RE: outbound.protection.outlook.com
Hi, not sure if this helps but, these are the networks that my postfix server is setup to send email to O365 so users get their mail delivered # Microsoft Networks 23.103.132.0/22 23.103.136.0/21 23.103.144.0/20 23.103.198.0/23 23.103.200.0/22 23.103.212.0/22 40.92.0.0/14 40.107.0.0/17 40.107.128.0/18 52.100.0.0/14 65.55.88.0/24 65.55.169.0/24 94.245.120.64/26 104.47.0.0/17 157.55.234.0/24 157.56.110.0/23 157.56.112.0/24 207.46.100.0/24 207.46.163.0/24 213.199.154.0/24 213.199.180.128/26 216.32.180.0/23 You may need to lock things down more than me but this is the list that works for me. -ANGELO FAZZINA ang...@uconn.edu University of Connecticut, ITS, SSG, Server Systems 860-486-9075 -Original Message- From: owner-postfix-us...@postfix.org On Behalf Of Stuart Henderson Sent: Wednesday, October 2, 2019 11:04 AM To: postfix-users@postfix.org Subject: Re: outbound.protection.outlook.com On 2019/10/02 16:13, Henrik K wrote: > On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > > Henrik K schrieb am 02.10.19 um 15:46:18 Uhr: > > > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > > > > > I got rid of it, since of too many false positives related to outlook, > > > > gmail > > > > etc. > > > > > > Why would you greylist something that's easily skipped using DNSWL etc? > > > > Thank you! I'll look for that stuff. > > Just use permit_dnswl_client before your postgrey > > permit_dnswl_client list.dnswl.org > check_policy_service inet:127.0.0.1:12345 > > These should be pretty much last lines in your checks, remember that is > accepts the message at that stage when listed. > > Of course you can also create manual whitelist lookup tables. > dnswl doesn't have a good list of Microsoft servers, less than half of their deliveries to me today came from servers listed on dnswl. I make my own list from their SPF records to exempt them from greylist-type checks. Examples of some currently used that aren't on dnswl: 104.47.0.33 104.47.4.33 104.47.9.33 104.47.9.36 104.47.12.33 104.47.13.33 104.47.46.33 104.47.58.33 104.47.125.33 104.47.126.33
Re: outbound.protection.outlook.com
On 2019/10/02 16:13, Henrik K wrote: > On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > > Henrik K schrieb am 02.10.19 um 15:46:18 Uhr: > > > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > > > > > I got rid of it, since of too many false positives related to outlook, > > > > gmail > > > > etc. > > > > > > Why would you greylist something that's easily skipped using DNSWL etc? > > > > Thank you! I'll look for that stuff. > > Just use permit_dnswl_client before your postgrey > > permit_dnswl_client list.dnswl.org > check_policy_service inet:127.0.0.1:12345 > > These should be pretty much last lines in your checks, remember that is > accepts the message at that stage when listed. > > Of course you can also create manual whitelist lookup tables. > dnswl doesn't have a good list of Microsoft servers, less than half of their deliveries to me today came from servers listed on dnswl. I make my own list from their SPF records to exempt them from greylist-type checks. Examples of some currently used that aren't on dnswl: 104.47.0.33 104.47.4.33 104.47.9.33 104.47.9.36 104.47.12.33 104.47.13.33 104.47.46.33 104.47.58.33 104.47.125.33 104.47.126.33
Re: outbound.protection.outlook.com
Dnia 2.10.2019 o godz. 11:05:31 ratatouille pisze: > > Do I really have to whitelist all the IPs of outbound.protection.outlook.com > in postgrey? I just put the domain name outbound.protection.outlook.com into /etc/postgrey/whitelist_clients.local and it works for me. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: outbound.protection.outlook.com
* ratatouille : > Hello! > > Do I really have to whitelist all the IPs of outbound.protection.outlook.com > in postgrey? Yes. There's a script for that: # Postwhite - Automatic Postcreen Whitelist / Blacklist Generator # # https://github.com/stevejenkins/postwhite # # By Steve Jenkins (https://www.stevejenkins.com/)# -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: outbound.protection.outlook.com
On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > Henrik K schrieb am 02.10.19 um 15:46:18 Uhr: > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > > > I got rid of it, since of too many false positives related to outlook, > > > gmail > > > etc. > > > > Why would you greylist something that's easily skipped using DNSWL etc? > > Thank you! I'll look for that stuff. Just use permit_dnswl_client before your postgrey permit_dnswl_client list.dnswl.org check_policy_service inet:127.0.0.1:12345 These should be pretty much last lines in your checks, remember that is accepts the message at that stage when listed. Of course you can also create manual whitelist lookup tables.
Re: outbound.protection.outlook.com
Henrik K schrieb am 02.10.19 um 15:46:18 Uhr: > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > I got rid of it, since of too many false positives related to outlook, gmail > > etc. > > Why would you greylist something that's easily skipped using DNSWL etc? Thank you! I'll look for that stuff. Andreas
Re: outbound.protection.outlook.com
On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > I got rid of it, since of too many false positives related to outlook, gmail > etc. Why would you greylist something that's easily skipped using DNSWL etc?
Re: outbound.protection.outlook.com
On 2019-10-02 ratatouille wrote: > Do I really have to whitelist all the IPs of > outbound.protection.outlook.com in postgrey? Ansgar Wiechers schrieb am 02.10.19 um 11:56:56 Uhr: No. You could simply stop graylisting and instead use spam protection measures without its side effects (e.g. postscreen). On 02.10.19 14:12, ratatouille wrote: I use both, postscreen and postgrey. with postscreen, postgrey is in fact obsolete. I got rid of it, since of too many false positives related to outlook, gmail etc. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that.
Re: outbound.protection.outlook.com
Ansgar Wiechers schrieb am 02.10.19 um 11:56:56 Uhr: > On 2019-10-02 ratatouille wrote: > > Do I really have to whitelist all the IPs of > > outbound.protection.outlook.com in postgrey? > > No. You could simply stop graylisting and instead use spam protection > measures without its side effects (e.g. postscreen). I use both, postscreen and postgrey. Andreas
Re: outbound.protection.outlook.com
On 2019-10-02 ratatouille wrote: > Do I really have to whitelist all the IPs of > outbound.protection.outlook.com in postgrey? No. You could simply stop graylisting and instead use spam protection measures without its side effects (e.g. postscreen). Regards Ansgar Wiechers -- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky