Greylisting problem with wide range ip senders

sandor

Member
Aug 12, 2019
17
2
23
30
Hi!

I notice that if a sender have a big range of outgoing smtp servers, and their mails is sent from random ip in the range every time, the mail like to never arrive by greylist.
Outlook hosted custom domain mails produce this error. The following log entrys shows that:

Code:
Mar 11 09:28:36 pmg postfix/smtpd[7562]: NOQUEUE: reject: RCPT from mail-db8eur05on2122.outbound.protection.outlook.com[40.107.20.122]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR05-DB8-obe.outbound.protection.outlook.com>
Mar 11 09:44:28 pmg postfix/smtpd[7730]: NOQUEUE: reject: RCPT from mail-eopbgr20138.outbound.protection.outlook.com[40.107.2.138]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Mar 11 10:02:53 pmg postfix/smtpd[7728]: NOQUEUE: reject: RCPT from mail-eopbgr40093.outbound.protection.outlook.com[40.107.4.93]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR03-DB5-obe.outbound.protection.outlook.com>
Mar 11 10:32:06 pmg postfix/smtpd[7726]: NOQUEUE: reject: RCPT from mail-eopbgr30112.outbound.protection.outlook.com[40.107.3.112]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR03-AM5-obe.outbound.protection.outlook.com>

So that will be a good way to allow us to configure a wildcard "sender server domain", like *.outbound.protection.outlook.com to white list on greylist.
Is it possible trough the Mail filter? I can't find a relevant option.
Thanks for your help!
 
Can you tell me where can i find "SMTP whitelist"?
I don't see this in Mail Filter menu. Can you provide a screen shot please?
 
Can I suggest a function to retrieve whitelist ip from a sender's domain spf?
from a quick glance that should happen if you have enabled 'Use SPF' in GUI->Configuration->Mail Proxy->Options ?

if this does not work for you - please post the logs of a mail, which should come from an ip in the SPF record but is rejected/greylisted

Thanks
 
from a quick glance that should happen if you have enabled 'Use SPF' in GUI->Configuration->Mail Proxy->Options ?

if this does not work for you - please post the logs of a mail, which should come from an ip in the SPF record but is rejected/greylisted

Thanks
I think that is for the normal use of SPF, not to whitelist from graylisting the ip addresses retrievable from SPF.
All external servers, even with a correct SPF record, get graylisted. That is normal.
My proposal is to add an "IP Address from Domain SPF (Sender)" here:

1586175814393.png

Adding a domain using this method, it would retrieve all SPF IP hosts and networks and add them to whitelist.
Using this on only one domain which uses o365 servers, would whitelist all o365 servers thus I don't have to do it for every domain which uses them.

I'll create a bugzilla RFE if I'm not totally wrong about this.
 
We would like to have that feature as well. How can we track that request?
with PMG 6.2 you can configure the network-size for which greylisting is active (it used to be that IPs from the same /24 were considered similar now you can set it to something larger (e.g. /19)) - see GUI->Configuration->Mail Proxy-> Options -> Netmask for Greylisting

maybe this solves your problem!
 
The new network-size configuration helps for sure, but it doesn't resolve the problem. Google or Office365 servers are in wide, separate network ranges. All these ranges are written on SPF records, and updated by the sender's server owners.
I think that updating the greylist fetching from the SPF record of the newly-connected server would be elegant and resolutive.

Obviously, it's just a suggestion, maybe there are problems I'm not considering on this. For example, the spammer could use a real SPF record effectively whitelisting all its servers...
 
  • Like
Reactions: sandor
Because of protection.outlook.com, we have to add:

* 40.92.0.0/15
* 40.107.0.0/16
* 52.100.0.0/14
* 104.47.0.0/17
* 51.4.72.0/24
* 51.5.72.0/24
* 51.5.80.0/27
* 51.4.80.0/27

It would be nice to achieve this with a single entry.
 
The one issue I see with this, is that the large cloud providers (e.g. google, office 365) do add and remove IP-ranges more often, and caching the SPF-result for a particular domain over the uptime of PMG seems a bit of a bad fit.

* Why not simply enable the use SPF feature? (all domains using office 365 need to have them added to their spf record, for this to work)
* you can always whitelist those domains which don't have a working SPF record
* a correct SPF record does disable greylisting for a domain

I hope this helps!
 
The one issue I see with this, is that the large cloud providers (e.g. google, office 365) do add and remove IP-ranges more often, and caching the SPF-result for a particular domain over the uptime of PMG seems a bit of a bad fit.
Manually editing the greylist' whitelist is worse :)

* Why not simply enable the use SPF feature? (all domains using office 365 need to have them added to their spf record, for this to work)

I already have SPF check enabled, but AFAIK it doesn't work with Greylisting.
SPF tells if a mail server can send for that domain AT ALL (or give a bad evaluation if SPF is "~" and not "-")
Graylisting stops the first connection of SPF allowed servers, and accepts the server in the next try (or the bigger range to whom the server belongs, with PMG 6.2)

* you can always whitelist those domains which don't have a working SPF record
* a correct SPF record does disable greylisting for a domain
I may be wrong, but I think a correct SPF record does not disable greylisting for a domain
 
I use https://github.com/0xbharath/assets-from-spf for semi-automated (recursive) checks:
Code:
assets-from-spf$ python3 ./assets_from_spf.py outlook.com
spf-a.outlook.com
spf-b.outlook.com
157.55.9.128/25
spf.protection.outlook.com
spf-a.hotmail.com
_spf-ssg-b.microsoft.com
_spf-ssg-c.microsoft.com
assets-from-spf$ python3 ./assets_from_spf.py spf.protection.outlook.com
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
2a01:111:f400::/48
2a01:111:f403::/48
spfd.protection.outlook.com
git/assets-from-spf$ python3 ./assets_from_spf.py spfd.protection.outlook.com
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
51.4.80.0/27
2a01:4180:4051:0800::/64
2a01:4180:4050:0800::/64
2a01:4180:4051:0400::/64
2a01:4180:4050:0400::/64
But I don't want to maintain the Whitelist manually or by custom scripts. :-/
 
I may be wrong, but I think a correct SPF record does not disable greylisting for a domain
seems odd - could you post the log of a mail from a domain with a working SPF record, which got greylisted?
 
I would need the logs of a few of these mails as well as the output of `pmgconfig dump`

you can e-mail them to 's.ivanov _at_ proxmox.com'
 
for the 3 mails, where you sent me the logs - the connection came from an IP which was not inside the SPF record for the sender-domain.

SPF work only if you have an explicit accept in the record for the ip - if there is no positive result - greylisting is used (if there is a hard-fail in the record the mail is rejected)


I hope this helps!
 
for the 3 mails, where you sent me the logs - the connection came from an IP which was not inside the SPF record for the sender-domain.

SPF work only if you have an explicit accept in the record for the ip - if there is no positive result - greylisting is used (if there is a hard-fail in the record the mail is rejected)

I hope this helps!

You're totally right. The greylisted emails are without or with wrong SPF.
Thank you for the time spent for convincing me :)

Stefano
 
  • Like
Reactions: Stoiko Ivanov

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!