May 24 2020 11:39 AM
In a hybrid Exchange 2013 - EXO environment (with MX pointing on-prem), I came across two issues:
1. The connecting IP address (CIP) always equals one of the on-prem relay servers (not the original external mailserver). This results in:
- SPF always fails for inbound mails
- because of the connection filter, every mail gets IPV:CAL (The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.)
2. When checking user submissions for "Not Junk", we see SFV:BLK in the headers (Filtering was skipped and the message was blocked because it was sent from an address on an individual's blocked sender list). When checking Get-MailboxJunkEmailConfiguration, BlockedSendersAndDomains is (already?) empty.
Thank you for helping me out!
Jun 05 2020 05:49 AM
Jun 05 2020 10:58 AM
@BemmelenPatrick Thank you!
1. "Keep internal Exchange message headers" is enabled for the inbound and outbound connector. When checking the mail headers you can see all the hops, but the spf is not checked against the originating mail server but against an internal relay server. If all hops are retained in the mail headers, why/when is the spf not checked against the first server? Our spf is valid (although currently set to "?all").
2. That's where I see those mails. But I found it weird that every day we see at least one user submitting a false positive (not junk) in which we see SFV:BLK. When checking the blocked sender list, the sender is not present (anymore?). Was the sender automatically removed from the blocked sender list because the user submitted the mail to MS as not junk?
Jun 05 2020 10:58 PM
Jun 10 2020 11:08 AM
@BemmelenPatrick I anonymized it slightly
What puzzles me most is the SPF fail: "domain of e.linkedin.com does not designate XX.XX.71.5 as permitted sender". XX.XX.71.5 is a server of ours. Why is SPF not checked against the first IP address (199.7.202.92)?
Received: from VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:209:90::29)
by AM6PR09MB2792.eurprd09.prod.outlook.com with HTTPS via
AM6P194CA0016.EURP194.PROD.OUTLOOK.COM; Wed, 10 Jun 2020 13:22:02 +0000
Received: from AM6PR08CA0041.eurprd08.prod.outlook.com (2603:10a6:20b:c0::29)
by VI1PR09MB4096.eurprd09.prod.outlook.com (2603:10a6:800:121::8) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Wed, 10 Jun
2020 13:22:00 +0000
Received: from AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
(2603:10a6:20b:c0:cafe::95) by AM6PR08CA0041.outlook.office365.com
(2603:10a6:20b:c0::29) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.19 via Frontend
Transport; Wed, 10 Jun 2020 13:22:00 +0000
Authentication-Results: spf=fail (sender IP is XX.XX.71.5)
smtp.mailfrom=e.linkedin.com; contoso.com; dkim=pass (signature was verified)
header.d=e.linkedin.com;contoso.com; dmarc=pass action=none
header.from=e.linkedin.com;
Received-SPF: Fail (protection.outlook.com: domain of e.linkedin.com does not
designate XX.XX.71.5 as permitted sender) receiver=protection.outlook.com;
client-ip=XX.XX.71.5; helo=relay1.contoso.com;
Received: from relay1.contoso.com (XX.XX.71.5) by
AM5EUR03FT028.mail.protection.outlook.com (10.152.16.118) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3088.18 via Frontend Transport; Wed, 10 Jun 2020 13:22:00 +0000
Received: from localhost (mcheck1.contoso.com [XX.XX.71.91])
by relay1.contoso.com (Postfix) with ESMTP id 5E60E7619C
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:22:00 +0200 (CEST)
X-Virus-Scanned: by Contoso DICT
X-Spam-CMAuthority: v=2.3 cv=Eda2v8uC c=1 sm=1 tr=0
a=407tTOkso+zxEghPF3UieQ==:17 a=KqOhe5OoNmIA:10 a=O76VCmqbo-wA:10
a=nTHF0DUjJn0A:10 a=Xg6hxTJYhxMA:10 a=M51BFTxLslgA:10
a=r77TgQKjGQsHNAKrUKIA:9 a=jU4qhlNgAAAA:8 a=YY1ZcqqrI6xR5oziIx0A:9
a=QEXdDO2ut3YA:10 a=SSmOFEACAAAA:8 a=4F_gcz9cAAAA:8 a=P0CS7o0kAAAA:8
a=g2DXbu_dzxOSWhaP4Y8A:9 a=a1La3gOqBzqfoSXu:21 a=gKO2Hq4RSVkA:10
a=frz4AuCg-hUA:10 a=_W_S_7VecoQA:10 a=utKY0mbGk_15_-6maDl2:22
a=xJca28oTcna21abs7k0g:22 a=Sf_sMCSL_WJvxhl3zmRG:22
a=HH7FIXwXL_sUf1zzYxQd:22
Received: from relay1.contoso.com ([XX.XX.71.5])
by localhost (mcheck1.contoso.com [XX.XX.43.40]) (amavisd-new, port 10024)
with ESMTP id 9VyQz8KiaVbs for <emmtom.toms@contoso.com>;
Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
Received: from omp.e.linkedin.com (omp.e.linkedin.com [199.7.202.92])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by relay1.contoso.com (Postfix) with ESMTPS id 41058761D0
for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=linkedin; d=e.linkedin.com;
h=X-CSA-Complaints:MIME-Version:Content-Type:Date:To:From:Reply-To:Subject:
List-Unsubscribe:Message-ID; i=linkedin@e.linkedin.com;
bh=VBYsNAgiDn7YaiIN9cVXM81+g80p3KHLOaF4tKbBfcQ=;
b=FlJXmEzPX/6BGfuuY5NymMAp/uUqFVJufQmDU4e33gwYsb1jE8/zTVhTQdv0ApZzsc6FVzIrTJPu
fPF0cJjRzNyPZqqNTilBCA1Rlvc2fdEaodYbvSsP/NeAOrNI3XGVvMDOFy2U/IIlKBUIpQvEaWxo
5fz57GVjlTRSuBvvCWw=
Received: by omp.e.linkedin.com id hs3f7a2lr0oo for <emmtom.toms@contoso.com>; Wed, 10 Jun 2020 06:21:57 -0700 (envelope-from <linkedin@e.linkedin.com>)
X-CSA-Complaints: whitelist-complaints@eco.de
Content-Type: multipart/mixed; boundary="----msg_border_H19D3aPqbR"
Date: Wed, 10 Jun 2020 06:21:57 -0700
To: <emmtom.toms@contoso.com>
From: =?UTF-8?B?TGlua2VkSW4=?= <linkedin@e.linkedin.com>
Reply-To: =?UTF-8?B?TGlua2VkSW4=?= <donotreply@e.linkedin.com>
Subject: Emma, thanks for being a valued member
Feedback-ID: 50563:15879535:oraclersys
List-Unsubscribe: <mailto:unsubscribe-AQpglLjHJlYQGhEEYGcKT1zfCha0Hrzc09zgRmpHl6t8EHLwjzaSzcT8eDUd3lyTbO6W@imh.rsys5.com?subject=List-Unsubscribe>, <https://e.linkedin.com/pub/optout/UnsubscribeOneStepConfirmAction?YES=true&_ri_=X0Gzc2X%3DAQpglLjHJl....>
X-sgxh1: LuunLLjlQnLLjlkxmnLglQIL
X-rext: 6.interact5.EoGG5EJd2Sx8oHRajXRDF0uiatAlCGaeOrQ1X2CL93KUtP2IwA4
X-cid: linkedin.3752
X-ei: Egbnz3E-LglAP044NUjD3X2Hnhqk1RQC
Require-Recipient-Valid-Since: emmtom.toms@contoso.com; Wed, 8 Apr 2020 19:18:00 -0700
Message-ID: <0.1.21F.3B0.1D63F2A1E020AEE.0@omp.e.linkedin.com>
X-Miltered: at jchkm4 with ID 5EE0DE76.000 by Joe's j-chkmail (http://helpdesk.contoso.com/email/)!
X-j-chkmail-Enveloppe: 5EE0DE76.000 from omp.e.linkedin.com/omp.e.linkedin.com/199.7.202.92/omp.e.linkedin.com/<linkedin@e.linkedin.com>
X-j-chkmail-Score: MSGID : 5EE0DE76.000 on relay1.contoso.com : j-chkmail score : . : R=. U=. O=# B=0.000 -> S=0.083
X-j-chkmail-Status: Ham
Return-Path: linkedin@e.linkedin.com
X-MS-Exchange-Organization-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Forefront-Antispam-Report: CIP:XX.XX.71.5;CTRY:BE;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:relay1.contoso.com;PTR:relay1.contoso.com;CAT:NONE;SFTY:;SFS:;DIR:INB;SFP:;
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: AM5EUR03FT028.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: Contosobe.onmicrosoft.com
X-MS-Office365-Filtering-Correlation-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-TrafficTypeDiagnostic: VI1PR09MB4096:
X-MS-Oob-TLC-OOBClassifiers: OLM:6790;
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2020 13:22:00.5392
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ca920975-ae6a-4b67-5983-08d80d414218
X-MS-Exchange-CrossTenant-Id: d7811cde-ecef-496c-8f91-a1786241b99c
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d7811cde-ecef-496c-8f91-a1786241b99c;Ip=[XX.XX.71.5];Helo=[relay1.contoso.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR09MB4096
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.6337616
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3088.011
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(750128)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info:
MIME-Version: 1.0
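
An added diagnostic, not part of the thread: SPF is evaluated against the IP that connects to Exchange Online Protection (the `client-ip` in `Received-SPF`), so with the MX on-prem that is the relay rather than the earliest `Received` hop. The sketch below walks the `Received` chain past a list of trusted relay networks and compares the result with the IP SPF was checked against. The function names, the trusted network list and the sample IPs (192.0.2.0/24 standing in for the anonymized range) are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the posted header: 192.0.2.0/24 stands in for
# the anonymized on-prem range (XX.XX.71.x); continuation lines start with a space.
SAMPLE = """\
Received: from relay1.contoso.com (192.0.2.5) by
 AM5EUR03FT028.mail.protection.outlook.com (10.152.16.118) with Microsoft SMTP
 Server; Wed, 10 Jun 2020 13:22:00 +0000
Received-SPF: Fail (protection.outlook.com: domain of e.linkedin.com does not
 designate 192.0.2.5 as permitted sender) receiver=protection.outlook.com;
 client-ip=192.0.2.5; helo=relay1.contoso.com;
Received: from localhost (mcheck1.contoso.com [192.0.2.91])
 by relay1.contoso.com (Postfix) with ESMTP id 5E60E7619C;
 Wed, 10 Jun 2020 15:22:00 +0200 (CEST)
Received: from omp.e.linkedin.com (omp.e.linkedin.com [199.7.202.92])
 by relay1.contoso.com (Postfix) with ESMTPS id 41058761D0;
 Wed, 10 Jun 2020 15:21:59 +0200 (CEST)
"""

def hop_ip(received):
    """Connecting IP from the 'from' clause of one Received header, or None."""
    from_part = " ".join(received.split()).split(" by ", 1)[0]
    for cand in re.findall(r"[\[(]([0-9A-Fa-f:.]+)[\])]", from_part):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None

def spf_hop_check(raw_headers, trusted_nets):
    """Compare the IP SPF was evaluated against with the first non-relay hop."""
    msg = email.message_from_string(raw_headers)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    is_ours = lambda ip: any(ip in n for n in nets)
    # Received headers are newest-first. Hops stamped by our own relays are
    # trustworthy; stop at the first outside address (lines below it are sender-supplied).
    origin = next((ip for ip in map(hop_ip, msg.get_all("Received", []))
                   if ip is not None and not is_ours(ip)), None)
    m = re.search(r"client-ip=([0-9A-Fa-f:.]+)", msg.get("Received-SPF", ""))
    checked = ipaddress.ip_address(m.group(1)) if m else None
    return {
        "spf_checked_ip": str(checked) if checked is not None else None,
        "first_external_ip": str(origin) if origin is not None else None,
        "spf_evaluated_on_relay": checked is not None and is_ours(checked),
    }

if __name__ == "__main__":
    print(spf_hop_check(SAMPLE, ["192.0.2.0/24"]))
```

When `spf_evaluated_on_relay` is true, the SPF verdict describes the relay's address and says nothing about whether `first_external_ip` is authorized for the sender's domain.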
Jun 11 2020 05:24 AM