This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Configure Greylisting to accept SPF?

I think greylisting can be a great anti-spam provision, however, it can e a killer when the sender employs multiple sending MTAs. For example, those sending via outlook.com may theretically come from one of more than half a million hosts (according to their SPF records, which include two among others ipv4/14 nets - not to mention that they also mention an ip6/48).

Is it possible to exclude such sender domains from greylisting (apart from manually configuring each time a user complaints about an urgent mail having taken hours)? As in configuring something like

IF (sender ip is listed in SPF of sender domain as "Pass") THEN (skip greylisting)

This thread was automatically locked due to age.

Parents

0 BAlfson over 6 years ago

I'm not a fan of greylisting, but for those that appreciate it, an Exception for greylisting for outlook.com and other email services is a must.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 hagman_01 over 6 years ago in reply to BAlfson

I agree, but how would one keep pace with M$ adding (or removing) a few thousand addresses every now and then?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to hagman_01

Instead of making the Exception for sending IPs, make it for Sender addresses like *@outlook.com.

Here's another reason I'm not a fan of greylisting...

Most undesirable email will be rejected by requiring TLSv1.2. Everyone subject to GDPR should already have done that anyway. Rejections based on TLS occur before the SMTP Proxy even has enough information to do greylisting.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 6 years ago in reply to BAlfson

whitelisting services like Outlook com might work well if itwas baed on host name, but UTM/Exim does no filtering based on Reverse DNS or HELO/EHLO name, with or without forward confirmation. It is a big oversight.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to DouglasFoster

I had a typo in my post above, so it was confusing. I've repaired it now to *@outlook.com. That's the way to whitelist a mail domain.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 hagman_01 over 6 years ago in reply to BAlfson

Unfortunately, not everyone using the outlook.com infractructure uses *@outlook.com sender addreses.

Meanwhile, I created network definitions from all I could excerpt from their nested SPF record and exception rules accordingly. In addition, I have a cron job that daily checks for changes in said spf records. It has triggered a few times since, so I added/deleted/changed network definitions manually. Fortunately, the changes happen not so often that I get tempted to automate this update via REST-API ;)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 hagman_01 over 6 years ago in reply to BAlfson

Unfortunately, not everyone using the outlook.com infractructure uses *@outlook.com sender addreses.

Meanwhile, I created network definitions from all I could excerpt from their nested SPF record and exception rules accordingly. In addition, I have a cron job that daily checks for changes in said spf records. It has triggered a few times since, so I added/deleted/changed network definitions manually. Fortunately, the changes happen not so often that I get tempted to automate this update via REST-API ;)
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data