
UTM Email Protection: recipient verification

Hi,

In my opinion, the recipient verification is meant to reject unknown addresses at the UTM and not relay them to the backend SMTP server.

I tried callout and AD verification against an Exchange 2013 and in both cases I get an NDR message from Exchange and not from Sophos; the unknown address is relayed to the backend SMTP server.

Is there an additional flag to configure?

I'm using SMTP-Profiles for different Domains and Exchange Servers.

Thanks, Nathan

  • Can you show the relevant log lines from the SMTP proxy?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Hi,

    these should be the lines:

    ----

    2015:11:10-16:06:52 astaro-1 exim-in[8891]: 2015-11-10 16:06:52 SMTP connection from [212.227.17.12]:54570 (TCP/IP connection count = 1)
    2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 [212.227.17.12] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address with callout
    2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 1ZwAVZ-0006zJ-06 ctasd reports 'Unknown' RefID:str=0001.0A0B0202.5642080D.0096,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 1ZwAVZ-0006zJ-06 Greylisting: 212.227.17.12 is a known retry host
    2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 1ZwAVZ-0006zJ-06 <= test-address@web.de H=mout.web.de [212.227.17.12]:54570 P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=1893 id=trinity-308a7e51-a084-4f3e-80b5-6b3ea95e39e4-1447168012206@3capp-webde-bap54
    2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 SMTP connection from mout.web.de [212.227.17.12]:54570 closed by QUIT
    2015:11:10-16:06:55 astaro-1 smtpd[8888]: QMGR[8888]: 1ZwAVZ-0006zJ-06 moved to work queue
    2015:11:10-16:07:00 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVg-0006zt-8q <= test-address@web.de R=1ZwAVZ-0006zJ-06 P=INPUT S=114
    2015:11:10-16:07:00 astaro-2 exim-out[3087]: 2015-11-10 16:07:00 Start queue run: pid=3087
    2015:11:10-16:07:00 astaro-2 exim-out[3087]: 2015-11-10 16:07:00 End queue run: pid=3087
    2015:11:10-16:07:00 astaro-1 smtpd[26901]: SCANNER[26901]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="212.227.17.12" from="test-address@web.de" to="bounce@domain.com" subject="[NvA, 10.11.2015, 16:06]: Test" queueid="1ZwAVg-0006zt-8q" size="114"
    2015:11:10-16:07:00 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVZ-0006zJ-06 => work R=SCANNER T=SCANNER
    2015:11:10-16:07:00 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVZ-0006zJ-06 Completed
    2015:11:10-16:07:00 astaro-1 exim-out[26908]: 2015-11-10 16:07:00 Start queue run: pid=26908
    2015:11:10-16:07:00 astaro-1 exim-out[26908]: 2015-11-10 16:07:00 End queue run: pid=26908
    2015:11:10-16:07:00 astaro-1 exim-out[26904]: 2015-11-10 16:07:00 1ZwAVg-0006zt-8q => bounce@domain.com P=<test-address@web.de> R=static_route_hostlist T=static_smtp H=Exchange-IP [Exchange-IP]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <trinity-308a7e51-a084-4f3e-80b5-6b3ea95e39e4-1447168012206@3capp-webde-bap54> [InternalId"
    2015:11:10-16:07:00 astaro-1 exim-out[26904]: 2015-11-10 16:07:00 1ZwAVg-0006zt-8q Completed
    2015:11:10-16:07:00 astaro-1 exim-in[8891]: 2015-11-10 16:07:00 SMTP connection from [Exchange-IP]:46933 (TCP/IP connection count = 1)
    2015:11:10-16:07:00 astaro-1 exim-in[26912]: 2015-11-10 16:07:00 [Exchange-IP] F=<> R=<test-address@web.de> Accepted: from relay
    2015:11:10-16:07:00 astaro-1 exim-in[26912]: 2015-11-10 16:07:00 1ZwAVg-000704-2y <= <> H=exchange.domain.com (Exchange-Server) [Exchange-IP]:46933 P=esmtps X=TLSv1.2:AES256-SHA:256 S=10234 id=f050d3fe-d5af-43e8-8746-bd935017f52c@Exchange-Server
    2015:11:10-16:07:00 astaro-1 exim-in[26912]: 2015-11-10 16:07:00 SMTP connection from exchange.domain.com (Exchange-Server) [Exchange-IP]:46933 closed by QUIT
    2015:11:10-16:07:02 astaro-1 smtpd[8888]: QMGR[8888]: 1ZwAVg-000704-2y moved to work queue
    2015:11:10-16:07:02 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVi-0006zt-IN <= R=1ZwAVg-000704-2y P=INPUT S=9353
    2015:11:10-16:07:02 astaro-1 smtpd[26901]: SCANNER[26901]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="Exchange-IP" from="" to="test-address@web.de" subject="Unzustellbar: [NvA, 10.11.2015, 16:06]: Test" queueid="1ZwAVi-0006zt-IN" size="9353"
    2015:11:10-16:07:02 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVg-000704-2y => work R=SCANNER T=SCANNER
    2015:11:10-16:07:02 astaro-1 smtpd[26901]: SCANNER[26901]: 1ZwAVg-000704-2y Completed
    2015:11:10-16:07:03 astaro-1 exim-out[26917]: 2015-11-10 16:07:03 1ZwAVi-0006zt-IN => test-address@web.de P=<> R=dnslookup T=remote_smtp H=mx-ha02.web.de [212.227.17.8]:25 X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 C="250 Requested mail action okay, completed: id=0MLMic-1ZvcXs3glG-000bgS"
    2015:11:10-16:07:03 astaro-1 exim-out[26917]: 2015-11-10 16:07:03 1ZwAVi-0006zt-IN Completed
    ----

    I sent a mail from test-address@web.de to bounce@domain.com, whose MX record points to my UTM, which has an SMTP profile that routes the mail to the Exchange server.

    Regards, Nathan

  • Seems like you have to look deeper into your Exchange config.
    UTM does the callout and it is successful, so it tries to deliver the message...

  • Thanks for the hint.
    In the Exchange 2013 frontend/smtpreceive log I found this:
    ---
    2015-11-10T15:06:52.877Z,Exchange-Server\Default Frontend,08D2BFE52C7839A9,22,10.0.17.11:25,10.0.17.1:31046,<,RCPT TO:<bounce@domain.com>,
    2015-11-10T15:06:52.877Z,Exchange-Server\Default Frontend,08D2BFE52C7839A9,23,10.0.17.11:25,10.0.17.1:31046,>,250 2.1.5 Recipient OK,
    ---
    This seems to be the default Exchange setting: serverfault.com/.../exchange-2013-recipient-filtering-reject-after-rcpt-to; a workaround is here: www.msxfaq.de/.../e2013recipientfilter.htm (sorry for non-German readers).
    I don't want to change this at the moment. So I tried recipient verification by AD (I've got multiple AD domains) and got this in the Sophos SMTP proxy log:
    ---
    2015:11:11-10:55:01 astaro-1 exim-in[8891]: 2015-11-11 10:55:01 SMTP connection from [212.227.17.12]:54102 (TCP/IP connection count = 1)
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 [212.227.17.12] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address in Active Directory
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 H=mout.web.de [212.227.17.12]:54102 Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server dc-01.anotherdomain.local:636 - ldap_bind() returned -1
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 1ZwS7J-0002QL-1A ctasd reports 'Unknown' RefID:str=0001.0A0B0204.56431075.0179,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 1ZwS7J-0002QL-1A Greylisting: 212.227.17.12 is a known retry host
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 1ZwS7J-0002QL-1A <= test-address@web.de H=mout.web.de [212.227.17.12]:54102 P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=1886 id=trinity-b0c4c3a7-7f70-4612-b379-79c3a2842ff8-1447235700694@3capp-webde-bs55
    2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 SMTP connection from mout.web.de [212.227.17.12]:54102 closed by QUIT
    ---
    The Exchange server for domain.com is in domain.local with dc-ex.domain.local.
    In the profile settings I can't specify the DC, only the BaseDN='DC=domain,DC=local', which is defined under auth/servers and works in the user portal.
    Maybe I'm totally wrong.

    Is there a proper configuration for an SMTP profile with a working recipient filter?

    Thanks, Nathan
  • According to Bob's post in www.astaro.org/.../46789-smtp-proxy-ad-recipient-verification-ldaps-failing.html I switched all AD settings to the non-SSL port 389, and it works:
    ---
    2015:11:11-11:48:35 astaro-1 exim-in[8891]: 2015-11-11 11:48:35 SMTP connection from [212.227.17.12]:49433 (TCP/IP connection count = 1)
    2015:11:11-11:48:36 astaro-1 exim-in[20278]: 2015-11-11 11:48:36 [212.227.17.12] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address in Active Directory
    2015:11:11-11:48:36 astaro-1 exim-in[20278]: 2015-11-11 11:48:36 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="212.227.17.12" from="test-address@web.de" to="bounce@domain.com" size="1540" reason="address_verification" extra="Address not present in directory"
    2015:11:11-11:48:36 astaro-1 exim-in[20278]: 2015-11-11 11:48:36 H=mout.web.de [212.227.17.12]:49433 F=<test-address@web.de> rejected RCPT <bounce@domain.com>: Address not present in directory
    2015:11:11-11:48:36 astaro-1 exim-in[20278]: 2015-11-11 11:48:36 SMTP connection from mout.web.de [212.227.17.12]:49433 closed by QUIT
    ---

    But only if the DC for domain.com is at the bottom of the AD servers list! If I put this DC at the top I get the following; the mail is sent to and bounced by Exchange:
    ---
    2015:11:11-11:53:49 astaro-1 exim-in[8891]: 2015-11-11 11:53:49 SMTP connection from [212.227.17.11]:55379 (TCP/IP connection count = 1)
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: 2015-11-11 11:53:49 [212.227.17.11] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address in Active Directory
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: [1\3] 2015-11-11 11:53:49 H=mout.web.de [212.227.17.11]:55379 Warning: ACL "warn" statement skipped: condition test deferred: LDAP search failed - error 10: Referral/0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: [2\3] ref 1: 'domain.local'
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: [3/3]
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: 2015-11-11 11:53:49 1ZwT2D-0005ZU-1Y ctasd reports 'Unknown' RefID:str=0001.0A0B0206.56431E3D.019E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: 2015-11-11 11:53:49 1ZwT2D-0005ZU-1Y Greylisting: 212.227.17.11 is a known retry host
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: 2015-11-11 11:53:49 1ZwT2D-0005ZU-1Y <= test-address@web.de H=mout.web.de [212.227.17.11]:55379 P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=1886 id=trinity-7b06cf1f-3a94-4ede-988e-02c7fb7e1b10-1447239228996@3capp-webde-bs55
    2015:11:11-11:53:49 astaro-1 exim-in[21420]: 2015-11-11 11:53:49 SMTP connection from mout.web.de [212.227.17.11]:55379 closed by QUIT
    ---

    Is this a bug?
  • Here's some further information from the built-in help that applies:

    As an additional antispam feature, the SMTP proxy tacitly checks each recipient address it receives with your backend mail server(s) before accepting mail for this address. Emails for invalid recipient addresses will not be accepted. In order for this function to work, your backend mail server(s) must reject mails for unknown recipients at the SMTP stage. The general rule is that if your backend server rejects a message, the SMTP proxy will reject it, too.

    Note, however, that recipient verification is not done for trusted (authenticated) or relay hosts, because some user agents may encounter problems when recipients get rejected in the SMTP transaction. In the usual scenario (backend mail server rejects unknown recipients in the SMTP transaction), Sophos UTM will only generate bounces in the following cases:

    • When a trusted or relay source sends a message to an undeliverable recipient.
    • When the backend mail server has been down so that Sophos UTM was not able to verify the recipient.

    However, Sophos UTM does not prevent your backend mail server(s) from sending non-delivery reports (NDRs) or bounces. In addition, Sophos UTM caches positive callout replies from the mail server for 24 hours, and negative ones for two hours.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hi,
    I've opened a support call.

    It seems to be a bug when more than one authentication server is defined.
    The SMTP AD recipient verification always asks the last (bottom) AD server in the list.

    I'll reply for further info.
    N.
  • Sophos classified this behavior as "documentation bug".
    When using AD recipient verification with multiple SMTP profiles and different domain controllers, Exim will take the last one in the list. If an LDAP query fails, Exim doesn't check the next DC.
    Sophos will change the documentation and think about changing the configuration to avoid this.
    Thanks for helping
    Nathan
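As an added example (not from the thread, Sophos, or Exim), a small Python script that runs over exim-in lines like the ones posted above and separates the three outcomes the thread shows: a recipient rejected at the edge, a verification that was silently deferred and therefore failed open (the LDAP bind and referral failures), and an NDR that came back from the backend rather than from the UTM. The backend host set and the abridged sample lines are constructed from the posts; the "Exchange-IP" placeholder is kept as the poster wrote it.

```python
import re

# Constructed sample: exim-in lines abridged from the posts above.
SAMPLE_LOG = """\
2015:11:10-16:06:53 astaro-1 exim-in[26865]: 2015-11-10 16:06:53 [212.227.17.12] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address with callout
2015:11:10-16:07:00 astaro-1 exim-in[26912]: 2015-11-10 16:07:00 [Exchange-IP] F=<> R=<test-address@web.de> Accepted: from relay
2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 [212.227.17.12] F=<test-address@web.de> R=<bounce@domain.com> Verifying recipient address in Active Directory
2015:11:11-10:55:01 astaro-1 exim-in[9321]: 2015-11-11 10:55:01 H=mout.web.de [212.227.17.12]:54102 Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server dc-01.anotherdomain.local:636 - ldap_bind() returned -1
2015:11:11-11:48:36 astaro-1 exim-in[20278]: 2015-11-11 11:48:36 H=mout.web.de [212.227.17.12]:49433 F=<test-address@web.de> rejected RCPT <bounce@domain.com>: Address not present in directory
"""

# Each exim-in process id ties a "Verifying" line to its later outcome.
VERIFY_RE = re.compile(r'exim-in\[(\d+)\]: .* \[(\S+)\] F=<([^>]*)> R=<([^>]*)> Verifying recipient address (.+)$')
DEFER_RE = re.compile(r'exim-in\[(\d+)\]: .*condition test deferred: (.+)$')
REJECT_RE = re.compile(r'exim-in\[(\d+)\]: .*rejected RCPT <([^>]*)>: (.+)$')
BOUNCE_RE = re.compile(r'exim-in\[(\d+)\]: .* \[(\S+)\] F=<> R=<([^>]*)> Accepted: from relay')


def analyse(log_text, backend_hosts=frozenset({"Exchange-IP"})):
    """Return a list of findings, in log order.

    fail_open:      verification started but the ACL condition was deferred,
                    so the recipient was accepted without being verified.
    rejected:       the UTM rejected the recipient at RCPT time (desired).
    backend_bounce: a message with an empty envelope sender arrived from a
                    backend host, i.e. the backend generated the NDR.
    backend_hosts is an assumption: the IPs/names of your own mail servers.
    """
    pending = {}   # pid -> (source, sender, recipient, verification method)
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            pending[m.group(1)] = m.groups()[1:]
            continue
        m = DEFER_RE.search(line)
        if m and m.group(1) in pending:
            _src, _sender, rcpt, method = pending.pop(m.group(1))
            findings.append({"kind": "fail_open", "rcpt": rcpt,
                             "method": method, "reason": m.group(2)})
            continue
        m = REJECT_RE.search(line)
        if m:
            pending.pop(m.group(1), None)
            findings.append({"kind": "rejected", "rcpt": m.group(2),
                             "reason": m.group(3)})
            continue
        m = BOUNCE_RE.search(line)
        if m and m.group(2) in backend_hosts:
            findings.append({"kind": "backend_bounce",
                             "from_host": m.group(2), "rcpt": m.group(3)})
    return findings
```

A "fail_open" finding is the one worth alerting on: the proxy logged it only as a skipped warn ACL and then accepted the mail, exactly what the LDAP port and DC-order problems above produced.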