romanr
New Member
April 25, 2014
Question

Deep Header Check and X-Originating-IP

  • April 25, 2014
  • 13 replies
  • 19986 views
Hi, does anyone have some details about the Black/White IP checking on the Fortimail? Esp. on the use of the X-Originating-IP attribute? I always thought that blacklisted sender IPs will not hit if the e-mail comes from a whatever not listed IP address unless the "Deep Header Check" option is used. Then the Fortimail will also look into the headers of the mail and apply antispam actions if it finds a listed IP in the header section of the mail. Exchange 2013 Frontend Proxy Service sets the X-Originating-IP attribute in the mail header when transporting authenticated mail. Fine! When this outbound mail now gets routed to a Fortimail - the Fortimail will also check the X-Originating-IP attribute - even if Deep Header Scanning isn't enabled... It also tells me there is an SPF violation (even though this is disabled on the session profile) - somehow confusing.... Br, Roman


    Bromont_FTNT
    Staff
    April 25, 2014
    Can you post screenshots of this in the logs?
    SteveRoadWarrior
    New Member
    April 25, 2014
    Roman, we've seen a similar issue with Fortimail SPF checking even if deep header check was not enabled. We had to resolve our issue another way (whitelisting, etc). Curious to see what you people find. Steve
    romanr (Author)
    New Member
    April 25, 2014
    Hi, here is the text of the History log and AntiSpam log of one of the mentioned messages - so this is outbound from the Exchange Server to the Fortimail! (10.232.1.30 is the Exchange Server, 193.171.X.X is the Fortimail in the DMZ)

    Log Type: History
    Date: 2014-04-25
    Time: 17:21:02
    Classifier: Not Spam
    Disposition: Accept
    From: s300000@domain.at
    To: romanr@extdomain.net
    Subject: Proxy
    Session ID: s3PFL2Jb026983-s3PFL2Jd026983
    Client: [10.232.1.30]
    Level: information
    Type: statistics
    Destination IP: 193.171.X.X
    Length: 619
    Resolved: OK
    Mailer: mta
    Direction: out
    Policy IDs: 1:3:1
    Log ID: 0200026984

    Log Type: AntiSpam
    Date: 2014-04-25
    Time: 17:21:02
    From: s300000@domain.at
    To: romanr@extdomain.net
    Subject: Proxy
    Session ID: s3PFL2Jb026983-s3PFL2Jd026983
    Client: [10.232.1.30]
    Message: SPF (envelope) indicates that MTA (213.208.X.X) is not permitted to send email for domain.at
    Level: information
    Type: spam
    Destination IP: 193.171.X.X
    Log ID: 0300026984

    From the mail header:
    Subject: Proxy
    Content-Type: text/plain; charset="ISO-8859-15"; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [213.208.X.X]
    X-FEAS-SPF: PASS / PASS ( ip="193.171.X.X", helo="mail.domain.at", mailFrom="s300000@domain.at" ) ( headerFrom="s300000@domain.at" )
    Return-Path: s300000@domain.at
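    To make the observation in this post concrete, here is an added diagnostic (not from this thread and not Fortinet code) that pulls every IP a gateway could key an SPF check on out of a message (the envelope client, each Received: hop and X-Originating-IP) and evaluates each one against an ip4-only SPF record without DNS. The header sample and the SPF record are constructed from the fragment above with the X.X octets replaced by placeholders, and the Received: line is assumed.

```python
import ipaddress
import re

# Constructed from the header fragment posted above: X.X octets are replaced by
# placeholder values and the Received: line is assumed. Not real infrastructure.
SAMPLE_HEADERS = (
    "Received: from mail.domain.at (mail.domain.at [193.171.0.1])\r\n"
    "\tby fortimail.example.invalid with ESMTP id s3PFL2Jb026983\r\n"
    "X-Originating-IP: [213.208.0.1]\r\n"
    'X-FEAS-SPF: PASS / PASS ( ip="193.171.0.1", helo="mail.domain.at" )\r\n'
)
SAMPLE_SPF = "v=spf1 ip4:193.171.0.0/24 -all"  # constructed: DMZ relay range only
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unfold(headers):
    """Join RFC 5322 folded continuation lines onto their header line."""
    out = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw)
    return out


def candidate_ips(headers, client_ip):
    """Every IP a gateway could key an SPF check on, grouped by where it was found."""
    found = {"envelope-client": [client_ip]}
    for line in unfold(headers):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("received", "x-originating-ip"):
            found.setdefault(name.strip().lower(), []).extend(IPV4.findall(value))
    return found


def spf_ip4_result(record, ip):
    """Minimal SPF evaluator: ip4:<cidr> mechanisms and a final all, no DNS lookups."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in VERDICT else ("+", term)
        if mech == "all" or (mech.startswith("ip4:")
                             and addr in ipaddress.ip_network(mech[4:], strict=False)):
            return VERDICT[qual]
    return "neutral"


def audit(headers, record, client_ip):
    """Map each header-derived IP to the SPF verdict it would produce."""
    return {src: {ip: spf_ip4_result(record, ip) for ip in ips}
            for src, ips in candidate_ips(headers, client_ip).items()}
```

    Run against the constructed sample, the envelope client and the Received: hop pass while the X-Originating-IP address (the authenticated user's own address, which no sender-domain SPF record is expected to list) fails, which is the verdict pattern the AntiSpam log entry above shows.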
    romanr (Author)
    New Member
    April 25, 2014
    Steve, in my opinion this would be a design failure or just a bug... Proving SPF or any other IP-based method on the X-Originating-IP is just wrong in my opinion... This should only happen with Deep Header scanning for blacklisted IPs, where this would be okay! Good to know I am not the only one thinking this is incorrect - I think I'll report this bug. Br, Roman
    Bromont_FTNT
    Staff
    April 25, 2014
    I don't think this is caused because of the X-Originating-IP header... You likely have "Treat SPF checking failed email as spam" checked in your AS profile and that IP is in the "Received: from" headers.
    romanr (Author)
    New Member
    April 25, 2014
    > I don't think this is caused because of the X-Originating-IP header... You likely have "Treat SPF checking failed email as spam" checked in your AS profile and that IP is in the "Received: from" headers.
    As you can see in the posted log entry - the mail was not blocked. The Fortimail must not check the "Received: from" without Deep Header check enabled - and for this case the Fortimail behaves solid - it doesn't check it in all cases I monitored. The only difference in all the mails I looked at today was the X-Originating-IP part.... I also know that I haven't checked SPF checking on outgoing mail...
    emnoc
    New Member
    April 25, 2014
    So, confusion: did the Fortimail have deep-header check enabled or not? I thought all IP addresses were checked with the deep-header check enabled? This would include SPF checks and Fortiguard AS. Or is this not the case?
    romanr (Author)
    New Member
    April 25, 2014
    No - Deep Header Check was disabled. SPF checking was also disabled on the session policy for the Exchange server. This is what annoys me. I opened a support ticket - let's see! Br, Roman
    Bromont_FTNT
    Staff
    April 25, 2014
    But in your outgoing AS profile you have "Treat SPF checking failed email as spam" enabled, right?
    romanr (Author)
    New Member
    April 25, 2014
    > But in your outgoing AS profile you have "Treat SPF checking failed email as spam" enabled, right?
    No - and as I use a proper SPF record for this domain - which does not include my private DMZ IP addresses - I would really have recognized it already... I checked it a couple of times, on all policies that apply. From the log above: <snip> Direction out Policy IDs 1:3:1 </snip> None of those 3 applying policies had SPF checking or Deep Header enabled...
    Bromont_FTNT
    Staff
    April 25, 2014
    Ok, let us know what support says... I haven't been able to block a blacklisted IP address based on X-Originating-IP even with deep header enabled.
    romanr (Author)
    New Member
    April 25, 2014
    > Ok, let us know what support says... I haven't been able to block a blacklisted IP address based on X-Originating-IP even with deep header enabled.
    Yes sure - I'll update you here! I found that trouble the totally opposite way - we got some users who are blacklisted on their internet access, but need to send via SMTPS over the Exchange. And those users were blocked due to the normal Fortiguard Black IP scan on mails coming from Exchange - as Deep Scanning was disabled and the only thing new was the X-Originating-IP attribute, which came with Exchange 2013 into this infrastructure - Postfix didn't use it...