Applicable to:
- Plesk for Linux
Symptoms
-
Messages from senders that use different IP addresses (e.g. Office365 email accounts) are deferred by greylisting handler with the following messages in
/var/log/maillog
:CONFIG_TEXT: /usr/lib64/plesk-9.0/psa-pc-remote[956]: DEFER during call 'grey' handler
/usr/lib64/plesk-9.0/psa-pc-remote[956]: Message aborted.
postfix/smtpd[2028]: 61AF6E27BAB4: milter-reject: DATA from mail-*.outbound.protection.outlook.com[10.10.10.10]: 451 4.7.1 Service unavailable - try again later; from=<user1@officeaccount.com> to=<user2@pleskaccount.com> proto=ESMTP helo=<*.outbound.protection.outlook.com>
CONFIG_TEXT: server postfix/cleanup[17368]: C860512160C: milter-reject: END-OF-MESSAGE from mail-eopbgr60135.outbound.protection.outlook.com[40.107.6.135]: 4.7.24 SPF validation error.; from=user@office365account.com to=user@pleskaccount.com proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>
-
In some cases, email messages are delivered within 1-2 days.
-
The following message can be delivered to a sender (e.g. Office365 email account):
PLESK_INFO: Final-recipient: RFC822; 1@pleskaccount.com
Action: failed
Status: 5.4.0
X-Supplementary-Info: < #5.4.300 smtp;550 5.4.300 Message expired -> 451 4.7.1 Service unavailable - try again later>
Cause
This is expected behavior when greylisting is enabled: The first message is rejected, and the next message sent from the same address (sender server IP address and 'From:') will be accepted after a certain length of time passes. So if an email address is the same, but IP address is different, emails from this email address will be rejected.
For example, emails from *protection.outlook.com are sent from multiple IP addresses. This causes greylisting treat every new retry as a new message, so there is a delay in message delivery until the same pair of email/IP address is logged.
Resolution
Set up a server-wide white-list for Office 365 domains - a list of hosts which emails will be accepted without greylisting check-ups:
-
Connect to the Plesk server via SSH.
-
Add the main part of a sender hostname in the command below (in this example, it is for Office365) and run it:
# /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*outbound.protection.outlook.com
To learn more about greylisting configuration options, visit this KB article.
To make sure that the network allows connections from all Exchange Online Protection (EOP) IP address ranges., visit this Microsoft Docs page.
Comments
12 comments
I didn't use Greylisting for this issue, it's not Outlook domains only what use many ip addresses, it's all major companies like Google and other major hosting companies.
Hello, Fouad Ahmed Fouad,
The article addresses a particular issue related to greylisting and Office 365 services.
In case you are experiencing an issue with different symptoms and the information from our knowledge base does not help, please create a request to our Support team: https://support.plesk.com/hc/en-us/articles/213608509
I do not get this solved:
I think 40.107.*.* and all according domains should be whitelisted. 😫
@smbraun
According to log message, mail was deferred during SPF validation. To avoid it, you can add 'include:outbound.protection.outlook.com' to SPF local rules as described here - https://support.plesk.com/hc/en-us/articles/115000168149
@Denis Bykov
I set up already the following local rule yesterday:
This was not enough?
My /etc/psa/dmar.conf includes
Could this be a problem?
Hello @smbraun,
Thank you for your question.
The correct SPF local rule as following should be set at Tools & Settings > Mail Server Settings > SPF Spam Protection:
As for the /etc/psa/dmarc.conf file:
The value of SPFSelfValidate can be only boolean one only.
Currently no issues are encountered with DMARC, so I recommend to leave this file empty.
If emails are started to be rejected by DMARC, then it will be needed to add the record as following in /etc/psa/dmarc.conf:
But please note, currently there is no need in it.
Hello @Daria
Before I configured this /etc/psa/dmarc.conf , I had to move several hundred mails from quaratine to the inbox in the fetchall mailbox everyday or were blocked which was even worse.
I had a lot a problems to avoid our OWN newsletter with perfectly configured SPF und DKIM settings was blocked and another partner's mails months ago.
Now everything was fine except some greylisting loops with changing IPs like mail.instagram.com, but whitelisting always worked until this dutch partner which makes me crazy.
So 1 and 0 should be totally ok for boolean.
The "Lokale SPF-Regeln" field inside plesk is:
Hi @smbraun,
Local rules - the rules that are used by the spam filter before the SPF check is actually done by the mail server.
These rules are concatenated with the rules specified in the SPF-related DNS record or the sender.
For example, if the sender has the following SPF policy:
and the local rule is:
then the resulting policy will be:
Right now, you have too long "Local SPF" rule:
Change it to this one:
If the issue still occurs, I suggest creating a request to the Support Department - we will be glad to take a look at the issue and figure it out
Is there no possibility to simply whitelist this senders domain?
Hello @smbraun,
Plesk uses several spam-filters which can be configured independently.
Server-wide Plesk white-list can be configured using the following instruction:
https://support.plesk.com/hc/en-us/articles/115002796793
Please note that IP addresses should be specified instead of domain names, for example:
CONFIG_TEXT: 203.0.113.*
Spam-filter gray listing is configured using the command from this article:
# /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*PARTNERDOMAIN.nl
SPF policy was already applied by you above.
( https://support.plesk.com/hc/en-us/articles/115000168149 )
If after whitelisting the domain name emails from the partner still cannot be delivered, please contact Plesk Support department for assistance:
https://support.plesk.com/hc/en-us
Hello,
thank you for the help. I already have this settings for days and still get the errors in the log without any emails.
greylisting:
log:
We have gotten Plesk to our Server-Hosting I do not think I can enter a support request.
Thank you
smbraun
Hello @smbraun,
The issue requires the deeper investigation on the server directly.
So it is recommend to contact your Server-Hosting provider if it is not possible to create the support request to Plesk directly.
If you would like to get the direct support assistance from Plesk, you may purchase the support subscription and then create the support request.
We do appreciate your user experience, but the deeper technical investigation should be done in the scope of support request.
Thank you for understanding.
Please sign in to leave a comment.