
Configure Greylisting to accept SPF?

I think greylisting can be a great anti-spam provision, however, it can be a killer when the sender employs multiple sending MTAs. For example, those sending via outlook.com may theoretically come from one of more than half a million hosts (according to their SPF records, which include two among others ipv4/14 nets - not to mention that they also mention an ip6/48).

Is it possible to exclude such sender domains from greylisting (apart from manually configuring each time a user complains about an urgent mail having taken hours)? As in configuring something like

    IF (sender ip is listed in SPF of sender domain as "Pass") THEN (skip greylisting)

?



  • I'm not a fan of greylisting, but for those that appreciate it, an Exception for greylisting for outlook.com and other email services is a must.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I agree, but how would one keep pace with M$ adding (or removing) a few thousand addresses every now and then?

  • Instead of making the Exception for sending IPs, make it for Sender addresses like *@outlook.com.

    Here's another reason I'm not a fan of greylisting...

    Most undesirable email will be rejected by requiring TLSv1.2.  Everyone subject to GDPR should already have done that anyway.  Rejections based on TLS occur before the SMTP Proxy even has enough information to do greylisting.

    Cheers - Bob

     
  • Whitelisting services like Outlook.com might work well if it was based on host name, but UTM/Exim does no filtering based on Reverse DNS or HELO/EHLO name, with or without forward confirmation.  It is a big oversight.

  • I had a typo in my post above, so it was confusing.  I've repaired it now to *@outlook.com.  That's the way to whitelist a mail domain.

    Cheers - Bob

     
  • Unfortunately, not everyone using the outlook.com infrastructure uses *@outlook.com sender addresses.

    Meanwhile, I created network definitions from all I could excerpt from their nested SPF record and exception rules accordingly. In addition, I have a cron job that daily checks for changes in said SPF records. It has triggered a few times since, so I added/deleted/changed network definitions manually. Fortunately, the changes happen not so often that I get tempted to automate this update via REST-API ;)
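
The daily check described in the last post can be sketched as follows. This is an added example, not the poster's cron job and not Sophos code: it flattens a nested SPF record into its pass-qualified `ip4`/`ip6` networks and diffs two snapshots. The function names, the `lookup` callable and the sample records (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed TXT records on documentation ranges; a real job would fetch these from DNS.
SAMPLE_TXT = {
    "mail.example": "v=spf1 ip4:192.0.2.0/24 include:spf-a.mail.example "
                    "include:spf-b.mail.example -all",
    "spf-a.mail.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:a::/48 -all",
    "spf-b.mail.example": "v=spf1 ip4:203.0.113.7 include:spf-a.mail.example ~all",
}

def spf_networks(domain, lookup, seen=None, max_domains=11):
    """Collect pass-qualified ip4/ip6 networks from an SPF record and its includes."""
    seen = set() if seen is None else seen
    if domain in seen:                 # include loop or repeated include
        return set()
    seen.add(domain)
    if len(seen) > max_domains:        # root + 10 lookups, in the spirit of RFC 7208
        raise RuntimeError("too many nested SPF lookups for " + domain)
    terms = (lookup(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return set()
    nets = set()
    for term in terms[1:]:
        if term[0] in "-~?":           # only mechanisms that can yield "Pass" matter
            continue
        term = term.lstrip("+")
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and value:
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name == "include" and value:
            nets |= spf_networks(value, lookup, seen, max_domains)
        elif term.lower().startswith("redirect="):
            nets |= spf_networks(term.split("=", 1)[1], lookup, seen, max_domains)
        # a, mx, exists and ptr need further DNS queries and are not expanded here
    return nets

def diff_networks(old, new):
    """Return (added, removed) as sorted lists of CIDR strings."""
    return sorted(map(str, new - old)), sorted(map(str, old - new))

if __name__ == "__main__":
    yesterday = spf_networks("mail.example", SAMPLE_TXT.get)
    changed = dict(SAMPLE_TXT)         # constructed change: one range widened, IPv6 dropped
    changed["spf-a.mail.example"] = "v=spf1 ip4:198.51.100.0/24 -all"
    added, removed = diff_networks(yesterday, spf_networks("mail.example", changed.get))
    print("added:", added)
    print("removed:", removed)
```

A non-empty `added` or `removed` list is the signal to review the network definitions behind the greylisting exception.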
