
Notification email from do-not-reply@fw-notify.net identified as SPAM and being inherently blocked by many email services

First time poster, long time personal user since Astaro days.

Recently, many Internet email providers have started requiring email being received to include at least one of many "standards" based mechanisms that attempt to verify the originating source as authentic. This trend can be characterized as an effort to combat the rampant distribution of UCE (Unsolicited Commercial Email), commonly, but incorrectly, known as SPAM (sorry Hormel).

In many cases, an Internet email host wants to see a valid SPF (Sender Policy Framework, tools.ietf.org/.../rfc7208) record associated with the originator, or a valid DKIM (Domain Keys Identified Mail, http://dkim.org/) block that cryptographically authenticates the fact that at least some of the content of the received email message has not changed.

Sophos has mitigated the SPF issue by creating an SPF DNS record for fw-notify.net as follows:

Type  Domain         Record Content     TTL
TXT   fw-notify.net  v=spf1 a mx -all   14708

See: https://community.sophos.com/kb/en-us/115536 for more information on the fw-notify.net domain used for notification.

Thus, if an email system (SMTP) receives a message from a user at fw-notify.net, and the receiving system requires a valid SPF, the receiving email system scores the email from fw-notify.net as passing the SPF check.

Regarding Domain Keys Identified Mail, I suggest reading this short but extremely informative blog post by Jett Pendleton:

https://www.sparkpost.com/blog/understanding-spf-and-dkim/

Now that you understand some of the methods being employed to combat UCE, I'll present my question, and a proposed feature enhancement for Sophos UTM.

My first question is, can I substitute an external mail server for the Sophos internal server originating the notifications from the fw-notify.net domain?

My second question is: does, or can, Sophos support DKIM in the UTM?

If Sophos does not currently support DKIM, I strongly suggest that they include this feature going forward.

I am certainly willing to participate in a project to get this feature implemented, particularly since most mainline email services for both individuals and enterprises seem to be moving in the direction of requiring DKIM signed and hashed communications.

Please advise and comment.

Best regards,

Gregg Rasor
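
How a receiving server evaluates the `v=spf1 a mx -all` record quoted in the post, as an added example that is not part of the original thread or any Sophos code. The A/MX data and the host name `mx1.fw-notify.net` are constructed stand-ins (documentation address ranges), and only the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data using documentation address ranges; these are NOT the
# real fw-notify.net A/MX records, only stand-ins for the DNS lookups.
DNS = {
    "TXT": {"fw-notify.net": "v=spf1 a mx -all"},
    "A": {"fw-notify.net": ["192.0.2.10"], "mx1.fw-notify.net": ["192.0.2.25"]},
    "MX": {"fw-notify.net": ["mx1.fw-notify.net"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, dns=DNS):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = dns["TXT"].get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = (arg or domain).lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = str(ip) in dns["A"].get(target, [])
        elif name == "mx":
            matched = any(str(ip) in dns["A"].get(host, [])
                          for host in dns["MX"].get(target, []))
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "unsupported"  # include/exists/ptr/modifiers: outside this sketch
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"  # record ended without a matching mechanism


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25", "203.0.113.7"):
        print(ip, check_spf(ip, "do-not-reply@fw-notify.net"))
```

Because the record ends in `-all`, any connecting address that is not behind the domain's A or MX records gets a hard `fail` rather than a soft result.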



  • You need to configure UTM Notifications so that it connects to an email server in client mode, so that the message is sent with a valid email account instead of the bogus one.   UTM should never send as a mail server.

    If it is an external mail server, you will need to configure credentials.  If it is an internal mail server, you have the choice of logging in with credentials (still recommended) or whitelisted based on IP address.   If you use credentials, the send-as must be the email account associated with those credentials.   If you are whitelisting by the IP address, the send-as account must use a domain hosted by that email server.

  • Thank you Douglas.

    I see a tab under Notifications Advanced that has text External SMTP server status.  The specifics are SMTP server (from Network Definitions -> Hosts or Network Definitions -> DNS Hosts), SMTP port (587, SMTP submission port in my case), Use TLS (off for this trial), and Authentication.

    Regarding the Global tab under Management -> Notifications, I changed the Sender to do-not-reply@sending_domain.com (my domain, redacted for lack of clarity and because some folks misuse Internet resources).

    I tested this configuration using my internal mail server (in the Intranet, same subnet as the hardware running the Sophos UTM) with notifications to an account on the internal email server, and an external account.  The UTM sent the notification using the internal email server, and upon inspection, the received emails were exactly as expected.

    What do I mean by "the received emails were exactly as expected?"

    The notification email sent from the internal email server to an account on the internal email contained no information on routing, hops, DKIM, SPF, etc. in the notification email.  This is as expected.  The notification email sent from the internal email server to an account on the external email server contained all necessary information on routing, hops, DKIM, SPF, etc.

    Perfect!

    Thank you for your assistance.

    Gregg Rasor
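
The header inspection described in the last post can be scripted. This is an added example, not part of the thread: it reads the `Authentication-Results` headers of a received notification and reports the SPF and DKIM verdicts, counting only headers stamped by the receiver's own server. The message, the host names and the `trusted_authserv_id` parameter are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample of a notification as received by an external mailbox.
# The second Authentication-Results header carries a different authserv-id
# and must not be trusted: anyone upstream could have inserted it.
RAW = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=do-not-reply@sender.example;
 dkim=pass header.d=sender.example
Authentication-Results: unrelated.example; spf=fail smtp.mailfrom=x@sender.example
From: do-not-reply@sender.example
To: admin@receiver.example
Subject: Constructed test notification

Test body.
"""

CLAUSE = re.compile(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.IGNORECASE)


def auth_results(raw_message, trusted_authserv_id):
    """Return {method: result} from headers added by the trusted receiver."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        stamped_by = (authserv_id.split() or [""])[0].lower()
        if stamped_by != trusted_authserv_id.lower():
            continue  # ignore verdicts the receiving server did not write
        for clause in rest.split(";"):
            match = CLAUSE.match(clause)
            if match:
                # keep the first verdict seen for each method (spf, dkim, ...)
                results.setdefault(match.group(1).lower(), match.group(2).lower())
    return results


def notification_authenticated(raw_message, trusted_authserv_id):
    """True only when the trusted receiver recorded both SPF and DKIM as pass."""
    verdicts = auth_results(raw_message, trusted_authserv_id)
    return verdicts.get("spf") == "pass" and verdicts.get("dkim") == "pass"


if __name__ == "__main__":
    print(auth_results(RAW, "mx.receiver.example"))
    print(notification_authenticated(RAW, "mx.receiver.example"))
```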