Topic: Email from domain greylisted even though I have whitelisted it
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB
- Deployed with iRedMail Easy or the downloadable installer?: Installer
- Linux/BSD distribution name and version: CentOS 7.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
One of my users is trying to authenticate with Wells Fargo, and Wells Fargo is sending them a validation code via email, basically two-factor authentication by email. The code is only valid for eight minutes -- which I find a ridiculously short amount of time, but the rocket scientists at Wells Fargo know far more than I do.
However, their mail server only tries once or twice within a few seconds, and then doesn't try again for nine hours. Maybe the rocket scientists at Wells Fargo don't realise that nine hours is longer than eight minutes.
I have added wellsfargo.com and all sub-domains to the "Do not apply greylisting on emails sent from domains listed below" list, and added @.wellsfargo.com to the "Do not apply greylisting on listed senders" box in iRedAdmin.
The SPF record for wellsfargo.com is as follows:
v=spf1 redirect=wf.com
The SPF record for wf.com is as follows:
v=spf1 ip4:167.138.239.64/26 ip4:151.151.26.128/26 ip4:151.151.65.96/27 ip4:151.151.5.32/27 ip4:159.45.132.160/27 ip4:159.45.13.96/27 ip4:159.45.78.192/27 ip4:159.45.16.64/26 ip4:159.45.87.64/26 ip4:159.45.132.160/27 -all
The list of IP addresses is:
151.151.26.128/26
151.151.65.96/27
151.151.5.32/27
159.45.132.160/27
159.45.13.96/27
159.45.78.192/27
159.45.16.64/26
159.45.87.64/26
159.45.132.160/27
167.138.239.64/26
They connected from 159.45.132.171, which is in the 159.45.132.160/27 range, so they *did* connect from an authorised IP address. Here is the maillog from the initial SMTP transaction:
May 26 16:44:09 server postfix/smtpd[8940]: connect from mxdfbi03.wellsfargo.com[159.45.132.171]
May 26 16:44:09 server postfix/smtpd[8940]: Anonymous TLS connection established from mxdfbi03.wellsfargo.com[159.45.132.171]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 26 16:44:09 server postfix/smtpd[8940]: NOQUEUE: reject: RCPT from mxdfbi03.wellsfargo.com[159.45.132.171]: 451 4.7.1 <RECIPIENT>: Recipient address rejected: Intentional policy rejection, please try again later; from=<email@myaccounts.wellsfargo.com> to=<RECIPIENT> proto=ESMTP helo=<mxdfbi03.wellsfargo.com>
May 26 16:44:10 server postfix/smtpd[8940]: disconnect from mxdfbi03.wellsfargo.com[159.45.132.171]
The same IP tried again nine hours later and the message was accepted:
May 27 01:43:03 server postfix/smtpd[10748]: connect from mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:43:03 server postfix/smtpd[10748]: Anonymous TLS connection established from mxdfbi03.wellsfargo.com[159.45.132.171]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 27 01:43:04 server postfix/smtpd[10748]: 09398C58570: client=mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:43:04 server postfix/cleanup[10751]: 09398C58570: message-id=<EDSRUM02204503520517myaccounts_wf_2m_N6SBVq112-N6SBWb_14@wellsfargo.com>
May 27 01:43:04 server postfix/qmgr[1660]: 09398C58570: from=<email@myaccounts.wellsfargo.com>, size=5559, nrcpt=1 (queue active)
May 27 01:43:08 server postfix/cleanup[10751]: 861B2C58572: message-id=<EDSRUM02204503520517myaccounts_wf_2m_N6SBVq112-N6SBWb_14@wellsfargo.com>
May 27 01:43:08 server postfix/qmgr[1660]: 861B2C58572: from=<email@myaccounts.wellsfargo.com>, size=6424, nrcpt=1 (queue active)
May 27 01:43:08 server amavis[29238]: (29238-18) Passed CLEAN {RelayedInbound}, [159.45.132.171]:23198 [22.45.35.205] <email@myaccounts.wellsfargo.com> -> <RECIPIENT>, Queue-ID: 09398C58570, Message-ID: <EDSRUM02204503520517myaccounts_wf_2m_N6SBVq112-N6SBWb_14@wellsfargo.com>, mail_id: yNsggURsW6lu, Hits: -14.797, size: 5552, queued_as: 861B2C58572, 4328 ms, Tests: [BAD_ENC_HEADER=0.001,BAYES_00=-1.9,ENV_AND_HDR_SPF_MATCH=-0.5,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,RCVD_IN_DNSWL_HI=-5,SPF_HELO_NONE=0.001,SPF_PASS=-0.001,URIBL_BLOCKED=0.001,USER_IN_DEF_SPF_WL=-7.5]
May 27 01:43:08 server amavis[29238]: (29238-18) Passed CLEAN, <email@myaccounts.wellsfargo.com> -> <RECIPIENT>, Hits: -14.797, tag=-100, tag2=3.5, kill=3.5, queued_as: 861B2C58572, L/Y/0/0
May 27 01:44:51 server postfix/smtpd[10908]: connect from mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:44:52 server postfix/smtpd[10908]: Anonymous TLS connection established from mxdfbi03.wellsfargo.com[159.45.132.171]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 27 01:44:52 server postfix/smtpd[10908]: 84C42C58570: client=mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:44:52 server postfix/cleanup[10928]: 84C42C58570: message-id=<EDSRUM02204503520517myaccounts_wf_2m_N6SBhFC11-N6SBhz_12@wellsfargo.com>
May 27 01:44:52 server postfix/qmgr[1660]: 84C42C58570: from=<email@myaccounts.wellsfargo.com>, size=6606, nrcpt=1 (queue active)
May 27 01:44:56 server postfix/cleanup[10928]: 5C44EC58572: message-id=<EDSRUM02204503520517myaccounts_wf_2m_N6SBhFC11-N6SBhz_12@wellsfargo.com>
May 27 01:44:56 server postfix/qmgr[1660]: 5C44EC58572: from=<email@myaccounts.wellsfargo.com>, size=7471, nrcpt=1 (queue active)
May 27 01:44:56 server amavis[5643]: (05643-08) Passed CLEAN {RelayedInbound}, [159.45.132.171]:23262 [22.45.35.205] <email@myaccounts.wellsfargo.com> -> <RECIPIENT>, Queue-ID: 84C42C58570, Message-ID: <EDSRUM02204503520517myaccounts_wf_2m_N6SBhFC11-N6SBhz_12@wellsfargo.com>, mail_id: pcXN4Q4RDDds, Hits: -14.797, size: 6598, queued_as: 5C44EC58572, 3651 ms, Tests: [BAD_ENC_HEADER=0.001,BAYES_00=-1.9,ENV_AND_HDR_SPF_MATCH=-0.5,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,RCVD_IN_DNSWL_HI=-5,SPF_HELO_NONE=0.001,SPF_PASS=-0.001,URIBL_BLOCKED=0.001,USER_IN_DEF_SPF_WL=-7.5]
May 27 01:44:56 server amavis[5643]: (05643-08) Passed CLEAN, <email@myaccounts.wellsfargo.com> -> <RECIPIENT>, Hits: -14.797, tag=-100, tag2=3.5, kill=3.5, queued_as: 5C44EC58572, L/Y/0/0
May 27 01:48:04 server postfix/smtpd[10748]: timeout after END-OF-MESSAGE from mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:49:22 server postfix/smtpd[10748]: disconnect from mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:49:52 server postfix/smtpd[10908]: timeout after END-OF-MESSAGE from mxdfbi03.wellsfargo.com[159.45.132.171]
May 27 01:51:10 server postfix/smtpd[10908]: disconnect from mxdfbi03.wellsfargo.com[159.45.132.171]
My question is though, if wellsfargo.com and all sub-domains are whitelisted in the greylisting system, why did the greylisting system greylist email from this domain? Any idea?
Craig
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.