Posts Tagged ‘mimecast’

 

Failed authentication for XXXX, Date: 2019-11-26, Time: 13:26:01 AEDT, IP: X.X.X.X, Application: MfO, Method: IWA, Reason: Wrong password

 

Failed authentication for XXXX, Date: 2019-11-22, Time: 15:13:23 AEDT, IP: X.X.X.X, Application: App Launcher, Method: EWS Basic, Reason: Wrong password

Application: MfO = Mimecast for Outlook

Application: App Launcher = MyApps web-based portal

Method = IWA (Integrated Windows Authentication), usually from the Mimecast Outlook add-in

Method = EWS Basic (used by Domain Authentication to check on-prem)
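A parser for this log format, as an added example (not code from the original post and not a Mimecast tool): it expands the Application and Method codes explained above and reports user/IP pairs with repeated wrong-password failures. The threshold of 3 and the sample users and IPs are assumptions.

```python
import re
from collections import Counter

# Field meanings as given in the post.
APPLICATIONS = {"MfO": "Mimecast for Outlook",
                "App Launcher": "MyApps web-based portal"}
METHODS = {"IWA": "Integrated Windows Authentication",
           "EWS Basic": "EWS Basic (Domain Authentication check against on-prem)"}

LINE_RE = re.compile(
    r"Failed authentication for (?P<user>.+?), "
    r"Date: (?P<date>\d{4}-\d{2}-\d{2}), "
    r"Time: (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+), "
    r"IP: (?P<ip>[^,]+), Application: (?P<app>[^,]+), "
    r"Method: (?P<method>[^,]+), Reason: (?P<reason>.+)$")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Expand the short codes; unknown codes are passed through unchanged.
    event["app_name"] = APPLICATIONS.get(event["app"], event["app"])
    event["method_name"] = METHODS.get(event["method"], event["method"])
    return event

def repeated_failures(lines, threshold=3):
    """Map (user, ip, method) -> count for wrong-password runs >= threshold (assumed value)."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event and event["reason"] == "Wrong password":
            counts[(event["user"], event["ip"], event["method"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample lines in the post's format (users and IPs are made up).
SAMPLE = [
    "Failed authentication for alice@example.com, Date: 2019-11-26, Time: 13:26:01 AEDT, IP: 192.0.2.10, Application: MfO, Method: IWA, Reason: Wrong password",
    "Failed authentication for alice@example.com, Date: 2019-11-26, Time: 13:26:31 AEDT, IP: 192.0.2.10, Application: MfO, Method: IWA, Reason: Wrong password",
    "Failed authentication for alice@example.com, Date: 2019-11-26, Time: 13:27:01 AEDT, IP: 192.0.2.10, Application: MfO, Method: IWA, Reason: Wrong password",
    "Failed authentication for bob@example.com, Date: 2019-11-22, Time: 15:13:23 AEDT, IP: 198.51.100.7, Application: App Launcher, Method: EWS Basic, Reason: Wrong password",
    "this line is not an authentication event",
]

if __name__ == "__main__":
    for key, count in repeated_failures(SAMPLE).items():
        print(key, count)
```

A steady run of IWA failures from one workstation IP is typically the Outlook add-in retrying a stale password after a change, which is worth separating from failures against the web portal.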


 

Latency Threshold – I would say to start with 50-60 seconds to avoid any false positives.

Failure Counter Threshold – I would suggest starting with 5-6 for the same reasons.

Admin Notifications – I would suggest notifying via SMS as well, in case email is down. If you do that, you first have to make sure you are syncing the mobile numbers from AD using the correct AD attribute in Mimecast (https://community.mimecast.com/docs/DOC-1478). You then have to set that attribute up to be used as the mobile attribute for SMS notifications in Administration > Account > Account Settings > System Notification Options. You also have to make sure that the admins who need these SMS notifications subscribe to them. Guidance on subscribing: https://community.mimecast.com/docs/DOC-2085. Further details on using SMS in Continuity: https://community.mimecast.com/docs/DOC-2104.

Affected Group – You have to select a group that covers all users. Otherwise, when you get the notification and opt to start a Continuity Event from the dashboard, it will only affect the Admin group you have selected.


 

Recently I tried to set up a 365 send connector to relay through a third party, Mimecast (https://community.mimecast.com/docs/DOC-1623). Mimecast confirmed they had enabled the tenant domains to relay through Mimecast.

The send connector was failing at the last step; however, I was receiving the email. After numerous calls with Office 365 support, they came back with the reply “We don’t support technical help with Third Party SMTP Servers”.

Checking the headers on the email that came through showed the validator wasn’t even relaying through Mimecast.

Enabling the send connector and trying again resolved the issue. However, it’s a flawed design, because once it is enabled during validation, any user who tries to send out while it doesn’t work will produce an NDR.


Recently had a customer that was getting 15–20 minute delays in receiving emails from Mailchimp. The same email to services such as Office 365, Gmail and other email providers came through straight away.

We had whitelisted Mailchimp’s IPs, listed below, from Greylisting and Spam, to no avail. Message tracking proved that the message wasn’t hitting the Administration Console during the 15-minute delay.

Source IP Ranges (n.n.n.n/x): 
205.201.128.0/20
198.2.128.0/18
148.105.0.0/16

 

We lodged a Mimecast support ticket, got it escalated to Level 2 and waited a week for a response. In the end, a retry of the issue with the technician came through straight away, which means there must have been a block somewhere in Mimecast.


Many companies use newsletter services such as Mailchimp to email out internal newsletters. The From address is usually an internal email address, which means the message will get rejected by the anti-spoofing policy.

Option 1

In the Mimecast Administration Panel, go to:

Administration -> Gateway -> Policies -> Anti Spoofing SPF based Bypass

  1. Add the following policy. This will only whitelist IPs in your SPF record, so putting servers.mcsv.net will not work; you will also have to put “ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16” in your SPF record. If your SPF is over 255 characters, try Option 2.
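A pre-flight check for Option 1, as an added example (not code from the original post and not a Mimecast tool): it adds the three ip4 mechanisms to an SPF record, tests the result against the 255-character limit the post gives, and checks whether a sending IP is covered by a literal ip4 term. The base record and test IPs are constructed, and matching only on literal ip4 terms is a model of the post's statement that an include will not work.

```python
import ipaddress

# Mailchimp source ranges exactly as listed in the post.
MAILCHIMP_RANGES = ["205.201.128.0/20", "198.2.128.0/18", "148.105.0.0/16"]

def add_ip4_mechanisms(spf, ranges):
    """Insert ip4: terms before the final 'all' term, skipping ones already present."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    # Mechanisms after 'all' are never evaluated, so new terms must go before it.
    idx = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    new = [f"ip4:{r}" for r in ranges if f"ip4:{r}" not in terms]
    return " ".join(terms[:idx] + new + terms[idx:])

def fits_option_1(spf, limit=255):
    """True if the record is within the 255-character limit the post mentions."""
    return len(spf) <= limit

def covered_by_ip4(spf, ip):
    """True if ip falls inside a literal ip4: term; includes are not followed."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split():
        if term.lower().startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
    return False

# Constructed sample records (example.com is a placeholder domain).
BASE_SPF = "v=spf1 include:_spf.example.com -all"
INCLUDE_ONLY = "v=spf1 include:servers.mcsv.net -all"
LONG_SPF = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(30)) + " -all"

if __name__ == "__main__":
    updated = add_ip4_mechanisms(BASE_SPF, MAILCHIMP_RANGES)
    print(updated, len(updated), fits_option_1(updated))
    print(covered_by_ip4(updated, "198.2.130.5"))       # inside 198.2.128.0/18
    print(covered_by_ip4(INCLUDE_ONLY, "198.2.130.5"))  # include alone does not match
    print(fits_option_1(add_ip4_mechanisms(LONG_SPF, MAILCHIMP_RANGES)))
```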

 

Option 2

Administration -> Gateway -> Policies -> Anti Spoofing

Add the policy below. You can get a list of the IPs Mailchimp uses here

Find the From address it’s spoofing, along with the IP

 


Create a Computer Configuration Group Policy Object for Windows Firewall as below

Whitelist the files below, inbound and outbound

C:\program files\mimecast\mimecast windows service\msddsk.exe ( 32 bit ) 

C:\program files (x86)\mimecast\mimecast windows service\msddsk.exe  ( 64 bit ) 


Recently an email came in from a third party which wasn’t blocked by the Impersonation Protection

Administration > Gateway > Policies > Impersonation Protection Definitions  

Default Impersonation Protection for Mimecast 

  • Similar Internal Domain (Similarity Distance 2 ) 
  • Newly Observed Domain ( Checked ) 
  • Internal User Name ( Checked ) 
  • Reply-to Address Mismatch ( Uncheck ) 
  • Targeted Threat Dictionary ( Checked ) 
  • Mimecast Threat Dictionary ( Checked ) 
  • Number of Hits : 2
  • Ignore Signed Messages ( Unchecked ) 

For executives, particularly those who are disclosed on the company website, I recommend implementing a hit score of 1 on emails with their name as a display name.

Exec Impersonation Protection

  • Similar Internal Domain  ( Checked ) 
  • Newly Observed Domain  ( Checked ) 
  • Internal User name  ( Checked ) 
  • Number of Hits: 1 


Administration > Gateway > Policies > Impersonation Protection > New Policy 


Selection Option: Choose the new definition that was just created 
Addresses based on: Both 
Applies from: Header Display Name 
Specifically: INSERT NAME 
Applies To: Internal Addresses 
Save and Exit 

I would advise that display name checks are in place for all high-profile targets, particularly those disclosed on the company website or other public sources. You may also want to consider alternative spellings. An individual policy is required for each display name.
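A simplified model of the hit counting configured above, as an added example (not Mimecast's implementation and not code from the original post): it shows why a display-name-only match passes at Number of Hits 2 but is flagged by the executive definition at 1. It assumes "Similarity Distance" is an edit distance and models only three of the listed checks; the domains, names and messages are constructed.

```python
def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) using two DP rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def policy_hits(msg, internal_domain, internal_names, newly_observed, max_distance=2):
    """Return the names of the modelled checks that this message trips."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    hits = []
    # A lookalike is close to, but not equal to, the internal domain.
    if (sender_domain != internal_domain
            and edit_distance(sender_domain, internal_domain) <= max_distance):
        hits.append("similar_internal_domain")
    if sender_domain in newly_observed:
        hits.append("newly_observed_domain")
    if msg["display_name"].strip().lower() in internal_names:
        hits.append("internal_user_name")
    return hits

def is_flagged(hits, number_of_hits):
    """The definition triggers once enough checks have hit."""
    return len(hits) >= number_of_hits

# Constructed environment and messages.
INTERNAL_DOMAIN = "example.com"
INTERNAL_NAMES = {"jane citizen"}   # hypothetical executive display name
NEWLY_OBSERVED = {"examp1e.com"}
THIRD_PARTY = {"from": "accounts@supplier.example.org", "display_name": "Jane Citizen"}
LOOKALIKE = {"from": "jane@examp1e.com", "display_name": "Jane Citizen"}

if __name__ == "__main__":
    for msg in (THIRD_PARTY, LOOKALIKE):
        hits = policy_hits(msg, INTERNAL_DOMAIN, INTERNAL_NAMES, NEWLY_OBSERVED)
        print(msg["from"], hits, "default:", is_flagged(hits, 2), "exec:", is_flagged(hits, 1))
```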


Recently had a customer stop being able to send items to Mimecast, with the following:

554 Email rejected due to security policies - https://community.mimecast.com/docs/DOC-1369#554

This was happening to multiple emails, and the Mimecast logs showed: Bounce – Message content not accepted

Users trying to email the customer by replying to their email would also get the same bounce back.

So something generic in the content was causing this.

Generic content would be email signatures, and links in email signatures are usually the cause. Removing one of the domains in the email signature fixed this; we lodged a support case with Mimecast, who removed this domain from their blocklist.

The actual cause was the company was sending mass emails with using something like mailchimp so it did not have an unsubscribe button so domains in the email were blocked in third party lists like : http://lookup.uribl.com/
