Fortinet Forum
romanr
Valued Contributor

Deep Header Check and X-Originating-IP

Hi, does anyone have some details about the Black/White IP checking on the Fortimail? Esp. on the use of the X-Originating-IP attribute? I always thought that Blacklisted Sender IPs will not hit if the e-mail comes from a whatever not listed IP address unless the "Deep Header Check" option is used. Then the Fortimail will also look into the headers of the mail and apply antispam actions if it finds a listed IP in the header section of the mail. Exchange 2013 Frontend Proxy Service sets the X-Originating-IP attribute in the mail header when transporting authenticated mail. Fine! When this outbound mail now gets routed to a Fortimail, the Fortimail will also check the X-Originating-IP attribute, even if Deep Header Scanning isn't enabled... It also tells me there is a SPF violation (even though this is disabled on the session profile), somehow confusing.... Br, Roman
Bromont_FTNT
Staff

Can you post screenshots of this in the logs?
SteveRoadWarrior
New Contributor III

roman, We've seen a similar issue with Fortimail SPF checking even if deep header check was not enabled. We had to resolve our issue another way (whitelisting, etc). Curious to see what you people find. Steve
romanr
Valued Contributor

Hi, here is the text of the History log and Antispam log of one of the mentioned messages. So this is outbound from Exchange Server to Fortimail! (10.232.1.30 is the Exchange Server; 193.171.X.X is the Fortimail in the DMZ.)

History log:
  Log Type: History
  Date: 2014-04-25
  Time: 17:21:02
  Classifier: Not Spam
  Disposition: Accept
  From: s300000@domain.at
  To: romanr@extdomain.net
  Subject: Proxy
  Session ID: s3PFL2Jb026983-s3PFL2Jd026983
  Client: [10.232.1.30]
  Level: information
  Type: statistics
  Destination IP: 193.171.X.X
  Length: 619
  Resolved: OK
  Mailer: mta
  Direction: out
  Policy IDs: 1:3:1
  Log ID: 0200026984

AntiSpam log:
  Log Type: AntiSpam
  Date: 2014-04-25
  Time: 17:21:02
  From: s300000@domain.at
  To: romanr@extdomain.net
  Subject: Proxy
  Session ID: s3PFL2Jb026983-s3PFL2Jd026983
  Client: [10.232.1.30]
  Message: SPF (envelope) indicates that MTA (213.208.X.X) is not permitted to send email for domain.at
  Level: information
  Type: spam
  Destination IP: 193.171.X.X
  Log ID: 0300026984

From the mail header:
  Subject: Proxy
  Content-Type: text/plain; charset="ISO-8859-15"; format=flowed
  Content-Transfer-Encoding: 7bit
  X-Originating-IP: [213.208.X.X]
  X-FEAS-SPF: PASS / PASS (ip="193.171.X.X", helo="mail.domain.at", mailFrom="s300000@domain.at") (headerFrom="s300000@domain.at")
  Return-Path: s300000@domain.at
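The log above shows the core of the problem: SPF was evaluated against the address in X-Originating-IP (the authenticated client behind Exchange) instead of the connecting MTA, and only the MTA address can legitimately pass SPF. The following script is an added illustration, not code from the thread or from Fortinet: it parses a header fragment modelled on the one posted (documentation addresses 192.0.2.25 and 198.51.100.5 stand in for 193.171.X.X and 213.208.X.X, and the SPF record for domain.at is constructed), then runs a minimal SPF evaluation against both addresses.

```python
import ipaddress
import re

# Constructed header fragment modelled on the one quoted in the post above.
# 192.0.2.25 stands in for the DMZ Fortimail (193.171.X.X), 198.51.100.5 for
# the authenticated client that Exchange stamped into X-Originating-IP.
HEADERS = """\
X-Originating-IP: [198.51.100.5]
X-FEAS-SPF: PASS / PASS (ip="192.0.2.25", helo="mail.domain.at", mailFrom="s300000@domain.at")
Return-Path: s300000@domain.at
"""

# Constructed SPF record for domain.at: only the DMZ relay network may send.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, ip: str) -> str:
    """Minimal SPF evaluation covering only ip4 mechanisms and the final 'all'
    (real SPF also has a/mx/include/redirect and DNS lookups)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def header_ip(headers: str, name: str) -> str:
    """Return the first IPv4 address found on the named header line."""
    match = re.search(rf"^{re.escape(name)}:.*?(\d+\.\d+\.\d+\.\d+)", headers, re.M)
    return match.group(1)


def compare(headers: str, record: str) -> dict:
    """SPF result for the connecting MTA (the only valid SPF input) next to the
    result for the client address carried in X-Originating-IP."""
    mta_ip = header_ip(headers, "X-FEAS-SPF")  # ip="..." in the SPF stamp
    client_ip = header_ip(headers, "X-Originating-IP")
    return {"connecting_mta": (mta_ip, spf_check(record, mta_ip)),
            "x_originating_ip": (client_ip, spf_check(record, client_ip))}


if __name__ == "__main__":
    for source, (ip, result) in compare(HEADERS, SPF_RECORD).items():
        print(f"{source}: {ip} -> {result}")
```

The MTA address passes while the X-Originating-IP address fails, which is exactly the mismatch between the PASS in X-FEAS-SPF and the "not permitted" message in the AntiSpam log.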
romanr
Valued Contributor

Steve, in my opinion this would be a design failure or just a bug... Proving SPF or any other IP based method on the X-Originating-IP is just wrong in my opinion... This should only happen with Deep Header scanning for blacklisted IPs, where this would be okay! Good to know I am not the only one thinking this is incorrect. I think I'll report this bug. Br, Roman
Bromont_FTNT
Staff

I don't think this is caused because of the X-Originating-IP header... You likely have "Treat SPF checking failed email as spam" checked in your AS profile and that IP is in the "Received: from" headers.
romanr
Valued Contributor

> I don't think this is caused because of the X-Originating-IP header... You likely have "Treat SPF checking failed email as spam" checked in your AS profile and that IP is in the "Received: from" headers.

As you can see in the posted log entry, the mail was not blocked. The Fortimail must not check the "Received: from" without Deep Header check enabled, and for this case the Fortimail behaves solid: it doesn't check it in all cases I monitored. The only difference in all the mails I looked at today was the X-Originating-IP part.... I also know that I haven't checked SPF checking on outgoing mail...
emnoc
Esteemed Contributor III

So, confusion: did the Fortimail have deep-header check enabled or not? I thought all IP addresses were checked with the deep-header check enabled? This would include SPF checks and Fortiguard AS. Or is this not the case?
PCNSE
NSE
StrongSwan

romanr
Valued Contributor

No, Deep Header Check was disabled. SPF checking was also disabled on the session policy for the Exchange server. This is what annoys me. I opened a support ticket. Let's see! br, Roman
Bromont_FTNT
Staff

But in your outgoing AS profile you have "Treat SPF checking failed email as spam" enabled, right?