1

Topic: How to whitelist IP range

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I would like to ask if how does whitelisting of IP range can be done. We have a salesforce account in our company which uses about 30 different IP's and are getting blocked.

Tried doing test email deliverability in Salesforce to a certain email, salesforce sends 30 emails to that user coming from 15 different IP's and all are blocked in the first attempt as can be seen in the logs.

Any idea how can this be done.

We are using 0.9.5-1

Thanks,
NNN

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: How to whitelist IP range

- Could you please show us related log in Postfix log file?
- What's the domain name of salesforge sender addresses?

3 (edited by phantompilusan 2018-04-06 01:51:25)

Re: How to whitelist IP range

Hi Zhang,

Here's the related logs.
You see below that theres a lot of smtps, IP address. All of them are added in whitelist.

Apr  5 17:41:18 xxxx postfix/smtpd[26845]: NOQUEUE: reject: RCPT from smtp07-lon.mta.salesforce.com[136.146.128.70]: 451 4.7.1 <**********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-154ugxsqqxbnuy@kxa3uspc8l18jj.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp07-lon-sp9.mta.salesforce.com>
Apr  5 17:41:18 xxxx postfix/smtpd[26846]: NOQUEUE: reject: RCPT from smtp08-lon.mta.salesforce.com[136.146.128.71]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__1haasodajghzfa01@tqvsxpggavbw.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp08-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26847]: NOQUEUE: reject: RCPT from smtp09-lon.mta.salesforce.com[136.146.128.72]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__2ah3xblznyeqs7x5@eq7vr6yycds3.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp09-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26848]: NOQUEUE: reject: RCPT from smtp10-lon.mta.salesforce.com[136.146.128.73]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-90lwofdumgmsjz@0w5xyw2gg1hown.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp10-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26850]: NOQUEUE: reject: RCPT from smtp12-lon.mta.salesforce.com[136.146.128.75]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-6w422jra8a8zph@6oqqm34p68jj6r.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp12-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26851]: NOQUEUE: reject: RCPT from smtp13-lon.mta.salesforce.com[136.146.128.76]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-2c3lc3fqid43i2@697vp30pqfcilf.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp13-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26853]: NOQUEUE: reject: RCPT from smtp15-lon.mta.salesforce.com[136.146.128.78]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-9bt1gawxcser1q@v2ot1bwg18eb0q.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp15-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26854]: NOQUEUE: reject: RCPT from smtp06-lon.mta.salesforce.com[136.146.128.69]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-7csjdk127rcrfu@ba99a3o6owzec2.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp06-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26852]: NOQUEUE: reject: RCPT from smtp14-lon.mta.salesforce.com[136.146.128.77]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__0-4ac871daibod8o@328okzlf0clslp.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp14-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26849]: NOQUEUE: reject: RCPT from smtp11-lon.mta.salesforce.com[136.146.128.74]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__3ylim745rpsvhm7x@tbm28brp944b.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp11-lon-sp9.mta.salesforce.com>
Apr  5 17:41:19 xxxx postfix/smtpd[26855]: NOQUEUE: reject: RCPT from smtp16-lon.mta.salesforce.com[136.146.128.79]: 451 4.7.1 <*********>: Recipient address rejected: Intentional greylisting policy rejection, please try aga
in in 2 minutes; from=<yyyyyyyyyyy__9ufndw98ves8pzaj@wcpo9gpep7jt.0-7zlzeay.eu6.bnc.salesforce.com> to=<*********> proto=ESMTP helo=<smtp16-lon-sp9.mta.salesforce.com>


But emails are getting blocked the first time it was sent. We only received after retry.

Thanks,
NNNNN

4

Re: How to whitelist IP range

Try this:

cd /opt/iredapd/tools/
python spf_to_greylist_whitelists.py --submit 'salesforce.com'

Then it should be fine.

if you're running iRedAdmin-Pro, you can whitelist domain 'salesforce.com' for greylisting service in iRedAdmin-Pro directly: System -> Anti Spam -> Greylisting, then add domain 'salesforce.com'. It may take 10-30 minutes - depends on the cron job which runs script '/opt/iredapd/tools/spf_to_greylist_whitelists.py'.

5

Re: How to whitelist IP range

Thanks Zhang,

How do i revert the changes if something goes wrong smile

I am not saying I don't have confidence in that, but just in case. You know as they always say, sometimes shit happens everywhere. smile  smile

6

Re: How to whitelist IP range

Hi Zhang,

I haven't yet run what you suggested.

However, when I run it without argument as suggested when I read the content of that script, salesforce.com is already there.

$ python spf_to_greylist_whitelists.py

Thanks

7

Re: How to whitelist IP range

Run command without '--submit', but add a new one: --debug:

python spf_to_greylist_whitelists.py --debug 'salesforce.com'

It will list all allowed mail server IP addresses for mail domain 'salesforce.com'. Is the rejected IPs listed there?

8

Re: How to whitelist IP range

Hi Zhang,

Here's the result when I run what you suggested:

                + SPF -> v=spf1 mx ip4:208.75.120.0/22 ip4:205.207.104.0/22 ip4:50.207.218.237 ip4:216.17.150.251 ip4:216.17.150.242 ip4:174.129.194.241 ip4:198.37.149.128 ip4:208.74.204.9 include:support.zendesk.com include:_spf.salesforce.com include:_spf.google.com ~all
                + [constantcontact.com] include: -> support.zendesk.com, _spf.salesforce.com
                + [include: _spf.salesforce.com] v=spf1 exists:%{i}._spf.mta.salesforce.com -all
                + [include: p._spf.ebay.com] v=spf1 ip4:67.72.99.26 ip4:206.165.246.80/29 ip4:64.127.115.252 ip4:194.64.234.128/27 ip4:65.110.161.77 ip4:204.13.11.48/30 ip4:72.3.237.64/28 ip4:63.111.28.137 ip4:208.74.204.0/22 ip4:46.19.168.0/23 include:emarsys.net include:_spf.salesforce.com
                + [include: zuora.com] v=spf1 ip4:64.79.155.0/24 ip4:207.218.90.0/24 ip4:192.254.118.63 ip4:146.20.91.152/31 include:_spf.google.com include:_spf.salesforce.com include:mail.zendesk.com include:mktomail.com include:stspg-customer.com ~all
        + [salesforce.com]
                + SPF -> v=spf1 include:_spf.google.com include:_spf.salesforce.com  include:spf.mandrillapp.com exists:%{i}._spf.corp.salesforce.com ~all
                + [salesforce.com] include: ->
                + [include: partners.sendgrid.com] v=spf1 ip4:64.79.155.192 ip4:74.63.194.126 ip4:167.89.60.95 ip4:198.37.145.250 ip4:198.37.151.26 include:_spf.salesforce.com include:stspg-customer.com -all


If I run  this command -- python wblist_admin.py --list --whitelist

The IP's listed in here are missing to the result above.

136.146.128.64
136.146.128.65
136.146.128.66
136.146.128.67
136.146.128.68
136.146.128.69
136.146.128.70
136.146.128.71
136.146.128.72
136.146.128.73
136.146.128.74
136.146.128.75
136.146.128.76
136.146.128.77
136.146.128.78
136.146.128.79
85.222.130.224
85.222.130.225
85.222.130.226
85.222.130.227
85.222.130.228
85.222.130.229
85.222.130.230
85.222.130.231
85.222.130.232
85.222.130.233
85.222.130.234
85.222.130.235
85.222.130.236
85.222.130.237
85.222.130.238
85.222.130.239
85.222.138.237

Am I doing whitelisting incorrectly.

Thanks for your response.

9

Re: How to whitelist IP range

phantompilusan wrote:

The IP's listed in here are missing to the result above.

I think this is salesforge's mistake that they didn't list these IP addresses/networks in their SPF record.

The only one SPF syntax missed by iRedAPD is the "exists:%{i}._spf.corp.salesforce.com", but i queried it manually, it doesn't contain the missed IP addresses either.

dig -t a 136.146.128.64._spf.corp.salesforce.com
dig -t a 64.128.146.136._spf.corp.salesforce.com

FYI:

- SPF DNS record syntax: http://www.openspf.org/SPF_Record_Syntax#exists
- Macros in SPF DNS record syntax: http://www.openspf.org/RFC_4408#macros

Please try to contact salesforge mail server admin to update the SPF DNS record.

Currently, you have to whitelist these addresses manually with iRedAdmin-Pro, or if you prefer command line tool - /opt/iredapd/tools/greylisting_admin.py.

cd /opt/iredapd/tools/
python greylisting_admin.py --disable --from '136.146.128.64'

FYI: https://docs.iredmail.org/manage.iredap … reylisting