Hi, I'm using sqlgrey for my greylisting service and having trouble with a particular entry. I need to make sure email from this sender doesn't get blocked, so would like to confirm that I can add something to my recipient restrictions to bypass the SPF check for this domain.

    Nov 2 18:02:30 armor policyd-spf[3053263]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r= <UNKNOWN>
    Nov 2 18:02:30 armor postfix-113/smtpd[3053261]: NOQUEUE: reject: RCPT from wd1-az-mail-nat.myworkday.com[209.177.165.161]: 550 5.7.23 < repo...@example.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=<UNKNOWN>; from=<workday_supp...@generalatlantic.com> to=<repo...@example.com> proto=ESMTP helo=<wd1-az-mail-nat.myworkday.com>

This appears to indicate that generalatlantic.com is using the workday service to send email, but the generalatlantic.com SPF record does not include myworkday.com on the list of authorized senders.

I've added the following to my sqlgrey FQDN whitelisting entries, but somehow it's still being rejected:

    *.myworkday.com
    generalatlantic.com

And the IP range to the IP whitelist:

    209.177.165.0/24

Here is my smtpd_recipient_restrictions:

    smtpd_recipient_restrictions = reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        check_sender_access ${indexed}check_backscatterer,
        check_helo_access pcre:$config_directory/helo_checks.pcre,
        check_helo_access ${indexed}helo_checks,
        check_helo_access ${pcre}non-fqdn-helo.pcre
        #reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        check_policy_service unix:private/policy-spf,
        check_policy_service inet:127.0.0.1:2501,
        check_recipient_access pcre:$config_directory/recipient_checks,
        reject

If I add a check_sender_access entry above the policy-spf policy service check, and add generalatlantic.com to it, will it bypass that SPF check altogether so it doesn't continue to reject this mail? How can I otherwise permit the 209.177.165.0/24 network?

Thanks,
Alex
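
As an added example (not part of the original post), the Python sketch below models Postfix's first-match handling of the restriction list in the question: an access-table OK ends the list, so where the exemption sits and what it keys on decides which checks still run. The function names and the forged request are constructed for illustration, and the SPF and sqlgrey checks are stand-ins that return the result seen in the posted log.

```python
import ipaddress

# Request attributes taken from the log lines in the post.
WORKDAY = {"client": "209.177.165.161", "sender_domain": "generalatlantic.com"}
# Constructed: same envelope sender, sent from a documentation-range address.
FORGED = {"client": "203.0.113.7", "sender_domain": "generalatlantic.com"}

def client_access(cidr):
    """Model of check_client_access with a cidr: table entry '<cidr> OK'."""
    net = ipaddress.ip_network(cidr)
    return lambda req: "OK" if ipaddress.ip_address(req["client"]) in net else "DUNNO"

def sender_access(domain):
    """Model of check_sender_access with a table entry '<domain> OK'."""
    return lambda req: "OK" if req["sender_domain"] == domain else "DUNNO"

def policy_spf(req):
    """Stand-in for policyd-spf: the posted log shows SPF fail for this domain."""
    return "REJECT" if req["sender_domain"] == "generalatlantic.com" else "DUNNO"

def sqlgrey(req):
    """Stand-in for the greylisting policy service on 127.0.0.1:2501."""
    return "DUNNO"

def evaluate(restrictions, req):
    """Run checks in order; the first OK or REJECT ends the list."""
    ran = []
    for name, check in restrictions:
        ran.append(name)
        result = check(req)
        if result in ("OK", "REJECT"):
            return result, ran
    return "DUNNO", ran

TAIL = [("policy-spf", policy_spf), ("sqlgrey", sqlgrey)]
AS_POSTED = TAIL  # sqlgrey whitelists are never consulted: SPF rejects first
BY_SENDER = [("sender_access", sender_access("generalatlantic.com"))] + TAIL
BY_CLIENT = [("client_access", client_access("209.177.165.0/24"))] + TAIL

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("by sender", BY_SENDER), ("by client", BY_CLIENT)):
        for who, req in (("workday", WORKDAY), ("forged", FORGED)):
            print(f"{label:10} {who:8} {evaluate(rules, req)}")
```

An OK from either table ends smtpd_recipient_restrictions, so the sqlgrey and check_recipient_access steps after it are skipped as well. Keying the exemption on the client network rather than the envelope sender keeps SPF in force for mail that merely claims to be from generalatlantic.com.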