Email being bounced to me - Connection was not encrypted

americanintel

Had someone at my bank try to send me an email. I'm receiving email all day at the same address.

In my /var/log/exim/rejectlog

Code:
2014-07-21 13:48:58 H=(emfserver.mycu.org) [216.60.132.15] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [216.60.132.15]() was not encrypted.

Trying to decipher this. Had her forward me the bounced email. They are using Exchange and some sort of Tumbleweed email firewall. I've stripped out valid names/domains, so let me know if you need to see a non-munged version.

Code:
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 21, 2014 1:46 PM
To: Name Deleted
Subject: Undeliverable: MYCU Home Loan Info


Delivery has failed to these recipients or distribution lists:

[email protected]
This message was rejected by the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the recipient's e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: mail.mymail.us..

Diagnostic information for administrators:

Generating server: emfserver.mycu.org

[email protected]
mail.mymail.us. #<mail.mymail.us. #5.1.0> #SMTP#

Original message headers:

Received: from [10.10.110.30] by emfserver.mycu.org with SMTP ( Tumbleweed
 Email Firewall SMTP Relay (Email Firewall v6.5)); Mon, 21 Jul 2014 13:41:01
 -0500
Received: from EXCHMB01.myCU.DOM ([127.0.0.1]) by EXCHHC01.myCU.DOM (
 [10.10.110.30]) with mapi; Mon, 21 Jul 2014 13:45:21 -0500
From: Name Deleted <[email protected]>
To: "'[email protected]'" <[email protected]>
Date: Mon, 21 Jul 2014 13:45:20 -0500
Subject: MYCU Home Loan Info
Message-ID: <7956A35797F88847814190A5C86D0D7611E26C4125@EXCHMB01>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="_004_7956A35797F88847814190A5C86D0D7611E26C4125EXCHMB01_";
        type="multipart/alternative"
Content-Transfer-Encoding: 7bit
 
Getting legitimate email bounced still. Seeing in the rejectlogs:

Code:
2014-07-21 09:46:58 H=p3plsmtpa08-08.prod.phx3.secureserver.net [173.201.193.109] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [173.201.193.109]() was not encrypted.

It's legitimate mail but not making an encrypted connection from his mail server to mine I guess.
 
I hate to kill forcing encrypted connections, but I'm getting mail bounced because of it. It's also blocking a lot of spam on its own, since they try to make the connection without encryption.

Code:
[root@mail exim]# tail rejectlog
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.
2014-07-22 08:40:55 H=(eyou.net) [61.175.199.155] F=<[email protected]> rejected RCPT <[email protected]>: Connection from [61.175.199.155]() was not encrypted.

However if you read this section of a thread discussing it: http://forum.directadmin.com/showthread.php?t=43500&p=226662#post226662

You will find the same concerns and John suggested this:

Code:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

which as he says:
I've found this, which would help, as it forces TLS for any sort of authentication, but still allows standard plain-text deliveries

Which puts me back at relying on SA to block the spam and backscatter type emails.

I have this change in my exim.conf file under Edit 26 per the first post in the thread above:

Code:
# Prevents unencrypted mail submission.
  accept  encrypted     = *
  drop    message       = Your connection must be encrypted.
          log_message   = Connection from \
                          [$sender_host_address]($authenticated_id) was \
                          not encrypted.
# Change End

I'm not real sure how to best address this.
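Before deciding whether to keep the "connection must be encrypted" ACL, it helps to know how many distinct sending hosts it is actually turning away and which of them look like legitimate MTAs. The script below is an added example, not code from this thread or from DirectAdmin/Exim: it parses rejectlog lines in the shape quoted above (timestamp, `H=` host, `[ip]`, `F=<sender>`, `rejected RCPT <rcpt>: reason`), collapses the variable `[$sender_host_address]($authenticated_id)` part of the ACL's `log_message` so identical policy hits group together, and ranks the hosts hit by a given reason. The sample log is constructed from RFC 5737 documentation addresses and example domains, not the real hosts in the thread.

```python
"""Summarise exim rejectlog entries by rejection reason and sending host
(added example for reviewing a 'connection was not encrypted' policy)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the rejectlog lines quoted in the
# thread. IPs are RFC 5737 documentation ranges; domains are placeholders.
SAMPLE_REJECTLOG = """\
2014-07-21 13:48:58 H=(emf.bank.example) [192.0.2.15] F=<loans@bank.example> rejected RCPT <me@mail.example.net>: Connection from [192.0.2.15]() was not encrypted.
2014-07-21 09:46:58 H=smtp08.hosting.example [198.51.100.109] F=<friend@hosted.example> rejected RCPT <me@mail.example.net>: Connection from [198.51.100.109]() was not encrypted.
2014-07-22 08:40:55 H=(bulk.example) [203.0.113.155] F=<promo@bulk.example> rejected RCPT <me@mail.example.net>: Connection from [203.0.113.155]() was not encrypted.
2014-07-22 08:40:55 H=(bulk.example) [203.0.113.155] F=<promo@bulk.example> rejected RCPT <sales@mail.example.net>: Connection from [203.0.113.155]() was not encrypted.
2014-07-22 09:01:12 H=(mx.spam.example) [203.0.113.9] F=<x@nxdomain.example> rejected RCPT <me@mail.example.net>: Sender verify failed
"""

# One RCPT rejection per line. H= may be "(helo)" (no reverse DNS) or
# "hostname" or "hostname (helo)", so match lazily up to the " [ip]" part.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# The ACL's log_message embeds "[$sender_host_address]($authenticated_id)";
# replace that pair with a fixed token so every hit shares one reason string.
VARIABLE_PART = re.compile(r"\[[^\]]*\]\([^)]*\)")


def normalize_reason(reason):
    return VARIABLE_PART.sub("[..](..)", reason).strip()


def parse_rejectlog(text):
    """Return one dict per parseable rejection line; other line shapes
    (e.g. the header dumps exim appends for some rejections) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["reason"] = normalize_reason(rec["reason"])
        records.append(rec)
    return records


def summarize(records):
    """Counter of rejections per normalised reason, plus per-reason,
    per-IP detail (hit count, HELO/host names seen, envelope senders seen)."""
    by_reason = Counter(r["reason"] for r in records)
    hosts = defaultdict(
        lambda: defaultdict(lambda: {"count": 0, "helo": set(), "senders": set()})
    )
    for r in records:
        h = hosts[r["reason"]][r["ip"]]
        h["count"] += 1
        h["helo"].add(r["host"])
        h["senders"].add(r["sender"])
    return by_reason, hosts


def hosts_rejected_for(records, reason_fragment="was not encrypted"):
    """IPs hit by a rejection reason containing reason_fragment, as
    (ip, count) pairs, most frequent first."""
    _, hosts = summarize(records)
    hits = Counter()
    for reason, per_ip in hosts.items():
        if reason_fragment in reason:
            for ip, info in per_ip.items():
                hits[ip] += info["count"]
    return hits.most_common()


def report(text):
    records = parse_rejectlog(text)
    by_reason, hosts = summarize(records)
    for reason, n in by_reason.most_common():
        print(f"{n:5d}  {reason}")
        for ip, info in sorted(hosts[reason].items(), key=lambda kv: -kv[1]["count"]):
            helo = ",".join(sorted(info["helo"]))
            print(f"       {info['count']:4d}  {ip:<16} {helo}")


if __name__ == "__main__":
    # For a live box: report(open("/var/log/exim/rejectlog").read())
    report(SAMPLE_REJECTLOG)
```

Run it against `/var/log/exim/rejectlog` and the "not encrypted" section shows at a glance whether the policy is mostly hitting a handful of bulk senders or a long tail of one-off hosts such as a bank's relay, which is the information needed to choose between keeping the ACL and falling back to sender verification and RBLs.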
 
Are you really trying to accept only encrypted email from all senders, even when destined for your users on your server? Makes no sense to me, as almost no mail servers (not even that bank server) send encrypted email between servers. I don't know how you'd advertise to them that you require encrypted transmission to force them to send it, even if they could.

Perhaps you or someone else will explain to me how and why you expect to be able to get mail from me, and from anyone else who might want to write you, because I'm confused.

Thanks.

Jeff
 
It's not a viable process. I've been working with John on this. While I received 95% of legit mail, there was that small portion that could/would not make the connection. So I ditched the encrypted portion above and am relying completely on verifying the sender and RBLs.

Code:
require verify = sender

and this which can also be enabled via DA admin (or by CLI below): Admin Level>Administrator Settings>RBL blocking. This is the key to stopping backscatter/NDR spam as it never reaches the server so no reply is sent.

Code:
cd /etc/virtual
rm -f use_rbl_domains
ln -s domains use_rbl_domains

What I found interesting is that requiring an encrypted connection stopped 99% of the backscatter type spam. Having said that, the RBL blocking stops it from being delivered to the server and is VERY effective thus preventing it from being processed and sent to our archive servers as well...which is what I was really after. Combined with everything else you have in Exim it stops 99.9% of the spam and probably 99% of anything reaching the archive server, aka, being processed by Exim.

I've only had a couple of light traffic domains on the server (this is a DA powered mail server only) but am moving 'production' accounts there as we speak to get more realistic loads. So far so good.
 