outbound.protection.outlook.com

Hello!

Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

Oct  2 10:57:28 bitclusive1 postfix/smtpd[20061]: NOQUEUE: reject: RCPT from mail-eopbgr680083.outbound.protection.outlook.com[40.107.68.83]: 450 4.2.0 <[hidden email]>: Recipient address rejected: Greylisted for 60 seconds; from=<bounces+SRS=6CNNV=[hidden email]> to=<[hidden email]> proto=ESMTP helo=<NAM04-BN3-obe.outbound.protection.outlook.com>

Kind regards

  Andreas

On 2019-10-02 ratatouille wrote:
> Do I really have to whitelist all the IPs of
> outbound.protection.outlook.com in postgrey?

No. You could simply stop graylisting and instead use spam protection
measures without its side effects (e.g. postscreen).

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Ansgar Wiechers <[hidden email]> schrieb am 02.10.19 um 11:56:56 Uhr:

> On 2019-10-02 ratatouille wrote:
> > Do I really have to whitelist all the IPs of
> > outbound.protection.outlook.com in postgrey?  
>
> No. You could simply stop graylisting and instead use spam protection
> measures without its side effects (e.g. postscreen).

I use both, postscreen and postgrey.

  Andreas

>> On 2019-10-02 ratatouille wrote:
>> > Do I really have to whitelist all the IPs of
>> > outbound.protection.outlook.com in postgrey?

>Ansgar Wiechers <[hidden email]> schrieb am 02.10.19 um 11:56:56 Uhr:
>> No. You could simply stop graylisting and instead use spam protection
>> measures without its side effects (e.g. postscreen).

On 02.10.19 14:12, ratatouille wrote:
>I use both, postscreen and postgrey.

with postscreen, postgrey is in fact obsolete.

I got rid of it, since of too many false positives related to outlook, gmail
etc.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.

On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
>
> I got rid of it, since of too many false positives related to outlook, gmail
> etc.

Why would you greylist something that's easily skipped using DNSWL etc?

Henrik K <[hidden email]> schrieb am 02.10.19 um 15:46:18 Uhr:

> On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> >
> > I got rid of it, since of too many false positives related to outlook, gmail
> > etc.  
>
> Why would you greylist something that's easily skipped using DNSWL etc?

Thank you! I'll look for that stuff.

  Andreas

On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
Just use permit_dnswl_client before your postgrey

permit_dnswl_client list.dnswl.org
check_policy_service inet:127.0.0.1:12345

These should be pretty much last lines in your checks, remember that is
accepts the message at that stage when listed.

Of course you can also create manual whitelist lookup tables.

* ratatouille <[hidden email]>:
> Hello!
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

Yes. There's a script for that:

# Postwhite - Automatic Postcreen Whitelist / Blacklist Generator #
# https://github.com/stevejenkins/postwhite                       #
# By Steve Jenkins (https://www.stevejenkins.com/)                #

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
                                           
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Dnia  2.10.2019 o godz. 11:05:31 ratatouille pisze:
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey?

I just put the domain name outbound.protection.outlook.com into
/etc/postgrey/whitelist_clients.local and it works for me.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

On 2019/10/02 16:13, Henrik K wrote:
dnswl doesn't have a good list of Microsoft servers, less than half of their
deliveries to me today came from servers listed on dnswl. I make my own list
from their SPF records to exempt them from greylist-type checks.

Examples of some currently used that aren't on dnswl:

104.47.0.33
104.47.4.33
104.47.9.33
104.47.9.36
104.47.12.33
104.47.13.33
104.47.46.33
104.47.58.33
104.47.125.33
104.47.126.33

Hi, not sure if this helps but, these are the networks that my postfix server is setup to send email to O365 so users get their mail delivered

#  Microsoft Networks
23.103.132.0/22
23.103.136.0/21
23.103.144.0/20
23.103.198.0/23
23.103.200.0/22
23.103.212.0/22
40.92.0.0/14  
40.107.0.0/17
40.107.128.0/18
52.100.0.0/14  
65.55.88.0/24
65.55.169.0/24
94.245.120.64/26
104.47.0.0/17
157.55.234.0/24
157.56.110.0/23
157.56.112.0/24
207.46.100.0/24
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/23

You may need to lock things down more than me but this is the list that works for me.

-ANGELO FAZZINA

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Stuart Henderson
Sent: Wednesday, October 2, 2019 11:04 AM
To: [hidden email]
Subject: Re: outbound.protection.outlook.com

On 2019/10/02 16:13, Henrik K wrote:
dnswl doesn't have a good list of Microsoft servers, less than half of their
deliveries to me today came from servers listed on dnswl. I make my own list
from their SPF records to exempt them from greylist-type checks.

Examples of some currently used that aren't on dnswl:

104.47.0.33
104.47.4.33
104.47.9.33
104.47.9.36
104.47.12.33
104.47.13.33
104.47.46.33
104.47.58.33
104.47.125.33
104.47.126.33