Articles in this section

See more

Greylisting defers emails from senders that use multiple IP addresses

Avatar
Kuzma Ivanov
Updated
Follow
Plesk for Linux kb: technical ABT: Group B

Applicable to:

  • Plesk for Linux

Symptoms

  • Messages from senders that use different IP addresses (e.g. Office365 email accounts) are deferred by greylisting handler with the following messages in /var/log/maillog:

    CONFIG_TEXT: /usr/lib64/plesk-9.0/psa-pc-remote[956]: DEFER during call 'grey' handler
    /usr/lib64/plesk-9.0/psa-pc-remote[956]: Message aborted.
    postfix/smtpd[2028]: 61AF6E27BAB4: milter-reject: DATA from mail-*.outbound.protection.outlook.com[10.10.10.10]: 451 4.7.1 Service unavailable - try again later; from=<user1@officeaccount.com> to=<user2@pleskaccount.com> proto=ESMTP helo=<*.outbound.protection.outlook.com>

    CONFIG_TEXT: server postfix/cleanup[17368]: C860512160C: milter-reject: END-OF-MESSAGE from mail-eopbgr60135.outbound.protection.outlook.com[40.107.6.135]: 4.7.24 SPF validation error.; from=user@office365account.com to=user@pleskaccount.com proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>

  • In some cases, email messages are delivered within 1-2 days.

  • The following message can be delivered to a sender (e.g. Office365 email account):

    PLESK_INFO: Final-recipient: RFC822; 1@pleskaccount.com
    Action: failed
    Status: 5.4.0
    X-Supplementary-Info: < #5.4.300 smtp;550 5.4.300 Message expired -> 451 4.7.1 Service unavailable - try again later>

Cause

This is expected behavior when greylisting is enabled: The first message is rejected, and the next message sent from the same address (sender server IP address and 'From:') will be accepted after a certain length of time passes. So if an email address is the same, but IP address is different, emails from this email address will be rejected.

For example, emails from *protection.outlook.com are sent from multiple IP addresses. This causes greylisting treat every new retry as a new message, so there is a delay in message delivery until the same pair of email/IP address is logged.

Resolution

Set up a server-wide white-list for Office 365 domains - a list of hosts which emails will be accepted without greylisting check-ups:

  1. Connect to the Plesk server via SSH.

  2. Add the main part of a sender hostname in the command below (in this example, it is for Office365) and run it:

    # /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*outbound.protection.outlook.com

    To learn more about greylisting configuration options, visit this KB article.

 

To make sure that the network allows connections from all Exchange Online Protection (EOP) IP address ranges., visit this Microsoft Docs page.

Comments

12 comments

Sort by Date Votes
  • Avatar
    Fouad Ahmed Fouad

    I didn't use Greylisting for this issue, it's not Outlook domains only what use many ip addresses, it's all major companies like Google and other major hosting companies.

    1
    Comment actions Permalink
  • Avatar
    Pavel Mikhaylov

    Hello, Fouad Ahmed Fouad,

    The article addresses a particular issue related to greylisting and Office 365 services.

    In case you are experiencing an issue with different symptoms and the information from our knowledge base does not help, please create a request to our Support team: https://support.plesk.com/hc/en-us/articles/213608509

    0
    Comment actions Permalink
  • Avatar
    smbraun

    I do not get this solved:

    Apr 24 18:42:22 mail postfix/cleanup[9088]: 4CDAA102851: message-id=<88749E0A-A221-439B-A8B5-3A9DB8D2208D@SENDERSDOMAIN.nl>
    Apr 24 18:42:32 mail postfix/cleanup[9088]: 4CDAA102851: milter-reject: END-OF-MESSAGE from mail-eopbgr10066.outbound.protection.outlook.com[40.107.1.66]: 4.7.24 SPF validation defer.; from=<info@SENDERSDOMAIN.nl> to=<somebody@mydomain.com> proto=ESMTP helo=<EUR02-HE1-obe.outbound.protection.outlook.com>

    I think 40.107.*.* and all according domains should be whitelisted. 😫

    0
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @smbraun

    According to log message, mail was deferred during SPF validation. To avoid it, you can add 'include:outbound.protection.outlook.com' to  SPF local rules as described here - https://support.plesk.com/hc/en-us/articles/115000168149

    0
    Comment actions Permalink
  • Avatar
    smbraun

    @Denis Bykov

    I set up already the following local rule yesterday:

    v=spf1 include:reply.MYDOMAIN.com include:PARTNERDOMAIN.nl include:outlook.com a mx ptr ~all

    This was not enough?

    My /etc/psa/dmar.conf includes

    SPFSelfValidate 0

    Could this be a problem?

    0
    Comment actions Permalink
  • Avatar
    Daria Gavrilova

    Hello @smbraun,

    Thank you for your question.

    The correct SPF local rule as following should be set at Tools & Settings > Mail Server Settings > SPF Spam Protection:

    include:outbound.protection.outlook.com include:reply.MYDOMAIN.com include:PARTNERDOMAIN.nl

    As for the /etc/psa/dmarc.conf file:
    The value of SPFSelfValidate can be only boolean one only.
    Currently no issues are encountered with DMARC, so I recommend to leave this file empty.
    If emails are started to be rejected by DMARC, then it will be needed to add the record as following in /etc/psa/dmarc.conf:

    IgnoreMailFrom example.com

    But please note, currently there is no need in it.

    0
    Comment actions Permalink
  • Avatar
    smbraun (Edited )

    Hello @Daria

    Before I configured this /etc/psa/dmarc.conf , I had to move several hundred mails from quaratine to the inbox in the fetchall mailbox everyday or were blocked which was even worse.

    IgnoreMailFrom ANOTHERPARTNER.com,PARTNER.nl,*.outbound.protection.outlook.com

    # 2019-04-25 - nothing changes for PARTNER.nl
    #SPFSelfValidate 0
    #SPFIgnoreResults 1
    RejectFailures 1
    # Interesting Fact "RejectFailures 1" leads to our-external-newsletter-sender mails in inbox instead of spam

    I had a lot a problems to avoid our OWN newsletter with perfectly configured SPF und DKIM settings was blocked and another partner's mails months ago.

    Now everything was fine except some greylisting loops with changing IPs like mail.instagram.com, but whitelisting always worked until this dutch partner which makes me crazy.

    For positive values, the following are accepted: "T", "t", "Y", "y", "1". For negative values, the following are accepted: "F", "f", "N", "n", "0".

    So 1 and 0 should be totally ok for boolean.

     

    The "Lokale SPF-Regeln" field inside plesk is:

    v=spf1 include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com a mx ptr ~all
    0
    Comment actions Permalink
  • Avatar
    Nikita Nikushkin

    Hi @smbraun,

    Local rules - the rules that are used by the spam filter before the SPF check is actually done by the mail server.

    These rules are concatenated with the rules specified in the SPF-related DNS record or the sender.

    For example, if the sender has the following SPF policy:

    example.com TXT v=spf1 +a +mx –all

    and the local rule is:

    a:test.plesk.com

    then the resulting policy will be:

    example.com. TXT v=spf1 +a +mx +a:test.plesk.com –all

    Right now, you have too long "Local SPF" rule:

    v=spf1 include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com a mx ptr ~all

    Change it to this one:

    include:reply.OURDOMAIN.com include:PARTNER.nl include:outlook.com include:outbound.protection.outlook.com

    If the issue still occurs, I suggest creating a request to the Support Department - we will be glad to take a look at the issue and figure it out

    0
    Comment actions Permalink
  • Avatar
    smbraun

    Is there no possibility to simply whitelist this senders domain?

    0
    Comment actions Permalink
  • Avatar
    Maxim Krasikov (Edited )

    Hello @smbraun,

    Plesk uses several spam-filters which can be configured independently.

    Server-wide Plesk white-list can be configured using the following instruction:
    https://support.plesk.com/hc/en-us/articles/115002796793
    Please note that IP addresses should be specified instead of domain names, for example:

    CONFIG_TEXT: 203.0.113.*

    Spam-filter gray listing is configured using the command from this article:

    # /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*PARTNERDOMAIN.nl

    SPF policy was already applied by you above.
    ( https://support.plesk.com/hc/en-us/articles/115000168149 )

    If after whitelisting the domain name emails from the partner still cannot be delivered, please contact Plesk Support department for assistance:
    https://support.plesk.com/hc/en-us

    0
    Comment actions Permalink
  • Avatar
    smbraun

    Hello,

    thank you for the help. I already have this settings for days and still get the errors in the log without any emails.

     

    greylisting:

    # /usr/local/psa/bin/grey_listing --info-server
    Grey listing configuration.

    Grey listing checking  enabled
    Grey interval          5 minutes
    Expire interval        51840 minutes
    Penalty interval       2 minutes
    Penalty                disabled
    Personal grey listing
    configuration          allowed

    Server-wide black list:

    Server-wide white list:
     *@*.outbound.protection.outlook.com
     *@*.outlook.com
     *@PARTNERDOMAIN.nl
    ...

    White domains patterns list:
     *.office365.com
     *.outbound.protection.outlook.com
     *.outlook.com
     *.outlook.office.com
     *google.com
     *mail.ru
     *outbound.protection.outlook.com
     *parallels.com
     *plesk.com
     *rambler.ru
     *yahoo.com
     *yandex.ru
     PARTNERDOAMAIN.nl
     mail.instagram.com
    ...

    Black domains patterns list:
     *[0-9][0-9]-[0-9][0-9]-[0-9][0-9]*
     *[0-9][0-9].[0-9][0-9].[0-9][0-9]*
     *[0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9]*
     *[0-9][0-9][0-9].[0-9][0-9][0-9].[0-9[0-9]][0-9]*
     dsl|broadband|hsd
     dynamic|static|ppp|dyn-ip|dial-up

    SUCCESS: Gathering of server wide information complete.

    log:

    ./mail.log.1:1125722:Apr 26 16:12:52 mail postfix/cleanup[16074]: D30CA10084C: milter-reject: END-OF-MESSAGE from mail-eopbgr80070.outbound.protection.outlook.com[40.107.8.70]: 4.7.24 SPF validation defer.; from=<info@PARTNERDOMAIN.nl> to=<someone@MYDOMAIN.com> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>

     

    We have gotten Plesk to our Server-Hosting I do not think I can enter a support request.

     

    Thank you

    smbraun

    0
    Comment actions Permalink
  • Avatar
    Daria Gavrilova

    Hello @smbraun,

    The issue requires the deeper investigation on the server directly.
    So it is recommend to contact your Server-Hosting provider if it is not possible to create the support request to Plesk directly.

    If you would like to get the direct support assistance from Plesk, you may purchase the support subscription and then create the support request.

    We do appreciate your user experience, but the deeper technical investigation should be done in the scope of support request.

    Thank you for understanding.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles