What is the correct Postfix whitelist configuration for subdomains?

Hi there,

I'm a little confused about the correct way to whitelist all possible subdomains for a specific subdomain, using the ISPConfig 3.2 control panel (obviously, I can do it manually, but that will not survive a ISPConfig upgrade!)

Here is the problem I just found: SoundCloud uses several outgoing email servers. When trying to create an account or change a password with them, they will send a confirmation email with a link. The problem is that many (all?) of those email servers have broken PTR configurations, and, as such, my strict Postfix rules will reject them. I cannot say if it happens with all outgoing email servers, or just with some; also, I have no idea how many there are, and if the names will change in the future or not (who knows, they might even fix their PTR records...).

Thus, for the time being, I'd like to whitelist everything coming from *.soundcloud.com. Note that SoundCloud usually has more than one level of subdomains, e.g. o5.hello.soundcloud.com, o6.hello.soundcloud.com, sg.hello.soundcloud.com (just to mention those I've recently caught on /var/log/mail.log). There might be more possible combinations; some might even be correct!

They're not the only company using this scheme of naming outgoing email servers — Gmail notoriously does the same — but, so far, they're the first legitimate "big" company I found with an utterly broken outgoing email configuration...

Anyway, whitelisting subdomains is not specifically mentioned on the ISPConfig 3.1 manual. On page 209, it only gives the following examples:

Code:

[email protected], somedomain.com, mail.freemailer.tld, 1.2.3.4, sales@

From these one might argue that things such as user@*.example.com are not supported, nor *.example.com. Is that so?

My question is not necessarily a new one. This 5-year-old thread asks essentially the same: https://forum.howtoforge.com/thread...accept-wildcard-subdomains.78837/#post-450321 (sorry for necro-bumping that thread!)

This one is even older, from someone who migrated from 2 to 3 and is confused about the options: https://forum.howtoforge.com/thread...black-list-cant-use-domain.70676/#post-332677

I'm confused with the answers

Obviously, I could try it out on my own and see what happens; probably the control panel does allow that syntax and it does exactly what I expect it to do. But the last thing I want is to disturb my already incredibly fragile email environment, which tends to break and collapse if I sneeze...

It's better to ask first than to be sorry later!

Thanks in advance!

 

Thanks for confirming this, @till. Actually, I believe that my issue is not only restricted to Postfix, but also to Rspamd: in spite of my whitelisting on its configuration, Rspamd seems to be still rejecting messages from SoundCloud — they don't even get pass Rspamd to be delivered to Postfix (which is weird, considering that Rspamd's filtering is supposed to be merely advisory and not mandatory). I don't have (yet) sufficiently detailed logs of what's going on, but it's clear that SoundCloud's mail servers, lacking a valid PTR, will get immediately rejected, even if the rest of the configuration (SPF, DKIM, DMARC, etc...) is correct.
Oh well. Since this is just a very-low-priority issue, I'm not going to spend any more time in trying to "fix" it on my side. Sooner or later, I'm sure that someone at SoundCloud will figure out their DNS issues and fix them definitely.

 

Hi Gwyneth, did you ever find an answer for this? I'm looking in to something similar right now, and I THINK that the answer is as simple as putting a . before the domain.tld.
In other words, say you wanted to allow mail1.example.com, mail2.example.com, and just mail.example.com, rather than adding all 3, you would just add .example.com to your conf file. I haven't found a good way to trigger/test this, yet, that's why I'm still seeking some confirmation, but I think that will do it, so I wanted to share / see if you've had any luck after I found this forum post!

 

Huh. Is it that easy?...
Well, I tried to do your suggestion, and then tested it out by sending some messages to Gmail. They were delivered, but it seems that they were flagged as spam (they usually are, and the recipient of the test emails I sent is used to it — he placed all my email addresses in his whitelist). But I also got his replies, and those did not get flagged as spam by my server.
Then again, the weird issues I was having with emails received from soundcloud.com have disappeared, so I guess that whatever changes were made at either side of the connection, they seem to work, in spite of everything that might still be misconfigured at some point...

 

At least I'm glad to know I'm not the only one confused by this. Good luck out there!

 

Mailservers without PTR should not be respected at all. However the correct solution in this case would have been a rspamd prefilter that disables all checks e.g. want_spam = yes when HELO name is {MAP_OF_HOSTNAMES} or IP is {MAP_OF_IPS}. But i strongly advise against such configurations. If a mailserver is not configured properly and thus not compliant with standards you should not respect them at all.
I cannot imagine that these PTRs where missing for long tho.

 

Hi guys, I'm facing a problem like that. I use Rspamd with maps and it works well. But I have to receive an email from a specific domain. But Postfix rejects it with the line:
NOQUEUE: reject: RCPT from mail.domain.another.com.br[...]
I know that is not a problem with Rspamd and I don't know where I can whitelist this email in ISPConfig3.

 

Hi Till, I don't know where I can whitelist in Postfix. I tried on ISPConfig whitelist in email settings but it didn't work. Modifying via Postfix files seems a bit confusing. I tried to understand but I don't get it.