Alex:
> Hi,
>
> I'm using sqlgrey for my greylisting service and having trouble with a
> particular entry. I need to make sure email from this sender doesn't get
> blocked, so would like to confirm that I can add something to my recipient
> restrictions to bypass the SPF check for this domain.
>
> Nov 2 18:02:30 armor policyd-spf[3053263]: 550 5.7.23 Message rejected due
> to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=
> <UNKNOWN>
> Nov 2 18:02:30 armor postfix-113/smtpd[3053261]: NOQUEUE: reject: RCPT
> from wd1-az-mail-nat.myworkday.com[209.177.165.161]: 550 5.7.23 <
> repo...@example.com>: Recipient address rejected: Message rejected due to:
> SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=<UNKNOWN>;
> from=<workday_supp...@generalatlantic.com> to=<repo...@example.com>
> proto=ESMTP helo=<wd1-az-mail-nat.myworkday.com>
>
> This appears to indicate that generalatlantic.com is using the workday
> service to send email, but the generalatlantic.com SPF record does not
> include myworkday.com on the list of authorized senders.
>
> I've added the following to my sqlgrey FQDN whitelisting entries, but
> somehow it's still being rejected:
> *.myworkday.com
> generalatlantic.com
>
> And the IP range to the IP whitelist:
> 209.177.165.0/24
>
> Here is my smtpd_recipient_restrictions:
>
> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> reject_unlisted_recipient,
> reject_unknown_recipient_domain,
> permit_mynetworks,
> reject_unauth_destination,

With Postfix, between reject_unauth_destination and policy-spf, insert:

    check_sender_access inline:{{workday_supp...@generalatlantic.com = permit}}

or

    check_client_access inline:{{myworkday.com = permit}}

to exclude such email from further restrictions.

        Wietse
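
The placement described in the reply above, written out against the restriction list from the question, as an added example that is not part of the original thread. It assumes Postfix 3.0 or later (needed for the inline: table type) and that the SPF policy daemon is attached as check_policy_service unix:private/policy-spf, an endpoint name the thread does not show.

```ini
# /etc/postfix/main.cf (added example, not from the thread)
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    # Exemption sits after reject_unauth_destination, so the "permit"
    # cannot turn the server into a relay, and before the SPF policy
    # service, so matching clients never reach the SPF check.
    # With the default parent_domain_matches_subdomains setting, the key
    # myworkday.com also matches wd1-az-mail-nat.myworkday.com.
    check_client_access inline:{{myworkday.com = permit}},
    # ASSUMPTION: endpoint name for policyd-spf; keep whatever
    # check_policy_service entry the host already uses here.
    check_policy_service unix:private/policy-spf
```

The client-based form is used here because check_client_access keys on the client hostname that Postfix resolved for the connecting IP address, while check_sender_access keys on the envelope sender supplied by the remote side. A permit result ends evaluation of this list only, so any greylisting policy service listed after it is also skipped for matching clients.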