7 Replies Latest reply: Oct 31, 2013 11:04 PM by boerio RSS

    Problems getting the SaaS Inbound Filtering to work properly

    boerio

      I am trying to land the Inbound Filtering product, and am unable to get messages from MX Logic to the end destination.  I hope that someone here can help me get this figured out.  I need some advice on how to properly configure the Inbound Servers so that the messages will get delivered to the hosted mail server.

       

      Here's the lay of the land.  I have a hosted domain, and my ability to configure that domain is through cPanel.

       

      I've followed the EPS Welcome Kit information and have my domains configured under Account Management.  My MX records are properly set.  I suspect my problem is somewhere between my Inbound Servers and the domain's mail server itself.  If I have the SMTP host information set to example.com port 25, I will get the following "events" in the Message Audit window:

       

      Recipient Disposition: [250 Bounce (550 through this server without authentication.); Mode: normal; Queued: no; Frontend TLS: yes; SPF: n/a]
      Message Disposition: [250 Message Queued (No RCPTS); Backend TLS: yes; Backend IP: 216.120.236.125; Policy Set: Default Inbound]

       

      According to the documentation available to me in cPanel, the settings should be as follows:

       

      Secure SSL/TLS Settings (Recommended)

      Incoming Server (IMAP): host.example.com port 993

      Incoming Server (POP3): host.example.com port 995

      Outgoing Server: host.example.com port 465

      Authentication is required for IMAP, POP3, and SMTP.

       

      Non-SSL Settings (NOT Recommended)

      Incoming Server (IMAP): mail.example.com port 143

      Incoming Server (POP3): mail.example.com port 110

      Outgoing Server: mail.example.com port 25

      Authentication is required for IMAP, POP3, and SMTP.

       

      The ports are all the standard ports one would expect.  I think what I'm getting lost in here is that the "authentication is required". 

       

      If I set the Inbound Servers to use host.example.com and either ports 993 or 995, and either enforce TLS (or not) messages will sit on the MX Logic servers.

       

      I've gone into the Account Management -> Configuration panel abd tested the User Authentication capabilities for both POP3 and IMAP (but I don't think that's important for this purpose).

       

      I've failed to find much of anything helpful through either internet searches or KB searches.

       

      Thanks for the help!

        • 1. Re: Problems getting the SaaS Inbound Filtering to work properly
          PhilM

          I am also new to this product and have only been using it for less than 1 week.

           

          As far as I understand, the communication channel between SaaS Email and your Email server is SMTP (port 25) only - for delivering e-mail at least. You may have also set up synchronisation to your LDAP/AD server to provide the SaaS system with a list of valid addresses.

           

          The suggestion from your audit seems to be that your destination (inbound) mail server is requiring authentication (550 through this server without authentication) and is issuing a 550 hard bounce response because the SaaS service is trying to connect and deliver without authenticating.

           

          Looking at the EMail Protection -> Setup -> Inbound Servers screen, the only other option  you appear to be able to control is whether to force TLS or not.

           

          Does your SMTP server require authentication?

           

          If so, are you able to disable authentication for connection coming from the MXLogic address ranges?

           

          -Phil.

          • 2. Re: Problems getting the SaaS Inbound Filtering to work properly
            Brad McGarr

            Hi boerio,

             

            Phil has you on the right path here. Disabling authentication requirements for your SMTP server for connections over TLS is advised. Once disabled, you should also ensure that your firewall is locked down to only receive Port 25 SMTP traffic from the McAfee SaaS IP Ranges:

             

            -McAfee SaaS IP Ranges-

             

            208.65.144.0/21

            Netmask: 255.255.248.0

            HostMin:   208.65.144.1

            HostMax:   208.65.151.254

             

            208.81.64.0/21

            Netmask:   255.255.248.0

            HostMin:   208.81.64.1

            HostMax:   208.81.71.254

             

            Because the steps on how to turn off authentication vary depending on your SMTP environment, we recommend searching the web for the server environment name and "disable SMTP Authentication", e.g. "Exchange 2007 Disable SMTP Authentication", should return a result quite quickly.

            • 3. Re: Problems getting the SaaS Inbound Filtering to work properly
              boerio

              Brad,

               

              Thanks for the details.  I'm not sure I have the ability to make the changes you suggest.  I'm in a shared hosting environment, and I suspect that if I ask to disable the SMTP auth, it will also do that for others on the same server.

               

              What still doesn't make sense to me here is that any given host today can connect to my mail server and deliver email just fine.  In other words, if joe@random.com wants to send me email, random.com has no problem connecting to mydomain.com to deliver the email to me.

               

              Why must I disable authentication for MX Logic to work?

               

              Jeff

              • 4. Re: Problems getting the SaaS Inbound Filtering to work properly
                Brad McGarr

                Jeff,

                 

                Without knowing the specifics of your server environment, I can only guess as to the cause. My guess though as to do with non TLS SMTP Traffic being allowed for anonymous senders, but TLS traffic requiring authentication. You may have to verify that though with the mail provider.

                 

                Ultimately though it does come down to that is the response we receive from the recipient host. We cannot force a recipient host to accept mail from us, it must be configured to do so, and if it issues an Permanent Failure based on an Authentication requirement, then that must be disabled.

                • 5. Re: Problems getting the SaaS Inbound Filtering to work properly
                  PhilM

                  Jeff,

                   

                  I don't want you to think that Brad & I are ganging up on you, but not knowing the precise make-up of your e-mail infrastructure does hamper our ability to offer a response that does not accidentally misinform.

                   

                  Brad is a McAfee guy and so I will defer to him on the specifics of the SaaS Email product. However, as a reseller engineer who has come into contact with a vast variety of environments over the 16+ years I've been installing Firewalls, e-mail Security solutions and such like I don't think I have ever come across an environment where external parties are required to authenticate when delivering SMTP mail to the recipient's organisation.

                   

                  It is, as mentioned, maybe something to do with the specifics of your server environment. But, would I expect you to provide authentication credentials in order to deliver an e-mail message to me? No. Your mail server receives the e-mail from your e-mail client application, looks at the domain and then uses DNS to establish where I "live" (ignore the inclusion of the SaaS solution at this point). It then establishes an SMTP connection to the mail server (almost certainly via a public IP address on my firewall) and basically says "I've got an e-mail for phil@phils-domain.com". My SMTP server responds with "Great, send away!" and completes the transaction. It won't ask you to authenticate first. What it will do (if it has been configured properly) is reject the request if your server connects and then tries to send the message to phil@anotherdomain.com as this would be an attempt to relay.

                   

                  I've now signed-up for SaaS and all I've done is to specify what was my old MX record as my "Inbound" server within SaaS, changed my DNS MX record to force external parties to send e-mail via the SaaS service and then modified the inbound SMTP rule on my Firewall to only accept connections from the subnets belonging to McAfee SaaS/MXLogic.

                   

                  -Phil.

                  • 6. Re: Problems getting the SaaS Inbound Filtering to work properly
                    boerio

                    Phil,

                     

                    I'm not looking at this as being ganged up on at all.  I'm just trying to figure out how in the world to make it all work.  I haven't been able to focus much on it the past few days because this ain't my regular gig.  I'll probably get back at it as the weekend comes closer.  I agree with everything you're saying here - the domain gets email every day from a plethora of sources (hence our desire to have the Inbound Filtering product), so it must be a setting that I'm not getting right.

                     

                    Jeff

                    • 7. Re: Problems getting the SaaS Inbound Filtering to work properly
                      boerio

                      I found the solution to my problem.

                       

                      For Inbound Servers, I had to choose mail.example.com as the domain, and port 25.

                       

                      Then on cPanel, I needed to make sure that I set MX Entry -> Email Routing to Local Mail Exchanger.  For some reason, it seemed logical to set it to Remote Mail Exchanger (and even saw some indications that this was  the proper way to go).  Mail is flowing properly to my servers!

                       

                      Jeff