Thanks David for taking the time and helping us gain a better understanding.
Always looking to learn. Although, in this case, I still must be missing
something.

 

To me, the chain of Received Headers looks intact:

 

1.  Mail received from dnsstuff by declude, apparently forwarded to be
relayed to final recipient

 

Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;

   Wed, 30 Sep 2009 11:16:11 -0500

 

2.  Mail handed off to Postini, received by their incoming server:

 

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

   Wed, 30 Sep 2009 11:16:38 CDT

 

3.  Mail sent from Postini to recipient's mail server (with the clock off by
a few minutes):

 

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net
with SMTP;

   Wed, 30 Sep 2009 12:12:56 -0400

 

Header #1 is created by Declude's server - and appears to be intact?

Header #3 is created by recipient's mail server after Postini was done?

 

Header #2 is created by Postini's mail server - as it should?

 

So I really don't understand where supposedly Postini "changed or deleted a
Received header that had been added previously" by the Declude server?
Header #2 seems to be a header that was prepended by Postini when it
received the email - just as it should?

 

I then looked up the reference you cited to see if there was anything wrong
with the FORMATTING of Header #2:
http://tools.ietf.org/html/rfc5321#section-4.4

 

Can you tell me where the formatting of header #2 violates which specific
aspect of the RFC?

 

-    According to the standard it seems perfectly VALID for a single
RECEIVED header to contain TWO IP addresses, one in the FROM clause and one
in the BY clause? Obviously, Declude would need to inspect the IP address in
the "FROM" clause and ignore any IP addresses that it encounters in/after
the "BY" clause?

 

-    It sounds like you're saying that Declude has a general problem with
correctly interpreting Received Headers that happen to have two IP
addresses? As I'm typing this, I do recall having run into this problem in
the past.  But, if my understanding is correct, then this would be a problem
in the Declude parser, if indeed the header is formatted in accordance with
the RFCs? 

 

Best Regards,

Andy
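
Added example (not part of the original message and not Declude's code): a clause-aware reading of the three Received headers quoted in this thread, taking the connecting address from the FROM clause and keeping any BY clause address separate, as described in the message above. The regular expressions and function names are assumptions made for this example, and `naive_last_ip` is a clause-blind scan included only for contrast.

```python
import re

# The three Received headers quoted in the thread, newest first.
HEADERS = [
    "Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net\n"
    " with SMTP;\n   Wed, 30 Sep 2009 12:12:56 -0400",
    "Received: from source ([216.144.195.81]) by exprod5mx277.postini.com\n"
    " ([64.18.4.10]) with SMTP;\n   Wed, 30 Sep 2009 11:16:38 CDT",
    "Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com\n"
    " with SMTP;\n   Wed, 30 Sep 2009 11:16:11 -0500",
]

# Dotted quad that is not part of a longer hostname label.
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
# FROM clause runs up to " by "; BY clause ends at the next clause keyword or ';'.
CLAUSES = re.compile(
    r"^Received:\s*from\s+(?P<from>.+?)\s+by\s+(?P<by>.+?)"
    r"(?=\s+(?:via|with|id|for)\s|\s*;|$)", re.I)

def parse_received(header):
    """Split one Received header into its FROM and BY parts."""
    text = " ".join(header.split())  # unfold continuation lines
    m = CLAUSES.match(text)
    if m is None:
        return None

    def first_ip(clause):
        found = IPV4.findall(clause)
        return found[0] if found else None

    return {
        "from_host": m["from"].split()[0],
        "from_ip": first_ip(m["from"]),   # address of the connecting host
        "by_host": m["by"].split()[0],
        "by_ip": first_ip(m["by"]),       # receiving server's own address, if given
    }

def naive_last_ip(header):
    """Clause-blind scan: last IPv4 before the ';' (for contrast only)."""
    found = IPV4.findall(" ".join(header.split()).split(";")[0])
    return found[-1] if found else None

if __name__ == "__main__":
    for h in HEADERS:
        p = parse_received(h)
        print(p["from_ip"], "->", p["by_host"], p["by_ip"],
              "| naive:", naive_last_ip(h))
```

On the Postini header the clause-aware parse reports 216.144.195.81 as the connecting address and 64.18.4.10 as the receiver's own, while the clause-blind scan returns 64.18.4.10.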

 

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 3:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Here is a message going through a Postini server.

 

---EXAMPLE 1------------------------------------------------------------------
Received: from xxxx.xxxxx.local ([127.0.0.1]) by xxxxxx.xom with Microsoft
SMTPSVC(6.0.3790.1830);
                 Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: <dbar...@declude.com>
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net
with SMTP;
   Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;
                Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;
   Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: <dbar...@declude.com>
From: "David Barker" <dbar...@declude.com>
To: "xxx xxxx'" <x...@xxxxx.com>
------------------------------------------------------------------------------

 

This line is good.

 

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xxxxxx.net

with SMTP;

 

However this line is a problem.

 

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com

([64.18.4.10]) with SMTP;

 

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line.

The problem occurs when there are two IP addresses on the same line. The

first IP is considered as BOGUS and Declude picks up the second IP address

on this line. 

 

For more information please review RFC 5321: [4.4]

 

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy

Schmidt

Sent: Wednesday, November 04, 2009 3:11 PM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi David:

 

I'm interested to better understand this feature. The line you posted looks

like a legit received header that Postini indeed should add to the top of

the headers when it receives the message from the source?

 

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com

([64.18.4.10]) with SMTP;

Wed, 25 Mar 2009 14:45:20 CDT

 

Isn't the MX of the recipient domain pointed to Postini's server? So Postini

would be the first "received" header to be inserted before relaying the

message to the client's internal mail server?

 

It might help if you actually posted what a header looked like before

Postini mangled it and what it looked like after Postini mangled it? I

guess, what I'm not grasping is, who inserted the "original" header that

Postini has tampered with - if Postini is the domain's MX?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David

Barker

Sent: Wednesday, November 04, 2009 2:54 PM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Scott,

 

Postini is violating RFC 5321: [4.4]

 

" An Internet mail program MUST NOT change or delete a Received: line that

was previously added to the message header section. SMTP servers MUST

prepend Received lines to messages; they MUST NOT change the order of

existing lines or insert Received lines in any other location. "

 

Postini is changing the headers received line by adding the additional IP as

the example below.

 

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com

([64.18.4.10]) with SMTP;

Wed, 25 Mar 2009 14:45:20 CDT

 

The problem is that a changed received line is an indication of a forged

header and is a flag for a bogus received line (a technique often used by

spammers).  Because of this, the actual IP of the sender is not where it

should be, so we are giving our customers the option:

 

POSTINIFIX    ON

 

Will identify the sending IP as 209.85.221.110

 

By Default if not present POSTINIFIX    OFF 

 

Will identify the sending IP as 64.18.4.10

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

---

This E-mail came from the Declude.JunkMail mailing list. To

unsubscribe, just send an E-mail to imail...@declude.com, and

type "unsubscribe Declude.JunkMail". The archives can be found

at http://www.mail-archive.com. 

 

 

 
