Greylisting flexibility for dynamic sender IP addresses

rclemings shared this idea 6 years ago
Open Discussion

This came up in the thread "Greylisting -- requesting enhancements" but I don't see a feature request for it:

https://features.cpanel.net/topic/greylisting-requesting-enhancements#comment-45858

What's needed is a way to deal with a sender who uses a different IP address for each attempt, and as a result, never matches an existing triplet, and therefore is repeatedly delayed.

This came up on my server with an email from aa.com (American Airlines) that was rejected more than a dozen times from different IP addresses and never was accepted.

I'm not sure of the best approach to fixing this, but it could help to have more flexibility in matching the sender IP address in the triplet.

Replies (6)

1

I would be interested in ideas to solve this issue as well. I do think that senders take some of the responsibility for this issue as well, though. Greylisting has been around for a long time, but is a lot more popular now that it is supported in cPanel/WHM. Senders need to come up with better solutions for when they receive a deferral. They "should" be able to resend the message 10 minutes later from the same IP. I realize it may not be easy and might take some programming logic, but senders will eventually have to consider their practices if they want to improve deliverability.

2

What about allowing admins to set which netblock would be authorised upon successful delivery?

We would for instance choose /16 so that neighbouring IPs would also be allowed. With /16 it's very likely that a big organisation like American Airlines would retry with an IP in that same netblock.

If this was configurable, web hosts would be able to choose how many IPs they would allow: ones that only want one IP at a time could choose /32, ones that want to allow just a few IPs might allow /29, etc.

1

A simple whitelist where one can enter a FROM domain or specific email address to account for senders that rotate through multiple outgoing mail servers would do the trick I think.

1

With more Greylisting experience under my belt, I can say for sure that we need a "fix" for this issue. The easy solution would be to allow the "triplet" to match if the FROM and TO are the same, as well as the IP being in the same /24 subnet. For the vast majority of Greylisting issues we are seeing right now, this would solve the problem.


Any provider that is retrying using multiple IPs outside of a single /24 probably deserves to be a part of cPanel's planned "whitelist" service. If I understand correctly, cPanel plans to help with organizing known blocks of IPs that major mail service providers use, to allow us to whitelist the "big guys".


- Scott
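The matching rule suggested in the replies above (same sender and recipient, with the IP compared at a configurable prefix such as /32, /24 or /16), sketched as an added example. It is not cPanel's code or any poster's; the class name, timing values and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

class Greylist:
    """Greylist keyed on (network, sender, recipient) instead of the exact IP."""

    def __init__(self, v4_prefix=32, v6_prefix=128, min_delay=600, max_age=4 * 3600):
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.min_delay = min_delay   # assumed: seconds a new triplet must wait
        self.max_age = max_age       # assumed: seconds a triplet record is kept
        self.first_seen = {}         # triplet key -> time of first deferral

    def _key(self, ip, sender, recipient):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        # strict=False masks the host bits, so every address in the
        # block maps to the same key.
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, ip, sender, recipient, now):
        """Return 'accept' or 'defer' for one attempt at time `now` (seconds)."""
        key = self._key(ip, sender, recipient)
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            self.first_seen[key] = now   # unknown or expired: start the clock
            return "defer"
        if now - seen < self.min_delay:
            return "defer"               # retried too quickly
        return "accept"

def replay(greylist, attempts):
    """Run (ip, sender, recipient, time) attempts through the greylist in order."""
    return [greylist.check(*a) for a in attempts]

# Constructed sample: one message retried every 15 minutes from a rotating
# pool. Addresses are RFC 5737 documentation ranges, not a real sender.
ATTEMPTS = [
    ("192.0.2.10", "notify@sender.example", "user@host.example", 0),
    ("192.0.2.77", "notify@sender.example", "user@host.example", 900),
    ("192.0.2.201", "notify@sender.example", "user@host.example", 1800),
    ("198.51.100.5", "notify@sender.example", "user@host.example", 2700),
]

if __name__ == "__main__":
    for prefix in (32, 24):
        print(f"/{prefix}:", replay(Greylist(v4_prefix=prefix), ATTEMPTS))
```

With /32 every attempt is deferred; with /24 the retries from 192.0.2.0/24 are accepted, while the attempt from the second block starts a new triplet. Widening the prefix also weakens the filter, since any host in the block that retries with the same sender and recipient passes.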

2

There is pre-existing functionality in cPanel, before Greylisting was built, that lists trusted mail hosts in /etc/trustedmailhosts


I don't understand why Greylisting disregards this list of trusted mail hosts. These should be automatically white-listed.


I use Spam Experts for external mail filtering. They don't use a fixed set of IPs. The FQDN should be sufficient to whitelist, and specifically the contents of /etc/trustedmailhosts - very disappointed this was overlooked.

1

@lbeachmike, you should open a feature request about that.

1

Hello, I'm here supporting this feature request because I found out the same happens with several huge senders, especially those using several mail servers on Amazon: I've seen that Zapier has started being constantly deferred due to their reports being sent via Amazon SES load balancers, which caused a lot of emails coming from the same reply-to but originating at different IP addresses (nearly 15+), and I've just gotten tired of whitelisting every new IP they used every time. And nope, they haven't posted any webpage with their IPs nor even an SPF record to apply.

So, a solution to this issue will be more than welcome.


I see the last message here is from 5 months ago. No progress since then?


Best regards
