Automatically allow for subdomains of configured upstream relays.

REJECTED:  black.rbl.ctipd.astaro.local

Not sure what changed earlier today, but it was necessary to add msf1  to my existing upstream relay. 

What about an upstream relay entry like:  *


  • I'm confused, William.

    I don't understand what was REJECTED or where you saw that message.

    What is your upstream relay and what is msf1?

    If you're talking about a network definition, wildcards don't work.

    Cheers - Bob

  • In reply to BAlfson:

    Sorry,  msf1 being a subdomain of  --

    I  had an existing upstream exclusion for that's been working since forever, but I'm guessing DME began forwarding via the msf1 subdomain which wasn't explicitly trusted. 

    Thanks for the response and info regarding wildcards.  


    BTW, here's a UTM rejection subsequently reported back to the sender by DME (sent by me via gmail.)


    This is the mail system at host

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    <>: host[##.###.###.###] said:
    550-delivery from is rejected. Check at
    Reference 550 code:tid=#####.#######.#####.##### (in reply to RCPT TO



  • In reply to WilliamByrne:

    Ah, I understand now, William.  I've moved this thread to the Mail Protection forum - I should have realized that as your first post used the term "upstream relay."

    That CommTouch link is an old link.  The current one is:  That is the basis for being included in black.rbl.ctipd.astaro.local.  It's the only RBL kept locally in the UTM and is the first one considered by the SMTP Proxy.  That IP is no longer listed and so should have disappeared from black.rbl.ctipd.astaro.local.

    DNSMadeEasy should have informed you that they were changing the IP that they were sending from.  Part of the advantage of using one of those outside services is the ability to select 'Allow upstream/relay hosts only'.  They don't charge much though, so it may be too much to expect.

    Cheers - Bob

  • In reply to BAlfson:

    Good to know re CommTouch.  

    I'll check to see if there were any related notices from DME that I overlooked; otherwise, I'll get in touch to request notices in the future.

    Thanks again!

  • In reply to WilliamByrne:

    I saw a Sophos employee post in another thread that CommTouch/Cyren had had a glitch that resulted in a blowup of false positives, but that it's now repaired.

    Cheers - Bob