outbound.protection.outlook.com

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

outbound.protection.outlook.com

ratatouille-2
Hello!

Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

Oct  2 10:57:28 bitclusive1 postfix/smtpd[20061]: NOQUEUE: reject: RCPT from mail-eopbgr680083.outbound.protection.outlook.com[40.107.68.83]: 450 4.2.0 <[hidden email]>: Recipient address rejected: Greylisted for 60 seconds; from=<bounces+SRS=6CNNV=[hidden email]> to=<[hidden email]> proto=ESMTP helo=<NAM04-BN3-obe.outbound.protection.outlook.com>

Kind regards

  Andreas
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Ansgar Wiechers
On 2019-10-02 ratatouille wrote:
> Do I really have to whitelist all the IPs of
> outbound.protection.outlook.com in postgrey?

No. You could simply stop graylisting and instead use spam protection
measures without its side effects (e.g. postscreen).

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

ratatouille-2
Ansgar Wiechers <[hidden email]> schrieb am 02.10.19 um 11:56:56 Uhr:

> On 2019-10-02 ratatouille wrote:
> > Do I really have to whitelist all the IPs of
> > outbound.protection.outlook.com in postgrey?  
>
> No. You could simply stop graylisting and instead use spam protection
> measures without its side effects (e.g. postscreen).

I use both, postscreen and postgrey.

  Andreas
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Matus UHLAR - fantomas
>> On 2019-10-02 ratatouille wrote:
>> > Do I really have to whitelist all the IPs of
>> > outbound.protection.outlook.com in postgrey?

>Ansgar Wiechers <[hidden email]> schrieb am 02.10.19 um 11:56:56 Uhr:
>> No. You could simply stop graylisting and instead use spam protection
>> measures without its side effects (e.g. postscreen).

On 02.10.19 14:12, ratatouille wrote:
>I use both, postscreen and postgrey.

with postscreen, postgrey is in fact obsolete.

I got rid of it, since of too many false positives related to outlook, gmail
etc.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Henrik K
On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
>
> I got rid of it, since of too many false positives related to outlook, gmail
> etc.

Why would you greylist something that's easily skipped using DNSWL etc?

Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

ratatouille-2
Henrik K <[hidden email]> schrieb am 02.10.19 um 15:46:18 Uhr:

> On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> >
> > I got rid of it, since of too many false positives related to outlook, gmail
> > etc.  
>
> Why would you greylist something that's easily skipped using DNSWL etc?

Thank you! I'll look for that stuff.

  Andreas
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Henrik K
On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:

> Henrik K <[hidden email]> schrieb am 02.10.19 um 15:46:18 Uhr:
>
> > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > >
> > > I got rid of it, since of too many false positives related to outlook, gmail
> > > etc.  
> >
> > Why would you greylist something that's easily skipped using DNSWL etc?
>
> Thank you! I'll look for that stuff.

Just use permit_dnswl_client before your postgrey

permit_dnswl_client list.dnswl.org
check_policy_service inet:127.0.0.1:12345

These should be pretty much last lines in your checks, remember that is
accepts the message at that stage when listed.

Of course you can also create manual whitelist lookup tables.

Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Ralf Hildebrandt-2
In reply to this post by ratatouille-2
* ratatouille <[hidden email]>:
> Hello!
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

Yes. There's a script for that:

# Postwhite - Automatic Postcreen Whitelist / Blacklist Generator #
# https://github.com/stevejenkins/postwhite                       #
# By Steve Jenkins (https://www.stevejenkins.com/)                #

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
                                           
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Jaroslaw Rafa
In reply to this post by ratatouille-2
Dnia  2.10.2019 o godz. 11:05:31 ratatouille pisze:
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

I just put the domain name outbound.protection.outlook.com into
/etc/postgrey/whitelist_clients.local and it works for me.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Reply | Threaded
Open this post in threaded view
|

Re: outbound.protection.outlook.com

Stuart Henderson
In reply to this post by Henrik K
On 2019/10/02 16:13, Henrik K wrote:

> On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
> > Henrik K <[hidden email]> schrieb am 02.10.19 um 15:46:18 Uhr:
> >
> > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > > >
> > > > I got rid of it, since of too many false positives related to outlook, gmail
> > > > etc.  
> > >
> > > Why would you greylist something that's easily skipped using DNSWL etc?
> >
> > Thank you! I'll look for that stuff.
>
> Just use permit_dnswl_client before your postgrey
>
> permit_dnswl_client list.dnswl.org
> check_policy_service inet:127.0.0.1:12345
>
> These should be pretty much last lines in your checks, remember that is
> accepts the message at that stage when listed.
>
> Of course you can also create manual whitelist lookup tables.
>

dnswl doesn't have a good list of Microsoft servers, less than half of their
deliveries to me today came from servers listed on dnswl. I make my own list
from their SPF records to exempt them from greylist-type checks.

Examples of some currently used that aren't on dnswl:

104.47.0.33
104.47.4.33
104.47.9.33
104.47.9.36
104.47.12.33
104.47.13.33
104.47.46.33
104.47.58.33
104.47.125.33
104.47.126.33
Reply | Threaded
Open this post in threaded view
|

RE: outbound.protection.outlook.com

angelo
Hi, not sure if this helps but, these are the networks that my postfix server is setup to send email to O365 so users get their mail delivered

#  Microsoft Networks
23.103.132.0/22
23.103.136.0/21
23.103.144.0/20
23.103.198.0/23
23.103.200.0/22
23.103.212.0/22
40.92.0.0/14  
40.107.0.0/17
40.107.128.0/18
52.100.0.0/14  
65.55.88.0/24
65.55.169.0/24
94.245.120.64/26
104.47.0.0/17
157.55.234.0/24
157.56.110.0/23
157.56.112.0/24
207.46.100.0/24
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/23

You may need to lock things down more than me but this is the list that works for me.

-ANGELO FAZZINA

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Stuart Henderson
Sent: Wednesday, October 2, 2019 11:04 AM
To: [hidden email]
Subject: Re: outbound.protection.outlook.com

On 2019/10/02 16:13, Henrik K wrote:

> On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
> > Henrik K <[hidden email]> schrieb am 02.10.19 um 15:46:18 Uhr:
> >
> > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > > >
> > > > I got rid of it, since of too many false positives related to outlook, gmail
> > > > etc.  
> > >
> > > Why would you greylist something that's easily skipped using DNSWL etc?
> >
> > Thank you! I'll look for that stuff.
>
> Just use permit_dnswl_client before your postgrey
>
> permit_dnswl_client list.dnswl.org
> check_policy_service inet:127.0.0.1:12345
>
> These should be pretty much last lines in your checks, remember that is
> accepts the message at that stage when listed.
>
> Of course you can also create manual whitelist lookup tables.
>

dnswl doesn't have a good list of Microsoft servers, less than half of their
deliveries to me today came from servers listed on dnswl. I make my own list
from their SPF records to exempt them from greylist-type checks.

Examples of some currently used that aren't on dnswl:

104.47.0.33
104.47.4.33
104.47.9.33
104.47.9.36
104.47.12.33
104.47.13.33
104.47.46.33
104.47.58.33
104.47.125.33
104.47.126.33