Delays in mail deliveries

Diego diego at rosanegra.org
Tue Mar 1 22:35:06 CET 2022


Hi Nikolaos,

I think whitelisting those emails with policies is the best option.

You are worried about scams and phishing, but SPF and DKIM checks should 
protect your server from those attacks, shouldn't they?

Diego Palacios

On 1/3/22 at 22:20, Nikolaos Milas wrote:
> Hello,
>
> In our organizational mail architecture we have two mail gateway 
> servers accepting mail from the Internet; the servers are Rocky Linux 
> running postfix, amavis, spamassassin, clamav (as usual). These two 
> servers process incoming mail and deliver to the final destination, a 
> mailbox server (running postfix/dovecot), also being the outgoing mail 
> server.
>
> The current problem:
>
> Some incoming mails are verification messages which include a code so 
> that users can use it (along with their credentials) to log in to 
> various services; typically Microsoft is using this model 
> (officeonline, sharepointonline etc). These codes expire in a short 
> time, after which they are rendered useless.
>
> Unfortunately, the mail gateway servers may delay while processing 
> mail (esp. if there is some increased load at the time, so the queue 
> may take longer to get processed), so such mails may delay for an 
> unacceptable amount of time.
>
> What are the options we have to achieve short delivery times for such 
> mails?
>
> Can you identify some very specific characteristics of these mails 
> (see at the end an example of such a verification mail) so that these 
> can be used to safely exclude them from scanning?
>
> A suggestion was to whitelist the sender address (at the example 
> below: no-reply at sharepointonline.com), but we fear that this (or other 
> similar) commonly used sender address may be deceptively used in 
> third-party phishing/malicious mail which will then get through 
> unprocessed/unfiltered.
>
> What are your suggestions or your solutions in similar problems as 
> mail admins?
>
> Thanks in advance for your advice and experience.
>
> Regards,
> Nick
>
> ========== Verification Mail Example / Start ==========
>
> Return-Path: <no-reply at sharepointonline.com>
> Delivered-To: nuserxyz at noa.gr
> Received: from vmail2.noa.gr
>     by vmail2.noa.gr with LMTP id ENPiG+K/HWI1WwAAcV+qjQ
>     for <nuserxyz at noa.gr>; Tue, 01 Mar 2022 08:40:34 +0200
> Received: from mailgw1.noa.gr (mailgw1.noa.gr 
> [IPv6:2001:648:2ffc:1115::27])
>     (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
>     (No client certificate requested)
>     by vmail2.noa.gr (IC-XC-NI-KA) with ESMTPS id 2B2AB800279E8
>     for <nuserxyz at noa.gr>; Tue,  1 Mar 2022 08:36:19 +0200 (EET)
> Authentication-Results: vmail2.noa.gr;
>     dkim=pass (1024-bit key) header.d=spoemeaeop.onmicrosoft.com 
> header.i=@spoemeaeop.onmicrosoft.com header.b="duygZdT7";
>     dkim=pass (2048-bit key) header.d=sharepointonline.com 
> header.i=@sharepointonline.com header.b="NSIBSpc4"
> Received: from localhost (localhost [127.0.0.1])
>     by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTP id 4K76w30stzzLrN6
>     for <nuserxyz at noa.gr>; Tue,  1 Mar 2022 08:36:19 +0200 (EET)
> X-Virus-Scanned: amavisd-new at noa.gr
> X-Spam-Flag: NO
> X-Spam-Score: -1.198
> X-Spam-Level:
> X-Spam-Status: No, score=-1.198 tagged_above=-999 required=3.4
>     tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
>     DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
>     MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
>     RCVD_IN_MSPIKE_H2=-0.4, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1,
>     URIBL_BLOCKED=0.001] autolearn=disabled
> Authentication-Results: mailgw1.noa.gr (amavisd-new); dkim=pass 
> (1024-bit key)
>     header.d=spoemeaeop.onmicrosoft.com header.b="duygZdT7";
>     dkim=pass (2048-bit key) header.d=sharepointonline.com
>     header.b="NSIBSpc4"
> Received: from mailgw1.noa.gr ([127.0.0.1])
>     by localhost (mailgw1.noa.gr [127.0.0.1]) (amavisd-new, port 10024)
>     with LMTP id EG6CD8_ppl7r for <nuserxyz at noa.gr>;
>     Tue,  1 Mar 2022 08:36:17 +0200 (EET)
> Received: from EUR05-AM6-obe.outbound.protection.outlook.com 
> (mail-am6eur05on2107.outbound.protection.outlook.com [40.107.22.107])
>     by mailgw1.noa.gr (NOA MAIL ICXC-NIKA) with ESMTPS id 4K76w10b2bzLrN2
>     for <nuserxyz at noa.gr>; Tue,  1 Mar 2022 08:36:16 +0200 (EET)
> ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
>  b=DQy/HPfqgVGVzhRDDPblc7PYpVyj8tDb7cAzuyhxNBekKL6VhobTOHxFA8aVda731s7TUOidf0oWdRcIVUYN59ESUa6PhOR9yatOv/jo5usAF0saLkK3W39tpmTaCKTdWfWOuxrydvPY8pFhPUD13IF25NeGc9muK7XeuvqE0CZ/pguxL72orX2Tnipph52Gxe1ywNowof9Non+ZIaauQaPT8PgeJ9qB6aTntCngDAbOK6R96fV0JsF/t6lX1hHwrHaoz94P8cusUmiVpIna9Lj8TgqkeUDGW1Izi3BIxmJFeuUXVw8Bqbkc7OoKdxDs0iQipqZnxp80TbQC3JKJhQ== 
>
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
> d=microsoft.com;
>  s=arcselector9901;
>  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; 
>
>  bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
>  b=LI56/Wj4Z2+4QWNIrW97b3VL8N+qsLrNLiIttbrDkxuPJGRRbjEVE7zmOkf0tDSHq3FILulZPPvtGepBLE7GmqO0m+V96PP1cHcVB2EE5Gp81g816GLAzey64c0TzyiQLddsnMjewPrmGMIRaNFTyKsPGQZYsI9HP9ebTAIFUOytlfgJmIbua6Yhp64ZNA63vObVJfuz6NeV1/7gZL0B+Wyr04uLC2tOJMhKRaJmaVCFO9LOdB71U8CVXD3T2igMJjxRNRudIh4p8zi6DR1a267tlRRE9D/r3foAZslFIqr49BkGxi5f42xQS5p1KJl4uJCqHw1uMI6g9NrPk6Sa1Q== 
>
> ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none
>  action=none header.from=sharepointonline.com; dkim=none (message not 
> signed);
>  arc=none
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>  d=spoemeaeop.onmicrosoft.com; s=selector1-spoemeaeop-onmicrosoft-com;
>  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; 
>
>  bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
>  b=duygZdT7LI/NtfjuuCp3OsLKWBAUVi35sK8KmVZKML0TmLz+RifN1gF9W4s28KpeyNR78S0sIRGO3WdPdaSCHvI4nM10+cTRPuoZSEaSOkGRstLnMcJ+WeRNc0lFaxgMGePEumlky3jsGlDnrUx4KlawX6W0USyoX265RVWBZCk= 
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
> d=sharepointonline.com;
>  s=selector1;
>  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; 
>
>  bh=d7bSMeveuuT/xdNhkJBNqGHH/RPI6FAO2VsSzVp8VOg=;
>  b=NSIBSpc4fhf0CSrvzYoI0drAvSDPw7diyzdQE40a6CDzltOIToSHaxcVoWnktYCmSkthZUAi2HpsbYyXOMrpzIytiS2F+csF5m81RjI6i/BKOIcB8Pxa6aUrBd7T13NLwjIkUgsCzz2CXzYXPXjGGhrzRR9/r3MHQpZmJJ9VTVKjTJKgBKxdmumkI/zk9VkQiwHps3ATrRJJy0kJihF/FfDjVJQmArKt0WnTi7/rqboX2m/JWiCU0QOE/yq98yfk5rM2SA8PpNbPPIFut3KnL7ZdD2y6/1C/LpiFdk5YbQ/ee+LPyCAMvEkl9tuya067OEwqHY0FsKT2UVakseMufQ== 
>
> Received: from AM6P192CA0108.EURP192.PROD.OUTLOOK.COM 
> (2603:10a6:209:8d::49)
>  by PR3PR09MB4443.eurprd09.prod.outlook.com (2603:10a6:102:35::21) with
>  Microsoft SMTP Server (version=TLS1_2,
>  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.24; Tue, 
> 1 Mar
>  2022 06:36:15 +0000
> Received: from VE1EUR03FT048.eop-EUR03.prod.protection.outlook.com
>  (2603:10a6:209:8d:cafe::8c) by AM6P192CA0108.outlook.office365.com
>  (2603:10a6:209:8d::49) with Microsoft SMTP Server (version=TLS1_2,
>  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22 via 
> Frontend
>  Transport; Tue, 1 Mar 2022 06:36:14 +0000
> X-MS-Exchange-Authentication-Results: spf=none (sender IP is 
> 52.232.126.143)
>  smtp.mailfrom=sharepointonline.com; dkim=none (message not signed)
>  header.d=none;dmarc=none action=none header.from=sharepointonline.com;
> Received: from westeurope0.notifyp.svc.ms (52.232.126.143) by
>  VE1EUR03FT048.mail.protection.outlook.com (10.152.19.8) with 
> Microsoft SMTP
>  Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
>  15.20.5017.22 via Frontend Transport; Tue, 1 Mar 2022 06:36:14 +0000
> Date: Tue, 01 Mar 2022 06:36:14 +0000
> Subject: 30362606 is your Microsoft SharePoint verification code.
> Message-Id: 
> <odspmicro-SpoShare-e66525a0-8010-c000-b666-00c1854ccaf9-90fd2a7f-b429-4326-b8dd-1502e232d603-71a3f397-006b-4288-922a-b7e9a3e8157e at RD501AC5BFEEBE>
> Sender: SharePoint Online <no-reply at sharepointonline.com>
> X-SpRequestGuid: e66525a0-8010-c000-b666-00c1854ccaf9
> X-SpMailMessageId: ee7db6d7-186d-4fd2-8525-21d939e0ca91
> To: nuserxyz at noa.gr
> Reply-To: no-reply at sharepointonline.com
> X-Crid: 
> =?us-ascii?q?e66525a0-8010-c000-b666-00c1854ccaf9-90fd2a7f-b429-4326-b8dd-?=
>  =?us-ascii?q?1502e232d603-71a3f397-006b-4288-922a-b7e9a3e8157e?=
> X-Tnid: 7a3603ac-db0c-4fe6-b725-0b64d501d886
> From: SharePoint Online <no-reply at sharepointonline.com>
> MIME-Version: 1.0
> Content-Type: text/html; charset=utf-8
> Content-Id: <F73SC7YA7GU4.IHSLFU3R01RX at RD501AC5BFEEBE>
> X-MS-TrafficTypeDiagnostic:
>  VE1EUR03FT048:EE_FirstParty-SPO-V3|PR3PR09MB4443:EE_FirstParty-SPO-V3
> X-MS-PublicTrafficType: Email
> X-MS-Office365-Filtering-Correlation-Id: 
> 51bb0214-9615-46e1-fab9-08d9fb4dc8bb
> X-Microsoft-Antispam-PRVS:
>  <PR3PR09MB44436E4976AB73FFB577027DE5029 at PR3PR09MB4443.eurprd09.prod.outlook.com> 
>
> X-MS-Exchange-AntiSpam-Relay: 0
> X-Microsoft-Antispam: BCL:0;
> X-Forefront-Antispam-Report:
>  CIP:52.232.126.143;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:westeurope0.notifyp.svc.ms;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230001)(7916004)(346002)(39840400004)(396003)(376002)(136003)(47690400004)(47530400004)(6506007)(7846003)(26005)(6512007)(9686003)(6486002)(336012)(3450700001)(52230400001)(83380400001)(4744005)(118246002)(5660300002)(68406010)(8936002)(8676002)(33716001)(956004)(6916009)(166002)(356005)(81166007)(2906002)(15650500001)(316002)(508600001)(36736006)(86362001);DIR:OUT;SFP:1102; 
>
> X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
> X-MS-Exchange-AntiSpam-MessageData-0:
>  y+l04T9dNb1eJye8NxzGlQrpeHlEo6t4359n8NRs8zn3qDNdiDrkjinwPKxvojNgl67QwM4VDVEruhHTrijKG+CPKMUuAGUiERrwI4JE2oxibvP0rmevQo88BKZPpzzf 
>
> X-OriginatorOrg: spoemeaeop.onmicrosoft.com
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Mar 2022 06:36:14.7045
>  (UTC)
> X-MS-Exchange-CrossTenant-Network-Message-Id: 
> 51bb0214-9615-46e1-fab9-08d9fb4dc8bb
> X-MS-Exchange-CrossTenant-Id: 4d93e101-5f88-4b2c-b255-9a7bb7b1b764
> X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
> TenantId=4d93e101-5f88-4b2c-b255-9a7bb7b1b764;Ip=[52.232.126.143];Helo=[westeurope0.notifyp.svc.ms]
> X-MS-Exchange-CrossTenant-AuthAs: Internal
> X-MS-Exchange-CrossTenant-AuthSource: 
> TreatMessagesAsInternal-VE1EUR03FT048.eop-EUR03.prod.protection.outlook.com
> X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR09MB4443
>
>
> <style type="text/css">a { color: #0072bc; text-decoration: none; 
> }</style><table border="0" cellspacing="0" cellpadding="8" 
> style="width:100%" dir="ltr"><tr><td align="left" valign="top"><div 
> style="font-family: 'Segoe UI Semilight', 'Segoe UI', Verdana, 
> sans-serif; color: #444444;"><div style="margin-bottom: 21px; 
> font-size: 18px;"><!-- _lcid="1033" _dal="1" -->
> <!-- _LocalBinding -->
> <html dir="ltr">
> <head>
> <base 
> href="<ows:HttpVDir/>/_layouts/15/<%=System.Threading.Thread.CurrentThread.CurrentUICulture.LCID%>/emailattestationtemplate.htm">
> <meta name="SharePointError" content="">
> <meta name="Robots" content="NOINDEX">
>     <meta name="GENERATOR" content="Microsoft SharePoint">
>     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>     <meta http-equiv="Expires" content="0">
>
>     <title id="onetidTitle">Time of Access</title>
> <html lang="en-us">
> <head>
>   <title>Time of Access v2</title>
>   <meta charset="utf-8">
>   <meta http-equiv="x-ua-compatible" content="ie=edge">
>   <meta name="viewport" content="width=device-width, initial-scale=1">
> <style>
> table td {border-collapse:collapse;margin:0;padding:0;}
> </style>
> </head>
> <body>
> <table style="height: 100%; border-style: none; width: 100%; 
> border-spacing: 0; padding: 0; background-color: #f8f8f8;">
> <tbody style="height: 100%;">
> <tr style="height: 100%; background-color: #ffffff;">
> <td align="center" valign="bottom">
> <table border="0" width="640" cellspacing="0" cellpadding="0">
> <tbody>
> <tr>
> <td width="14"> </td>
> <td height="48"><img 
> src="https://wedoprojects.sharepoint.com/sites/WeDo-Projects/_layouts/15/images/SharePointBanner.png" 
> alt="SharePoint" width="80" height="13"></td>
> </tr>
> </tbody>
> </table>
> </td>
> </tr>
> <tr style="height: 100%;">
> <td style="height: 100%;" align="center" valign="bottom">
> <table style="height: 100%;" border="0" width="640" cellspacing="0" 
> cellpadding="0">
> <tbody style="height: 100%;">
> <tr>
> <td> </td>
> </tr>
> <tr>
> <td width="14"> </td>
> <td>
> <table border="0" width="100%" cellspacing="0" cellpadding="0">
> <tbody>
> <tr>
> <td>
> <table border="0" cellspacing="0" cellpadding="0" bgcolor="#FFFFFF">
> <tbody>
> <tr>
> <td width="32"> </td>
> <td height="32"> </td>
> <td width="32"> </td>
> </tr>
> <tr>
> <td> </td>
> <td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif; 
> font-size: 14px; padding: 0px 0px 0px 0px;" bgcolor="#ffffff">Hello,</td>
> </tr>
> <tr>
> <td> </td>
> <td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif; 
> font-size: 14px; padding: 12px 0px 14px 0px;" bgcolor="#ffffff">For 
> security purposes, you must enter the code below to verify your 
> account to access CULTURE Proposal folder. The code will only work for 
> 15 minutes and if you request a new code, this code will stop 
> working.</td>
> </tr>
> <tr>
> <td> </td>
> <td>
> <table border="0" cellspacing="0" cellpadding="0">
> <tbody>
> <tr>
> <td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif; 
> font-size: 14px; padding: 8px 16px 0px 16px;" 
> bgcolor="#FFF4CE">Account verification code:</td>
> </tr>
> <tr>
> <td style="color: #333333; font-family: 'Segoe UI',Arial,sans-serif; 
> font-size: 18px; padding: 0px 16px 8px 16px;" 
> bgcolor="#FFF4CE"><strong>30362606</strong></td>
> </tr>
> </tbody>
> </table>
> </td>
> </tr>
> <tr>
> <td> </td>
> <td style="padding: 24px 0px 0px; color: #333333; font-family: 'Segoe 
> UI',Arial,sans-serif; font-size: 14px;" 
> bgcolor="#ffffff"><strong>Having problems with the code?</strong></td>
> </tr>
> <tr>
> <td> </td>
> <td style="padding: 0px 0px 48px; color: #333333; font-family: 'Segoe 
> UI',Arial,sans-serif; font-size: 14px;">View the error and make sure 
> that the email identifier is "287G12B". If it's not, look for an 
> updated email or try requesting a new code.</td>
> </tr>
> </tbody>
> </table>
> </td>
> </tr>
> </tbody>
> </table>
> </td>
> <td width="14"> </td>
> </tr>
> <tr style="height: 100%;">
> <td width="14"> </td>
> <td style="padding-top: 20px; padding-bottom: 20px;" align="left" 
> valign="top">
> <p style="font-family: 'Segoe UI', Tahoma, sans-serif; margin: 0px 0px 
> 0px 5px; color: #000; font-size: 10px;">© 2017 Microsoft  <a 
> style="color: #072b60;" title="Privacy" 
> href="https://privacy.microsoft.com/privacystatement"> Privacy & 
> Cookies</a></p>
> </td>
> </tr>
> </tbody>
> </table>
> </td>
> </tr>
> </tbody>
> </table>
> </body>
> </html></head></html></div></div></td></tr></table>
>
> ========== Verification Mail Example / End ==========
>
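
An added example, not part of either message and not amavis configuration: a sketch of the decision a DKIM-based whitelisting policy has to make, so that a forged From: address alone never earns the fast path. The allowlist, the trusted authserv-id and the sample messages are assumptions constructed from the headers quoted above, and the gateway is assumed to strip incoming Authentication-Results headers that carry its own name, as RFC 8601 recommends.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mailgw1.noa.gr"             # gateway name taken from the sample headers
FAST_TRACK_DOMAINS = {"sharepointonline.com"}   # assumption: list chosen by the admin

def from_domain(msg):
    """Domain of the (first) address in the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dkim_pass_domains(msg, authserv=TRUSTED_AUTHSERV):
    """Collect header.d of every dkim=pass result stamped by our own gateway."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = " ".join(str(value).split()).partition(";")
        parts = authserv_id.split()
        # Results written by other hosts are attacker-controlled input: skip them.
        if not parts or parts[0].lower() != authserv:
            continue
        for clause in results.split(";"):
            clause = clause.strip()
            match = re.search(r"header\.d=([\w.-]+)", clause)
            if clause.lower().startswith("dkim=pass") and match:
                domains.add(match.group(1).lower())
    return domains

def may_fast_track(raw_message):
    """True only if From: is allowlisted AND DKIM passed for that same domain."""
    msg = message_from_string(raw_message)
    domain = from_domain(msg)
    return domain in FAST_TRACK_DOMAINS and domain in dkim_pass_domains(msg)

# Constructed samples modelled on the headers quoted above (not real mail).
def sample(auth_results):
    return ("From: SharePoint Online <no-reply@sharepointonline.com>\n"
            "Authentication-Results: " + auth_results + "\n"
            "Subject: 30362606 is your Microsoft SharePoint verification code.\n\nbody\n")

GENUINE = sample('mailgw1.noa.gr (amavisd-new); dkim=pass (2048-bit key)\n'
                 '    header.d=sharepointonline.com header.b="NSIBSpc4"')
SPOOFED_FROM = sample("mailgw1.noa.gr (amavisd-new); dkim=pass header.d=bulk-sender.example")
FORGED_RESULT = sample("mx.untrusted.example; dkim=pass header.d=sharepointonline.com")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED_FROM", "FORGED_RESULT"):
        print(name, may_fast_track(globals()[name]))
```

All three samples carry the same From: address, so a sender-address whitelist would pass every one of them; only the first has a gateway-verified DKIM signature for that domain.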


More information about the amavis-users mailing list