Allowed Spoofed Email (Email sent on our behalf from external mail server problem)
  •  
BobH

We have an e-commerce site that sends email confirmations to our customers as well as a confirming email to an alias on our Kerio Connect server (v8.5.3).

Our e-commerce vendor recently made a change in the system to use Amazon SES for its email processing. Since then we've not been able to receive these emails because Kerio Connect blocks them with this error message.

Quote:
[13/Jan/2016 11:46:13] SMTP: Message from IP address 54.240.8.86 was rejected because of missing authentication for local domain sender <contact<_at_>wiscoind.com>.


These confirming emails use our alias "contact<_at_>wiscoind.com" as the sending email address. This is so the customers who receive order confirmations can reply to the email to contact us directly.

What do I have to do to allow these emails to be successfully received by our Kerio Connect server?
  •  
Pavel Dobry (Kerio)

BobH wrote on Wed, 13 January 2016 21:13

What do I have to do to allow these emails to be successfully received by our Kerio Connect server?


I would start in our KnowledgeBase: http://kb.kerio.com/1491

If you let Amazon send emails from your email domain, then make sure that your SPF record in DNS is correct. And you must either create an exception in Sender Policy or configure Amazon to use authentication when contacting your Kerio Connect server.
  •  
BobH

I reviewed the KB article. We have "User must authenticate in order to send messages from a local domain." checked. We do not have "Reject messages with spoofed local domain" checked.

I'm not clear on why these emails from Amazon with spoofed addresses are being blocked. The error message regarding "missing authentication" should logically only apply to emails generated by Kerio Connect's SMTP server. Since these emails come from Amazon, why should authentication apply?

On SPF records, an Amazon SES help doc says

Quote:
Amazon SES sends your emails from a "Mail-From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication.


We currently have Kerio Connect SPF Checking enabled and we have "Add spam score to message: 3" set.

Since we are not seeing any error messages based on SPF showing up in the Kerio Connect logs, it doesn't appear this is an issue with these emails. These messages are not showing up in the SPAM logs, only in the security log.
  •  
Pavel Dobry (Kerio)

BobH wrote on Wed, 13 January 2016 22:20
I reviewed the KB article. We have "User must authenticate in order to send messages from a local domain." checked. We do not have "Reject messages with spoofed local domain" checked.

I'm not clear on why these emails from Amazon with spoofed addresses are being blocked. The error message regarding "missing authentication" should logically only apply to emails generated by Kerio Connect's SMTP server. Since these emails come from Amazon, why should authentication apply?

Because you have "User must authenticate in order to send messages from a local domain." enabled. The server does exactly what you have configured. Anyone (including the Amazon mail client) MUST authenticate if they want to send an email with a From address of your email domain to your server. "Spoofed local domain sender policy" is the next level of security, which verifies not only the domain but also the email address of the user who authenticated to the server when sending an email.
Quote:

On SPF records, an Amazon SES help doc says

Quote:
Amazon SES sends your emails from a "Mail-From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication.


We currently have Kerio Connect SPF Checking enabled and we have "Add spam score to message: 3" set.

Since we are not seeing any error messages based on SPF showing up in the Kerio Connect logs, it doesn't appear this is an issue with these emails. These messages are not showing up in the SPAM logs, only in the security log.


Amazon obviously does not own your email domain - your Kerio Connect server does. So although the SPF check on your server is OK (which is expected, as all emails with your domain from Amazon are rejected and thus not checked at all), other servers on the Internet probably reject the emails because of invalid SPF, or put them directly into the Junk Email folder.
  •  
BobH

This is getting pretty deep into email stuff I'm not so clear on. Here is an excerpt of the source email header that I'm trying to understand. This comes from a test email sent from the e-commerce provider to a personal email account I have with an ISP. The email went through to this address with no problem.

Quote:
Return-Path: < 000001523c036e1d-5d408e1b-8d2f-4354-adff-e0db2b51c7b0-000000 <_at_>amazonses.com>
Received: from impin008 ([68.114.189.32])
by mtain006.msg.strl.va.charter.net
(InterMail vM.9.00.021.00 201-2473-182) with ESMTP
id <20160113172324.OETV11894.mtain006.msg.strl.va.charter.net@impin008>
for <bhartung<_at_>charter.net>; Wed, 13 Jan 2016 11:23:24 -0600
Received: from a8-94.smtp-out.amazonses.com ([54.240.8.94])
by impin008 with charter.net
id 5VPQ1s01F21juU601VPQ5p; Wed, 13 Jan 2016 11:23:24 -0600
...


From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact<_at_>wiscoind.com>
Reply-To: contact<_at_>wiscoind.com

To: bhartung<_at_>charter.net
Subject: Testing Email From Website


The first two red lines seem to clearly identify the origin of the email as coming from Amazon SES, not our domain. That would seem consistent with Amazon's help document saying it would be their SPF records that would satisfy SPF checking by other mail servers.

The third red line appears to be setting an equivalency for our alias address. I'm guessing this equivalency is to some internal Amazon value.

Seeing this additional detail, how would you interpret our Kerio Connect server rejecting this email?
  •  
Pavel Dobry (Kerio)

Your SPF record does include the amazonses.com SPF TXT record and also the IP address scope ip4:54.240.0.0/18. Therefore your SPF is fine and also covers Amazon servers.

The third line says "From: =?UTF-8?B?V2lzY28gSW5kdXN0cmllcyA=?= <contact<_at_>wiscoind.com>". The sender email address is from your domain. And your server is configured to reject those emails if the user does not authenticate first.
You can either configure Amazon to use authentication in SMTP when sending email to your server or configure Kerio Connect to exclude all Amazon IP addresses from this security setting. In your case it would be creating an IP address group with the following network scopes: ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18.
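
The decision discussed in this thread, as an added example that is not part of the original posts and is not Kerio Connect's own code: it parses the security-log line from the first post and replays it against a simplified model of the "must authenticate for local domain sender" rule, with and without the IP address group listed above. The function names, the `LOCAL_DOMAINS` set and the assumption that the rule keys on the sender address shown in the log line are illustrative.

```python
import ipaddress
import re

# Network scopes quoted in the reply above (the exception IP address group).
AMAZON_GROUP = [ipaddress.ip_network(n) for n in
                ("199.255.192.0/22", "199.127.232.0/22", "54.240.0.0/18")]
LOCAL_DOMAINS = {"wiscoind.com"}  # assumption: the only local domain on the server

# Sample input: the log line from the first post, with the forum's "<_at_>" obfuscation.
SAMPLE_LOG = ("[13/Jan/2016 11:46:13] SMTP: Message from IP address 54.240.8.86 "
              "was rejected because of missing authentication for local domain "
              "sender <contact<_at_>wiscoind.com>.")

LOG_RE = re.compile(r"Message from IP address (?P<ip>[0-9.]+) was rejected because of "
                    r"missing authentication for local domain sender <(?P<sender>.+)>\.")


def parse_rejection(line):
    """Return (client_ip, sender) from a 'missing authentication' log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sender = m.group("sender").replace("<_at_>", "@")  # undo forum obfuscation
    return ipaddress.ip_address(m.group("ip")), sender


def sender_policy(client_ip, sender, authenticated, exempt_group):
    """Simplified model of the rule; assumes it keys on the logged sender address."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        return "accept"   # not a local-domain sender, the rule does not apply
    if authenticated:
        return "accept"   # SMTP AUTH satisfies the rule
    if any(client_ip in net for net in exempt_group):
        return "accept"   # client is inside the excepted IP address group
    return "reject"       # unauthenticated local-domain sender


def explain(line, exempt_group):
    """Replay a logged rejection against the model with a given exception group."""
    parsed = parse_rejection(line)
    if parsed is None:
        return None
    ip, sender = parsed
    return sender_policy(ip, sender, authenticated=False, exempt_group=exempt_group)


if __name__ == "__main__":
    print(explain(SAMPLE_LOG, []), "->", explain(SAMPLE_LOG, AMAZON_GROUP))
```

In this model the exception applies to every unauthenticated client inside the listed ranges, not only to the vendor's confirmation emails.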
  •  
Petr Dobry (Kerio)

Amazon SES uses MX for delivery and can't be configured to use SMTP AUTH.

Petr Dobry
Product Development Manager | Kerio
  •  
BobH

I can confirm that Amazon does not support SMTP authentication, so I entered the exceptions that you sent me into our Kerio Connect whitelist, as the IP group Amazon, under the sender policy (see attached jpg).

The result was that a test email sent from the e-commerce website was successfully delivered to my company email address.

Thank you so much for your patience and help.
