Knowledge Base

Greylisting defers emails from senders that use multiple IP addresses

Symptoms

Messages from senders that use different IP addresses (e.g. Office365 email accounts) are deferred by greylisting handler with the following messages in /var/log/maillog:

/usr/lib64/plesk-9.0/psa-pc-remote[956]: DEFER during call 'grey' handler
/usr/lib64/plesk-9.0/psa-pc-remote[956]: Message aborted.
postfix/smtpd[2028]: 61AF6E27BAB4: milter-reject: DATA from mail-*.outbound.protection.outlook.com[10.10.10.10]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<*.outbound.protection.outlook.com>

server postfix/cleanup[17368]: C860512160C: milter-reject: END-OF-MESSAGE from mail-eopbgr60135.outbound.protection.outlook.com[40.107.6.135]: 4.7.24 SPF validation error.; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>
In some cases, email messages are delivered within 1-2 days.
The following message can be delivered to a sender (e.g. Office365 email account):

Final-recipient: RFC822; [email protected]
Action: failed
Status: 5.4.0
X-Supplementary-Info: < #5.4.300 smtp;550 5.4.300 Message expired -> 451 4.7.1 Service unavailable - try again later>

Cause

This is expected behavior when greylisting is enabled: The first message is rejected, and the next message sent from the same address (sender server IP address and 'From:') will be accepted after a certain length of time passes. So if an email address is the same, but IP address is different, emails from this email address will be rejected.

For example, emails from *protection.outlook.com are sent from multiple IP addresses. This causes greylisting treat every new retry as a new message, so there is a delay in message delivery until the same pair of email/IP address is logged.

Resolution

Set up a server-wide white-list for Office 365 domains - a list of hosts which emails will be accepted without greylisting check-ups:

Connect to the Plesk server via SSH.
Add the main part of a sender hostname in the command below (in this example, it is for Office365) and run it:

# /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*outbound.protection.outlook.com

To learn more about greylisting configuration options, visit this KB article.

To make sure that the network allows connections from all Exchange Online Protection (EOP) IP address ranges., visit this Microsoft Docs page.

Email header analysis reports SPF failed for localhost IP on mail sent from Plesk hosted mailbox: SPF Authentication : SPF Failed for IP – 127.0.0.1

Unable to send mail from Plesk server: deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)

Websites on Plesk server are slow or show error 500 or PHP mail cannot be sent: ap_pass_brigade failed

Mail delivery does not work: do not list domain in BOTH mydestination and virtual_mailbox_domains

Hosting Wiki