However, some domains (like .mac) silently drop the messages.

Feature request: Is it possible to configure webmail to hide/change the public IP of where the sender is logged in from? It could just be the public IP of the SMTP server, as this is where the message is originating from.
  •  
sonofcolin

It seems that Gmail doesn't include the IP address of the sender when using the web interface but does when using an SMTP client (as per RFC).

I'll make this an official feature request.
  •  
sgongola

I don't understand what is happening and where gmail is involved?
An RBL lookup does not use the contents of the received headers. It is based on the relay/server contacting the recipient. If you are using Kerio webmail, it should be either your mail server address or the address of the mail relay from your ISP.
  •  
sonofcolin

Here's an example from webmail:
Quote:

Return-Path: <sender<_a.t_>ourserver.com>
X-Original-To: user<_a.t_>destination.com
Delivered-To: user<_a.t_>destination.com
Received: from mail.ourserver.com (mail.ourserver.com [xx.xxx.xxx.xxx])
    by destination.com (Postfix) with ESMTP id 3B876165C84
    for <user<_a.t_>destination.com>; Fri, 12 Jun 2009 04:32:10 -0700 (PDT)
Received: from [xx.xx.101.66] ([xx.xx.101.66])
    by mail.ourserver.com
    for user<_a.t_>destination.com;
    Fri, 12 Jun 2009 04:32:08 -0700
To: "User" <user<_a.t_>destination.com>
From: "Sender" <sender<_a.t_>ourserver.com>
Organization: xxx
Subject: test headers
Message-ID: <20090612113208.fa061f79<_a.t_>mail.ourserver.com>
Date: Fri, 12 Jun 2009 04:32:08 -0700
X-User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10)
    Gecko/2009042315 Firefox/3.0.10
MIME-Version: 1.0


Notice 'Received: from [xx.xx.101.66] ([xx.xx.101.66])' This is the public IP of someone using a wifi network.

Here is the same message sent via Gmail webmail:
Quote:

Return-Path: <user<_a.t_>googlemail.com>
X-Original-To: user<_a.t_>destination.com
Delivered-To: user<_a.t_>destination.com
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.248])
    by destination.com (Postfix) with ESMTP id BEE7E165D61
    for <user<_a.t_>destination.com>; Fri, 12 Jun 2009 05:45:44 -0700 (PDT)
Received: by an-out-0708.google.com with SMTP id d14so1138758and.41
    for <user<_a.t_>destination.com>; Fri, 12 Jun 2009 05:45:43 -0700 (PDT)


The 'Received: from' does not include the public IP address of the sender, only the public IP of Google's MTA.
  •  
sonofcolin

Quote:

An RBL lookup does not use the contents of the received headers. It is based on the relay/server contacting the recipient. If you are using Kerio webmail, it should be either your mail server address or the address of the mail relay from your ISP.

True for an RBL, but other gateway anti-spam appliances perform other checks and the received headers do get analysed.
  •  
sgongola

AOL has the originating external ip address in a Received header.
Yahoo Mail has the originating external ip address in a Received header.
Gmail has a Received header without the ip address but some other encoded information.

I can see how the information would be useful in tracking down the origin of a message for various reasons. With gmail, you would have to contact gmail support-good luck with that.

We too have problems with proprietary security based mailers/filters where error messages don't get passed through properly or they are too aggressive in mail management. Just as we have to adjust kerio to block spam but not block good mails, they have to do likewise.

  •  
TorW

A filter that rejects a message because it finds an IP deep down in the headers which is on a blacklist, is seriously broken! Be it in the MTA's configuration, the admin's understanding of SMTP or in the vendor's design.

Spamhaus specifically warns about NOT looking up anything but the IP that contacts your MTA, because neither the sender nor the receiver can possibly know all the hops of a message. Plus, the vast majority of mail is sent by legitimate clients that are inevitably found on blacklists with dynamic IP addresses. Look up the one you're using at home right now!

sonofcolin: can you verify that Apple (i.e. .mac) actually rejects messages if anything other than the last IP in the Received-headers is on a blacklist?

  •  
sonofcolin

Quote:

sonofcolin: can you verify that Apple (i.e. .mac) actually rejects messages if anything other than the last IP in the Received-headers is on a blacklist?

Yes, after a long discussion with apple tech support, they added our MTA to their whitelist. They asked for mail headers of problem messages and then whitelisted our server.

This is a known issue. Gmail deliberately removes the Received header from webmail clients for this very reason (and replaces it with the outbound SMTP gateway). I would like to have this option in Kerio. I cannot change the policies of the recipient mailserver admin. As far as RFC goes, I believe that all SMTP hops should be shown in the mail headers. As the webmail client isn't sending via SMTP, this would not be a violation.
  •  
sonofcolin

Quote:

WARNING! Some post-delivery filters use "full Received line traversal" or "deep parsing", where the filter reads all the IPs in the Received lines. Legitimate users, correctly sending good mail out through their ISP's smarthost, will have PBL-listed IPs show up in the first (lowest) Received header where their ISP picks it up. Such mail should not be blocked! So, you should tell your filters to stop comparing IPs against PBL at the IP which hands off to your mail server!

If all mailserver admins adhered to this advice, then we wouldn't have a problem. But many don't and we do have issues. Kerio, give us the option for our remote users to use webmail and not have their public IP sent in the mail headers (please).
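
The difference between checking only the hand-off IP and "deep parsing" every Received line, as an added example that is not part of the original thread. The sample message, the `pbl.example` zone and the `LISTED` set are constructed, and no DNS lookup is performed.

```python
import re
from email import message_from_string

# Constructed sample modelled on the thread's webmail headers (RFC 5737 addresses).
RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby mx.example.net (Postfix) with ESMTP id 3B876165C84
\tfor <user@example.net>; Fri, 12 Jun 2009 04:32:10 -0700 (PDT)
Received: from [198.51.100.66] ([198.51.100.66])
\tby mail.example.org
\tfor user@example.net;
\tFri, 12 Jun 2009 04:32:08 -0700
From: "Sender" <sender@example.org>
To: "User" <user@example.net>
Subject: test headers

body
"""

# Constructed stand-in for a blocklist zone: query names that would resolve.
LISTED = {"66.100.51.198.pbl.example"}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_name(ip, zone="pbl.example"):
    """DNSBL query name: the IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def received_ips(raw):
    """Peer IP recorded in each Received header, newest hop first."""
    ips = []
    for hdr in message_from_string(raw).get_all("Received", []):
        from_clause = re.split(r"(?:^|\s)by\s", hdr, maxsplit=1)[0]
        found = BRACKETED_IP.findall(from_clause)
        if found:
            ips.append(found[-1])  # last bracket = address the MTA saw
    return ips


def handoff_check(raw):
    """Test only the hop that handed the message to our own MTA."""
    return [ip for ip in received_ips(raw)[:1] if dnsbl_name(ip) in LISTED]


def deep_parse_check(raw):
    """'Deep parsing': test every hop, which flags the webmail user's IP."""
    return [ip for ip in received_ips(raw) if dnsbl_name(ip) in LISTED]
```

On this sample `handoff_check` flags nothing while `deep_parse_check` flags the roaming client's address, which is the false positive described in the thread. A receiving MTA would normally take the hand-off IP from the SMTP connection itself; the topmost Received header is used here only because it is the one written by the receiving server.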
  •  
sgongola

Strange, if Apple is blocking webmail based on the original sending ip address, not just the latest mta contacting it, then they would also be blocking emails sent via yahoo, aol, outlook, thunderbird, etc. I don't think that is the case or they would be losing a lot of business. Maybe they are?

BTW, why bother masking address xx.xx.101.66, I am curious to know where it is. Showing a transient public ip address is not a security risk for anyone.
  •  
TorW

sgongola wrote on Tue, 16 June 2009 15:35

Strange, if Apple is blocking webmail based on the original sending ip address, not just the latest mta contacting it, then they would also be blocking emails sent via yahoo, aol, outlook, thunderbird, etc. I don't think that is the case or they would be losing a lot of business. Maybe they are?


The realities of operating a mail server mean Yahoo, GMail, Hotmail and the rest of the freemail domains are the first IPs to go in the whitelist. I mean, we have users who prefer using Hotmail over KMS' webmail when they are out on the road. I guess there's no such thing as "too convenient" :(
  •  
sonofcolin

Quote:

Strange, if Apple is blocking webmail based on the original sending ip address, not just the latest mta contacting it, then they would also be blocking emails sent via yahoo, aol, outlook, thunderbird, etc. I don't think that is the case or they would be losing a lot of business. Maybe they are?


As I stated, gmail helps its user base by not publishing this info in the headers.
Quote:


BTW, why bother masking address xx.xx.101.66, I am curious to know where it is. Showing a transient public ip address is not a security risk for anyone.

Simple. I don't want you to know where I am :)
  •  
TorW

(rolling eyes)

[Updated on: Wed, 17 June 2009 14:26]

  •  
sonofcolin

There is a difference between 'where' and 'who.' Now use your edit button. Thanks.
  •  
jfitzell

sonofcolin wrote on Sat, 13 June 2009 04:46
Quote:
sonofcolin: can you verify that Apple (i.e. .mac) actually rejects messages if anything other than the last IP in the Received-headers is on a blacklist?

Yes, after a long discussion with apple tech support, they added our MTA to their whitelist. They asked for mail headers of problem messages and then whitelisted our server.



Hi sonofcolin,

I'm experiencing exactly the same problem with me.com (owned by Apple). Would you mind telling me how you contacted Apple? I'm not a customer and I can't find a relevant contact.

Cheers,
James