Messages sent from Smartphones rejected because of SPAM
  •  
urbandot

Messages: 22
Karma: 0
Hi,

We are using Kerio Connect latest version with some i-Phones.

The problem is that authenticated users sending e-mails from their i-Phones are rejected by the SMTP server because IPs belong to black lists.

This happens very often, and I am looking for a workaround to prevent this from happening all the time.

I can see that I can whitelist a range of IPs but in this case, this is useless.

Do you know how to whitelist a domain ?
E.g.: ALL e-mails sent from *@mydomain.com are CLEAN (bypass the anti-spam).

Thank you in advance.

Stéphane.
  •  
freakinvibe

Messages: 1554
Karma: 63
The Spamhaus Policy Block List (PBL) for example, is listing all dynamic IP addresses that should never send mail directly.

You can bypass blacklist checking, by sending via SMTP submission port 587. You have to configure that on your iPhone.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
urbandot

Messages: 22
Karma: 0
Urgent help needed !!!

We are about to lose a client, totally exhausted because of this issue !!!

We do not manage to solve the problem.

We tried by switching to port 587 / SSL on all i-Phone terminals. It just made no difference at all.

Every time a user from this company tries to send a mail from an i-Phone, the server logs the same error in the Security journal :

"IP... found in DNS blacklist SpamHaus (or DNSBL)"
"Relay attempt... rejected"

Any help appreciated.

S.
  •  
freakinvibe

Messages: 1554
Karma: 63
Can you post the exact log entries?

First, make sure the SMTP Submission service is running on port 587. Then make sure you have the authentication correct on the iPhone. Submissions on port 587 will never be checked against Blacklists, but they must be authenticated.

If you see "Relay attempt rejected", this means you have not authenticated successfully.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
maxreefer

Messages: 97
Karma: 0
freakinvibe wrote on Tue, 02 August 2011 16:28

....
If you see "Relay attempt rejected", this means you have not authenticated successfully.


Or just check if "Users authenticated through SMTP server for outgoing mail" option is flagged and "Enable rating of messages sent from trustworthy relay agents defined in SMTP relay options" unflagged

[Updated on: Tue, 02 August 2011 16:34]

  •  
urbandot

Messages: 22
Karma: 0
The Client reassures me that the option is checked on his terminals.

This is what I get in the logs :

[02/Aug/2011 14:18:06] IP address 80.11.180.208 found in DNS blacklist SpamHaus SBL-XBL, mail from <XXXXXXXXXX> to <XXXXXXXXXX>
[02/Aug/2011 14:18:06] IP address 80.11.180.208 found in DNS blacklist SORBS DNSBL, mail from <XXXXXXXXXX> to <XXXXXXXXXX>
[02/Aug/2011 14:18:06] Relay attempt from IP address 80.11.180.208, mail from <XXXXXXXXXX> to <XXXXXXXXXX> rejected

S.
  •  
urbandot

Messages: 22
Karma: 0
maxreefer wrote on Tue, 02 August 2011 16:32
freakinvibe wrote on Tue, 02 August 2011 16:28

....
If you see "Relay attempt rejected", this means you have not authenticated successfully.


Or just check if "Users authenticated through SMTP server for outgoing mail" option is flagged and "Enable rating of messages sent from trustworthy relay agents defined in SMTP relay options" unflagged


Users authenticated through SMTP server for outgoing mail :
Option is flagged

Enable rating of messages sent from trustworthy relay agents defined in SMTP relay options :
Option is not flagged

  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Why don't they use Exchange account instead of IMAP/SMTP?
  •  
maxreefer

Messages: 97
Karma: 0
can you see in "Mail" log something like
[02/Aug/2011 15:27:36] Recv: Queue-ID: 4e37fb46-00031929, Service: SMTP, From: <youruser@yourdomain.com>, To: <username@domain.com>, Size: 191017, Sender-Host: 100.100.100.100, User: youruser@yourdomain.com

the bold text means the authenticated user is using your server as SMTP
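Added example, not part of the thread or of Kerio's own tooling: a small Python script that correlates the Security log entries quoted earlier (DNSBL hit followed by "Relay attempt ... rejected") with Mail log "Recv:" lines, to see whether a rejected client IP ever produced an authenticated submission (a `User:` field). The log formats are taken from the lines quoted in this thread; the sample addresses, the second Queue-ID and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input in the formats quoted in this thread.
SECURITY_LOG = """\
[02/Aug/2011 14:18:06] IP address 80.11.180.208 found in DNS blacklist SpamHaus SBL-XBL, mail from <a@example.com> to <b@example.net>
[02/Aug/2011 14:18:06] IP address 80.11.180.208 found in DNS blacklist SORBS DNSBL, mail from <a@example.com> to <b@example.net>
[02/Aug/2011 14:18:06] Relay attempt from IP address 80.11.180.208, mail from <a@example.com> to <b@example.net> rejected
[02/Aug/2011 14:20:11] IP address 192.0.2.7 found in DNS blacklist SORBS DNSBL, mail from <x@example.org> to <a@example.com>
"""
MAIL_LOG = """\
[02/Aug/2011 15:27:36] Recv: Queue-ID: 4e37fb46-00031929, Service: SMTP, From: <youruser@yourdomain.com>, To: <username@domain.com>, Size: 191017, Sender-Host: 100.100.100.100, User: youruser@yourdomain.com
[02/Aug/2011 15:30:02] Recv: Queue-ID: 4e37fb46-0003192a, Service: SMTP, From: <x@example.org>, To: <youruser@yourdomain.com>, Size: 2048, Sender-Host: 192.0.2.7
"""

DNSBL_RE = re.compile(r"IP address (\S+) found in DNS blacklist (.+?), mail from <")
RELAY_RE = re.compile(r"Relay attempt from IP address (\S+), mail from <([^>]*)> to <[^>]*> rejected")
RECV_RE = re.compile(r"Recv: .*?Service: SMTP, .*?Sender-Host: ([^,\s]+)(?:, User: (\S+))?")

def rejected_relays(security_log):
    """Map each IP with a rejected relay attempt to its senders and DNSBL listings."""
    lists, rejected = defaultdict(set), {}
    for line in security_log.splitlines():
        if m := DNSBL_RE.search(line):
            lists[m.group(1)].add(m.group(2))
        elif m := RELAY_RE.search(line):
            rejected.setdefault(m.group(1), set()).add(m.group(2))
    return {ip: {"senders": sorted(s), "dnsbl": sorted(lists[ip])}
            for ip, s in rejected.items()}

def authenticated_hosts(mail_log):
    """Map Sender-Host to the users seen on SMTP Recv lines that carry a User: field."""
    hosts = defaultdict(set)
    for line in mail_log.splitlines():
        m = RECV_RE.search(line)
        if m and m.group(2):  # no User: field means the session was not authenticated
            hosts[m.group(1)].add(m.group(2))
    return hosts

def triage(security_log, mail_log):
    """For every rejected relay IP, report listings and any authenticated mail from it."""
    auth = authenticated_hosts(mail_log)
    return {ip: {**info, "authenticated_from_same_ip": sorted(auth.get(ip, []))}
            for ip, info in rejected_relays(security_log).items()}

if __name__ == "__main__":
    for ip, info in triage(SECURITY_LOG, MAIL_LOG).items():
        print(ip, info)
```

An IP that shows up with DNSBL listings, a rejected relay attempt and no authenticated `User:` entry is a client that never completed SMTP authentication from that address, which is the situation the replies above describe.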
  •  
urbandot

Messages: 22
Karma: 0
maxreefer wrote on Tue, 02 August 2011 16:54
can you see in "Mail" log something like
[02/Aug/2011 15:27:36] Recv: Queue-ID: 4e37fb46-00031929, Service: SMTP, From: <youruser@yourdomain.com>, To: <username@domain.com>, Size: 191017, Sender-Host: 100.100.100.100, User: youruser@yourdomain.com

the bold text means the authenticated user is using your server as SMTP


That is merely impossible to say as the users send a lot of mail using the webmail, outlook, AND the i-Phone.

S.
  •  
freakinvibe

Messages: 1554
Karma: 63
You should use a test iPhone and setup a connection. As pdobry correctly states, you should preferably use an ActiveSync connection (by choosing "Exchange" in the mail setup). This will prevent any blacklisting issues. Once you got that running, you have to send instructions to your client, how to set the iPhone up.

If they absolutely need to setup an SMTP connection instead of ActiveSync, they must use authentication on port 587.

[Updated on: Tue, 02 August 2011 17:49]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
p0ddie

Messages: 242
Karma: -3
It is very common to use a mobile data connection to send spam, so most of the ip pools of mobile providers are on blacklists. I had this behavior with a customer too who connected to Kerio with IMAP. Had him use Activesync, this never happened again.

Convince your customer that this is a security feature and not a flaw and explain to them that your spam filtering is top notch and very strict, that's why they need to use Activesync.

If for some weird reason they can't use Activesync, then they will need to

- either have their cell phone provider provide them with a custom APN with a different ip range that can be whitelisted by you
- or you need to provide them with vpn access so they can open a vpn tunnel to send mails
- you need to disable blacklisting altogether and, if spam becomes too much of a problem, use a firewall that supports anti spam stuff. Protip: If you're not in Asia or Russia and are not involved with these countries, have your firewall block these countries altogether.

It's as simple as that.

To make it short: Trying to send with smtp over a gsm connection will most likely result in Kerio blocking your IP through a blacklist before you can even authenticate with smtp.
  •  
urbandot

Messages: 22
Karma: 0
Thank you very much for your very nice and effective support.

I will give your solutions a try tomorrow ; I have just informed my and I now wait for his return with this.

I will bring him assistance on how to setup the device.

I will let you know the result.

Cheers.

S.
  •  
urbandot

Messages: 22
Karma: 0
Hi,

I managed to convince my Client last week to switch to ACTIVESYNC on the iPhone.
Unfortunately, users there do not manage to connect to the KERIO server.

They get this error message : "Authentication could not be verified" (in French) on their mobile phone.

These are the settings currently being used :

Email : user@domain.com
Server : ssl.domain.com
Domain : domain.com
Name : user@domain.com
Password : XXXXXX
Use SSL : Yes

S.
  •  
p0ddie

Messages: 242
Karma: -3
That's because you are using a self signed certificate on your server.

The iPhones try to connect with ssl by default (which is a good thing).

Tell your users to accept the unsigned certificate

or

buy a valid ssl certificate for your server (starting at 50€/year)

or

shutdown port 443 and https altogether and have them connect only via unsafe, unencrypted plain http (NOT recommended).

Depending on how much you charge for the service / how professional you want to be, I can highly recommend to buy a ssl certificate if you have more than 5 users and if you can somehow manage to budget the 50-100€ for the certificate.