Hi there, I'm a little confused about the correct way to whitelist all possible subdomains for a specific subdomain, using the ISPConfig 3.2 control panel (obviously, I can do it manually, but that will not survive a ISPConfig upgrade!) Here is the problem I just found: SoundCloud uses several outgoing email servers. When trying to create an account or change a password with them, they will send a confirmation email with a link. The problem is that many (all?) of those email servers have broken PTR configurations, and, as such, my strict Postfix rules will reject them. I cannot say if it happens with all outgoing email servers, or just with some; also, I have no idea how many there are, and if the names will change in the future or not (who knows, they might even fix their PTR records...). Thus, for the time being, I'd like to whitelist everything coming from *.soundcloud.com. Note that SoundCloud usually has more than one level of subdomains, e.g. o5.hello.soundcloud.com, o6.hello.soundcloud.com, sg.hello.soundcloud.com (just to mention those I've recently caught on /var/log/mail.log). There might be more possible combinations; some might even be correct! They're not the only company using this scheme of naming outgoing email servers — Gmail notoriously does the same — but, so far, they're the first legitimate "big" company I found with an utterly broken outgoing email configuration... Anyway, whitelisting subdomains is not specifically mentioned on the ISPConfig 3.1 manual. On page 209, it only gives the following examples: Code: [email protected], somedomain.com, mail.freemailer.tld, 1.2.3.4, sales@ From these one might argue that things such as user@*.example.com are not supported, nor *.example.com. Is that so? My question is not necessarily a new one. This 5-year-old thread asks essentially the same: https://forum.howtoforge.com/thread...accept-wildcard-subdomains.78837/#post-450321 (sorry for necro-bumping that thread!) This one is even older, from someone who migrated from 2 to 3 and is confused about the options: https://forum.howtoforge.com/thread...black-list-cant-use-domain.70676/#post-332677 I'm confused with the answers Obviously, I could try it out on my own and see what happens; probably the control panel does allow that syntax and it does exactly what I expect it to do. But the last thing I want is to disturb my already incredibly fragile email environment, which tends to break and collapse if I sneeze... It's better to ask first than to be sorry later! Thanks in advance!
You can not use * there. See the examples in ISPConfig manual on what can be used. If you look at the postfix config, then you can see that postfix reads this from mail_access table like this: Code: mysql-virtual_client.cf:query = select access from mail_access where source = '%s' and type = 'client' and active = 'y' mysql-virtual_recipient.cf:query = select access from mail_access where source = '%s' and type = 'recipient' and active = 'y' and server_id = 1 mysql-virtual_sender.cf:query = select access from mail_access where source = '%s' and type = 'sender' and active = 'y' and server_id = 1 when you then look at postfix main.cf, then you can see: Code: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf and the postfix manual says: So you can not use * but only what the ISPConfig manual mentions what you can add there. In regard to subdomains, try it to use just soundcloud.com, it might be that this is what postfix mentions as parent domain here.
Thanks for confirming this, @till. Actually, I believe that my issue is not only restricted to Postfix, but also to Rspamd: in spite of my whitelisting on its configuration, Rspamd seems to be still rejecting messages from SoundCloud — they don't even get pass Rspamd to be delivered to Postfix (which is weird, considering that Rspamd's filtering is supposed to be merely advisory and not mandatory). I don't have (yet) sufficiently detailed logs of what's going on, but it's clear that SoundCloud's mail servers, lacking a valid PTR, will get immediately rejected, even if the rest of the configuration (SPF, DKIM, DMARC, etc...) is correct. Oh well. Since this is just a very-low-priority issue, I'm not going to spend any more time in trying to "fix" it on my side. Sooner or later, I'm sure that someone at SoundCloud will figure out their DNS issues and fix them definitely.
Hi Gwyneth, did you ever find an answer for this? I'm looking in to something similar right now, and I THINK that the answer is as simple as putting a . before the domain.tld. In other words, say you wanted to allow mail1.example.com, mail2.example.com, and just mail.example.com, rather than adding all 3, you would just add .example.com to your conf file. I haven't found a good way to trigger/test this, yet, that's why I'm still seeking some confirmation, but I think that will do it, so I wanted to share / see if you've had any luck after I found this forum post!
Huh. Is it that easy?... Well, I tried to do your suggestion, and then tested it out by sending some messages to Gmail. They were delivered, but it seems that they were flagged as spam (they usually are, and the recipient of the test emails I sent is used to it — he placed all my email addresses in his whitelist). But I also got his replies, and those did not get flagged as spam by my server. Then again, the weird issues I was having with emails received from soundcloud.com have disappeared, so I guess that whatever changes were made at either side of the connection, they seem to work, in spite of everything that might still be misconfigured at some point...
Mailservers without PTR should not be respected at all. However the correct solution in this case would have been a rspamd prefilter that disables all checks e.g. want_spam = yes when HELO name is {MAP_OF_HOSTNAMES} or IP is {MAP_OF_IPS}. But i strongly advise against such configurations. If a mailserver is not configured properly and thus not compliant with standards you should not respect them at all. I cannot imagine that these PTRs where missing for long tho.
Hi guys, I'm facing a problem like that. I use Rspamd with maps and it works well. But I have to receive an email from a specific domain. But Postfix rejects it with the line: NOQUEUE: reject: RCPT from mail.domain.another.com.br[...] I know that is not a problem with Rspamd and I don't know where I can whitelist this email in ISPConfig3.
The rejection can come from many different things incl. Rspamd. If its rspamd, you must whitelist it in Rspamd. if you added the domain to the postfix blacklist, then you must use the postfix whitelist to whitelist it. if it got rejected due to a RBL, then there is no whitelist for that.
Hi Till, I don't know where I can whitelist in Postfix. I tried on ISPConfig whitelist in email settings but it didn't work. Modifying via Postfix files seems a bit confusing. I tried to understand but I don't get it.
I'm not talking about postfix files. The postfix whitelist is named postfix whitelist and its in ISPconfig > Email > Postfix whitelist, you must be logged in as admin. But as I mentioned in my post, its unlikely that that you want to use the postfix whitelist as its the counterpart of the postfix blacklist and as you do not even know where they are, its unlikely that you used the blacklist to blacklist the domain which means you can not whitelist the address there.