1491 Views 7 Replies Latest reply: Oct 31, 2013 11:04 PM by boerio RSS
boerio Newcomer 4 posts since
Oct 20, 2013

Oct 20, 2013 1:02 PM

Problems getting the SaaS Inbound Filtering to work properly

I am trying to land the Inbound Filtering product, and am unable to get messages from MX Logic to the end destination.  I hope that someone here can help me get this figured out.  I need some advice on how to properly configure the Inbound Servers so that the messages will get delivered to the hosted mail server.

 

Here's the lay of the land.  I have a hosted domain, and my ability to configure that domain is through cPanel.

 

I've followed the EPS Welcome Kit information and have my domains configured under Account Management.  My MX records are properly set.  I suspect my problem is somewhere between my Inbound Servers and the domain's mail server itself.  If I have the SMTP host information set to example.com port 25, I will get the following "events" in the Message Audit window:

 

Recipient Disposition: [250 Bounce (550 through this server without authentication.); Mode: normal; Queued: no; Frontend TLS: yes; SPF: n/a]
Message Disposition: [250 Message Queued (No RCPTS); Backend TLS: yes; Backend IP: 216.120.236.125; Policy Set: Default Inbound]

 

According to the documentation available to me in cPanel, the settings should be as follows:

 

Secure SSL/TLS Settings (Recommended)

Incoming Server (IMAP): host.example.com port 993

Incoming Server (POP3): host.example.com port 995

Outgoing Server: host.example.com port 465

Authentication is required for IMAP, POP3, and SMTP.

 

Non-SSL Settings (NOT Recommended)

Incoming Server (IMAP): mail.example.com port 143

Incoming Server (POP3): mail.example.com port 110

Outgoing Server: mail.example.com port 25

Authentication is required for IMAP, POP3, and SMTP.

 

The ports are all the standard ports one would expect.  I think what I'm getting lost in here is that the "authentication is required". 

 

If I set the Inbound Servers to use host.example.com and either ports 993 or 995, and either enforce TLS (or not) messages will sit on the MX Logic servers.

 

I've gone into the Account Management -> Configuration panel and tested the User Authentication capabilities for both POP3 and IMAP (but I don't think that's important for this purpose).

 

I've failed to find much of anything helpful through either internet searches or KB searches.

 

Thanks for the help!

  • PhilM Champion 528 posts since
    Jan 7, 2010

    I am also new to this product and have only been using it for less than 1 week.

     

    As far as I understand, the communication channel between SaaS Email and your Email server is SMTP (port 25) only - for delivering e-mail at least. You may have also set up synchronisation to your LDAP/AD server to provide the SaaS system with a list of valid addresses.

     

    The suggestion from your audit seems to be that your destination (inbound) mail server is requiring authentication (550 through this server without authentication) and is issuing a 550 hard bounce response because the SaaS service is trying to connect and deliver without authenticating.

     

    Looking at the EMail Protection -> Setup -> Inbound Servers screen, the only other option you appear to be able to control is whether to force TLS or not.

     

    Does your SMTP server require authentication?

     

    If so, are you able to disable authentication for connections coming from the MXLogic address ranges?

     

    -Phil.

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012

    Hi boerio,

     

    Phil has you on the right path here. Disabling authentication requirements for your SMTP server for connections over TLS is advised. Once disabled, you should also ensure that your firewall is locked down to only receive Port 25 SMTP traffic from the McAfee SaaS IP Ranges:

     

    -McAfee SaaS IP Ranges-

    208.65.144.0/21
    Netmask:   255.255.248.0
    HostMin:   208.65.144.1
    HostMax:   208.65.151.254

    208.81.64.0/21
    Netmask:   255.255.248.0
    HostMin:   208.81.64.1
    HostMax:   208.81.71.254

     

    Because the steps on how to turn off authentication vary depending on your SMTP environment, we recommend searching the web for the server environment name and "disable SMTP Authentication", e.g. "Exchange 2007 Disable SMTP Authentication", should return a result quite quickly.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012

    Jeff,

     

    Without knowing the specifics of your server environment, I can only guess as to the cause. My guess though has to do with non-TLS SMTP traffic being allowed for anonymous senders, but TLS traffic requiring authentication. You may have to verify that though with the mail provider.

     

    Ultimately though it does come down to that is the response we receive from the recipient host. We cannot force a recipient host to accept mail from us, it must be configured to do so, and if it issues a Permanent Failure based on an Authentication requirement, then that must be disabled.


    Brad McGarr
  • PhilM Champion 528 posts since
    Jan 7, 2010

    Jeff,

     

    I don't want you to think that Brad & I are ganging up on you, but not knowing the precise make-up of your e-mail infrastructure does hamper our ability to offer a response that does not accidentally misinform.

     

    Brad is a McAfee guy and so I will defer to him on the specifics of the SaaS Email product. However, as a reseller engineer who has come into contact with a vast variety of environments over the 16+ years I've been installing Firewalls, e-mail Security solutions and such like I don't think I have ever come across an environment where external parties are required to authenticate when delivering SMTP mail to the recipient's organisation.

     

    It is, as mentioned, maybe something to do with the specifics of your server environment. But, would I expect you to provide authentication credentials in order to deliver an e-mail message to me? No. Your mail server receives the e-mail from your e-mail client application, looks at the domain and then uses DNS to establish where I "live" (ignore the inclusion of the SaaS solution at this point). It then establishes an SMTP connection to the mail server (almost certainly via a public IP address on my firewall) and basically says "I've got an e-mail for phil@phils-domain.com". My SMTP server responds with "Great, send away!" and completes the transaction. It won't ask you to authenticate first. What it will do (if it has been configured properly) is reject the request if your server connects and then tries to send the message to phil@anotherdomain.com as this would be an attempt to relay.

     

    I've now signed-up for SaaS and all I've done is to specify what was my old MX record as my "Inbound" server within SaaS, changed my DNS MX record to force external parties to send e-mail via the SaaS service and then modified the inbound SMTP rule on my Firewall to only accept connections from the subnets belonging to McAfee SaaS/MXLogic.

     

    -Phil.
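
An added example (not part of any post in this thread, and not McAfee's code): a small Python model of the setup Brad and Phil describe, with port 25 limited to the posted SaaS ranges and the mail server accepting unauthenticated mail only for its own domain. The local domain, the sample connections and the response strings are assumptions made for the illustration.

```python
import ipaddress

# Ranges quoted in the thread for the filtering service's relays.
SAAS_RANGES = [ipaddress.ip_network(n)
               for n in ("208.65.144.0/21", "208.81.64.0/21")]

# Assumption for this example: the one domain this mail server hosts.
LOCAL_DOMAINS = {"phils-domain.com"}


def range_summary(net):
    """Netmask and first/last usable host, to cross-check the posted values."""
    return (str(net.netmask),
            str(net.network_address + 1),
            str(net.broadcast_address - 1))


def from_filtering_service(client_ip):
    """True when the connecting address falls inside a listed range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SAAS_RANGES)


def inbound_decision(client_ip, rcpt):
    """Model two layers: the firewall on port 25, then the relay check.

    The returned strings are this example's own labels, not server output.
    """
    if not from_filtering_service(client_ip):
        return "DROP at firewall"
    domain = rcpt.rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return "550 relaying denied"
    return "250 accepted without SMTP AUTH"


# Constructed sample connections (addresses and recipients are illustrative).
SAMPLES = [
    ("208.65.145.10", "phil@phils-domain.com"),
    ("208.81.71.254", "phil@anotherdomain.com"),
    ("208.65.152.1", "phil@phils-domain.com"),   # first address past the /21
    ("203.0.113.7", "phil@phils-domain.com"),    # documentation range
]

if __name__ == "__main__":
    for net in SAAS_RANGES:
        print(net, *range_summary(net))
    for ip, rcpt in SAMPLES:
        print(f"{ip:15} {rcpt:24} -> {inbound_decision(ip, rcpt)}")
```

The point of the two layers is that removing the authentication requirement on port 25 does not open a relay: only the filtering service can connect, and even it can only deliver to hosted domains.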
