Hello,

In our organizational mail architecture we have two mail gateway
servers accepting mail from the Internet; the servers are Rocky Linux
running postfix, amavis, spamassassin, clamav (as usual). These two
servers process incoming mail and deliver to the final destination, a
mailbox server (running postfix/dovecot), which is also the outgoing
mail server.

The current problem:

Some incoming mails are verification messages which include a code so
that users can use it (along with their credentials) to log in to
various services; typically Microsoft uses this model
(officeonline, sharepointonline etc). These codes expire in a short
time, after which they are rendered useless.

Unfortunately, the mail gateway servers may delay while processing
mail (esp. if there is some increased load at the time, so the queue
may take longer to get processed), so such mails may be delayed for an
unacceptable amount of time.

What are the options we have to achieve short delivery times for such
mails?

Can you identify some very specific characteristics of these mails
(see at the end an example of such a verification mail) so that these
can be used to safely exclude them from scanning?

A suggestion was to whitelist the sender address (in the example
below: no-re...@sharepointonline.com), but we fear that this (or another
similar) commonly used sender address may be deceptively used in
third-party phishing/malicious mail which will then get through
unprocessed/unfiltered.

What are your suggestions or your solutions to similar problems as
mail admins?

Thanks in advance for your advice and experience.

Regards,
Nick

==================== Verification Mail Example / Start ====================
Return-Path: <no-re...@sharepointonline.com>
Delivered-To: nuser...@noa.gr
Received: from vmail2.noa.gr
by vmail2.noa.gr with LMTP id ENPiG+K/HWI1WwAAcV+qjQ
for <nuser...@noa.gr>; Tue, 01 Mar 2022 08:40:34 +0200
Received: from mailgw1.noa.gr (mailgw1.noa.gr
[IPv6:2001:648:2ffc:1115::27])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by vmail2.noa.gr (IC-XC-NI-KA) with ESMTPS id 2B2AB800279E8
for <nuser...@noa.gr>; Tue, 1 Mar 2022 08:36:19 +0200 (EET)
Authentication-Results: vmail2.noa.gr;
dkim=pass (1024-bit key) header.d=spoemeaeop.onmicrosoft.com
header.i=@spoemeaeop.onmicrosoft.com header.b="duygZdT7";
dkim=pass (2048-bit key) header.d=sharepointonline.com
header.i=@sharepointonline.com header.b="NSIBSpc4"
Received: from localhost (localhost [127.0.0.1])
by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTP id 4K76w30stzzLrN6
for <nuser...@noa.gr>; Tue, 1 Mar 2022 08:36:19 +0200 (EET)
X-Virus-Scanned: amavisd-new at noa.gr
X-Spam-Flag: NO
X-Spam-Score: -1.198
X-Spam-Level:
X-Spam-Status: No, score=-1.198 tagged_above=-999 required=3.4
tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.4, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1,
URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass
(1024-bit key)
header.d=spoemeaeop.onmicrosoft.com header.b="duygZdT7";
dkim=pass (2048-bit key) header.d=sharepointonline.com
header.b="NSIBSpc4"
Received: from mailgw1.noa.gr ([127.0.0.1])
by localhost (mailgw1.noa.gr [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id EG6CD8_ppl7r for <nuser...@noa.gr>;
Tue, 1 Mar 2022 08:36:17 +0200 (EET)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com
(mail-am6eur05on2107.outbound.protection.outlook.com [40.107.22.107])
by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id 4K76w10b2bzLrN2
for <nuser...@noa.gr>; Tue, 1 Mar 2022 08:36:16 +0200 (EET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=DQy/HPfqgVGVzhRDDPblc7PYpVyj8tDb7cAzuyhxNBekKL6VhobTOHxFA8aVda731s7TUOidf0oWdRcIVUYN59ESUa6PhOR9yatOv/jo5usAF0saLkK3W39tpmTaCKTdWfWOuxrydvPY8pFhPUD13IF25NeGc9muK7XeuvqE0CZ/pguxL72orX2Tnipph52Gxe1ywNowof9Non+ZIaauQaPT8PgeJ9qB6aTntCngDAbOK6R96fV0JsF/t6lX1hHwrHaoz94P8cusUmiVpIna9Lj8TgqkeUDGW1Izi3BIxmJFeuUXVw8Bqbkc7OoKdxDs0iQipqZnxp80TbQC3JKJhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
b=LI56/Wj4Z2+4QWNIrW97b3VL8N+qsLrNLiIttbrDkxuPJGRRbjEVE7zmOkf0tDSHq3FILulZPPvtGepBLE7GmqO0m+V96PP1cHcVB2EE5Gp81g816GLAzey64c0TzyiQLddsnMjewPrmGMIRaNFTyKsPGQZYsI9HP9ebTAIFUOytlfgJmIbua6Yhp64ZNA63vObVJfuz6NeV1/7gZL0B+Wyr04uLC2tOJMhKRaJmaVCFO9LOdB71U8CVXD3T2igMJjxRNRudIh4p8zi6DR1a267tlRRE9D/r3foAZslFIqr49BkGxi5f42xQS5p1KJl4uJCqHw1uMI6g9NrPk6Sa1Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none
action=none header.from=sharepointonline.com; dkim=none (message not
signed);
arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=spoemeaeop.onmicrosoft.com; s=selector1-spoemeaeop-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
b=duygZdT7LI/NtfjuuCp3OsLKWBAUVi35sK8KmVZKML0TmLz+RifN1gF9W4s28KpeyNR78S0sIRGO3WdPdaSCHvI4nM10+cTRPuoZSEaSOkGRstLnMcJ+WeRNc0lFaxgMGePEumlky3jsGlDnrUx4KlawX6W0USyoX265RVWBZCk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=sharepointonline.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
b=NSIBSpc4fhf0CSrvzYoI0drAvSDPw7diyzdQE40a6CDzltOIToSHaxcVoWnktYCmSkthZUAi2HpsbYyXOMrpzIytiS2F+csF5m81RjI6i/BKOIcB8Pxa6aUrBd7T13NLwjIkUgsCzz2CXzYXPXjGGhrzRR9/r3MHQpZmJJ9VTVKjTJKgBKxdmumkI/zk9VkQiwHps3ATrRJJy0kJihF/FfDjVJQmArKt0WnTi7/rqboX2m/JWiCU0QOE/yq98yfk5rM2SA8PpNbPPIFut3KnL7ZdD2y6/1C/LpiFdk5YbQ/ee+LPyCAMvEkl9tuya067OEwqHY0FsKT2UVakseMufQ==
Received: from AM6P192CA0108.EURP192.PROD.OUTLOOK.COM
(2603:10a6:209:8d::49)
by PR3PR09MB4443.eurprd09.prod.outlook.com (2603:10a6:102:35::21) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.24; Tue,
1 Mar
2022 06:36:15 +0000
Received: from VE1EUR03FT048.eop-EUR03.prod.protection.outlook.com
(2603:10a6:209:8d:cafe::8c) by AM6P192CA0108.outlook.office365.com
(2603:10a6:209:8d::49) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22 via
Frontend
Transport; Tue, 1 Mar 2022 06:36:14 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is
52.232.126.143)
smtp.mailfrom=sharepointonline.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=sharepointonline.com;
Received: from westeurope0.notifyp.svc.ms (52.232.126.143) by
VE1EUR03FT048.mail.protection.outlook.com (10.152.19.8) with
Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5017.22 via Frontend Transport; Tue, 1 Mar 2022 06:36:14 +0000
Date: Tue, 01 Mar 2022 06:36:14 +0000
Subject: 30362606 is your Microsoft SharePoint verification code.
Message-Id:
<odspmicro-SpoShare-e66525a0-8010-c000-b666-00c1854ccaf9-90fd2a7f-b429-4326-b8dd-1502e232d603-71a3f397-006b-4288-922a-b7e9a3e8157e@RD501AC5BFEEBE>
Sender: SharePoint Online <no-re...@sharepointonline.com>
X-SpRequestGuid: e66525a0-8010-c000-b666-00c1854ccaf9
X-SpMailMessageId: ee7db6d7-186d-4fd2-8525-21d939e0ca91
To: nuser...@noa.gr
Reply-To: no-re...@sharepointonline.com
X-Crid:
=?us-ascii?q?e66525a0-8010-c000-b666-00c1854ccaf9-90fd2a7f-b429-4326-b8dd-?=
=?us-ascii?q?1502e232d603-71a3f397-006b-4288-922a-b7e9a3e8157e?=
X-Tnid: 7a3603ac-db0c-4fe6-b725-0b64d501d886
From: SharePoint Online <no-re...@sharepointonline.com>
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Id: <F73SC7YA7GU4.IHSLFU3R01RX@RD501AC5BFEEBE>
X-MS-TrafficTypeDiagnostic:
VE1EUR03FT048:EE_FirstParty-SPO-V3|PR3PR09MB4443:EE_FirstParty-SPO-V3
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id:
51bb0214-9615-46e1-fab9-08d9fb4dc8bb
X-Microsoft-Antispam-PRVS:
<pr3pr09mb44436e4976ab73ffb577027de5...@pr3pr09mb4443.eurprd09.prod.outlook.com>
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:52.232.126.143;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:westeurope0.notifyp.svc.ms;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230001)(7916004)(346002)(39840400004)(396003)(376002)(136003)(47690400004)(47530400004)(6506007)(7846003)(26005)(6512007)(9686003)(6486002)(336012)(3450700001)(52230400001)(83380400001)(4744005)(118246002)(5660300002)(68406010)(8936002)(8676002)(33716001)(956004)(6916009)(166002)(356005)(81166007)(2906002)(15650500001)(316002)(508600001)(36736006)(86362001);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
y+l04T9dNb1eJye8NxzGlQrpeHlEo6t4359n8NRs8zn3qDNdiDrkjinwPKxvojNgl67QwM4VDVEruhHTrijKG+CPKMUuAGUiERrwI4JE2oxibvP0rmevQo88BKZPpzzf
X-OriginatorOrg: spoemeaeop.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Mar 2022 06:36:14.7045
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
51bb0214-9615-46e1-fab9-08d9fb4dc8bb
X-MS-Exchange-CrossTenant-Id: 4d93e101-5f88-4b2c-b255-9a7bb7b1b764
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=4d93e101-5f88-4b2c-b255-9a7bb7b1b764;Ip=[52.232.126.143];Helo=[westeurope0.notifyp.svc.ms]
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource:
TreatMessagesAsInternal-VE1EUR03FT048.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR09MB4443
<style type="text/css">a { color: #0072bc; text-decoration: none;
}</style><table border="0" cellspacing="0" cellpadding="8"
style="width:100%" dir="ltr"><tr><td align="left" valign="top"><div
style="font-family: 'Segoe UI Semilight', 'Segoe UI', Verdana,
sans-serif; color: #444444;"><div style="margin-bottom: 21px;
font-size: 18px;"><!-- _lcid="1033" _dal="1" -->
<!-- _LocalBinding -->
<html dir="ltr">
<head>
<base
href="<ows:HttpVDir/>/_layouts/15/<%=System.Threading.Thread.CurrentThread.CurrentUICulture.LCID%>/emailattestationtemplate.htm">
<meta name="SharePointError" content="">
<meta name="Robots" content="NOINDEX">
<meta name="GENERATOR" content="Microsoft SharePoint">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Expires" content="0">
<title id="onetidTitle">Time of Access</title>
<html lang="en-us">
<head>
<title>Time of Access v2</title>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
table td {border-collapse:collapse;margin:0;padding:0;}
</style>
</head>
<body>
<table style="height: 100%; border-style: none; width: 100%;
border-spacing: 0; padding: 0; background-color: #f8f8f8;">
<tbody style="height: 100%;">
<tr style="height: 100%; background-color: #ffffff;">
<td align="center" valign="bottom">
<table border="0" width="640" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="14"> </td>
<td height="48"><img
src="https://wedoprojects.sharepoint.com/sites/WeDo-Projects/_layouts/15/images/SharePointBanner.png"
alt="SharePoint" width="80" height="13"></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr style="height: 100%;">
<td style="height: 100%;" align="center" valign="bottom">
<table style="height: 100%;" border="0" width="640" cellspacing="0"
cellpadding="0">
<tbody style="height: 100%;">
<tr>
<td> </td>
</tr>
<tr>
<td width="14"> </td>
<td>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td>
<table border="0" cellspacing="0" cellpadding="0" bgcolor="#FFFFFF">
<tbody>
<tr>
<td width="32"> </td>
<td height="32"> </td>
<td width="32"> </td>
</tr>
<tr>
<td> </td>
<td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif;
font-size: 14px; padding: 0px 0px 0px 0px;" bgcolor="#ffffff">Hello,</td>
</tr>
<tr>
<td> </td>
<td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif;
font-size: 14px; padding: 12px 0px 14px 0px;" bgcolor="#ffffff">For
security purposes, you must enter the code below to verify your
account to access CULTURE Proposal folder. The code will only work for
15 minutes and if you request a new code, this code will stop
working.</td>
</tr>
<tr>
<td> </td>
<td>
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif;
font-size: 14px; padding: 8px 16px 0px 16px;"
bgcolor="#FFF4CE">Account verification code:</td>
</tr>
<tr>
<td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif;
font-size: 18px; padding: 0px 16px 8px 16px;"
bgcolor="#FFF4CE"><strong>30362606</strong></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td> </td>
<td style="padding: 24px 0px 0px; color: #333333; font-family: 'Segoe
UI',Arial,sans-serif; font-size: 14px;"
bgcolor="#ffffff"><strong>Having problems with the code?</strong></td>
</tr>
<tr>
<td> </td>
<td style="padding: 0px 0px 48px; color: #333333; font-family: 'Segoe
UI',Arial,sans-serif; font-size: 14px;">View the error and make sure
that the email identifier is "287G12B". If it's not, look for an
updated email or try requesting a new code.</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
<td width="14"> </td>
</tr>
<tr style="height: 100%;">
<td width="14"> </td>
<td style="padding-top: 20px; padding-bottom: 20px;" align="left"
valign="top">
<p style="font-family: 'Segoe UI', Tahoma, sans-serif; margin: 0px 0px
0px 5px; color: #000; font-size: 10px;">© 2017 Microsoft <a
style="color: #072b60;" title="Privacy"
href="https://privacy.microsoft.com/privacystatement"> Privacy &
Cookies</a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</body>
</html></head></html></div></div></td></tr></table>
==================== Verification Mail Example / End ====================
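
The post worries that a whitelisted sender address can be forged, while the sample's Authentication-Results header from mailgw1.noa.gr records a DKIM pass for sharepointonline.com. As an added example (not part of the original post), this sketch treats a message as fast-path eligible only when the From: domain is on a site-chosen list and the gateway's own Authentication-Results shows a DKIM pass for that same domain. The domain list, function names and test messages are assumptions, and it presumes the gateway strips inbound Authentication-Results headers that carry its own authserv-id.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mailgw1.noa.gr"           # authserv-id from the sample headers
FAST_PATH_DOMAINS = {"sharepointonline.com"}  # assumption: list chosen by the site

def from_domain(msg):
    """Domain of the From: header address, lower-cased ('' if missing)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg, authserv=TRUSTED_AUTHSERV):
    """header.d values reported as dkim=pass by our own gateway only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = " ".join(value.split()).partition(";")
        tokens = authserv_id.split()   # id may be followed by "(amavisd-new)"
        if not tokens or tokens[0].lower() != authserv:
            continue                   # stamped by another host: ignore it
        for result in results.split(";"):
            if re.match(r"\s*dkim=pass\b", result, re.I):
                m = re.search(r"\bheader\.d=([\w.-]+)", result, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def fast_path_eligible(raw_message):
    """True only if the From: domain is listed AND has an aligned DKIM pass."""
    msg = email.message_from_string(raw_message)
    domain = from_domain(msg)
    return domain in FAST_PATH_DOMAINS and domain in dkim_pass_domains(msg)

# Constructed test messages (addresses are made up, not taken from the post).
GENUINE = ("Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass\n"
           " (2048-bit key) header.d=sharepointonline.com\n"
           "From: SharePoint Online <sender@sharepointonline.com>\n\nbody\n")
SPOOFED = ("Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass\n"
           " header.d=bulk.example.net\n"
           "From: SharePoint Online <sender@sharepointonline.com>\n\nbody\n")
FORGED_AR = ("Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=none\n"
             "Authentication-Results: mx.example.net; dkim=pass\n"
             " header.d=sharepointonline.com\n"
             "From: SharePoint Online <sender@sharepointonline.com>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("forged", FORGED_AR)]:
        print(name, fast_path_eligible(raw))
```

The decision is only as good as the header it reads, so the DKIM verification has to run before the slow scanning stage for this to shorten delivery time.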