[SOLVED] How can I whitelist sending mail servers?

larsen

Member
Feb 28, 2020
87
8
8
As far as I understand the documentation, the whitelist (Configuration > Mail Proxy) only applies to MAIL FROM.

As we use greylisting, I would like to whitelist known servers like this with a regex "mail[0-9].bemta[0-9][0-9].messagelabs.com"
Code:
NOQUEUE: reject: RCPT from mail1.bemta25.messagelabs.com[195.245.230.69]: 450 4.7.1


Lars
 

aaron

Proxmox Staff Member
Staff member
Jun 3, 2019
2,456
345
88
Exactly that won't work. You could define IP subnetworks in the mail proxy whitelist. Alternatively you could enable the SPF checks. If the sending servers are part of the SPF record, there will be no greylisting.
 

larsen

Ah ok, that's good. We already use SPF checks.

However, I just checked the corresponding SPF record, so now I wonder "shouldn't this have not been greylisted"?
Code:
dig +short txt nets1.spf.messagelabs.com nets2.spf.messagelabs.com | grep 195.245.230
"v=spf1 ip4:85.158.136.0/21 ip4:193.109.254.0/23 ip4:194.106.220.0/23 ip4:195.245.230.0/23 ip4:95.131.104.0/21 ip4:46.226.48.0/21"
 

aaron

Hmm, are they shown in the tracking center? If they are greylisted, you will need to enable the checkbox. If so, what are the logs for those mails saying?
 

larsen

I can see that a mail got greylisted, then delivered from the same host/ip some minutes later:
Code:
Oct 13 12:00:54 gateway postfix/smtpd[146215]: connect from mail1.bemta26.messagelabs.com[85.158.142.4]
Oct 13 12:00:55 gateway postfix/smtpd[146215]: NOQUEUE: reject: RCPT from mail1.bemta26.messagelabs.com[85.158.142.4]: 450 4.7.1 <ad@receiver>: Recipient address rejected: Service is unavailable (try later); from=<rs@sender> to=<ad@receiver> proto=ESMTP helo=<mail1.bemta26.messagelabs.com>
Oct 13 12:01:00 gateway postfix/smtpd[146215]: disconnect from mail1.bemta26.messagelabs.com[85.158.142.4] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Anything else you would need from the logs?
 

aaron

Okay, is the sending mail server also in the SPF record of the sending domain as it is used in the envelope from field?
 

larsen

Ah ok. The sending domain doesn't have any SPF record, so this would be the culprit?
 

aaron

Yes, SPF checks against the from domain present in the envelope, not the DNS/PTR record of the sending server.

If the messagelabs servers are part of your own mail pipeline, you will most likely have to set their IPs / IP ranges in the Mail Proxy Whitelist.
 
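The diagnosis reached in the thread, as an added example that is not code from the thread or from Proxmox: it parses a greylist reject line, evaluates SPF for the envelope-from domain rather than the connecting host, and reports the provider CIDR that would go into the Mail Proxy Whitelist. The SPF check is simplified to `ip4:` terms only, and the names `provider-spf.example`, `sender.example`, `receiver.example` and all function names are assumptions.

```python
import ipaddress
import re

# Stand-in for DNS so the example runs offline. The ip4 terms are those in the dig
# output quoted in the thread; "provider-spf.example" is a constructed name, and
# "sender.example" has no entry because the sending domain publishes no SPF record.
SPF_TXT = {
    "provider-spf.example": "v=spf1 ip4:85.158.136.0/21 ip4:193.109.254.0/23 "
    "ip4:194.106.220.0/23 ip4:195.245.230.0/23 ip4:95.131.104.0/21 ip4:46.226.48.0/21",
}
# Reject line in the format shown in the thread, with constructed mail addresses.
SAMPLE_LOG = (
    "Oct 13 12:00:55 gateway postfix/smtpd[146215]: NOQUEUE: reject: RCPT from "
    "mail1.bemta26.messagelabs.com[85.158.142.4]: 450 4.7.1 <ad@receiver.example>: "
    "Recipient address rejected: Service is unavailable (try later); "
    "from=<rs@sender.example> to=<ad@receiver.example> proto=ESMTP "
    "helo=<mail1.bemta26.messagelabs.com>"
)
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: 450 "
    r".*?from=<(?P<sender>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

def ip4_networks(record):
    """Return the ip4: networks of one SPF record (include/a/mx are not resolved)."""
    return [ipaddress.ip_network(t[4:], strict=False)
            for t in record.split()[1:] if t.lower().startswith("ip4:")]

def spf_result(domain, client_ip):
    """Simplified SPF: 'none' without a record, 'pass' on an ip4 match, else 'no-match'."""
    record = SPF_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in ip4_networks(record)) else "no-match"

def explain_greylist(line):
    """Show which identity SPF evaluates for a 450 reject and which CIDR to whitelist."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    # SPF uses the envelope-from domain; for a null sender (<>) it falls back to HELO.
    sender = m["sender"]
    identity = sender.rsplit("@", 1)[1] if "@" in sender else m["helo"]
    ip = ipaddress.ip_address(m["ip"])
    cidr = next((str(n) for n in ip4_networks(SPF_TXT["provider-spf.example"])
                 if ip in n), None)
    return {"client_ip": m["ip"], "spf_identity": identity,
            "spf_result": spf_result(identity, m["ip"]), "provider_cidr": cidr}
```

For the sample line, the client IP sits inside one of the provider's ranges, yet the SPF result is `none` because the identity checked is the sender's domain, which is why the mail is still greylisted.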
