Hey Jim,
I'm having the same issue with spoofed emails using the FROM in the P2 header, so I decided to kill them by removing the ms-exch-smtp-accept-authoritative-domain-sender permissions on my receive connector. But now UTM is not able to send Quarantine reports, as UTM sends the reports to that receive connector using one of our email addresses and Exchange is rejecting them now.
How are you handling the Quarantine reports after changing those permissions on the Exchange receive connector?
Thanks!
Hey Jim,
I'm having the same issue with spoofed emails using the FROM in the P2 header, so I decided to kill them by removing the ms-exch-smtp-accept-authoritative-domain-sender permissions on my receive connector. But now UTM is not able to send Quarantine reports, as UTM sends the reports to that receive connector using one of our email addresses and Exchange is rejecting them now.
How are you handling the Quarantine reports after changing those permissions on the Exchange receive connector?
Thanks!
I have SPF enabled on UTM and have SPF records set up for my domain. The thing is UTM uses SPF to check only the MAIL FROM field on the P1 headers of an email. Emails can still be spoofed by altering the FROM field on the P2 headers of an email. Unfortunately, UTM does not check P2 headers of emails, thus allowing spoofed emails to still come through.
See my posts above from 21,22 Sep 2015. The problem is that the From field comes after the DATA command. Only the Sender field is considered for email-address blacklists, DKIM and SPF.
Cheers - Bob
This is a reply to an old post, but adding this now for others who stumble into the discussion again.
Not sure why UTM could not send quarantine reports. It should be configured to long onto your mail server with credentials
Managment... Notifications... Advanced... Authentication (checked, followed by a username and password). The username there should be consistent with the sender name on the Notification... General tab.
Alternatively, you configure an Exchange Receive Connector to filter on IP Address instead of authentication, then put the UTM Address into the allowed list.