We have an email that comes every day with a designated from address of, say, firstname.lastname@example.org. We've attempted to whitelist it so it does not end up in a user's quarantine, but it still does. The email is being sent from a mail service provider whose actual from address is always unique (i.e. email@example.com), usually from a variety of shared IP addresses. Any suggestion on how we could whitelist this type of email for this user? I wouldn't want to get all their IPs because they probably send a fair amount of trash our way, but simply adding the original firstname.lastname@example.org email as a whitelist entry doesn't work. Thanks!
Hi Michael and welcome to the UTM Community!
Are these emails from Constant Contact or???
Cheers - Bob
No, it technically looks like it's being sent by an Amazon SES service. Below are two examples of the actual sending service.
18.104.22.168 - email@example.com
22.214.171.124 - firstname.lastname@example.org
Are you on 7.705-7, Michael?
Please insert a picture of the Edit of how you're trying to whitelist. Also, copy here the lines from the SMTP log relevant to an email being incorrectly quarantined.
That is the address the end user sees as it is sent from. We are on UTM firmware 9.705-7
I meant the text lines in the SMTP proxy log found at 'Logging & Reporting >> View Log Files', Michael.
Ahhhh, the address in the From field is not necessarily the same as the Sender.
When querying that log for that Amazon SES IP on that day here is the record it produces:
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 SMTP connection from [126.96.36.199]:58517 (TCP/IP connection count = 1)
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 H=a11-16.smtp-out.amazonses.com [188.8.131.52]:58517 Warning: mikedomain.gov profile excludes SANDBOX scan
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 [184.108.40.206] F=<email@example.com> R=<firstname.lastname@example.org> Verifying recipient address with callout
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 1lrI5O-0000F6-2e Greylisting: 220.127.116.11 is a known retry host
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 1lrI5O-0000F6-2e <= email@example.com H=a11-16.smtp-out.amazonses.com [18.104.22.168]:58517 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-SHA256:128 CV=no S=3098 DKIM=amazonses.com
firstname.lastname@example.org:06:10-06:39:00 sophos smtpd: SCANNER: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="22.214.171.124" from="email@example.com" to="firstname.lastname@example.org" subject="Notification from the Massachusetts Department of Unemployment Assistance (DUA)" queueid="1lrI5U-0000FQ-GQ" size="1245" reason="as" extra=""
2021:06:10-06:39:19 sophos exim-in: 2021-06-10 06:39:19 SMTP connection from a11-16.smtp-out.amazonses.com [126.96.36.199]:58517 closed by QUIT
The sender is "email@example.com" instead of the defma.org address seen in the From field. I suspect these emails are getting caught by an "unintended feature" introduced in the 9.705-7 Up2Date, which was a rushed response to the 21 Nails threat. I don't think there's any way to whitelist such sender addresses except *.amazonses.com, and that doesn't seem wise to me.
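As an added example (not from this thread, and not Sophos code), a small Python parser for the UTM SMTP proxy log format quoted above: it reads the exim "<=" acceptance lines and the smtpd SCANNER quarantine events, then lists quarantined messages whose envelope sender is not on an allowlist, which is exactly the header-From versus envelope-sender mismatch Bob describes. The log lines, addresses and IPs below are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the UTM SMTP proxy log in the thread.
# Addresses and IPs are documentation placeholders, not real senders.
SAMPLE_LOG = """\
2021:06:10-06:38:54 sophos exim-in: 2021-06-10 06:38:54 1lrI5O-0000F6-2e <= bounce-123@bounces.example.com H=mx.example.com [192.0.2.10]:58517 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-SHA256:128 CV=no S=3098 DKIM=example.com
2021:06:10-06:39:00 sophos smtpd: SCANNER: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="bounce-123@bounces.example.com" to="user@example.org" subject="Notification" queueid="1lrI5U-0000FQ-GQ" size="1245" reason="as" extra=""
2021:06:10-06:40:12 sophos smtpd: SCANNER: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.11" from="news@example.org" to="user@example.org" subject="Digest" queueid="1lrI6A-0000G1-Ab" size="2048" reason="as" extra=""
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# exim "<=" line: envelope sender, relay host, IP, optional DKIM signing domain
ACCEPT_RE = re.compile(r' <= (\S+) H=(\S+) \[([^\]]+)\].*?(?: DKIM=(\S+))?$')

def parse_scanner(line: str) -> Dict[str, str]:
    """Return the key="value" fields of a smtpd SCANNER line (empty dict otherwise)."""
    if "SCANNER:" not in line:
        return {}
    return dict(KV_RE.findall(line))

def parse_accept(line: str) -> Dict[str, str]:
    """Return envelope sender, relay host, IP and DKIM domain from an exim '<=' line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return {}
    return {"envelope_from": m.group(1), "host": m.group(2),
            "ip": m.group(3), "dkim": m.group(4) or ""}

def quarantined_not_allowlisted(log: str, allowlist: List[str]) -> List[Dict[str, str]]:
    """Quarantined messages whose envelope sender (what the proxy matches on) is not
    in the allowlist. An allowlist holding only the header From address misses them."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for line in log.splitlines():
        ev = parse_scanner(line)
        if ev.get("name") == "email quarantined" and ev["from"].lower() not in allowed:
            hits.append({"queueid": ev["queueid"], "envelope_from": ev["from"],
                         "to": ev["to"], "srcip": ev["srcip"], "reason": ev["reason"]})
    return hits

def dkim_domains(log: str) -> Dict[str, str]:
    """Map each envelope sender to the DKIM signing domain seen on its '<=' line."""
    out: Dict[str, str] = {}
    for line in log.splitlines():
        acc = parse_accept(line)
        if acc:
            out[acc["envelope_from"]] = acc["dkim"]
    return out
```

Running `quarantined_not_allowlisted(SAMPLE_LOG, ["news@example.org"])` on the sample reports only the bounce-address message, since the allowlist entry matches the header From domain but not the unique envelope sender.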