Greylisting defers emails from senders that use multiple IP addresses

Follow

Comments

12 comments

  • Avatar
    Fouad Ahmed Fouad

    I didn't use Greylisting for this issue, it's not Outlook domains only what use many ip addresses, it's all major companies like Google and other major hosting companies.

    0
    Comment actions Permalink
  • Avatar
    Pavel Mikhaylov

    Hello, Fouad Ahmed Fouad,

    The article addresses a particular issue related to greylisting and Office 365 services.

    In case you are experiencing an issue with different symptoms and the information from our knowledge base does not help, please create a request to our Support team: https://support.plesk.com/hc/en-us/articles/213608509

    0
    Comment actions Permalink
  • Avatar
    smbraun

    I do not get this solved:

    Apr 24 18:42:22 mail postfix/cleanup[9088]: 4CDAA102851: message-id=<88749E0A-A221-439B-A8B5-3A9DB8D2208D@SENDERSDOMAIN.nl>
    Apr 24 18:42:32 mail postfix/cleanup[9088]: 4CDAA102851: milter-reject: END-OF-MESSAGE from mail-eopbgr10066.outbound.protection.outlook.com[40.107.1.66]: 4.7.24 SPF validation defer.; from=<info@SENDERSDOMAIN.nl> to=<somebody@mydomain.com> proto=ESMTP helo=<EUR02-HE1-obe.outbound.protection.outlook.com>

    I think 40.107.*.* and all according domains should be whitelisted. 😫

    0
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @smbraun

    According to log message, mail was deferred during SPF validation. To avoid it, you can add 'include:outbound.protection.outlook.com' to  SPF local rules as described here - https://support.plesk.com/hc/en-us/articles/115000168149

    0
    Comment actions Permalink
  • Avatar
    smbraun

    @Denis Bykov

    I set up already the following local rule yesterday:

    v=spf1 include:reply.MYDOMAIN.com include:PARTNERDOMAIN.nl include:outlook.com a mx ptr ~all

    This was not enough?

    My /etc/psa/dmar.conf includes

    SPFSelfValidate 0

    Could this be a problem?

    0
    Comment actions Permalink
  • Avatar
    Daria Gavrilova

    Hello @smbraun,

    Thank you for your question.

    The correct SPF local rule as following should be set at Tools & Settings > Mail Server Settings > SPF Spam Protection:

    include:outbound.protection.outlook.com include:reply.MYDOMAIN.com include:PARTNERDOMAIN.nl

    As for the /etc/psa/dmarc.conf file:
    The value of SPFSelfValidate can be only boolean one only.
    Currently no issues are encountered with DMARC, so I recommend to leave this file empty.
    If emails are started to be rejected by DMARC, then it will be needed to add the record as following in /etc/psa/dmarc.conf:

    IgnoreMailFrom example.com

    But please note, currently there is no need in it.

    0
    Comment actions Permalink
  • Avatar
    smbraun (Edited )

    Hello @Daria

    Before I configured this /etc/psa/dmarc.conf , I had to move several hundred mails from quaratine to the inbox in the fetchall mailbox everyday or were blocked which was even worse.

    IgnoreMailFrom ANOTHERPARTNER.com,PARTNER.nl,*.outbound.protection.outlook.com

    # 2019-04-25 - nothing changes for PARTNER.nl
    #SPFSelfValidate 0
    #SPFIgnoreResults 1
    RejectFailures 1
    # Interesting Fact "RejectFailures 1" leads to our-external-newsletter-sender mails in inbox instead of spam

    I had a lot a problems to avoid our OWN newsletter with perfectly configured SPF und DKIM settings was blocked and another partner's mails months ago.

    Now everything was fine except some greylisting loops with changing IPs like mail.instagram.com, but whitelisting always worked until this dutch partner which makes me crazy.

    For positive values, the following are accepted: "T", "t", "Y", "y", "1". For negative values, the following are accepted: "F", "f", "N", "n", "0".

    So 1 and 0 should be totally ok for boolean.

     

    The "Lokale SPF-Regeln" field inside plesk is:

    v=spf1 include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com a mx ptr ~all
    0
    Comment actions Permalink
  • Avatar
    Nikita Nikushkin

    Hi @smbraun,

    Local rules - the rules that are used by the spam filter before the SPF check is actually done by the mail server.

    These rules are concatenated with the rules specified in the SPF-related DNS record or the sender.

    For example, if the sender has the following SPF policy:

    example.com TXT v=spf1 +a +mx –all

    and the local rule is:

    a:test.plesk.com

    then the resulting policy will be:

    example.com. TXT v=spf1 +a +mx +a:test.plesk.com –all

    Right now, you have too long "Local SPF" rule:

    v=spf1 include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com a mx ptr ~all

    Change it to this one:

    include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com

    If the issue still occurs, I suggest creating a request to the Support Department - we will be glad to take a look at the issue and figure it out

    0
    Comment actions Permalink
  • Avatar
    smbraun

    Is there no possibility to simply whitelist this senders domain?

    0
    Comment actions Permalink
  • Avatar
    Maxim Krasikov (Edited )

    Hello @smbraun,

    Plesk uses several spam-filters which can be configured independently.

    Server-wide Plesk white-list can be configured using the following instruction:
    https://support.plesk.com/hc/en-us/articles/115002796793
    Please note that IP addresses should be specified instead of domain names, for example:

    CONFIG_TEXT: 203.0.113.*

    Spam-filter gray listing is configured using the command from this article:

    # /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*PARTNERDOMAIN.nl

    SPF policy was already applied by you above.
    ( https://support.plesk.com/hc/en-us/articles/115000168149 )

    If after whitelisting the domain name emails from the partner still cannot be delivered, please contact Plesk Support department for assistance:
    https://support.plesk.com/hc/en-us

    0
    Comment actions Permalink
  • Avatar
    smbraun

    Hello,

    thank you for the help. I already have this settings for days and still get the errors in the log without any emails.

     

    greylisting:

    # /usr/local/psa/bin/grey_listing --info-server
    Grey listing configuration.

    Grey listing checking enabled
    Grey interval 5 minutes
    Expire interval 51840 minutes
    Penalty interval 2 minutes
    Penalty disabled
    Personal grey listing
    configuration allowed

    Server-wide black list:

    Server-wide white list:
    *@*.outbound.protection.outlook.com
    *@*.outlook.com
    *@PARTNERDOMAIN.nl
    ...

    White domains patterns list:
    *.office365.com
    *.outbound.protection.outlook.com
    *.outlook.com
    *.outlook.office.com
    *google.com
    *mail.ru
    *outbound.protection.outlook.com
    *parallels.com
    *plesk.com
    *rambler.ru
    *yahoo.com
    *yandex.ru
    PARTNERDOAMAIN.nl
    mail.instagram.com
    ...

    Black domains patterns list:
    *[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*
    *[0-9][0-9].[0-9][0-9].[0-9][0-9]*
    *[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*
    *[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9[0-9]][0-9]*
    dsl|broadband|hsd
    dynamic|static|ppp|dyn-ip|dial-up

    SUCCESS: Gathering of server wide information complete.

    log:

    ./mail.log.1:1125722:Apr 26 16:12:52 mail postfix/cleanup[16074]: D30CA10084C: milter-reject: END-OF-MESSAGE from mail-eopbgr80070.outbound.protection.outlook.com[40.107.8.70]: 4.7.24 SPF validation defer.; from=<info@PARTNERDOMAIN.nl> to=<someone@MYDOMAIN.com> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>

     

    We have gotten Plesk to our Server-Hosting I do not think I can enter a support request.

     

    Thank you

    smbraun

    0
    Comment actions Permalink
  • Avatar
    Daria Gavrilova

    Hello @smbraun,

    The issue requires the deeper investigation on the server directly.
    So it is recommend to contact your Server-Hosting provider if it is not possible to create the support request to Plesk directly.

    If you would like to get the direct support assistance from Plesk, you may purchase the support subscription and then create the support request.

    We do appreciate your user experience, but the deeper technical investigation should be done in the scope of support request.

    Thank you for understanding.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request