[SOLVED] Some domains in a whitelist work while others don't

ramaza

Member
Jun 21, 2017
Hi, I've been evaluating PMG for several days and am trying hard to narrow down a problem with whitelisting domains.

I have a list of domains that should be delivered immediately without being Spam checked. I verify this list by using the "Notify Admin" action. The problem is that some entries in this whitelist work while others don't.

Here's an anonymized header of a sample email that should have matched the existing entry "secure.lottoland.com":

Code:
Delivered-To: aaaaa.hhhhhh@ssssss.com
Return-Path: v-bjiiimd_bgdklbffad_fheaoodb_fheaoodb_a@bounce.lottoland.mkt5210.com
Received-SPF: pass (bounce.lottoland.mkt5210.com: 74.112.71.8 is authorized to use 'v-bjiiimd_bgdklbffad_fheaoodb_fheaoodb_a@bounce.lottoland.mkt5210.com' in 'mfrom' identity (mechanism 'ip4:74.112.71.8' matched)) receiver=smtp.oooooo.com; identity=mailfrom; envelope-from="v-bjiiimd_bgdklbffad_fheaoodb_fheaoodb_a@bounce.lottoland.mkt5210.com"; helo=mail5504.lottoland.mkt6102.com; client-ip=74.112.71.8
Received: from mail5504.lottoland.mkt6102.com (mail5504.lottoland.mkt6102.com [74.112.71.8])
    by smtp.oooooo.com (Proxmox) with ESMTP id AC53843139
    for <aaaaa.hhhhhh@ssssss.com>; Thu, 16 May 2019 17:00:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spop1024; d=secure.lottoland.com;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; i=mail@secure.lottoland.com;
 bh=bUpks0hAVuwIq8KMU09mD7LyXbk=;
 b=caA1lzfEBFifByhqpiA4X5L5/ksWuV2kGheMybprAaN1qiiDbKsFIoeUpHDLsC/IBzdKqyX+qUWK
   AQaWWC0n1eiFWnQK8sCUQtUCe04GxVUj43mAk3N7aS+OQ4mbvvSJ1qUDWwo+nvBK/+yew28GwuNh
   A6EYuMDAeGd7xvmuoqw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=spop1024; d=secure.lottoland.com;
 b=SvjxeJVNOiqsCpa5LHs9f+WcGdHkPY7A/JHvgcQBL15z/phGT9+/X1GBTE40Oyl0648koHi8y3zg
   ONzu4M2q5Bn6le5lOIZZ0WQxLIlWLkO1MwVM6n3NIeBvUZ2cK9R2kn1T85ofGDmUveJRv8taR9f/
   90kcCeDRXOAM2u2lw7U=;
Received: by mail5504.lottoland.mkt6102.com id hrlth019if42 for <aaaaa.hhhhhh@ssssss.com>; Thu, 16 May 2019 15:00:25 +0000 (envelope-from <v-bjiiimd_bgdklbffad_fheaoodb_fheaoodb_a@bounce.lottoland.mkt5210.com>)
Date: Thu, 16 May 2019 15:00:25 +0000 (GMT)
From: Lottoland Meldung <mail@secure.lottoland.com>
Reply-To: mail@secure.lottoland.com
To: aaaaa.hhhhhh@ssssss.com
Message-ID: <2021558021.93653381558018825707.JavaMail.app@rbg11.atlis1>
Subject: =?utf-8?Q?aaaaa,_genau_was_du_heute_brauchst!_=F0=9F=91=8D?=
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_37507_1900521545.1558018818994"
x-mid: 26773699
X-CSA-Complaints: whitelist-complaints@eco.de
x-rpcampaign: sp26773699
Feedback-ID: pod1_2914_26773699_1463873073:pod1_2914:ibmsilverpop
x-job: 26773699
x-orgId: 2914
List-Unsubscribe: <mailto:v-bjiiimd_bgdklbffad_fheaoodb_fheaoodb_a@bounce.lottoland.mkt5210.com?subject=Unsubscribe>
X-SPAM-LEVEL: Spam detection results:  0
    AWL                     0.255 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIMWL_WL_HIGH         -0.001 DKIMwl.org - Whitelisted High sender
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.001 From and EnvelopeFrom 2nd level mail domains are different
    HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to background
    HTML_MESSAGE            0.001 HTML included in message
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
 
I further investigated the problem. My first thought was that it's related to subdomains like "secure.lottoland.com", but emails from domains like "weltbild.at" aren't processed by my domain whitelist either. Here's an anonymized email header. So far I couldn't identify a similarity between these two samples that makes them both misbehave.

Code:
Delivered-To: aaaaa@ssssss.com
Return-Path: g-3686408143-7186-354666382-1558242554248@bounce.mail.weltbild.at
Received-SPF: pass (bounce.mail.weltbild.at: 195.140.187.206 is authorized to use 'g-#-#-#-#@bounce.mail.weltbild.at' in 'mfrom' identity (mechanism 'ip4:195.140.184.0/22' matched)) receiver=smtp.oooooo.com; identity=mailfrom; envelope-from="g-#-#-#-#@bounce.mail.weltbild.at"; helo=duonullasx.gamma.eccluster.com; client-ip=195.140.187.206
Received: from duonullasx.gamma.eccluster.com (duonullasx.gamma.eccluster.com [195.140.187.206])
    by smtp.oooooo.com (Proxmox) with ESMTP id C22534157E
    for <aaaaa@ssssss.com>; Sun, 19 May 2019 07:09:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.weltbild.at;
    q=dns/txt; s=ecm1; bh=vhZqqsLuVj38OQqTb0MD41jM1miOsqGYFKxdOfzIoOE=;
    h=date:from:reply-to:to:subject:message-id:mime-version:content-type:list-id:list-unsubscribe:list-help:x-csa-complaints;
    b=oerQ6mKbEpK3wi26Ajj6lrqIqzGOFqZGFs1xpgX2jF0YpkIFYUcG8Ga9OlYCGo87aHVkcVf2M
    eJrL+VXKx4om37Ah/ltjCboyQwPMmYIA0NH+HM13NZbZJZj6NthBtRTEIb52qD5bjB6/XnKGazm
    M4p5NWAGyEywX81cwgxy0LI=
Received: from app31.muc.ec-messenger.com (app31.muc.ec-messenger.com [172.16.8.61])
    (envelope-from <g-3686408143-7186-354666382-1558242554248@bounce.mail.weltbild.at>)
    by hp13mtaq114 (mtaq-receiver/2.20190311.1) with ESMTP id wa1cSCRbHsfK
    for <aaaaa@ssssss.com>; Sun, 19 May 2019 07:09:14 +0200
Date: Sun, 19 May 2019 07:09:14 +0200 (CEST)
From: "Weltbild.at" <newsletter@weltbild.at>
Reply-To: "Weltbild.at" <haupt-newsletter-reply@mail.weltbild.at>
To: Aaaaa Sssssss <aaaaa@ssssss.com>
Message-ID: <mlt9ai.jvuhdtvq6vjk04l@weltbild.at>
Subject: =?UTF-8?Q?=E2=9E=A0_Bitte_=C3=B6ffnen:_Ihr_20.-_=E2=82=AC_GUTSCHEIN!?=
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_2677122_1787251606.1558242554205"
X-eC-messenger-mid: 354666382
List-Id: <700002647.mail.weltbild.at>
X-eC-messenger-cid: 7186
X-eC-messenger-token: 5v5qbyI1oysiq7
List-Unsubscribe: <http://mail.weltbild.at/public/list_unsubscribe.jsp?action=listUnsubscribe&gid=700002647&uid=3686408143&mid=354666382&siglistunsub=KNMPMGNNAMJCLGIG&errorPage=/public/list_unsubscribe.jsp>, <mailto:listunsubscribe-700002647-354666382-3686408143@mail.weltbild.at>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-eC-messenger-sender-domain: bounce.mail.weltbild.at
X-eC-messenger-sendouttypeid: 0
X-eC-messenger-addresseeroleid: 1
X-eC-messenger-recipienttypeid: 2
List-Help: <mailto:abuse@mapp.com>
X-CSA-Complaints: whitelist-complaints@eco.de
X-Mailer: eC-Messenger Build 6.90.3975.1
X-eC-messenger-email: aaaaa@ssssss.com
X-SPAM-LEVEL: Spam detection results:  0
    AWL                     0.159 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    HTML_IMAGE_RATIO_02     0.437 HTML has a low ratio of text to image area
    HTML_MESSAGE            0.001 HTML included in message
    KAM_MXURI                 1.5 URI begins with a mail exchange prefix, i.e. mx.[...]
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
 
I think the problem here is that the white-/blacklist matches the envelope sender and not the 'From' header you see in your mail client.
Those should be the actual domains you need to add to the whitelist for it to work (probably best achieved with a regular expression).

Hope this helps!
 
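To illustrate the point made in the reply above, here is an added example that is not part of the thread and not Proxmox Mail Gateway code. It parses two header blocks (constructed from the anonymized headers posted above), pulls out the envelope-sender domain (Return-Path) and the From-header domain, and checks each against a small whitelist model. The model is an assumption: plain entries are treated as exact, case-insensitive domain matches and regex entries as full-string regular expressions; PMG's real matching rules and regex syntax are not specified on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, trimmed from the anonymized ones in the thread.
LOTTOLAND = """\
Return-Path: v-xxxx@bounce.lottoland.mkt5210.com
From: Lottoland Meldung <mail@secure.lottoland.com>
To: aaaaa.hhhhhh@ssssss.com
Subject: sample

"""

WELTBILD = """\
Return-Path: g-3686408143-7186-354666382-1558242554248@bounce.mail.weltbild.at
From: "Weltbild.at" <newsletter@weltbild.at>
To: aaaaa@ssssss.com
Subject: sample

"""

# Hypothetical whitelist model: ("domain", name) = exact match,
# ("regex", pattern) = full-string regular expression (assumed semantics).
WHITELIST = [
    ("domain", "secure.lottoland.com"),
    ("domain", "weltbild.at"),
    ("regex", r".*\.lottoland\.mkt\d+\.com"),
    ("regex", r"(.*\.)?weltbild\.at"),
]


def address_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def envelope_sender_domain(raw_headers):
    """Domain of the envelope sender as recorded in Return-Path."""
    msg = message_from_string(raw_headers)
    return address_domain(msg.get("Return-Path", ""))


def from_header_domain(raw_headers):
    """Domain of the From: header, i.e. what the mail client displays."""
    msg = message_from_string(raw_headers)
    return address_domain(msg.get("From", ""))


def entry_matches(entry, domain):
    """Apply one whitelist entry to a domain under the assumed semantics."""
    kind, value = entry
    if kind == "domain":
        return domain == value.lower()
    if kind == "regex":
        return re.fullmatch(value, domain, re.IGNORECASE) is not None
    raise ValueError(f"unknown entry kind: {kind}")


def check(raw_headers, whitelist):
    """Show which entries match the envelope sender (what the list is assumed
    to test) versus the From: header (what the user expected it to test)."""
    env = envelope_sender_domain(raw_headers)
    frm = from_header_domain(raw_headers)
    return {
        "envelope_domain": env,
        "from_domain": frm,
        "matched_by": [v for k, v in whitelist if entry_matches((k, v), env)],
        "would_match_from_header": [v for k, v in whitelist if entry_matches((k, v), frm)],
    }


if __name__ == "__main__":
    for name, raw in (("lottoland", LOTTOLAND), ("weltbild", WELTBILD)):
        print(name, check(raw, WHITELIST))
```

Running it shows that the plain entries "secure.lottoland.com" and "weltbild.at" only match the From domain, while the envelope domains (bounce.lottoland.mkt5210.com, bounce.mail.weltbild.at) are matched only by the regex entries. Because such entries exempt everything that bulk-mail provider sends from those bounce domains from spam checking, the pattern should be kept as narrow as the sender's bounce naming allows.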
I understand. That makes it quite difficult to manage the whitelist the way it would be most efficient in our specific case. I will need to switch to the user-based whitelist instead which is unfortunately more time-consuming to manage.

Thanks anyway!
 