Greylisting problem with wide range ip senders

[sandor]

Hi!

I notice that if a sender have a big range of outgoing smtp servers, and their mails is sent from random ip in the range every time, the mail like to never arrive by greylist.
Outlook hosted custom domain mails produce this error. The following log entrys shows that:

Mar 11 09:28:36 pmg postfix/smtpd[7562]: NOQUEUE: reject: RCPT from mail-db8eur05on2122.outbound.protection.outlook.com[40.107.20.122]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR05-DB8-obe.outbound.protection.outlook.com>
Mar 11 09:44:28 pmg postfix/smtpd[7730]: NOQUEUE: reject: RCPT from mail-eopbgr20138.outbound.protection.outlook.com[40.107.2.138]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Mar 11 10:02:53 pmg postfix/smtpd[7728]: NOQUEUE: reject: RCPT from mail-eopbgr40093.outbound.protection.outlook.com[40.107.4.93]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR03-DB5-obe.outbound.protection.outlook.com>
Mar 11 10:32:06 pmg postfix/smtpd[7726]: NOQUEUE: reject: RCPT from mail-eopbgr30112.outbound.protection.outlook.com[40.107.3.112]: 450 4.7.1 <us@ourdomain.hu>: Recipient address rejected: Service is unavailable (try later); from=<they@theirdomain.hu> to=<us@ourdomain.hu> proto=ESMTP helo=<EUR03-AM5-obe.outbound.protection.outlook.com>

So that will be a good way to allow us to configure a wildcard "sender server domain", like *.outbound.protection.outlook.com to white list on greylist.
Is it possible trough the Mail filter? I can't find a relevant option.
Thanks for your help!

 

[dietmar]

Yes, simply add that domain to the SMTP whitelist

 

[sandor]

Can you tell me where can i find "SMTP whitelist"?
I don't see this in Mail Filter menu. Can you provide a screen shot please?

 

[Stoiko Ivanov]

Can you tell me where can i find "SMTP whitelist"?

GUI->Configuration->Mail Proxy->Whitelist

I hope this helps!

 

[Stefano Giunchi]

As more and more companies go office365, gsuite, or other "big farms", greylisting is much more problematic.
Can I suggest a function to retrieve whitelist ip from a sender's domain spf?

 

[Stoiko Ivanov]

Can I suggest a function to retrieve whitelist ip from a sender's domain spf?

from a quick glance that should happen if you have enabled 'Use SPF' in GUI->Configuration->Mail Proxy->Options ?

if this does not work for you - please post the logs of a mail, which should come from an ip in the SPF record but is rejected/greylisted

Thanks

 

[Stefano Giunchi]

from a quick glance that should happen if you have enabled 'Use SPF' in GUI->Configuration->Mail Proxy->Options ?

if this does not work for you - please post the logs of a mail, which should come from an ip in the SPF record but is rejected/greylisted

Thanks

I think that is for the normal use of SPF, not to whitelist from graylisting the ip addresses retrievable from SPF.
All external servers, even with a correct SPF record, get graylisted. That is normal.
My proposal is to add an "IP Address from Domain SPF (Sender)" here:



Adding a domain using this method, it would retrieve all SPF IP hosts and networks and add them to whitelist.
Using this on only one domain which uses o365 servers, would whitelist all o365 servers thus I don't have to do it for every domain which uses them.

I'll create a bugzilla RFE if I'm not totally wrong about this.

 

[some-admins]

We would like to have that feature as well. How can we track that request?

 

[Stoiko Ivanov]

We would like to have that feature as well. How can we track that request?

with PMG 6.2 you can configure the network-size for which greylisting is active (it used to be that IPs from the same /24 were considered similar now you can set it to something larger (e.g. /19)) - see GUI->Configuration->Mail Proxy-> Options -> Netmask for Greylisting

maybe this solves your problem!

 

[Stefano Giunchi]

The new network-size configuration helps for sure, but it doesn't resolve the problem. Google or Office365 servers are in wide, separate network ranges. All these ranges are written on SPF records, and updated by the sender's server owners.
I think that updating the greylist fetching from the SPF record of the newly-connected server would be elegant and resolutive.

Obviously, it's just a suggestion, maybe there are problems I'm not considering on this. For example, the spammer could use a real SPF record effectively whitelisting all its servers...

 

[some-admins]

Because of protection.outlook.com, we have to add:

* 40.92.0.0/15
* 40.107.0.0/16
* 52.100.0.0/14
* 104.47.0.0/17
* 51.4.72.0/24
* 51.5.72.0/24
* 51.5.80.0/27
* 51.4.80.0/27

It would be nice to achieve this with a single entry.

 

[Stoiko Ivanov]

The one issue I see with this, is that the large cloud providers (e.g. google, office 365) do add and remove IP-ranges more often, and caching the SPF-result for a particular domain over the uptime of PMG seems a bit of a bad fit.

* Why not simply enable the use SPF feature? (all domains using office 365 need to have them added to their spf record, for this to work)
* you can always whitelist those domains which don't have a working SPF record
* a correct SPF record does disable greylisting for a domain

I hope this helps!

 

[some-admins]

How about a daily check for the specified domains?

 

[Stefano Giunchi]

The one issue I see with this, is that the large cloud providers (e.g. google, office 365) do add and remove IP-ranges more often, and caching the SPF-result for a particular domain over the uptime of PMG seems a bit of a bad fit.

Manually editing the greylist' whitelist is worse

* Why not simply enable the use SPF feature? (all domains using office 365 need to have them added to their spf record, for this to work)

I already have SPF check enabled, but AFAIK it doesn't work with Greylisting.
SPF tells if a mail server can send for that domain AT ALL (or give a bad evaluation if SPF is "~" and not "-")
Graylisting stops the first connection of SPF allowed servers, and accepts the server in the next try (or the bigger range to whom the server belongs, with PMG 6.2)

* you can always whitelist those domains which don't have a working SPF record
* a correct SPF record does disable greylisting for a domain

I may be wrong, but I think a correct SPF record does not disable greylisting for a domain

 

[some-admins]

I use https://github.com/0xbharath/assets-from-spf for semi-automated (recursive) checks:

assets-from-spf$ python3 ./assets_from_spf.py outlook.com
spf-a.outlook.com
spf-b.outlook.com
157.55.9.128/25
spf.protection.outlook.com
spf-a.hotmail.com
_spf-ssg-b.microsoft.com
_spf-ssg-c.microsoft.com
assets-from-spf$ python3 ./assets_from_spf.py spf.protection.outlook.com
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
2a01:111:f400::/48
2a01:111:f403::/48
spfd.protection.outlook.com
git/assets-from-spf$ python3 ./assets_from_spf.py spfd.protection.outlook.com
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
51.4.80.0/27
2a01:4180:4051:0800::/64
2a01:4180:4050:0800::/64
2a01:4180:4051:0400::/64
2a01:4180:4050:0400::/64

But I don't want to maintain the Whitelist manually or by custom scripts. :-/

 

[Stoiko Ivanov]

I may be wrong, but I think a correct SPF record does not disable greylisting for a domain

seems odd - could you post the log of a mail from a domain with a working SPF record, which got greylisted?

 

[Stefano Giunchi]

seems odd - could you post the log of a mail from a domain with a working SPF record, which got greylisted?

I did a quick check, and a good part of graylisted mails come from a domain with good SPF.
I can private message some of the domains if you wish.

 

[Stoiko Ivanov]

I would need the logs of a few of these mails as well as the output of `pmgconfig dump`

you can e-mail them to 's.ivanov _at_ proxmox.com'

 

[Stoiko Ivanov]

for the 3 mails, where you sent me the logs - the connection came from an IP which was not inside the SPF record for the sender-domain.

SPF work only if you have an explicit accept in the record for the ip - if there is no positive result - greylisting is used (if there is a hard-fail in the record the mail is rejected)


I hope this helps!

 

[Stefano Giunchi]

for the 3 mails, where you sent me the logs - the connection came from an IP which was not inside the SPF record for the sender-domain.

SPF work only if you have an explicit accept in the record for the ip - if there is no positive result - greylisting is used (if there is a hard-fail in the record the mail is rejected)

I hope this helps!

You're totally right. The greylisted emails are without or with wrong SPF.
Thank you for the time spent for convincing me

Stefano