Morning Jesse,
        (mailop CC'd for completeness but it's not a mail delivery issue 
really)

You seem to have been spot on with the connector issue.  I hadn't realised that 
the connectors we set up in O365 were not
specific to our hybrid exchange setup and if the certificate on our mailhosts 
also matched the certificates defined in there
then mail seems to be routed into our tenancy first and then back out again, 
causing the SPF fail. (I'm happier in Unix land)

So, restricting the regex in the O365 connector so that it only matches our 
hybrid servers and not our on premise servers
seems to have done the trick.  (I'm still uncertain, there seemed to me to be a 
bit of hand waving going on)

Now can anyone recommend any sendmail milters to restrict outbound send rates 
so we can clamp down on these phished accounts more?

Thanks,
        Duncan

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Jesse Thompson via mailop
Sent: 08 November 2018 17:49
To: mailop@mailop.org
Subject: Re: [mailop] Microsoft SPF failing our email internally against their 
own servers

I would bet it has to do with the way you set up your inbound and outbound 
connectors in your Exchange Online tenant.  You should not need to include EOP 
in your SPF (although IIRC there is no way to set up hybrid routing for OOFs)

We had some tenant-tenant routing issues in 2015 due to the way we had set up 
our connectors for hybrid routing.  We resolved it via some advice obtained 
from a lengthy conversation with someone on the Exchange team who actually 
knows how the EOP/ExO systems are plumbed.

Microsoft's support teams don't like dealing with complex mail flow scenarios, 
but I am encouraged by some comments I've heard lately that they realize that 
enterprise mail flow will always be complex, which is why they're starting to 
address some of the forwarding problem scenarios, adding a capability to fix 
inbound-gateway SPF evaluation, getting on board with ARC, etc.

Jesse

On 11/8/2018 6:14 AM, Duncan Brannen wrote:
> Morning all,
> 
>                  Does anyone have any issues delivering to some O365 
> domains due to Microsoft internally SPF failing inbound email against 
> their own servers?
> 
> We’re seeing the email go through our MXs and be delivered to 
> x.protection.outlook.com,
> protection.outlook.com then SPF checks and passes the message, 
> verifies the DKIM signature and passes that.
> 
> then…
> 
> it gets routed internally from protection.outlook.com to 
> outlook.office365.com, back to protection.outlook.com
> and then goes through a second set of SPF and DKIM checks which fail 
> SPF because protection.outlook.com is not a permitted server for 
> st-andrews.ac.uk
> 
> It ‘seems’ to happen for recipients in UK datacentres where their MX 
> records still point at the EU datacentres and I ‘think’ having
> an O365 tenancy but routing all of our outbound email through our 
> onsite MX servers is a contributing factor due to the tenant
> name appearing in the headers. [we’re hybrid on premise, Gmail and 
> O365]
> 
> Our support call is going round in circles, we’ve been told the remote 
> site has blacklisted us, that we need to add the MS servers into our 
> SPF,
> that we need to add our hybrid servers into our SPF, that our DKIM 
> signature is invalid, that our SPF is invalid, that the remote site 
> have errors
> in their EOP configuration and that Barracuda have blacklisted us.
> 
> I can see that adding protection.outlook.com to our SPF record will 
> fix this though protection.outlook.com shouldn’t be sending email for 
> us and
> shouldn’t be in our SPF but it may be that the price of having an O365 
> tenancy is we have to whether we send email that way or not. If anyone
> knows either way and can explain why or knows how we should phrase a 
> request for escalation to a team that understands hybrid setups where
> email is routed through non MS servers I’d appreciate sharing of the 
> knowledge. :)
> 
> Example headers below.
> 
> Cheers,
> 
>            Duncan
> 
> Received: from LNXP265MB0905.GBRP265.PROD.OUTLOOK.COM 
> (2603:10a6:600:5e::31)
> 
> by LO2P265MB1728.GBRP265.PROD.OUTLOOK.COM with HTTPS via
> 
> LNXP265CA0019.GBRP265.PROD.OUTLOOK.COM; Fri, 26 Oct 2018 08:00:56 
> +0000
> 
> Received: from CWLP265CA0256.GBRP265.PROD.OUTLOOK.COM 
> (2603:10a6:401:25::28)
> 
> by LNXP265MB0905.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:78::11) with
> 
> Microsoft SMTP Server (version=TLS1_2,
> 
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.24; Fri, 
> 26 Oct
> 
> 2018 08:00:56 +0000
> 
> Received: from VE1EUR01FT055.eop-EUR01.prod.protection.outlook.com
> 
> (2a01:111:f400:7e01::206) by CWLP265CA0256.outlook.office365.com
> 
> (2603:10a6:401:25::28) with Microsoft SMTP Server (version=TLS1_2,
> 
> cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1273.19 via 
> Frontend
> 
> Transport; Fri, 26 Oct 2018 08:00:55 +0000
> 
> Authentication-Results: spf=fail (sender IP is 104.47.0.127)
> 
> smtp.mailfrom=st-andrews.ac.uk; uhi.ac.uk; dkim=pass (signature was
> verified)
> 
> header.d=UniversityofStAndrews907.onmicrosoft.com;uhi.ac.uk;
> 
> dmarc=bestguesspass action=none header.from=st-andrews.ac.uk;
> 
> Received-SPF: Fail (protection.outlook.com: domain of st-andrews.ac.uk 
> does
> 
> not designate 104.47.0.127 as permitted sender)
> 
> receiver=protection.outlook.com; client-ip=104.47.0.127;
> 
> helo=EUR01-HE1-obe.outbound.protection.outlook.com;
> 
> Received: from EUR01-HE1-obe.outbound.protection.outlook.com
> (104.47.0.127) by
> 
> VE1EUR01FT055.mail.protection.outlook.com (10.152.3.104) with 
> Microsoft SMTP
> 
> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) 
> id
> 
> 15.20.1294.14 via Frontend Transport; Fri, 26 Oct 2018 08:00:55 +0000
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> 
> d=UniversityofStAndrews907.onmicrosoft.com; 
> s=selector1-standrews-ac-uk0e;
> 
> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange
> -SenderADCheck;
> 
> bh=jmNDk9A9PZk09YI7EoXcC6bpFtKR82SKTANn3/DMLug=;
> 
> b=ED9NpX9QKXys3LSbATyd1YMgMQbsPuEcRC92nBMGdPTsmDPO7fHqm7hzMOCCkKw4+1+h
> nch9Jw2kVAxit6o/NKsdo66TJ+EM0BDCmmkAefoo/2KSvwKz5cuTTp5lBId6DKAUjUSjoC
> OqOhIv5yf46DzflVSY0yr4fy3dIbEe3GI=
> 
> Received: from VI1PR06CA0143.eurprd06.prod.outlook.com
> (2603:10a6:803:a0::36)
> 
> by DB6PR0601MB2389.eurprd06.prod.outlook.com (2603:10a6:4:1f::20) with
> 
> Microsoft SMTP Server (version=TLS1_2,
> 
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1273.19; Fri, 
> 26 Oct
> 
> 2018 08:00:53 +0000
> 
> Received: from VE1EUR01FT064.eop-EUR01.prod.protection.outlook.com
> 
> (2a01:111:f400:7e01::205) by VI1PR06CA0143.outlook.office365.com
> 
> (2603:10a6:803:a0::36) with Microsoft SMTP Server (version=TLS1_2,
> 
> cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1273.21 via 
> Frontend
> 
> Transport; Fri, 26 Oct 2018 08:00:53 +0000
> 
> Authentication-Results-Original: spf=pass (sender IP is 138.251.6.249)
> 
> smtp.mailfrom=st-andrews.ac.uk; uhi.ac.uk; dkim=pass (signature was
> verified)
> 
> header.d=st-andrews.ac.uk;uhi.ac.uk; dmarc=bestguesspass action=none
> 
> header.from=st-andrews.ac.uk;
> 
> Received-SPF: Pass (protection.outlook.com: domain of st-andrews.ac.uk
> 
> designates 138.251.6.249 as permitted sender)
> 
> receiver=protection.outlook.com; client-ip=138.251.6.249;
> 
> helo=mailhost.st-andrews.ac.uk;
> 
> Received: from mailhost.st-andrews.ac.uk (138.251.6.249) by
> 
> VE1EUR01FT064.mail.protection.outlook.com (10.152.3.34) with Microsoft 
> SMTP
> 
> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) 
> id
> 
> 15.20.1273.13 via Frontend Transport; Fri, 26 Oct 2018 08:00:52 +0000
> 
> Received: from mailhost02.st-andrews.ac.uk (mailhost.st-andrews.ac.uk
> [192.168.0.2])
> 
>                 by mailhost.st-andrews.ac.uk (8.15.2/8.15.2/Debian-8) 
> with ESMTPS id w9Q80pTc120481
> 
>                 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NOT);
> 
>                 Fri, 26 Oct 2018 09:00:52 +0100
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; 
> d=st-andrews.ac.uk;
> 
>                 s=mailhost; t=1540540852;
> 
>                 bh=gRTuJZzb7JI456njDWSRhuU9IlxP+i6HdwYnqMKdJJU=;
> 
>                 h=From:To:Subject:Date:From;
> 
>                 
> b=gaAFsl9e7JmElplb6otYlJgysWIZCbUlAl9bfTD2uRtkU8FPNDNDNEYv67RzacZCQ
> 
>                 
> 5dwU2tZoAqcYPeq18kxxreiWAOaUdPkI9bzyKxJVVRahXx1cy01bKOhz7thUVWKQaA
> 
>                 
> KQVJHV3FiLGyCS7zYlE08wCygEhvavY5gXAqINaDxPdqNT0JfNsaLzsYfuL4eIGtFm
> 
>                 
> Xel+vrLfTEzoacFoYrf+yan/R5pMp5z/wQx6nVhW1Ihz5ibtPHghj4REjIlyrCbWm4
> 
>                 
> LtztByClgpj5MB7PteT3VsLO0mgJ6Q02Q4UsLLZa6HEGslfxJ2OoyAOXj1stNvcz2W
> 
>                 3mnsL8C9RSiOw==
> 
> X-Spam-Status: No
> 
> X-StAndrews-MailScanner-From: d...@st-andrews.ac.uk 
> <mailto:d...@st-andrews.ac.uk>
> 
> X-StAndrews-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> 
>                 score=0.111, required 5, DKIM_SIGNED 0.10, 
> HTML_MESSAGE 0.00,
> 
>                 T_DKIM_INVALID 0.01)
> 
> X-StAndrews-MailScanner: No virus detected
> 
> X-StAndrews-MailScanner-ID: w9Q80mnL120467
> 
> X-StAndrews-MailScanner-Information: Please contact the ISP for more 
> information
> 
> Received: from unimail.st-andrews.ac.uk (exch13-srv03.st-andrews.ac.uk
> [138.251.9.20])
> 
>                 by mailhost02.st-andrews.ac.uk 
> (8.15.2/8.15.2/Debian-8) with ESMTPS id w9Q80mnL120467
> 
>                 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 
> bits=256 verify=NOT);
> 
>                 Fri, 26 Oct 2018 09:00:49 +0100
> 
> Received: from exch13-srv03.st-andrews.ac.uk (138.251.9.20) by
> 
> exch13-srv03.st-andrews.ac.uk (138.251.9.20) with Microsoft SMTP 
> Server
> (TLS)
> 
> id 15.0.1210.3; Fri, 26 Oct 2018 09:00:48 +0100
> 
> Received: from EUR03-VE1-obe.outbound.protection.outlook.com
> (213.199.154.148)
> 
> by exch13-srv03.st-andrews.ac.uk (138.251.9.20) with Microsoft SMTP 
> Server
> 
> (TLS) id 15.0.1210.3 via Frontend Transport; Fri, 26 Oct 2018 09:00:48 
> +0100
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> 
> d=UniversityofStAndrews907.onmicrosoft.com; 
> s=selector1-standrews-ac-uk0e;
> 
> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange
> -SenderADCheck;
> 
> bh=sfdcZ9ETxSvzJVU/5gt/HSeE7sIMoJ61hF3L/g+1OlQ=;
> 
> b=dy0PNnh1+cASR+z9cij+VQ1mawDIS5MYQVvFvRNxP1rHUjs2Gg0m6bswj0/HHOiINg6r
> /4XnPPwcK22bRaMF0QMuTYtnu/a13qfN1qId1TZXpeYhHyQ4BDgcCXcT7vx6JQuN6v74Ov
> XE5geWreHWiv4uyDAiYR4m+pu50KOy+EY=
> 
> Received: from HE1PR0602MB3596.eurprd06.prod.outlook.com (52.133.5.31) 
> by
> 
> HE1PR0602MB2763.eurprd06.prod.outlook.com (10.175.31.11) with 
> Microsoft SMTP
> 
> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) 
> id
> 
> 15.20.1273.18; Fri, 26 Oct 2018 08:00:46 +0000
> 
> Received: from HE1PR0602MB3596.eurprd06.prod.outlook.com
> 
> ([fe80::9cbd:88d4:5772:eac2]) by 
> HE1PR0602MB3596.eurprd06.prod.outlook.com
> 
> ([fe80::9cbd:88d4:5772:eac2%2]) with mapi id 15.20.1250.028; Fri, 26 
> Oct
> 2018
> 
> 08:00:46 +0000
> 
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
> 
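
An added example, not part of either poster's messages: a small Python check that reads a message's Received-SPF headers and reports the pattern described in this thread, where SPF passes on first arrival and is then re-evaluated against an Exchange Online outbound relay. The sample input is constructed from the two SPF verdicts in the headers quoted above; the function names are this example's own.

```python
import re
from email import message_from_string

# Constructed sample: the two SPF verdicts from the headers quoted above,
# newest first, written as folded header lines.
SAMPLE = """\
Received-SPF: Fail (protection.outlook.com: domain of st-andrews.ac.uk does
 not designate 104.47.0.127 as permitted sender)
 receiver=protection.outlook.com; client-ip=104.47.0.127;
 helo=EUR01-HE1-obe.outbound.protection.outlook.com;
Received-SPF: Pass (protection.outlook.com: domain of st-andrews.ac.uk
 designates 138.251.6.249 as permitted sender)
 receiver=protection.outlook.com; client-ip=138.251.6.249;
 helo=mailhost.st-andrews.ac.uk;
Subject: constructed test message

body
"""

EOP_OUTBOUND = ".outbound.protection.outlook.com"


def spf_evaluations(raw):
    """Return every Received-SPF verdict in the message, oldest hop first."""
    verdicts = []
    for value in message_from_string(raw).get_all("Received-SPF", []):
        flat = " ".join(value.split())           # undo header folding
        if not flat:
            continue
        fields = dict(re.findall(r"([\w-]+)=([^;\s]+)", flat))
        verdicts.append({
            "result": flat.split(None, 1)[0].lower(),
            "client_ip": fields.get("client-ip"),
            "helo": fields.get("helo", ""),
        })
    verdicts.reverse()                            # headers are prepended per hop
    return verdicts


def reevaluated_via_eop(raw):
    """Return the failing verdict if SPF passed on first arrival and was then
    re-checked against an Exchange Online outbound relay, else None."""
    passed_earlier = False
    for v in spf_evaluations(raw):
        if v["result"] == "pass":
            passed_earlier = True
        elif (v["result"] == "fail" and passed_earlier
              and v["helo"].lower().endswith(EOP_OUTBOUND)):
            return v
    return None
```

A non-None result on a delivered message points at tenant-side routing of the kind discussed in this thread rather than at the sending domain's SPF record.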
