When using a Microsoft ISA firewall to publish the email appliance for SMTP traffic, you may experience a higher number of spam messages than expected. Also, you may notice false-positive detections by the Sender Genotype (IP reputation) service.
NOTE: This issue may affect other firewalls, depending on their configuration. Please contact your firewall vendor for details.
Known to apply to the following Sophos product(s) and version(s)
Sophos Email Appliance
The ISA SMTP publishing rule can modify both the TCP connection and information in the Received headers. This prevents the Sender Genotype Service from scanning the Senders' IP correctly.
This happens when the SMTP publishing rule has the following setting enabled:
'Requests appear to come from the ISA server computer'
What to do
This issue occurs because the Sender Genotype tries to ascertain the 'First Unknown Relay' I.P. address to determine it's reputation. The First Unknown Relay I.P. address should always be the I.P. of the sending mail server.
Sender Genotype Connection Level Blocking
Normally, when an SMTP connection is initiated the connecting relay is the Senders' I.P. address. However, the ISA can be configured to modify the connection so it appears to originate from the ISA server.
In this scenario, connection level blocking is not possible.
Sender Genotype Policy Level Blocking
If policy level blocking is enabled, or if connection level blocking fails, we will receive the message and then analyze the headers to determine the 'First Unknown Relay'.
Consider this correct Received Header:
Received: from test (mailserver.sender.tld [188.8.131.52]) by ESA.domain.tld (Sophos Email Appliance) with ESMTP id 2A7DC1F2488F_CF3CC27F for <firstname.lastname@example.org>; Mon, 29 Nov 2010 15:51:57 +0000 (GMT)
When the appliance receives the message we will scan the I.P. address 184.108.40.206 as the 'First Unknown Relay' address. This is correct, because in this example 220.127.116.11 was the sender of the message.
Now, consider the same Received header when the message has passed through an ISA:
Received: from test (unknown [192.168.1.254]) by ESA.domain.tld (Sophos Email Appliance) with SMTP id F31151F248BA_CF3CB8EF for <email@example.com>; Mon, 29 Nov 2010 15:49:18 +0000 (GMT)
In this example, the ISA has replaced the I.P. of the sending mail server with it's own I.P. address 192.168.1.254
As the ISA server in this scenario is using a private I.P. address, we will continue looking through the received chain for the First Unknown Relay. This can cause the appliance to reject legitimate mail. For example we could choose a dynamically assigned I.P. address as the First Unknown Relay and therefore reject this as a suspicious sender.
Sender Genotype service does not work correctly (in either mode) when ISA SMTP publishing rule has the following setting enabled:
'Requests appear to come from the ISA server computer''
Configure the ISA SMTP publishing rule so that requests appear to come from the original client:
- Open the Firewall Policy in ISA (usually within ‘Arrays > SERVERNAME > Firewall Policy’
- Find the SMTP Server publishing rule
- Right-click this rule and select ‘Properties’
- Go to the ‘To’ tab
- There are two options here: (a) Requests appear to come from the ISA server computer (b) Requests appear to come from the original client
- Set this to option (b) Requests appear to come from the original client
- Remember to save and commit the changes
Please contact Microsoft for assistance with configuring your ISA server.
For help with configuring the Sender Genotype Service, please see this article: KBA 112944 - Configuring the Sender Genotype Service
You can check the reputation of an I.P. address, and request that the I.P. be re-classified by using our online tool here: http://www.sophos.com/security/ip-lookup