3

we have an SMTP problem. Our setup is a internal Exchange server and an external mail gateway (exim) with a DNS entry and MX record. This gateway accepts all mail for our domain and accepts relaying mails from our internal server and external staff (TLS and user authentication). This is the setup described and short words and it's working properly for years.

No we have problem with one of our most important client (staff >15k). They are rejecting e-mails from our external staff! Not because of a blacklist of our mail-gateway, it's because of a blacklisted IP in the Received E-Mail Header. The e-mail is not sent directly to the target SMTP, of course it's relayed by our SMTP (which is not blacklisted there).

SenderX: IP (blacklisted at http://www.barracudacentral.org)
    -->
Our SMTP Gateway: official IP, (not blacklisted)
    -->
Target SMTP: accepts mail from our SMTP, but not from SenderX

In my opinion it's very unusual to reject mails because of checking the "Received" IP Adresses. The RFC states, they must be added.

RFC 5432: 3.7.2. Received Lines in Gatewaying

When forwarding a message into or out of the Internet environment, a gateway MUST prepend a Received: line, but it MUST NOT alter in any way a Received: line that is already in the header section.

What should I advise the postmaster of our client?

Thor
  • 151

2 Answers2

3

Why are your external users not connecting directly to the Exchange server (via RPC over HTTP, POP, or IMAP)? If they were you wouldn't have these problems. My suggestion would be to configure the external clients to connect to the Exchange server directly, which will then send email to the gateway server as usual.

joeqwerty
  • 110,860
  • Technically I can solve this problem (exim header rewriting / VPN). But I believe that the main prolbem is a misconfiguration of the the other SMTP server! If it's violating a RFC it would be easy, but if the others or paranoid (or over-enthusiastic) it will be hard to convince them. – Thor Jun 09 '11 at 11:55
  • @Thor: That may be the case but I don't understand why the external users don't connect to Exchange directly. Your scenario seems a bit unorthodox. I'm just curious as to why things are set up the way they are. – joeqwerty Jun 09 '11 at 12:13
  • This was decided several years ago (I think with MSX 2000 or 2003) because of security issues. Now we have a sophisticated setup with our mail gateway, (responsible for several domains) and use this service also for our staff. – Thor Jun 10 '11 at 05:45
2

What should I advise the postmaster of our client?

The foremost advice would be to fix the broken filtering configuration. Half the world is sending mails with internal (mostly RFC-1918) addresses in Received: headers, it is a really bad idea to block mails based on these criteria.

Your problem is not new, however. Every now and then some over-enthusiastic postmaster screws up the filters, so people have found ways to work around it by simply rewriting the headers. With postfix, you can use header_checks to do it - as described in this article. I hardly ever see exim, but I'd expect it to have some similar functionality.

the-wabbit
  • 41,007
  • After a couple of emails they realized that their server has really a misconfiguration ;-) – Thor Jun 11 '11 at 06:50