Symptoms
-
Messages from senders that use different IP addresses (e.g. Office365 email accounts) are deferred by greylisting handler with the following messages in
/var/log/maillog
:/usr/lib64/plesk-9.0/psa-pc-remote[956]: DEFER during call 'grey' handler
/usr/lib64/plesk-9.0/psa-pc-remote[956]: Message aborted.
postfix/smtpd[2028]: 61AF6E27BAB4: milter-reject: DATA from mail-*.outbound.protection.outlook.com[10.10.10.10]: 451 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<*.outbound.protection.outlook.com>
server postfix/cleanup[17368]: C860512160C: milter-reject: END-OF-MESSAGE from mail-eopbgr60135.outbound.protection.outlook.com[40.107.6.135]: 4.7.24 SPF validation error.; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>
-
In some cases, email messages are delivered within 1-2 days.
-
The following message can be delivered to a sender (e.g. Office365 email account):
Final-recipient: RFC822; [email protected]
Action: failed
Status: 5.4.0
X-Supplementary-Info: < #5.4.300 smtp;550 5.4.300 Message expired -> 451 4.7.1 Service unavailable - try again later>
Cause
This is expected behavior when greylisting is enabled: The first message is rejected, and the next message sent from the same address (sender server IP address and 'From:') will be accepted after a certain length of time passes. So if an email address is the same, but IP address is different, emails from this email address will be rejected.
For example, emails from *protection.outlook.com are sent from multiple IP addresses. This causes greylisting treat every new retry as a new message, so there is a delay in message delivery until the same pair of email/IP address is logged.
Resolution
Set up a server-wide white-list for Office 365 domains - a list of hosts which emails will be accepted without greylisting check-ups:
-
Connect to the Plesk server via SSH.
-
Add the main part of a sender hostname in the command below (in this example, it is for Office365) and run it:
# /usr/local/psa/bin/grey_listing -u -domains-whitelist add:*outbound.protection.outlook.com
To learn more about greylisting configuration options, visit this KB article.
To make sure that the network allows connections from all Exchange Online Protection (EOP) IP address ranges., visit this Microsoft Docs page.