3
Greylisting glitch
Problem reported by Sean Middlemore - 5/19/2016 at 7:41 AM
Submitted
We have an email address set up and when I email to it, it greylists as per usual but doesn't let the email go through after it tries again. I'm a bit stumped. Here is the log and the settings used:
 
[2016.05.19] 14:45:18 [209.85.223.199][20805362] rsp: 220 XLVets Mail Server
[2016.05.19] 14:45:18 [209.85.223.199][20805362] connected at 5/19/2016 2:45:18 PM
[2016.05.19] 14:45:18 [209.85.223.199][20805362] cmd: EHLO mail-io0-f199.google.com
[2016.05.19] 14:45:18 [209.85.223.199][20805362] rsp: 250-mail.xlvets.co.uk Hello [209.85.223.199]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2016.05.19] 14:45:18 [209.85.223.199][20805362] cmd: STARTTLS
[2016.05.19] 14:45:18 [209.85.223.199][20805362] rsp: 220 Start TLS negotiation
[2016.05.19] 14:45:19 [209.85.223.199][20805362] cmd: EHLO mail-io0-f199.google.com
[2016.05.19] 14:45:19 [209.85.223.199][20805362] rsp: 250-mail.xlvets.co.uk Hello [209.85.223.199]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.05.19] 14:45:19 [209.85.223.199][20805362] cmd: MAIL FROM:<sean.middlemore@xlvets.co.uk> SIZE=7060
[2016.05.19] 14:45:22 [209.85.223.199][20805362] rsp: 250 OK <sean.middlemore@xlvets.co.uk> Sender ok
[2016.05.19] 14:45:22 [209.85.223.199][20805362] cmd: RCPT TO:<rebates@xlvets.co.uk>
[2016.05.19] 14:45:22 [209.85.223.199][20805362] rsp: 451 Greylisted, please try again in 60 seconds
[2016.05.19] 14:45:22 [209.85.223.199][20805362] cmd: QUIT
[2016.05.19] 14:45:22 [209.85.223.199][20805362] rsp: 221 Service closing transmission channel
[2016.05.19] 14:45:22 [209.85.223.199][20805362] disconnected at 5/19/2016 2:45:22 PM
[2016.05.19] 14:53:05 [209.85.218.69][50383278] rsp: 220 XLVets Mail Server
[2016.05.19] 14:53:05 [209.85.218.69][50383278] connected at 5/19/2016 2:53:05 PM
[2016.05.19] 14:53:05 [209.85.218.69][50383278] cmd: EHLO mail-oi0-f69.google.com
[2016.05.19] 14:53:05 [209.85.218.69][50383278] rsp: 250-mail.xlvets.co.uk Hello [209.85.218.69]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2016.05.19] 14:53:05 [209.85.218.69][50383278] cmd: STARTTLS
[2016.05.19] 14:53:05 [209.85.218.69][50383278] rsp: 220 Start TLS negotiation
[2016.05.19] 14:53:06 [209.85.218.69][50383278] cmd: EHLO mail-oi0-f69.google.com
[2016.05.19] 14:53:06 [209.85.218.69][50383278] rsp: 250-mail.xlvets.co.uk Hello [209.85.218.69]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.05.19] 14:53:06 [209.85.218.69][50383278] cmd: MAIL FROM:<sean.middlemore@xlvets.co.uk> SIZE=7060
[2016.05.19] 14:53:10 [209.85.218.69][50383278] rsp: 250 OK <sean.middlemore@xlvets.co.uk> Sender ok
[2016.05.19] 14:53:10 [209.85.218.69][50383278] cmd: RCPT TO:<rebates@xlvets.co.uk>
[2016.05.19] 14:53:10 [209.85.218.69][50383278] rsp: 451 Greylisted, please try again in 60 seconds
[2016.05.19] 14:53:10 [209.85.218.69][50383278] cmd: QUIT
[2016.05.19] 14:53:10 [209.85.218.69][50383278] rsp: 221 Service closing transmission channel
[2016.05.19] 14:53:10 [209.85.218.69][50383278] disconnected at 5/19/2016 2:53:10 PM
[2016.05.19] 15:13:52 [209.85.213.198][17422152] rsp: 220 XLVets Mail Server
[2016.05.19] 15:13:52 [209.85.213.198][17422152] connected at 5/19/2016 3:13:52 PM
[2016.05.19] 15:13:52 [209.85.213.198][17422152] cmd: EHLO mail-ig0-f198.google.com
[2016.05.19] 15:13:52 [209.85.213.198][17422152] rsp: 250-mail.xlvets.co.uk Hello [209.85.213.198]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2016.05.19] 15:13:52 [209.85.213.198][17422152] cmd: STARTTLS
[2016.05.19] 15:13:52 [209.85.213.198][17422152] rsp: 220 Start TLS negotiation
[2016.05.19] 15:13:53 [209.85.213.198][17422152] cmd: EHLO mail-ig0-f198.google.com
[2016.05.19] 15:13:53 [209.85.213.198][17422152] rsp: 250-mail.xlvets.co.uk Hello [209.85.213.198]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.05.19] 15:13:53 [209.85.213.198][17422152] cmd: MAIL FROM:<sean.middlemore@xlvets.co.uk> SIZE=7063
[2016.05.19] 15:14:02 [209.85.213.198][17422152] rsp: 250 OK <sean.middlemore@xlvets.co.uk> Sender ok
[2016.05.19] 15:14:02 [209.85.213.198][17422152] cmd: RCPT TO:<rebates@xlvets.co.uk>
[2016.05.19] 15:14:02 [209.85.213.198][17422152] rsp: 451 Greylisted, please try again in 60 seconds
[2016.05.19] 15:14:02 [209.85.213.198][17422152] cmd: QUIT
[2016.05.19] 15:14:02 [209.85.213.198][17422152] rsp: 221 Service closing transmission channel
[2016.05.19] 15:14:02 [209.85.213.198][17422152] disconnected at 5/19/2016 3:14:02 PM

8 Replies

3
Scarab Replied
Sean,
 
This isn't a glitch. It's W.A.I. (Working As Intended). Greylisting is not just based upon the Sender Address but also on the Server IP that is attempting delivery. If a Mail Service is using Round-Robin or Elastic IPs to deliver an email then it won't pass Greylisting UNTIL delivery is reattempted from the same IP Address.
 
Fortunately there aren't many services that use Round-Robin or Elastic IPs for email delivery. Google Mail and AmazonSES are two of the biggest exceptions. In these cases you would want to add their IP Ranges to your SECURITY > GREYLISTING > FILTERS. Over time you'll discover other rare occurrences where you may have to set up a service's IP Range in the Greylisting Filters but thankfully it doesn't happen very often.

On another note, Google, despite using Round-Robin, will eventually pass Greylisting successfully without being added to the Greylisting Filters. It just takes a larger number of retries before delivery from the original IP Address is retried.
0
Sean Middlemore Replied
Scarab,

Many thanks for the explanation. I realise now how it completely makes sense to greylist both email addresses and IP addresses.

Sean
1
Tim DeMeza Replied
I am having the exact same problem with senders from Office 365 accounts. There has to be a better way than finding IP ranges. I have really MAD, not frustrated, users. Can we do anything about this?
 
By the way, I found this as well. I hate to admit that I don't even know how to add some of these ranges.
 
https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx
 
Thanks!
1
Nathan Replied
A couple of useful additions to the greylisting implementation would be the following (although they should be optional):
 
1) Once an IP address/sender has passed through greylisting any further emails from the same IP address should be accepted regardless of the sender as we have established it will retry so there is no point in delaying.
 
2) Have the option during the deferral to switch from a /32 match to a /24 so where a provider round robins in the same /24 it passes. This won't address where they are in different networks but would be a help.
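The behaviour discussed so far in this thread, replayed as an added example (it is not part of any post and is not SmarterMail's code). It assumes the classic greylisting key of source network, sender and recipient; the `Greylist` class, `replay` helper and `trust_passed` option are hypothetical names, and the /16 run goes wider than the /24 proposed above to show where matching would start to succeed for the logged IPs.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

SENDER, RCPT = "sean.middlemore@xlvets.co.uk", "rebates@xlvets.co.uk"
# The three RCPT TO attempts from the log in the first post (time, connecting IP).
LOGGED = [("14:45:22", "209.85.223.199"), ("14:53:10", "209.85.218.69"),
          ("15:14:02", "209.85.213.198")]
# Constructed for contrast: the first IP itself comes back eight minutes later.
SAME_IP = [("14:45:22", "209.85.223.199"), ("14:53:10", "209.85.223.199")]


class Greylist:
    """Toy greylist: defer a key's first attempt, accept a retry made after `delay`."""

    def __init__(self, prefix_len=32, delay=timedelta(seconds=60), trust_passed=False):
        self.prefix_len, self.delay, self.trust_passed = prefix_len, delay, trust_passed
        self.first_seen = {}   # (network, sender, recipient) -> time of first attempt
        self.passed = set()    # networks that have completed a successful retry

    def check(self, when, ip, sender=SENDER, rcpt=RCPT):
        net = ip_network(f"{ip}/{self.prefix_len}", strict=False)
        if self.trust_passed and net in self.passed:
            return 250         # option 1 above: this source has proven it retries
        first = self.first_seen.setdefault((net, sender.lower(), rcpt.lower()), when)
        if when - first >= self.delay:
            self.passed.add(net)
            return 250
        return 451             # "Greylisted, please try again in 60 seconds"


def replay(attempts, **options):
    """Feed (HH:MM:SS, ip[, sender]) attempts through a fresh Greylist; return reply codes."""
    gl = Greylist(**options)
    return [gl.check(datetime.strptime(a[0], "%H:%M:%S"), a[1], *a[2:]) for a in attempts]


if __name__ == "__main__":
    print("/32, rotating IPs :", replay(LOGGED))                 # exact-IP match
    print("/24, rotating IPs :", replay(LOGGED, prefix_len=24))  # option 2 above
    print("/16, rotating IPs :", replay(LOGGED, prefix_len=16))  # wider than proposed
    print("/32, same IP retry:", replay(SAME_IP))
```

The three logged Google addresses sit in three different /24 networks, so the /24 run defers all of them just as the /32 run does, which is the limitation noted in point 2.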
0
John C. Reid Replied
I am in the middle of adding the Exchange Online Protection IPs myself right now. It appears that there are close to 400,000 IP addresses in about 27 different CIDR ranges. After that I need to track down the Google IPs. Then possibly Yahoo and AOL, etc.
 
This brings up two points:
 
1) This should have been a prepopulation option from SmarterTools. I should at least have the ability to say, for example, allow Exchange Online Protection somewhere and not have to track all this down and enter it manually as this completely breaks Greylisting. How long do you think it will take for the mail server to pass a message when it could come from 400,000 different IPs? Longer than 4 days I would suspect.
 
2) Once you have added exceptions for all the big providers, where has the value of Greylisting gone? Practically into the toilet. You have now excluded the vast majority of locations you will receive mail from.
 
This needs to be rewritten as this seems to be a very poor implementation, and it is not described by SmarterTools as working in this way. It is described as being done via the From: address, so that is how it should work. Don't say one thing and do another.
 
Just my two cents.
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
0
John C. Reid Replied
FYI - As of today (9/23/2016) here are all of Microsoft's Exchange Online Protection IP addresses converted from the published CIDR to IP Ranges for easy entry into SmarterMail. I used this tool to do it quickly, in bulk. The tool can export to CSV, if there was a way to import it (HINT - HINT) [  w w w . ipconvertertools . com / cidr2ipranges ] I can't post hyperlinks, so remove the spaces.
 
              TOTAL: 374218
 
 
 
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
1
Matthew Leyda Replied
We use the Whitelist from SPF records. This is a free tool from Mighty Blue software.
 
SmarterMail Whitelist from SPF (free) - We have written a free tool for the community that will whitelist the major providers from being Greylisted, and update SmarterMail.

Download the tool from:

http://www.mightyblue.com/mbdownloads/SMWhiteListFromSPF.zip
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
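The general idea of deriving greylisting exemptions from a provider's SPF record, as an added example (it is not the Mighty Blue tool's code, whose internals this thread does not show). The TXT records are constructed stand-ins for DNS answers using reserved documentation names and address blocks, `spf_networks` and `greylist_exemptions` are hypothetical names, and only `ip4`, `ip6` and `include` terms are followed.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (reserved .example names,
# RFC 5737 / RFC 3849 documentation address blocks).
SPF_RECORDS = {
    "mail.example": "v=spf1 include:_spf.mail.example ip4:192.0.2.0/28 ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:198.51.100.0/25 ip4:198.51.100.128/25 ~all",
    "_nb2.mail.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms per SPF evaluation at 10


def spf_networks(domain, lookup=SPF_RECORDS.get, _state=None):
    """Recursively collect the ip4/ip6 networks a domain's SPF record authorises."""
    state = _state if _state is not None else {"lookups": 0, "seen": set()}
    if domain in state["seen"]:          # guard against include loops
        return []
    state["seen"].add(domain)
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        # Only pass-qualified terms count; "-ip4:..." or "~all" fall through unmatched.
        name, _, value = term.lstrip("+").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise ValueError("SPF lookup limit exceeded at " + value)
            nets.extend(spf_networks(value, lookup, state))
    return nets


def greylist_exemptions(domain, lookup=SPF_RECORDS.get):
    """Merge adjacent networks and return (first IP, last IP) ranges for a filter list."""
    nets = spf_networks(domain, lookup)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [(str(n[0]), str(n[-1])) for n in list(v4) + list(v6)]


if __name__ == "__main__":
    for first, last in greylist_exemptions("mail.example"):
        print(first, "-", last)
```

Because providers change their published ranges, output like this has to be regenerated on a schedule rather than entered once.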
0
John C. Reid Replied
Thank you Matthew. This helps with the labor, and certainly is a great tool filling a current need. However, it should not be needed.

The requirement to whitelist major providers at all is a fundamental flaw. Without the IP check, at least the greylisting function is there doing its job on the from address. Now that you are whitelisting the vast majority of IP addresses E-mail will realistically be coming from, greylisting is not even being performed on the majority of your inbound mail anymore. You have exempted it by creating an exception.

Adding the IP check element breaks greylisting. I can't put a finer point on it. This is a classic case of adding checks decreasing security rather than enhancing it.
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
