Kerio User Forums » Kerio Connect » Hosted Exchange Issue (Customer having trouble with a vendor)

pcunix

A customer needs to be able to accept email from a specific vendor.

Unfortunately, mail from this vendor comes from a whole pile of different IP addresses and most are not in DNS and therefore rejected (rightfully so).

The vendor, of course, is using O365 and responded thusly:

If you are a cloud-only organization with all mailboxes in Exchange Online, create an SPF record that identifies the Microsoft messaging servers as a legitimate source of mail for your domain. To do this, create a TXT record with the following value:


v=spf1 include:spf.protection.outlook.com all


That won't help my customer as Kerio's SPF check only reacts negatively.

Any suggestions?

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com

tonyswu

Your client doesn't need the SPF record, your client's vendor does. Another way is just to whitelist the vendor's domain.

pcunix

You aren't understanding.

Yes, the vendor added the SPF record. As I said, that doesn't help my client.

AFAIK, you can't whitelist the DNS check. That rejection happens before the message is even accepted on most MTAs and I imagine Connect does the same.

[Updated on: Fri, 28 June 2013 00:30]


tonyswu

1. Can you post the reject log from Connect?
2. Have you tried whitelisting?

pcunix

Whitelist what? We don't have a list of IP addresses. There has to be a way to extract that from the include in the SPF record. That was my first thought, but I couldn't find anything online that my customer can use. I suppose I could write something, but I'd rather not if I can get it elsewhere.

Petr Dobry (Kerio)

All your client needs to do is to add into his domain's TXT SPF record include:spf.protection.outlook.com. Assuming that Microsoft has all his IPs included in spf.protection.outlook.com correctly.

You can find the IPs by resolving their SPF records:

$ dig +short spf.protection.outlook.com TXT
"v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com -all"

You will have to do it recursively.

Petr Dobry
Product Development Manager | Kerio

pcunix

Petr Dobry (Kerio) wrote on Fri, 28 June 2013 04:47
All your client needs to do is to add into his domain's TXT SPF record include:spf.protection.outlook.com. Assuming that Microsoft has all his IPs included in spf.protection.outlook.com correctly.


I assume you meant that MY customer's vendor needs to add it, which he says he has done. However, the Connect server is still rejecting because of failed DNS.

I see nothing in Kerio documentation that says a positive SPF result is a whitelist. Can you tell me where it says that? Not doubting you necessarily, but if the issue is that Microsoft doesn't keep that include up to date, we need to prove that to him.

Petr Dobry (Kerio) wrote on Fri, 28 June 2013 04:47

You can find IPs with resolving their SPF records:

$ dig +short spf.protection.outlook.com TXT
"v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com -all"


You will have to do it recursively.


Yeah. I know. What a pain that is. Do you know of any tool/website where my customer can get it in one entry?

$ nslookup -q=TXT spf-a.outlook.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
spf-a.outlook.com text = "v=spf1 ip4:157.56.232.0/21 ip4:157.56.240.0/20 ip4:207.46.198.0/25 ip4:207.46.4.128/25 ip4:157.56.24.0/25 ip4:157.55.157.128/25 ip4:157.55.61.0/24 ip4:157.55.49.0/25 ip4:65.55.174.0/25 ip4:65.55.126.0/25 ip4:65.55.113.64/26 ip4:65.55.94.0/25 -all"

Authoritative answers can be found from:


$ nslookup -q=TXT spf-b.outlook.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
spf-b.outlook.com text = "v=spf1 ip4:65.55.78.128/25 ip4:111.221.112.0/21 ip4:207.46.58.128/25 ip4:111.221.69.128/25 ip4:111.221.66.0/25 ip4:111.221.23.128/25 ip4:70.37.151.128/25 ip4:157.56.248.0/21 ip4:213.199.177.0/26 ip4:157.55.225.0/25 ip4:157.55.11.0/25 -all"

[Updated on: Fri, 28 June 2013 11:33]


Pavel Dobry (Kerio)

Are the emails rejected because of a missing PTR for the server IP addresses or because of an invalid SPF?
Otherwise I see no correlation between DNS PTR and SPF, and making a perfect SPF makes no sense as it is not a whitelist for a missing PTR.

[Updated on: Fri, 28 June 2013 11:40]

pcunix

Oh, and of course

nslookup -q=TXT spf.messaging.outlook.com
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find spf.messaging.outlook.com: NXDOMAIN


pcunix

Pavel Dobry (Kerio) wrote on Fri, 28 June 2013 05:40
Are the emails rejected because of a missing PTR for the server IP addresses or because of an invalid SPF?
Otherwise I see no correlation between DNS PTR and SPF, and making a perfect SPF makes no sense as it is not a whitelist for a missing PTR.



They are rejected for DNS.

That's what I said originally: SPF isn't going to stop missing DNS. Apparently SOME servers react to a positive SPF by whitelisting, but Connect doesn't (AFAIK).


pcunix

And clear me up on this: will the PTR check be stopped by whitelisting anyway? In other words, is whitelisting checked before you do PTR checks?

I assumed that it is, which is where this all started: I need an easy way for the customer to get the list of IPs. If no such tool exists, I'll have to write one, but I already see that is a problem as that nslookup -q=TXT spf.messaging.outlook.com fails.

[Updated on: Fri, 28 June 2013 12:04]


Petr Dobry (Kerio)

Passing SPF check does not automatically whitelist sender server in other anti-spam tests.

Quote:
I assume you meant that MY customer's vendor needs to add it, which he says he has done.
I'm lost as to who's who now. It must be the one who's managing the customer's DNS domain.

pcunix

OK, never mind, I know who is who.

Anyway:

I wrote some quick code that will recurse through and get the IPs. It's a pain, though, because he'll need to run that regularly to update the whitelists.

pcunix

For anyone who needs it, the rough, non-debugged code is:

#!/usr/bin/perl
# getspf.pl: recursively expand the include: mechanisms of an SPF record
# and print the ip4:/ip6: networks it authorises, one per line.
use strict;
use warnings;

my $domain = shift @ARGV or die "usage: $0 domain\n";
my %seen;                              # stops include loops and duplicate expansion
getit($domain);

sub getit {
    my $domain = shift;
    return if $seen{ lc $domain }++;
    my $quoted = quotemeta $domain;    # dots in the name must match literally
    foreach (`nslookup -q=TXT $domain`) {
        # nslookup prints:  name<TAB>text = "v=spf1 ..."   (a long record may be
        # split into several quoted strings, so drop every quote before splitting)
        next unless /^$quoted\s+text\s*=\s*(.*)$/i;
        my $txt = $1;
        $txt =~ s/"//g;
        next unless $txt =~ s/^v=spf1\s*//i;
        foreach my $term (split /\s+/, $txt) {
            next if $term =~ /^[-~?+]?all$/;           # terminal qualifier, not a network
            print "$term\n";
            if ($term =~ /^(?:include:|redirect=)(\S+)$/) {
                getit($1);                             # recurse into the referenced record
            } elsif ($term !~ /^ip[46]:/) {
                warn "$term: a/mx/ptr/exists need a live resolver, not expanded\n";
            }
        }
    }
}



The results look like this:

$ getspf.pl spf.protection.outlook.com
include:spf-a.outlook.com

ip4:157.56.232.0/21
ip4:157.56.240.0/20
ip4:207.46.198.0/25
ip4:207.46.4.128/25
ip4:157.56.24.0/25
ip4:157.55.157.128/25
ip4:157.55.61.0/24
ip4:157.55.49.0/25
ip4:65.55.174.0/25
ip4:65.55.126.0/25
ip4:65.55.113.64/26
ip4:65.55.94.0/25
include:spf-b.outlook.com

ip4:65.55.78.128/25
ip4:111.221.112.0/21
ip4:207.46.58.128/25
ip4:111.221.69.128/25
ip4:111.221.66.0/25
ip4:111.221.23.128/25
ip4:70.37.151.128/25
ip4:157.56.248.0/21
ip4:213.199.177.0/26
ip4:157.55.225.0/25
ip4:157.55.11.0/25
include:spf-c.outlook.com

ip4:157.55.9.128/25
ip4:157.55.47.0/24
ip4:157.55.224.128/25
ip4:157.56.96.0/24
ip4:157.56.106.0/24
ip4:132.245.0.0/16
include:spf.messaging.microsoft.com

include:spfa.frontbridge.com

ip4:157.55.116.128/26
ip4:157.55.133.0/24
ip4:157.55.158.0/23
ip4:157.55.234.0/24
ip4:157.56.112.0/24
ip4:157.56.116.0/25
ip4:157.56.120.0/25
ip4:207.46.100.0/24
ip4:207.46.108.0/25
ip4:207.46.163.0/24
ip4:134.170.140.0/24
ip4:157.56.110.0/23
include:spfb.frontbridge.com

ip4:207.46.51.64/26
ip4:213.199.154.0/24
ip4:213.199.180.128/26
ip4:216.32.180.0/23
ip4:64.4.22.64/26
ip4:65.55.83.128/27
ip4:65.55.169.0/24
ip4:65.55.88.0/24
ip4:94.245.120.64/26
ip4:131.107.0.0/16
ip4:157.56.73.0/24
ip4:134.170.132.0/24
include:spfc.frontbridge.com

ip4:207.46.101.128/26
ip6:2a01:111:f400:7c00::/54
ip6:2a01:111:f400:fc00::/54
ip4:157.56.87.192/26
ip4:157.55.40.32/27
ip4:157.56.123.0/27
ip4:157.56.91.0/27
ip4:157.55.206.0/24
ip4:157.55.207.0/24
ip4:157.56.206.0/23
ip4:157.56.208.0/22

pcunix

I'll post that code at my website later today. With luck, somebody will find this or that and say "Dude! You don't need to do that! Just do.."

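Petr Dobry's dig-and-recurse instruction and the Perl script pcunix posted both end in a flat list of networks for the MTA's IP whitelist. The block below is an added example, not code from this thread or from Kerio, that performs the same include: expansion in Python with two checks the thread's script does not have: the RFC 7208 limit of ten DNS-querying mechanisms per evaluation, and a permerror when an include target has no SPF record (what a live resolver reports as the NXDOMAIN pcunix saw for the mistyped spf.messaging.outlook.com). It also tests a connecting IP against the expanded list, which is the check a whitelist actually performs. DNS answers are embedded as a constructed table built from the TXT records quoted in the thread (June 2013 values, long since changed), so it runs offline; the -all on spf.messaging.microsoft.com is an assumption, since the thread's output does not show that record's qualifier.

```python
"""Expand an SPF include:/redirect= chain into ip4:/ip6: networks and test a
connecting IP against them.  DNS answers are embedded so this runs offline."""
import ipaddress

# Constructed stand-in for DNS TXT lookups: the 2013 records quoted in the thread.
TXT_RECORDS = {
    "spf.protection.outlook.com":
        "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com "
        "include:spf-c.outlook.com include:spf.messaging.microsoft.com -all",
    "spf-a.outlook.com":
        "v=spf1 ip4:157.56.232.0/21 ip4:157.56.240.0/20 ip4:207.46.198.0/25 "
        "ip4:207.46.4.128/25 ip4:157.56.24.0/25 ip4:157.55.157.128/25 ip4:157.55.61.0/24 "
        "ip4:157.55.49.0/25 ip4:65.55.174.0/25 ip4:65.55.126.0/25 ip4:65.55.113.64/26 "
        "ip4:65.55.94.0/25 -all",
    "spf-b.outlook.com":
        "v=spf1 ip4:65.55.78.128/25 ip4:111.221.112.0/21 ip4:207.46.58.128/25 "
        "ip4:111.221.69.128/25 ip4:111.221.66.0/25 ip4:111.221.23.128/25 ip4:70.37.151.128/25 "
        "ip4:157.56.248.0/21 ip4:213.199.177.0/26 ip4:157.55.225.0/25 ip4:157.55.11.0/25 -all",
    "spf-c.outlook.com":
        "v=spf1 ip4:157.55.9.128/25 ip4:157.55.47.0/24 ip4:157.55.224.128/25 "
        "ip4:157.56.96.0/24 ip4:157.56.106.0/24 ip4:132.245.0.0/16 -all",
    "spf.messaging.microsoft.com":   # the "-all" is assumed; the thread's output omits it
        "v=spf1 include:spfa.frontbridge.com include:spfb.frontbridge.com "
        "include:spfc.frontbridge.com -all",
    "spfa.frontbridge.com":
        "v=spf1 ip4:157.55.116.128/26 ip4:157.55.133.0/24 ip4:157.55.158.0/23 "
        "ip4:157.55.234.0/24 ip4:157.56.112.0/24 ip4:157.56.116.0/25 ip4:157.56.120.0/25 "
        "ip4:207.46.100.0/24 ip4:207.46.108.0/25 ip4:207.46.163.0/24 ip4:134.170.140.0/24 "
        "ip4:157.56.110.0/23 -all",
    "spfb.frontbridge.com":
        "v=spf1 ip4:207.46.51.64/26 ip4:213.199.154.0/24 ip4:213.199.180.128/26 "
        "ip4:216.32.180.0/23 ip4:64.4.22.64/26 ip4:65.55.83.128/27 ip4:65.55.169.0/24 "
        "ip4:65.55.88.0/24 ip4:94.245.120.64/26 ip4:131.107.0.0/16 ip4:157.56.73.0/24 "
        "ip4:134.170.132.0/24 -all",
    "spfc.frontbridge.com":
        "v=spf1 ip4:207.46.101.128/26 ip6:2a01:111:f400:7c00::/54 ip6:2a01:111:f400:fc00::/54 "
        "ip4:157.56.87.192/26 ip4:157.55.40.32/27 ip4:157.56.123.0/27 ip4:157.56.91.0/27 "
        "ip4:157.55.206.0/24 ip4:157.55.207.0/24 ip4:157.56.206.0/23 ip4:157.56.208.0/22 -all",
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 s4.6.4: include/redirect/a/mx/ptr/exists per evaluation


class SpfPermError(Exception):
    """Evaluation cannot complete: missing record, unsupported term or lookup cap hit."""


def expand_spf(domain, txt_records, _seen=None, _budget=None):
    """Return the ip_network objects a record authorises with the "+" qualifier,
    following include: and redirect= recursively.  A name absent from txt_records
    stands for a live NXDOMAIN / missing TXT, which RFC 7208 makes a permerror."""
    seen = _seen if _seen is not None else set()
    budget = _budget if _budget is not None else [MAX_DNS_LOOKUPS]
    name = domain.lower().rstrip(".")
    if name in seen:                       # already expanded; also breaks include loops
        return []
    seen.add(name)
    record = txt_records.get(name)
    if record is None or not record.lower().startswith("v=spf1"):
        raise SpfPermError(f"no SPF record for {name}")
    networks = []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            break                          # terminal mechanism; later terms never run
        if mech.startswith(("ip4:", "ip6:")):
            if qualifier == "+":           # only "pass" networks belong on a whitelist
                networks.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith(("include:", "redirect=")):
            budget[0] -= 1                 # the cap is shared across the whole recursion
            if budget[0] < 0:
                raise SpfPermError(f"more than {MAX_DNS_LOOKUPS} DNS-querying mechanisms")
            sep = ":" if mech.startswith("include:") else "="
            if qualifier == "+":
                networks.extend(expand_spf(mech.split(sep, 1)[1], txt_records, seen, budget))
        else:
            raise SpfPermError(f"{term}: a/mx/ptr/exists need live DNS, not handled here")
    return networks


def sender_authorised(ip, networks):
    """True when the connecting address lies inside one of the expanded networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    nets = expand_spf("spf.protection.outlook.com", TXT_RECORDS)
    for net in nets:
        print(net)                         # one CIDR per line, ready for a whitelist
    print(sender_authorised("132.245.10.20", nets))
```

To run it against live DNS, replace the dictionary with a resolver that returns the joined TXT strings (a subprocess around dig or nslookup, as pcunix's script does, or dnspython); the logic is unchanged. The output is for the MTA's IP whitelist, not for SPF itself, which, as Petr Dobry notes above, passes or fails independently of the other anti-spam tests. Because cloud senders add and remove ranges, the list has to be regenerated on a schedule, which is the maintenance burden pcunix points out.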