Koozali.org: home of the SME Server

Inbound emails all show that they originate from the router

Offline pmulroney

Inbound emails all show that they originate from the router
« on: February 24, 2023, 07:59:54 AM »
Hi there,

We recently changed ISPs to Aussie Broadband.  Overall a better service, but we've had a few problems with the changeover.

The main one now is this - they supplied us with a NetComm NF20Mesh router, and every email that we receive to our SME server has headers that look like this:

Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)

Every single email that we receive looks similar to this. This is a problem because it thinks they are all spam. See the other headers in the email:

Authentication-Results: logicaldevelopments.com.au; auth=none; spf=softfail smtp.mailfrom=gmail.com; dkim=pass header.i=@gmail.com; dmarc=pass (p=none) d=gmail.com
Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)
 by logicaldevelopments.com.au (qpsmtpd/0.96) with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Fri, 24 Feb 2023 14:34:57 +0800
X-DKIM-Authentication: domain: gmail.com, selector: 20210112, result: pass, policy: o=~, name: sender, policy_result: accept, policy: o=~, name: author, policy_result: accept, policy: , name: ADSP, policy_result: accept
Received-SPF: softfail (gmail.com ... _spf.google.com: Sender is not authorized by default to use 'pmulroney@gmail.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail.logicaldevelopments.com.au; identity=mailfrom; envelope-from="pmulroney@gmail.com"; helo=mail-lj1-f178.google.com; client-ip=192.168.1.1


Aussie Broadband say that it's our mail server.  If we swap back to our rubbish iiNet Technicolor modem, the email headers start showing the correct IP addresses.  They sent out a loan unit and I've set up the port forwarding rules in that, and it behaves the same way.

Has anyone used the Netcomm router in their setup?  Is there a magic setting in the server that I need to check, or is the ISP just "passing the buck"?

Any suggestions gratefully received!

Regards,
Paul.



Offline sages

Re: Inbound emails all show that they originate from the router
« Reply #1 on: February 24, 2023, 08:25:54 AM »
Sounds like there's a combination of NAT, reverse NAT and port forwarding that's different between the router configs. Have a poke around in the good and bad devices (routers/modems) to see what's different.
Try a traceroute from the server to an external IP using both routers and see if there is a difference.

Thinking further, adblock or something on the router. On the server do a 'host mail-lj1-f178.google.com' with both routers.
My server (port forwarded behind an openwrt gateway) reports:
 host mail-lj1-f178.google.com
mail-lj1-f178.google.com has address 209.85.208.178

[edit] And you are aware that ABB appear to use CGNAT and block outgoing SMTP by default unless you contact them? https://www.aussiebroadband.com.au/help-centre/internet/tech-support/port-blocking/
And here (yes, I know it refers to a VPN but the CGNAT issue is mentioned): https://www.purevpn.com/blog/aussie-broadband-cgnat-port-forwarding/
Doesn't necessarily explain why one modem works and the other doesn't, though.

« Last Edit: February 24, 2023, 09:31:35 AM by sages »
...

Offline Jean-Philippe Pialasse

Re: Inbound emails all show that they originate from the router
« Reply #2 on: February 24, 2023, 12:46:42 PM »
Try disabling DNS proxy on the router.

Offline mmccarn

Re: Inbound emails all show that they originate from the router
« Reply #3 on: February 24, 2023, 01:11:04 PM »
According to the NF20MESH Port Forwarding guide, there is a check box in the port forward setup for "Enable LAN Loopback".

Make sure "Lan Loopback" is disabled. 

LAN Loopback would cause the router to NAT all LAN traffic with the router IP -- maybe their implementation does the same thing for incoming WAN traffic...

Offline TerryF

Re: Inbound emails all show that they originate from the router
« Reply #4 on: February 25, 2023, 02:32:31 AM »
Had a look in my Technicolor TG789vac v3 and doesn't seem to have that feature "Enable LAN Loopback".

So would explain why it works OK but new hardware doesn't.
--
qui scribit bis legit

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #5 on: February 27, 2023, 12:25:07 AM »
> Sounds like there's a combination of NAT, reverse NAT and port forwarding that's different between the router configs. Have a poke around in the good and bad devices (routers/modems) to see what's different.
> Try a traceroute from the server to an external IP using both routers and see if there is a difference.
>
> Thinking further, adblock or something on the router. On the server do a 'host mail-lj1-f178.google.com' with both routers.
> My server (port forwarded behind an openwrt gateway) reports:
>  host mail-lj1-f178.google.com
> mail-lj1-f178.google.com has address 209.85.208.178
>
> [edit] And you are aware that ABB appear to use CGNAT and block outgoing SMTP by default unless you contact them? https://www.aussiebroadband.com.au/help-centre/internet/tech-support/port-blocking/
> And here (yes, I know it refers to a VPN but the CGNAT issue is mentioned): https://www.purevpn.com/blog/aussie-broadband-cgnat-port-forwarding/
> Doesn't necessarily explain why one modem works and the other doesn't, though.

When we set up the account, I asked for a static IP address and to turn off all port blocking.  They are aware that we host our own mailserver.

The host command returns the same for both modems:
host mail-lj1-f178.google.com
mail-lj1-f178.google.com has address 209.85.208.178


Traceroute for the broken router is below:
traceroute mail-lj1-f178.google.com
traceroute to mail-lj1-f178.google.com (209.85.208.178), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.361 ms  0.390 ms  0.420 ms
 2  loop1591962000.bng.per.aussiebb.net (159.196.200.1)  2.194 ms  3.542 ms  3.577 ms
 3  10.241.12.121 (10.241.12.121)  50.786 ms  50.788 ms  50.656 ms
 4  HundredGigE0-0-0-12.core1.vdc01.per.aussiebb.net (202.142.143.46)  50.428 ms HundredGigE0-0-0-12.core2.vdc01.per.aussiebb.net (202.142.143.44)  50.495 ms  50.497 ms
 5  * * *
 6  10.241.16.177 (10.241.16.177)  50.338 ms 10.241.16.183 (10.241.16.183)  50.351 ms 10.241.16.177 (10.241.16.177)  50.302 ms
 7  be32.lsr2.nextdc-s2.syd.aussiebb.net (202.142.143.54)  53.310 ms  53.314 ms  51.587 ms
 8  be2.lsr2.equinix-sy4.syd.aussiebb.net (159.196.252.106)  49.870 ms  49.794 ms  49.810 ms
 9  10.241.12.121 (10.241.12.121)  50.347 ms  50.308 ms  50.370 ms
10  google.equinix-sy3.syd.aussiebb.net (119.18.32.91)  50.323 ms  50.312 ms  50.286 ms
11  * * *
12  142.250.212.136 (142.250.212.136)  49.462 ms 108.170.247.49 (108.170.247.49)  49.909 ms  49.869 ms
13  108.170.247.74 (108.170.247.74)  50.685 ms 108.170.247.90 (108.170.247.90)  49.695 ms 108.170.247.67 (108.170.247.67)  50.342 ms
14  142.250.214.119 (142.250.214.119)  52.351 ms 216.239.56.31 (216.239.56.31)  50.327 ms 142.251.242.75 (142.251.242.75)  50.968 ms
15  108.170.236.104 (108.170.236.104)  186.924 ms 172.253.65.130 (172.253.65.130)  1382.923 ms  1385.432 ms
16  142.250.213.61 (142.250.213.61)  227.847 ms 142.250.213.71 (142.250.213.71)  227.475 ms *
17  142.251.65.6 (142.251.65.6)  241.958 ms 142.251.64.248 (142.251.64.248)  241.869 ms  241.641 ms
18  142.251.54.116 (142.251.54.116)  320.364 ms 142.250.225.140 (142.250.225.140)  327.205 ms 142.251.71.158 (142.251.71.158)  335.058 ms
19  142.251.51.214 (142.251.51.214)  334.959 ms 209.85.248.6 (209.85.248.6)  335.160 ms 108.170.236.40 (108.170.236.40)  335.649 ms
20  72.14.233.133 (72.14.233.133)  341.803 ms 142.250.235.91 (142.250.235.91)  343.388 ms 142.251.52.9 (142.251.52.9)  343.354 ms
21  72.14.232.76 (72.14.232.76)  343.462 ms 142.250.235.74 (142.250.235.74)  343.644 ms 142.250.233.0 (142.250.233.0)  342.363 ms
22  172.253.79.115 (172.253.79.115)  341.243 ms 108.170.233.163 (108.170.233.163)  342.620 ms 142.250.56.125 (142.250.56.125)  343.127 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #6 on: February 27, 2023, 12:30:38 AM »
> Try disabling DNS proxy on the router.

Disabling the DNS proxy has no effect.

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #7 on: February 27, 2023, 12:40:24 AM »
> According to the NF20MESH Port Forwarding guide, there is a check box in the port forward setup for "Enable LAN Loopback".
>
> Make sure "Lan Loopback" is disabled.
>
> LAN Loopback would cause the router to NAT all LAN traffic with the router IP -- maybe their implementation does the same thing for incoming WAN traffic...

Hmmm, by default when you set up the port forwarding rules, this isn't enabled by default.  I tried re-creating the rules with it turned on, but once you create the rule it doesn't show the Loopback setting anywhere.

I re-created the rules again, this time I made sure that LAN Loopback was not checked, and it seems to now be working.  Very very weird.

It's possible that this and the disabling DNS proxy made the difference; whatever it was, it seems to be working now.

Thank you all for your help, it's much appreciated!

Thank you for your help, much appreciated.
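
An added example, not part of any post in this thread: a Python check for the symptom described above, where the mail server records the router's address as the SMTP peer and evaluates SPF against it. The header lines are the ones quoted in the first post (shortened); the function names, the `local_suffixes` parameter and the wrapped test message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received / Received-SPF headers from the first post
# (comment text shortened), wrapped in a minimal message for offline parsing.
SAMPLE = (
    "Received: from Unknown (HELO mail-lj1-f178.google.com) (192.168.1.1)\n"
    " by logicaldevelopments.com.au (qpsmtpd/0.96) with ESMTPS;"
    " Fri, 24 Feb 2023 14:34:57 +0800\n"
    "Received-SPF: softfail (mechanism '~all' matched)"
    " receiver=mail.logicaldevelopments.com.au; identity=mailfrom;"
    " helo=mail-lj1-f178.google.com; client-ip=192.168.1.1\n"
    "Subject: constructed test message\n\nbody\n"
)
# The same message with the address the thread's `host` lookup returned,
# i.e. what the headers look like when the source IP is preserved.
FIXED = SAMPLE.replace("192.168.1.1", "209.85.208.178")

# qpsmtpd trace format as seen in the thread: from <rdns> (HELO <name>) (<ip>)
PEER_RE = re.compile(r"\(HELO\s+(?P<helo>[^\s)]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)")
SPF_IP_RE = re.compile(r"client-ip=(?P<ip>[0-9A-Fa-f.:]+)")

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def nat_masking_findings(raw_message, local_suffixes=(".local", ".lan")):
    """Return reasons to suspect the gateway is source-NATing inbound SMTP."""
    msg = message_from_string(raw_message)
    findings = []
    received = msg.get_all("Received") or []
    # The topmost Received header is the one our own MTA added.
    peer = PEER_RE.search(received[0]) if received else None
    if peer and is_internal(peer["ip"]):
        helo = peer["helo"].lower()
        # A LAN client is expected here only with a local or IP-literal HELO.
        if "." in helo and not helo.startswith("[") and not helo.endswith(local_suffixes):
            findings.append(f"peer {peer['ip']} is internal but HELO is {helo}")
    for spf in msg.get_all("Received-SPF") or []:
        seen = SPF_IP_RE.search(spf)
        if seen and is_internal(seen["ip"]):
            findings.append(f"SPF was evaluated against internal IP {seen['ip']}")
    return findings

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("fixed", FIXED)):
        print(label, nat_masking_findings(raw) or "ok")
```

Run against a message received after each change to the port forwarding rules; an empty result means the server is seeing the real sender address again.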

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #8 on: February 27, 2023, 02:23:33 AM »
> Try disabling DNS proxy on the router.

One side-effect is that now we can't use our external server addresses internally.  For example, if I want to go to https://mail.logicaldevelopments.com.au/ld_external/mantis, it complains that the certificate "example.com" is invalid (this is generated by the router).  If you click "Proceed anyway", it then takes you to the external IP address with a similar error. If you click "Proceed anyway" again, it then takes you to the router login screen.

Any recommendations for a better quality router, one that won't create these kinds of headaches?

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #9 on: February 27, 2023, 02:46:03 AM »
With the last issue, I re-created the NAT port forwarding rules for HTTPS, so that LAN Loopback was enabled.  This allowed me to use the external address.

It's all very complicated ...

Offline TerryF

Re: Inbound emails all show that they originate from the router
« Reply #10 on: February 27, 2023, 03:26:31 AM »
> With the last issue, I re-created the NAT port forwarding rules for HTTPS, so that LAN Loopback was enabled.  This allowed me to use the external address.
>
> It's all very complicated ...

What are you on Paul, FTTN, FTTC etc..... using the voip or not?

Pick one :-) https://whirlpool.net.au/wiki/fttn_registered_modem_router
--
qui scribit bis legit

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #11 on: February 27, 2023, 03:58:01 AM »
> What are you on Paul, FTTN, FTTC etc..... using the voip or not?
>
> Pick one :-) https://whirlpool.net.au/wiki/fttn_registered_modem_router

Fibre To The Premises.
We're using VoIP; we have FreePBX set up on our internal network.

Offline TerryF

--
qui scribit bis legit

Offline pmulroney

Re: Inbound emails all show that they originate from the router
« Reply #13 on: February 27, 2023, 06:23:03 AM »
> Worth a read - https://forums.whirlpool.net.au/archive/9246yz81

Thanks Terry!  We already have wifi setup, so all I really need is a router.  I've fiddled with the NetComm settings, and based on the feedback from others I think it's working now.  I'm a bit afraid to poke it tbh!

If this fails, I have some Billion routers in my stack of old tech.  The routing functions in those were pretty reliable from memory.  Failing that, I'm looking at this one: https://www.ple.com.au/Products/643986/tp-link-er605-safestream-gigabit-multi-wan-vpn-router

Offline TerryF

Re: Inbound emails all show that they originate from the router
« Reply #14 on: February 27, 2023, 07:42:48 AM »
Billion was always my preferred option or anything with a Broadcom chipset..

Currently just use the iiNet supplied TG789vac v3 as also have the voip service..use an old Netgear Nighthawk for wifi and other routing jobs..iinet locks down the voip side,

Only FTTN here so until the copper is replaced pretty futile chasing anything better just yet :-)
--
qui scribit bis legit