[SOLVED] How can I whitelist sending mail servers?

larsen

As far as I understand the documentation, the whitelist (Configuration > Mail Proxy) only applies to MAIL FROM.

As we use greylisting, I would like to whitelist known servers like this with a regex "mail[0-9].bemta[0-9][0-9].messagelabs.com"
Code:
NOQUEUE: reject: RCPT from mail1.bemta25.messagelabs.com[195.245.230.69]: 450 4.7.1


Lars
 
Exactly that won't work. You could define IP subnetworks in the mail proxy whitelist. Alternatively you could enable the SPF checks. If the sending servers are part of the SPF record, there will be no greylisting.
 
Ah ok, that's good. We already use SPF checks.

However, I just checked the corresponding SPF record, so now I wonder "shouldn't this have not been greylisted"?
Code:
dig +short txt nets1.spf.messagelabs.com nets2.spf.messagelabs.com | grep 195.245.230
"v=spf1 ip4:85.158.136.0/21 ip4:193.109.254.0/23 ip4:194.106.220.0/23 ip4:195.245.230.0/23 ip4:95.131.104.0/21 ip4:46.226.48.0/21"
 
Hmm, are they shown in the tracking center? If they are greylisted, you will need to enable the checkbox. If so, what are the logs for those mails saying?
 
I can see that a mail got greylisted, then delivered from the same host/ip some minutes later:
Code:
Oct 13 12:00:54 gateway postfix/smtpd[146215]: connect from mail1.bemta26.messagelabs.com[85.158.142.4]
Oct 13 12:00:55 gateway postfix/smtpd[146215]: NOQUEUE: reject: RCPT from mail1.bemta26.messagelabs.com[85.158.142.4]: 450 4.7.1 <ad@receiver>: Recipient address rejected: Service is unavailable (try later); from=<rs@sender> to=<ad@receiver> proto=ESMTP helo=<mail1.bemta26.messagelabs.com>
Oct 13 12:01:00 gateway postfix/smtpd[146215]: disconnect from mail1.bemta26.messagelabs.com[85.158.142.4] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Anything else you would need from the logs?
 
Okay, is the sending mail server also in the SPF record of the sending domain as it is used in the envelope from field?
 
Ah ok. The sending domain doesn't have any SPF record, so this would be the culprit?
 
Yes, SPF checks against the from domain present in the envelope, not the DNS/PTR record of the sending server.

If the messagelabs servers are part of your own mail pipeline, you will most likely have to set their IPs / IP ranges in the Mail Proxy Whitelist.
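The distinction reached in this thread, as an added example that is not part of the original posts and not Proxmox Mail Gateway code: SPF is evaluated for the envelope-from domain of the rejected message, not for the relay's own SPF zone. The TXT table stands in for DNS, `sender.example` and `fixed.example` are hypothetical domains, the log line is constructed in the shape of the one posted above, and only the `ip4`/`ip6`/`include`/`all` mechanisms are handled.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The messagelabs record is the one quoted in the thread; "fixed.example" is a
# hypothetical sender that authorises the relay. "sender.example" has no record.
TXT = {
    "nets1.spf.messagelabs.com": (
        "v=spf1 ip4:85.158.136.0/21 ip4:193.109.254.0/23 ip4:194.106.220.0/23 "
        "ip4:195.245.230.0/23 ip4:95.131.104.0/21 ip4:46.226.48.0/21"),
    "fixed.example": "v=spf1 include:nets1.spf.messagelabs.com -all",
}
LOG_RE = re.compile(
    r"RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 450 .*? from=<(?P<mfrom>[^>]*)>")
# Constructed sample line, modelled on the greylisting reject shown above.
LINE = ("Oct 13 12:00:55 gateway postfix/smtpd[146215]: NOQUEUE: reject: RCPT from "
        "mail1.bemta26.messagelabs.com[85.158.142.4]: 450 4.7.1 <ad@receiver.example>: "
        "Recipient address rejected: Service is unavailable (try later); "
        "from=<rs@sender.example> to=<ad@receiver.example> proto=ESMTP")

def spf_result(ip, domain, depth=0):
    """Evaluate ip4/ip6/include/all for `domain` and return an SPF result string."""
    record = TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no SPF record published
    if depth > 10:
        return "permerror"                 # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            hit = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            hit = spf_result(ip, mech[8:], depth + 1) == "pass"
        elif mech == "all":
            hit = True
        else:
            continue                       # mechanism not covered by this sketch
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def explain(log_line):
    """Return (client_ip, envelope_domain, spf_result) for a greylisting reject line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    domain = m["mfrom"].rpartition("@")[2]
    return m["ip"], domain, spf_result(m["ip"], domain)

if __name__ == "__main__":
    print(explain(LINE))
```

The relay's IP passes against `nets1.spf.messagelabs.com`, but the lookup that matters returns `none` because the envelope-from domain publishes no record, which matches the greylisting seen in the logs.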
 