Hello,
Is it possible in any way to configure Proxmox Mail Gateway to whitelist a domain and use its SPF record as a reference? This would mean, for example:
We would like to whitelist dhl.com, and if you look at their SPF record they have:
v=spf1 include:dpdhl._spf.dhl.com include:3a._spf.dhl.com include:3b._spf.dhl.com include:3c._spf.dhl.com include:3d._spf.dhl.com include:3e._spf.dhl.com include:3f._spf.dhl.com include:mrsc._spf.dhl.com include:e2ma.net include:spf.mandrillapp.com ~all
If you do a lookup for dpdhl._spf.dhl.com you get:
v=spf1 ip4:165.72.200.0/24 ip4:199.40.206.0/26 ip4:68.232.128.0/19 ip4:149.239.170.0/24 ip4:149.239.48.15 ip4:149.239.48.16 ip4:194.1.155.240 ip4:165.72.191.0/24 ip4:199.40.8.0/26 ip4:216.71.128.0/19 ip4:94.100.241.12 ip4:94.100.241.75 ip4:94.100.245.113 ip4:94.100.245.122 ip4:93.188.245.175 ip4:93.188.245.185 ~all
We would like to whitelist all email sent from the following IP addresses and the domain dhl.com:
165.72.200.0/24
199.40.206.0/26
68.232.128.0/19
149.239.170.0/24
149.239.48.15
149.239.48.16
194.1.155.240
165.72.191.0/24
199.40.8.0/26
216.71.128.0/19
94.100.241.12
94.100.241.75
94.100.245.113
94.100.245.122
93.188.245.175
93.188.245.185
There are a lot more IP addresses in the SPF record of dhl.com, and it is extremely time-consuming and hard to keep up to date if you want to add all the IP addresses they have in the SPF record to the whitelist.
The main problem with adding the domain to the whitelist is that malicious senders can spoof the send-as address and bypass our filters, because the dhl.com domain is whitelisted. The only way to properly whitelist a domain is to look into the SPF record and add the IP addresses in the SPF record to the whitelist.
We had the same problem with paypal.com: malicious senders spoofed a send-as address that was on our whitelist, and our users received dangerous email.
For example, we had service@intl.paypal.com on the whitelist, and because the senders spoofed the send-as address to service@intl.paypal.com they could send the message:
X-SPAM-LEVEL: Spam detection results: 18
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_ADSP_DISCARD 1.8 No valid author signature, domain signs all mail and suggests discarding the rest
FROM_PAYPAL_SPOOF 0.001 From PayPal domain but matches SPOOFED
HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to background
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_SHORT 1 Use of a URL Shortener for very short URL
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
NORDNS_LOW_CONTRAST 1.883 No rDNS + hidden text
RCVD_IN_RP_RNBL 2.5 Relay in RNBL, https://senderscore.org/blacklistlookup/
RDNS_NONE 2 Delivered to internal network by a host with no rDNS
SPF_SOFTFAIL 4 SPF: sender does not match SPF record (softfail)
TO_NO_BRKTS_NORDNS_HTML 1.999 To: lacks brackets and no rDNS and HTML only
T_SPF_HELO_TEMPERROR 0.01 SPF: test of HELO record failed (temperror)
URIBL_DBL_ABUSE_REDIR 0.001 Contains an abused redirector URL listed in the Spamhaus DBL blocklist [bit.do]
URIBL_SBL_A 3 Contains URL's A record listed in the Spamhaus SBL blocklist [bit.do]
URI_GOOGLE_PROXY 2 Accessing a blacklisted URI or obscuring source of phish via Google proxy?
Please advise. Thank you!
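The manual work described in the post (walk the include: chain of a domain's SPF record and collect every ip4:/ip6: network so the whitelist can be IP-based rather than domain-based) is what the script below automates. It is an added example, not Proxmox Mail Gateway code and not something from the original post. DNS is replaced by a constructed in-memory zone: the entries for dhl.com and dpdhl._spf.dhl.com are the two records quoted above, the other include: targets are deliberately left out so the script has to report them, and loop.example and many.example are made-up records that exercise the loop guard and the RFC 7208 ten-lookup limit. The resolver is a plain callable, so a live version only needs a function that returns the TXT record for a name (for instance via dnspython's dns.resolver.resolve, not shown here).

```python
"""Expand a domain's SPF record into the IP networks it authorises.

Added example for the question above; it is not Proxmox Mail Gateway code.
It follows include: and redirect= recursively, keeps ip4:/ip6: terms that
carry a pass qualifier, enforces the RFC 7208 limit of ten DNS-querying
terms, and reports every name or term it could not expand. DNS is replaced
by a constructed in-memory zone so the script runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

# RFC 7208 section 4.6.4: more than ten include/redirect/a/mx/ptr/exists
# terms during one evaluation is a permerror.
MAX_LOOKUPS = 10

# Constructed stub zone. dhl.com and dpdhl._spf.dhl.com are the records quoted
# in the post; the other include: targets are deliberately absent so the
# expander has to report them. loop.example and many.example are made up to
# exercise the loop guard and the lookup limit.
STUB_TXT: Dict[str, str] = {
    "dhl.com": (
        "v=spf1 include:dpdhl._spf.dhl.com include:3a._spf.dhl.com "
        "include:3b._spf.dhl.com include:3c._spf.dhl.com include:3d._spf.dhl.com "
        "include:3e._spf.dhl.com include:3f._spf.dhl.com include:mrsc._spf.dhl.com "
        "include:e2ma.net include:spf.mandrillapp.com ~all"
    ),
    "dpdhl._spf.dhl.com": (
        "v=spf1 ip4:165.72.200.0/24 ip4:199.40.206.0/26 ip4:68.232.128.0/19 "
        "ip4:149.239.170.0/24 ip4:149.239.48.15 ip4:149.239.48.16 ip4:194.1.155.240 "
        "ip4:165.72.191.0/24 ip4:199.40.8.0/26 ip4:216.71.128.0/19 ip4:94.100.241.12 "
        "ip4:94.100.241.75 ip4:94.100.245.113 ip4:94.100.245.122 ip4:93.188.245.175 "
        "ip4:93.188.245.185 ~all"
    ),
    "loop.example": "v=spf1 include:loop.example ~all",
    "many.example": "v=spf1 " + " ".join(f"include:spf{i}.many.example" for i in range(11)) + " -all",
}

Resolver = Callable[[str], Optional[str]]
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def stub_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a TXT lookup; a live version would query DNS instead."""
    return STUB_TXT.get(name.lower().rstrip("."))


def expand_spf(domain: str, resolver: Resolver = stub_resolver) -> Dict[str, object]:
    """Return the pass-qualified networks reachable from domain's SPF record,
    the names/terms that could not be expanded, and the DNS-lookup count."""
    networks: Set[Net] = set()
    unresolved: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    lookups = 0

    def walk(name: str) -> None:
        nonlocal lookups
        name = name.lower().rstrip(".")
        if name in seen:  # include: cycle, would otherwise recurse forever
            unresolved.append((name, "include loop"))
            return
        seen.add(name)
        record = resolver(name)
        terms = record.lower().split() if record else []
        if terms[:1] != ["v=spf1"]:
            unresolved.append((name, "no v=spf1 TXT record"))
            return
        for term in terms[1:]:
            qual = "+"
            if term[0] in "+-~?":
                qual, term = term[0], term[1:]
            if term.startswith(("ip4:", "ip6:")):
                if qual != "+":  # fail/softfail/neutral networks do not belong on a whitelist
                    continue
                try:
                    networks.add(ipaddress.ip_network(term[4:], strict=False))
                except ValueError:
                    unresolved.append((name, f"malformed {term}"))
            elif term.startswith(("include:", "redirect=")):
                target = term[8:] if term.startswith("include:") else term[9:]
                if lookups >= MAX_LOOKUPS:
                    unresolved.append((target, "beyond the 10 DNS-lookup limit (permerror)"))
                    continue
                lookups += 1
                if qual == "+":
                    walk(target)
                else:
                    unresolved.append((target, f"{qual}include skipped"))
            elif term in ("a", "mx", "ptr") or term.startswith(("a:", "mx:", "ptr:", "exists:", "a/", "mx/")):
                lookups += 1  # counts toward the limit but needs live DNS to expand
                unresolved.append((name, f"{term} needs live DNS"))
            # all, exp= and unknown modifiers carry no addresses

    walk(domain)
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return {"networks": ordered, "unresolved": unresolved, "lookups": lookups}


def covers(networks: List[Net], ip: str) -> bool:
    """Whitelist check: is the connecting IP inside one of the expanded networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    result = expand_spf("dhl.com")
    print(f"{len(result['networks'])} networks after {result['lookups']} lookups")
    for net in result["networks"]:
        print(net.with_prefixlen)
    for name, why in result["unresolved"]:
        print(f"# unresolved: {name} ({why})")
```

Against the stub zone the dhl.com expansion yields the 16 networks listed in the post, uses exactly 10 of the 10 permitted lookups, and reports the nine include: targets the stub does not know. Three caveats matter in practice: the CIDR list is a snapshot and has to be regenerated whenever the sender's SPF record changes; a/mx/ptr/exists mechanisms are only reported here and need live DNS to turn into addresses; and dhl.com's own record ends in ~all, so the published networks are the sender's best-effort list, not a guarantee that nothing legitimate arrives from elsewhere.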