Hi gregconway,
And now we are trying to explain to the client why the email from <[email protected]> took 6 hrs to arrive yesterday and when they can expect the email they expected 2 hrs ago!
This is one of the disadvantages of greylisting, with domains with a lot of IPs, during the "setup time".
I think you should be informed about some facts. You seem to think that adding a whitelist domain such as "*.outbound.protection.outlook.com" will automatically whitelist all of its IPs, which is NOT the case. Your system has to learn each of the IPs, which in the "*.outbound.protection.outlook.com" case are:
Code:
23.103.132.0/22
23.103.144.0/22
23.103.191.0/24
23.103.198.0/23
23.103.200.0/21
23.103.136.0/21
40.107.0.0/16
64.4.22.64/26
65.55.83.128/27
65.55.88.0/24
65.55.169.0/24
94.245.120.64/26
104.47.0.0/17
134.170.132.0/24
134.170.140.0/24
134.170.171.0/24
157.55.133.160/27
157.55.158.0/23
157.55.206.0/23
157.55.234.0/24
157.56.73.0/24
157.56.87.192/26
157.56.108.0/24
157.56.110.0/24
157.56.111.0/24
157.56.112.0/24
157.56.206.0/24
157.56.208.0/22
207.46.51.64/26
207.46.100.0/24
207.46.101.128/26
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/24
216.32.181.0/24
and
Code:
2a01:111:f400:7c00::/54
2a01:111:f400:fc00::/54
Please note, these are not single IPs but IP ranges!
Now we are jumping over to the greylisting function itself:
I am trying to explain the worst-case scenario, because this points directly to the disadvantages of greylisting.
Mail server A with IPs 111.111.111.111 (mailA-1.domain.com), 111.111.111.112 (mailA-2.domain.com) and 111.111.111.113 (mailA-3.domain.com) delivers a mail to your server, where you set up greylisting for *.domain.com.
The first mail delivery from "111.111.111.111" will be temporarily rejected, because your mail server doesn't know the IP "111.111.111.111". This is absolutely normal behaviour for greylisting!
The first retry will now be delivered over "111.111.111.112", but again rejected by your server, because it now knows "111.111.111.111", but not yet "111.111.111.112".
The second retry will now be delivered over "111.111.111.113" and again, your server didn't see this IP before and so it will be rejected again temporarily, because, as with the previous deliveries, the first delivery from an IP will always be rejected.
But because *.domain.com only has 3 mail IPs, the waiting is now over for the third retry, because whatever IP is used now, your server saw the IP before, and because the domain is whitelisted, the mail delivery will now succeed.
Again, we are now jumping back to "*.outbound.protection.outlook.com" and its IPs. Because your server hasn't seen all IPs yet, you will experience issues like the ones described every time a mail delivery is sent over a "*.outbound.protection.outlook.com" IP for the very first time, and you will experience delays as long as not all IPs belonging to "*.outbound.protection.outlook.com" are known to your server.
Let's have a look at what "Google" has to say about such issues (Source: https://support.google.com/mail/answer/180063?hl=en ):
Message delays due to greylisting
With greylisting, the recipient domain temporarily rejects messages from IPs that it may not recognize, with the expectation that if the message is legitimate the sender will try again. However, Gmail may not always retry from the same IP. As a result, messages sent from Gmail to a domain that employs greylisting may be delayed.
If you are a domain owner and you're finding that messages from Gmail are delayed, we recommend not using greylisting, and instead use SPF or DKIM authentication to ensure fewer message delays from Gmail. If using SPF or DKIM isn't feasible, then we recommend whitelisting gmail.com and googlemail.com specifically.
Apart from all that, your settings for
Code:
account.microsoft.com
addlocalhost6
addlocalhost6.localdomain6
localhost
localhost.localdomain
localhost4
localhost4.localdomain4
gmlnt.com
and "*@*.gmlnt.com" are incorrect / nonsense and will never match. The correct usage is:
*@subdomain.domain.com (whitelists all mail names from "@subdomain.domain.com")
*.subdomain.domain.com (whitelists all mail names from all subdomains of "*.subdomain.domain.com")
*.domain.com (whitelists all mail names from all subdomains of "*.domain.com").
Greylisting is a constant process and the configuration is never "finished". You have to check your log files and add/remove/modify entries based on the actual logs.
You might consider using "postfix - postgrey" as well, for example. That gives you the possibility to use "/etc/postfix/postgrey_whitelist_clients", "/etc/postfix/postgrey_whitelist_clients.local" and "/etc/postfix/postgrey_whitelist_recipients", where you can define your whitelist a bit more easily. Please see "http://linux.die.net/man/8/postgrey" for the documentation and use, for example:
For Office 365 servers:
Code:
/.*outbound.protection.outlook.com$/
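As an added example (not part of the post above and not postgrey's own code), the following Python simulates the worst case described in the post: a sender that retries from a fresh IP on every attempt is rejected once per IP before the greylist has "learned" the whole pool, while a whitelist entry that matches the client hostname (such as the `/.*outbound.protection.outlook.com$/` regexp) or a CIDR range accepts on the first attempt. The whitelist parser is a simplified approximation (an assumption) of the line formats the postgrey man page lists for `postgrey_whitelist_clients`: a domain (matching the host and its subdomains), a bare IP, a CIDR network, or a `/regexp/`. All sender IPs, hostnames and whitelist lines in the example are constructed.

```python
"""Greylisting delay simulation for multi-IP senders plus a simplified
postgrey-style client whitelist (added example, not postgrey's code).

Assumption: the whitelist line formats below approximate those documented
for postgrey_whitelist_clients; real postgrey also keys its greylist on
sender and recipient and, by default, groups client IPs by /24.
"""
import ipaddress
import itertools
import re
from dataclasses import dataclass, field

# Constructed subset of the Office 365 outbound ranges quoted in the post.
OUTLOOK_RANGES = ["40.107.0.0/16", "104.47.0.0/17", "2a01:111:f400:7c00::/54"]


class ClientWhitelist:
    """Parse whitelist lines and match (client_name, client_addr) pairs."""

    def __init__(self, lines):
        self.regexps, self.networks, self.domains = [], [], []
        for raw in lines:
            line = raw.split("#", 1)[0].strip()      # drop comments and blanks
            if not line:
                continue
            if len(line) > 1 and line.startswith("/") and line.endswith("/"):
                self.regexps.append(re.compile(line[1:-1], re.IGNORECASE))
                continue
            try:                                     # bare IP or CIDR network
                self.networks.append(ipaddress.ip_network(line, strict=False))
                continue
            except ValueError:
                pass
            self.domains.append(line.lower())        # hostname / domain suffix

    def matches(self, client_name, client_addr):
        addr = ipaddress.ip_address(client_addr)
        if any(addr in net for net in self.networks):
            return True
        name = client_name.lower()
        if any(name == d or name.endswith("." + d) for d in self.domains):
            return True
        return any(r.search(name) for r in self.regexps)


@dataclass
class Greylister:
    """Per-IP greylisting exactly as the post describes it: the first
    delivery from an unknown IP is deferred, later ones are accepted."""
    whitelist: ClientWhitelist
    seen_ips: set = field(default_factory=set)

    def deliver(self, client_name, client_addr):
        """Return 'accept' or 'tempfail' (the 450 temporary rejection)."""
        if self.whitelist.matches(client_name, client_addr):
            return "accept"
        if client_addr in self.seen_ips:
            return "accept"
        self.seen_ips.add(client_addr)               # learn it, defer this try
        return "tempfail"


def attempts_until_accepted(server, client_name, sender_ips, limit=1000):
    """Rotate attempts through sender_ips (a mail farm picking a fresh
    outbound IP for each retry) and return the attempt number that succeeded."""
    for attempt, ip in enumerate(itertools.cycle(sender_ips), start=1):
        if server.deliver(client_name, ip) == "accept":
            return attempt
        if attempt >= limit:
            return None


if __name__ == "__main__":
    # The post's three-IP example: three deferrals, accepted on the 4th attempt.
    farm = ["111.111.111.111", "111.111.111.112", "111.111.111.113"]
    print("no whitelist :", attempts_until_accepted(
        Greylister(ClientWhitelist([])), "mailA-1.domain.com", farm))
    # With a postgrey-style regexp the hostname matches and no IP must be learned.
    wl = ClientWhitelist(["/.*outbound.protection.outlook.com$/", "domain.com"])
    print("with whitelist:", attempts_until_accepted(
        Greylister(wl), "mail-eopbgr0123.outbound.protection.outlook.com",
        ["40.107.1.2", "104.47.9.9"]))
```

The simulation makes the post's arithmetic concrete: a pool of N rotating IPs costs N deferrals before the first acceptance, which is why a hostname regexp or the CIDR ranges (rather than a per-IP learning phase) is the practical fix for large senders, and why a malformed entry such as `*@*.gmlnt.com` never matches anything.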