Mailgateway Greylisted email

[Adri]

I have some problems with emails which get greylisted even if they are on the whitelist





OUTPUT in greylist tracking center :


Aug 3 12:46:12 mailgateway postfix/smtpd[6211]: connect from e2i123.smtp2go.com[103.2.140.123]
Aug 3 12:46:12 mailgateway postfix/smtpd[6211]: Anonymous TLS connection established from e2i123.smtp2go.com[103.2.140.123]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256
Aug 3 12:46:12 mailgateway postfix/smtpd[6211]: NOQUEUE: reject: RCPT from e2i123.smtp2go.com[103.2.140.123]: 450 4.7.1 <xxxx@bertraminterieur.nl>: Recipient address rejected: Service is unavailable (try later); from=<xxxxx@hubo.nl> to=<xxxx@bertraminterieur.nl> proto=ESMTP helo=<e2i123.smtp2go.com>
Aug 3 12:46:12 mailgateway postfix/smtpd[6211]: disconnect from e2i123.smtp2go.com[103.2.140.123] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7

Can someone help what i am doing wrong here ? or better how to solve it ;-)

 

[dcsapak]

greylisting happens before the rule system can act. but you can edit the 'smtp whitelist' under configuration -> mail proxy -> whitelist

 

[Adri]

Ah tnxs, i will add the domain there !

 

[Fra]

I am about to do the same, but I see in https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_configuration_files_overview

SMTP Whitelist

Exclude senders from SMTP blocking. To prevent all SMTP checks (Greylisting, Receiver Verification, SPF and DNSBL) and accept all emails for analysis in the filter rule system, you can add the following to this list: Domains (Sender/Receiver), Mail address (Sender/Receiver), Regular Expression (Sender/Receiver), IP address (Sender), IP network (Sender).

so, but adding a domain there I am not just disabling greylisting for that domain, but also a lot of other userful checks: am I right?

we do really need to *only* disable greylisting for some domains: I see a message sent by microsoft/outlook take about 2.5 hours to reach our users, and this is really too much: is the above SMTP whitelisting the only way? (we will have to add there *a log* of domain ..almost all our customers)

 

[dcsapak]

is the above SMTP whitelisting the only way? (we will have to add there *a log* of domain ..almost all our customers)

yes that is currently the only way do do that, alternatively you can disable greylisting on the whole pmg
(you could have 2 pmg servers, one with greylisting and one without and move the customers to the appropriate one)

 

[dcsapak]

what you could also try is to increase the greylisting netmask so that a bigger portion of the source network is considered

 

[Fra]

thank you for the very quick reply!



yes, we would like to, at least, reduce the 2.5 hours needed to receive an email (we do not want to disable greylisting: btw: the customer using pmg is only one, the one I work for, then he, I mean the company, have many customers with many super reliable mail server that send the pmg mails pretty often: w):

I think there is something wrong 'cause we do not see often this delay (which for a specific domain I am 100% postiive the delay is 'pure' greylisting delay)

> what you could also try is to increase the greylisting netmask so that a bigger portion of the source network is considered

ah, I did not know, thanks!
( https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration

so, since those emails comes from `eurprd08.prod.outlook.com` I guess the pool of servers (IPs) are really pretty big, so the result is that almost all messages from senders using microsoft get always greylisted?

so, I have the default:

greylistmask4 = 24
greylistmask6 = 64

for those microsoft mail servers, what should I set? maybe 18 (so 16.000 IPs) instead of 24 ?

 

[dcsapak]

for those microsoft mail servers, what should I set? maybe 18 (so 16.000 IPs) instead of 24 ?

yeah you could start with that. it largely depends on how their infrastructure is setup though
i'd try not to have too much ips in that range though..

 

[mgutt]

greylisting happens before the rule system can act. but you can edit the 'smtp whitelist' under configuration -> mail proxy -> whitelist

The Admin Guide does not contain further explanations regarding the options:



IP Address and Network refer to the sending mailserver or to the IP of the domain which is part of the mail address? And what about Domain and Regular Expression?

 

[dcsapak]

well the ip address/network matches the ip address of the sending smtp client (thus the 'Sender')
and the domain is either the domain of the sending or receiving domain (thus sender or receiver)
(same for the regex)

 

[mgutt]

and the domain is either the domain of the sending or receiving domain (thus sender or receiver)

Does the "Sending domain" contain the PTR of the Mailserver (SMTP Client) which connected to the Proxmox MGW, too, or only the "From:" part which is mentioned in the mail content?

Or an example. Does this work?

 

[Stoiko Ivanov]

Does the "Sending domain" contain the PTR of the Mailserver (SMTP Client) which connected to the Proxmox MGW, too, or only the "From:" part which is mentioned in the mail content?

The Sender Domain as Sender Address in this context refers to the envelope-sender address - not the reverse PTR of the client