Barracuda Reputation blocking mails based on Client IP

[stevehw]

Hi,

I have a confusing problem. Our staff sometimes use USB 3G sticks which give them dynamic IPs. Sometimes mails are bounced back from remote MTAs to due to this (i.e. poor Barracuda Reputation).

I have X-Originating-IP disabled on Zimbra.

zmprov gacf | grep zimbraSmtpSendAddOriginatingIP
zimbraSmtpSendAddOriginatingIP: FALSE

When looking at the sent mail (Right-clicking and Show Original), I cannot see X-Originating-IP or any reference to the blocked client IP so I have no idea where the remote MTA's are getting the senders client IP from.

Does Show Original show everything? Can anyone give me a pointer where to start looking? I have included the sent mail below but removed the content parts.

Many Thanks,

Steve HW


From: *removed*
To: *removed*
Subject: *removed*
Date: Wed, 15 Sep 2010 22:14:26 +0100
Message-ID: <000c01cb551b$0203c2f0$060b48d0$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_01CB5523.63C82AF0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: ActVGvomd+1Zn8d+RWunJJ4Fbm0ylA==
Content-Language: en-gb
X-OlkEid: F6A411206648FFE8F4477445858EEBE1F8B038DF

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01CB5523.63C82AF0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0008_01CB5523.63C82AF0"


------=_NextPart_001_0008_01CB5523.63C82AF0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

*removed*

------=_NextPart_001_0008_01CB5523.63C82AF0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

*removed*

------=_NextPart_001_0008_01CB5523.63C82AF0--

[phoenix]

You won't see any IP addresses on an email in the Sent folder as that copy hasn't been sent anywhere, you need to look at a copy of the received email for the details of it's route through mail servers.

[stevehw]

Thanks Bill,

Of course you're right, I checked the full bounced message and the sent mail has a "Received: from" header that includes the senders client IP. Is this coming from the Outlook client? Is there any way I can tell Zimbra to strip this from the header or is this something I need to do in Postfix?

Thanks for the pointer

Steve

[phoenix]

Could you update your forum profile with the output of the following command (do not post the output in this thread):

Code:

zmcontrol -v

Are these mail clients connecting via the ZCO or IMAP and are they using port 25 to submit their email?

[stevehw]

Profile Updated.

Staff use IMAP SSL from within Outlook, so port 993.

Steve

[phoenix]

Profile Updated.

Thanks.

Staff use IMAP SSL from within Outlook, so port 993.

Yes but what do they use for their Submission port? I suspect you're using port 25 on the ZImbra server, is that correct?

[stevehw]

Yes, 25 is still the default for smtp.

Steve

[phoenix]

Yes, 25 is still the default for smtp.

That's actually the incorrect port for mail submission to an MTA, the correct port is 587 and will require the user to authenticate when they send mail. I believe that should solve your problem as the mail will then come from the mail server itself and should not have any IP in the headers that reflect what the originating IP was. Try changing that for a test user and see what the results are, you can obviously verify it by looking at the headers via the show original.

[stevehw]

Bill - Thanks again for your help with this. I've read up on port 587, I never knew that, guess you can tell I'm not a full-time mail admin It's now opened and accepting mail.

I sent a mail to myself but unfortunately the headers still include my sender IP and DNS in a "Received: from" header.

Any other ideas? Striping all these with postfix seems crude but many posts on the net are saying this is the way forward.

Steve

[stevehw]

I've tried to use postfix to remove these headers but think I've hit a bug.

I've added the following to /opt/zimbra/conf/postfix_header_checks.in

/^Received: from/ IGNORE

Running "postfix reload" shows this carried across to /opt/zimbra/conf/postfix_header_checks

However, /opt/zimbra/postfix/conf/main.cf contains "header_checks = ".

To check the setting I've ran the following:

zmlocalconfig postfix_header_checks
postfix_header_checks = pcre:${zimbra_home}/conf/postfix_header_checks

All looks good, so why is this not shown in main.cf...

If I add the line manually using:

/opt/zimbra/postfix/sbin/postconf -e header_checks=pcre:/opt/zimbra/conf/postfix_header_checks

Those headers are now stripped from the mails - w'hey However, if I reload postfix again or restart zimbra, the header_check line is removed from main.cf and the problem returns