On 11/3/2022 9:00 AM, Alex wrote:
Hi,

I'm using sqlgrey for my greylisting service and having trouble with a particular entry. I need to make sure email from this sender doesn't get blocked, so would like to confirm that I can add something to my recipient restrictions to bypass the SPF check for this domain.

Nov  2 18:02:30 armor policyd-spf[3053263]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=<UNKNOWN>

so it's being rejected by policyd-spf, not sqlgrey.

Nov  2 18:02:30 armor postfix-113/smtpd[3053261]: NOQUEUE: reject: RCPT from wd1-az-mail-nat.myworkday.com[209.177.165.161]: 550 5.7.23 <repo...@example.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=<UNKNOWN>; from=<workday_supp...@generalatlantic.com> to=<repo...@example.com> proto=ESMTP helo=<wd1-az-mail-nat.myworkday.com>

...
I've added the following to my sqlgrey FQDN whitelisting entries, but somehow it's still being rejected:
*.myworkday.com
generalatlantic.com

And the IP range to the IP whitelist:
209.177.165.0/24


Since the reject message says policyd-spf is what is rejecting the mail, adding those entries to the policyd-spf whitelist mechanism should fix the problem. Maybe it was also greylisted earlier, adding to the confusion.




If I add a check_sender_access entry above the policy-spf policy service check, and add generalatlantic.com to it, will it bypass that SPF check altogether so it doesn't continue to reject this mail? How can I otherwise permit the 209.177.165.0/24 network?


Yes, using either a postfix check_sender_access table with generalatlantic.com or a check_client_access cidr: table with that IP address range would bypass both policy services completely.



  -- Noel Jones
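
The two bypass options from the reply above, laid out as an added configuration example that is not part of the original thread. The table file names, the policyd-spf socket (`unix:private/policyd-spf`) and the sqlgrey endpoint (`inet:127.0.0.1:2501`) are assumptions; substitute the values already present in your own main.cf.

```conf
# --- /etc/postfix/spf_bypass_clients.cidr (hypothetical file name) ---
# Keyed on the connecting client IP, which the remote side cannot forge.
209.177.165.0/24        OK

# --- /etc/postfix/spf_bypass_senders (hypothetical file name; needs postmap) ---
# Keyed on the envelope sender, which any client can claim. Using this table
# means a forged MAIL FROM in this domain also skips SPF and greylisting.
generalatlantic.com     OK

# --- /etc/postfix/main.cf ---
# Restrictions are evaluated in order; the first OK or REJECT ends this list,
# so an OK from a bypass table skips every policy service listed after it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    # Keep bypass tables below reject_unauth_destination: an OK placed above
    # it would end this list before the relay check runs.
    check_client_access cidr:/etc/postfix/spf_bypass_clients.cidr,
    # Weaker alternative (see the note in the sender table above):
    # check_sender_access hash:/etc/postfix/spf_bypass_senders,
    # Assumed policy service endpoints (policyd-spf, then sqlgrey):
    check_policy_service unix:private/policyd-spf,
    check_policy_service inet:127.0.0.1:2501
```

The cidr: table is read directly and needs no postmap; run `postfix reload` after editing main.cf, and `postmap` on the sender table only if you enable it.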
