1

Topic: Cannot receive emails coming from amazonses.com

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue: iredapd.log
====

Hi,

I'm noticing that I don't receive emails coming from amazonses.com

It appears that amazonses.com tries to resend greylisted emails with different IP adresses, so it keeps being greylisted forever.

I suppose I could whitelist amazonses.com but would there be a more optimal solution other than opening wide open the door to spam from amazonses.com?


Log from /var/log/iredapd/iredapd.log

2017-03-16 12:46:06 INFO [54.240.3.13] Client has not been seen before, greylisted.
2017-03-16 12:46:06 INFO 54.240.3.13 RCPT, 0102015ad80312ca-aa564e9a-0a8d-413a-9e35-f999c2f06097-000000@eu-west-1.amazonses.com -> jpbaril@somedomain.net, 451 4.7.1 Intentional policy rejection, please try again later [0.0156s]
2017-03-16 12:53:21 INFO [54.240.3.13] Client retries too soon, greylisted again.
2017-03-16 12:53:22 INFO 54.240.3.13 RCPT, 0102015ad80312ca-aa564e9a-0a8d-413a-9e35-f999c2f06097-000000@eu-west-1.amazonses.com -> jpbaril@somedomain.net, 451 4.7.1 Intentional policy rejection, please try again later [0.5868s]
2017-03-16 13:07:51 INFO [54.240.3.9] Client has not been seen before, greylisted.
2017-03-16 13:07:51 INFO 54.240.3.9 RCPT, 0102015ad80312ca-aa564e9a-0a8d-413a-9e35-f999c2f06097-000000@eu-west-1.amazonses.com -> jpbaril@somedomain.net, 451 4.7.1 Intentional policy rejection, please try again later [0.0196s]

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 (edited by Wraptor 2017-03-17 02:42:30)

Re: Cannot receive emails coming from amazonses.com

OPTION ONE:
Whitelist the domain .amazonses.com

Commands:

cd /opt/iredapd/tools/
python wblist_admin.py --account .amazonses.com --list --whitelist

// the domain must be .amazonses.com and not just amazonses.com as that only whitelists the domain name and no subdomains.

iRedAdmin-Pro has a nice ui to do this: http://www.iredmail.org/docs/amavisd.wb … dadmin-pro

OPTION TWO:

You can whitelist the amazonses.com ip range.
Finding the range is easy using this command:

dig TXT amazonses.com +short| grep 'v=spf1'

Source: https://aws.amazon.com/blogs/ses/amazon … addresses/

Result (at this time):

"v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

You can whitelist the ip ranges: 199.255.192.0/22, 199.127.232.0/22 and 54.240.0.0/18 using the following article at iRedMail documents: http://www.iredmail.org/docs/amavisd.wb … l-commands

Example with SQL:

cd /opt/iredapd/tools/
python wblist_admin.py --add --whitelist 54.240.0.0/18 @.amazonses.com

Steps for iRedAdmin-Pro:
http://www.iredmail.org/docs/amavisd.wb … dadmin-pro

Both solutions should result in the ip's getting through.
You can also disable the greylisting, but I that wouldn't be required and does give you some anti spam.


EDIT: Forgot to mention this: You must have the amavisd_wblist plugin enabled in the /opt/iredapd/settings.py file (Should be enabled by default though).

3 (edited by jpbaril 2017-03-17 03:10:43)

Re: Cannot receive emails coming from amazonses.com

Well, I find strange that I need to whitelist domains which can use many IPs to deliver a single email because it's something more and more frequent nowadays.

I first tried this command:

sudo python /opt/iredapd/tools/greylisting_admin.py --whitelist-domain --from '@.amazonses.com'

I don't now if it worked (did not try to get a new email from amazon) but

sudo python /opt/iredapd/tools/greylisting_admin.py --list-whitelists

did not show anything new.

Then I tried

sudo python /opt/iredapd/tools/spf_to_greylist_whitelists.py --submit amazonses.com

and the previous command then showed new lines for amazonses.com such as

199.127.232.0/22 -> @., "AUTO-UPDATE: amazonses.com"

It now works but how many more servers should I whitelist to be sure to receive all emails coming through? From my point of view manually whitelisting every multiple-ip servers is not sustainable. There must be another more efficient solution.

Thanks

4

Re: Cannot receive emails coming from amazonses.com

My guess is that Amazon is using different IPs if the email fails for lets say that the ip was blocked by some anti spam so that the mail would still be delivered. Amazon not only used 1 multi ip mailserver, they use houndres if not thousands of servers with all having a different ip each and they create a main mail queue from which the fastest server/the first one available will deliver it.

Whitelisting them is the best option. You could also disable greylisting if it is a to big of a deal to you. It'll just be a maner of time before the spammers catch up and make systems resend the spam as normal mailservers do.

5 (edited by jpbaril 2017-03-17 05:58:41)

Re: Cannot receive emails coming from amazonses.com

That may not be on iRedMail's end, but in my view Greylist analysis should consider IP addresses present in SPF records as equivalent and only delay receiving the email once.

6

Re: Cannot receive emails coming from amazonses.com

jpbaril wrote:

It now works but how many more servers should I whitelist to be sure to receive all emails coming through? From my point of view manually whitelisting every multiple-ip servers is not sustainable. There must be another more efficient solution.

Dear jpbaril,

You should import SQL file /opt/iredapd/SQL/greylisting_*.sql to iredapd SQL db. it contains some big ISPs.After imported, run 'spf_to_greylist_whitelists.py' script without any argument again.