Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 6664 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM blocking 1 internal user outgoing

JasonIstre
Just started a couple hours ago.  Everything she sends from outlook our exchange servers sends to the UTM and they bounce back.  Other users arent having problems.  Here's one from the log....

1VA0dh-0003pL-38 DKIM: d=lifelock.com s=dkimrnt16925 c=simple/simple a=rsa-sha1 i=@lifelock.com t=1376584988 [invalid - syntax error in public key record]
1VA0di-0003pP-1N ctasd reports 'Confirmed' RefID:str=0001.0A020207.520D00B3.020F,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
1VA0dh-0003pL-38 ctasd reports 'Suspect' RefID:str=0001.0A020207.520D051E.0118,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
1VA0dh-0003pL-38 member.services@lifelock.com H=rntca67.rnmk.com [216.136.162.67]:20183 P=esmtp S=24513 id=RNTM.AvUE~wqVCv8S1GdlGvEe~yL~Jvsq~y7~Mv~3~zr~.0.1376584988.0CfMM9Qn2Dk!@websc18.int.rightnowtech.com
1VA0di-0003pP-1N id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REMOVED-LOCALIP" from="REMOVED-USERNAME@REMOVED-DOMAIN.com" to="REMOVED" subject="test" queueid="1VA0di-0003pP-1N" size="2591" reason="as" extra="confirmed"
1VA0di-0003pP-1N H=REMOVED-SERVER-NAME (smtp01.REMOVED-DOMAIN.com) [REMOVED-LOCALIP]:11432 F= rejected after DATA

Ideas?


This thread was automatically locked due to age.
  • 0
     1VA0dh-0003pL-38 DKIM: d=lifelock.com s=dkimrnt16925 c=simple/simple a=rsa-sha1 i=@lifelock.com t=1376584988 [invalid - syntax error in public key record]
    ...
     1VA0dh-0003pL-38 ctasd reports 'Suspect' RefID:str=0001.0A020207.520D051E.0118,ss=2,re=0.00 0,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
     1VA0dh-0003pL-38 member.services@lifelock.com H=rntca67.rnmk.com [216.136.162.67]:20183 P=esmtp S=24513 id=RNTM.AvUE~wqVCv8S1GdlGvEe~yL~Jvsq~y7~Mv~3~zr~.0 .1376584988.0CfMM9Qn2Dk!@websc18.int.rightnowtech. com

    Apparently, that email was delivered or quarantined, depending on your settings.  LifeLock needs to fix their DKIM record.

     1VA0di-0003pP-1N ctasd reports 'Confirmed' RefID:str=0001.0A020207.520D00B3.020F,ss=4,sh,re=0 .000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
    ...
     1VA0di-0003pP-1N id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="REMOVED-LOCALIP" from="REMOVED-USERNAME@REMOVED-DOMAIN.com" to="REMOVED" subject="test" queueid="1VA0di-0003pP-1N" size="2591" reason="as" extra="confirmed"
     1VA0di-0003pP-1N H=REMOVED-SERVER-NAME (smtp01.REMOVED-DOMAIN.com) [REMOVED-LOCALIP]:11432 F= rejected after DATA

    CommTouch thinks the email looks like a known spam.  Have you seen the email?  If it looks OK, then CommTouch likely will have their database adjusted automatically this afternoon.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    It's outgoing and just one user here.  I sat down at her computer and used outlook to send a few emails to some different accounts and they immediately come back undeliverable as the UTM rejects them.  She has no addins in outlook and spyware and virus scan came back clean.  I don't see those lifelock messages in the log for any other users but her.

    the only thing I could do was create an antispam exception for anything where the sender was her email address.  but it seems like that would allow Internet smtp mail that says its from her to get through when it's obviously spam.
  • 0
    There are two messages in the logs above, 1VA0dh-0003pL-38 and 1VA0di-0003pP-1N.  The first one appears to be a message from LifeLock, and I don't think there's anything wrong there.  I've emailed their postmaster to inform them of the error in their public DNS DKIM TXT record.

    You could make the Exception more complex by also requiring that the email was sent from your Exchange server's IP.

    It would beinteresting to know if you created an Outlook Profile for your username on her machine if emails from you get bounced if sent from that machine.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    I took the exception off for the original user and it's going through without a problem now, but...

    Suddenly today I have a different outlook user unable to send outgoing mail.

    log shows...
    1VEN6B-0001ur-1G ctasd reports 'Confirmed' RefID:str=0001.0A020207.521CE23B.0196,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
    and...
    1VEN7I-0001zD-0a ctasd reports 'Confirmed' RefID:str=0001.0A020201.521CE280.006B,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12

    She is able to send emails from her iphone (activesync to exchange) without an issue.

    I did full malware and AV scans on the first users computer and it came back with nothing.  I'm just trying to understand what about the emails gets flagged as spam and how to prevent it.

    I cant seem to make an exception for the sender address and exchange ip, the rules are "OR".
  • 0
    You can just change that to "AND."  Did you try the experiment I suggested?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to JasonIstre
    I wanted to try your experiment but by the time I got to her computer it was no longer rejecting.  

    See the attached image.  Only the "OR" option is available.  How would I do from this sender AND this host?
  • 0
    Only the "OR" option is available.

    You're right - I was thinking about Exceptions in Web Filtering.

    I don't know of any way to report a false-positive to CommTouch except from the SMTP Quarantine in Mail Manager.  

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    This happened again to another user who was using guest wifi from a hospital with Outlook on her notebook.  Everything she sent was blocked as confirmed spam, though send could send emails from her phone (4g, not guest wifi).  When she got home her outlook was sending unblocked.

    Her outlook is cache mode HTTPS MAPI, it doesn't use SMTP to send email.  The exchange server does that.  Is there something that gets put in the email about the clients public internet IP or location?
  • 0
    If it looks like there might be a different reason for the rejection, please show the SMTP log file lines for one of her rejected emails.  Does she always have this problem when on guest WiFi, or just in that one location?  When she's on your internal WiFi with her notebook, does she have the problem?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    This is a different sales rep from the first two.  All three times it has happened they have been at different customer locations using guest wireless.  When they get home, or back in the office they don't have the problem.

    2013:09:03-10:25:04 utm-1 exim-in[10028]: 2013-09-03 10:25:04 1VGsTY-0002bk-1i ctasd reports 'Confirmed' RefID:str=0001.0A020206.5225FF50.01A9,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
Unfiltered HTML