03-30-2018 08:39 AM - edited 03-08-2019 07:35 PM
Hi,
I have a vendor that is sending us a good amount of email. I usually use HAT to apply a different throttling policy; however, in the case of this vendor, when I look at the logs they are sending from a lot of different IPs and DNS hostnames (looks like they are using outlook.com, probably for email filtering). Their envelope sender domain doesn't match their DNS hostname.
What would be the best way for me to whitelist them?
04-01-2018 05:23 PM
03-30-2018 08:46 AM
03-30-2018 08:58 AM
So if I have "rejected by receiving control" wouldn't that not make it to incoming mail policies to get processed?
03-31-2018 10:33 PM
Hey Toolshed,
Rejected by receiving controls would mean they won't make it to the mail policies - correct.
The limits are being applied at the HAT overview already at this stage.
As you shared this sender comes from a variety of IPs/DNS hostname and you cannot add them to your whitelisting at the HAT level; it would require the mail policy level if their domain name remains constant to whitelist them.
With regards to allowing them to meet the incoming mail policy level - you would either need to generate and track the list of IPs they use and create a separate sendergroup for them; or risk changing your overall rate limits to be more accommodating.
(if there is a common part of their hostname that is unique to them, then you can always add the hostname wildcard for sendergroup matching. For example .domain.com if the senders are always from n.domain.com where the n can be anything.)
Regards,
matthew
04-01-2018 07:55 AM - edited 04-01-2018 07:56 AM
Matthew,
Issue is that it's coming from outlook.com or amazon.com as their rDNS. I don't mind changing the # of messages allowed per hour; I just don't also want to open it up to the spam coming from outlook.com.
I just need to allow based on their envelope sender address.
04-01-2018 08:03 AM
04-01-2018 05:17 PM
They are different.
The envelope sender is our vendor's domain, user@vendor.com. It's also the from address in Outlook.
However, it's not what the ESA sees as where the emails are coming from. It sees them coming from outlook.com.
04-01-2018 05:21 PM
04-01-2018 04:40 PM
04-01-2018 05:20 PM - edited 04-01-2018 05:26 PM
So my steps would be:
1. Create another sender group in HAT and add *.outlook.com there.
2. Create a policy that will be assigned to that sender group that has low mps.
3. Create an address book.
4. Select that address book in the policy under the envelope sender option that says ignore.
I already tracked the header. That's what I do in almost all cases. Typically vendors and other senders host their own email servers, so I look at the headers and add that and/or the IPs to our policies. Usually it's 2 or 3 IPs, so not a huge deal. The issue I'm running into is when they use Office 365 or some other service and I don't want to use a policy with high mps for outlook.com, because in a lot of cases we get phishing emails from there as well.
04-01-2018 05:23 PM
04-01-2018 05:28 PM - edited 04-01-2018 05:32 PM
Just to clarify: by senders you mean outlook.com, which I see in the first line of the message in the logs, and not user@vendor.com, which is the envelope domain?
So essentially I still have to track all IPs and/or rDNS hosts and just add them to the sender group as I see new ones appearing?
In rDNS I see variousinfo.outlook.com, so adding *.outlook.com won't be enough?
04-01-2018 05:31 PM
Let's get back to the beginning... are these emails you want to whitelist from someone using the free email service? Aka mail is from JohnDoe@outlook.com?
Or is the mail from someone using Office365? Aka mail is from JohnDoe@company.com, IPs resolve back to *.outlook.com.
Either way, don't bother with the HAT (that "Whitelist" name is poorly chosen).
Create an Incoming Mail Policy. For the first option you'll have to enter each xxx@outlook.com address as a from address that the policy applies to.
For the second option, you can just use @company.com for the from addresses.
04-01-2018 05:43 PM - edited 04-01-2018 05:46 PM
Ken,
It's the second option.
In Outlook and in the ESA envelope sender it's from user@vendor.com. We get reports that emails are being delayed. When I look at the logs on the ESA, it's because they are hitting the messages allowed per hour limit (rejected by receiving control). Typically I would assign their IP or rDNS from the logs to a higher mps policy, but in this case they are using Office 365, so technically everything is coming from xxxxxxx.outlook.com.
I did add @vendor.com to the incoming mail policy and I see in the log that it matches; however, if they send a ton of email per hour they are still getting "rejected by receiving control" in the logs.
The only way I was able to work around that is if I add the IPs to a HAT sender group that uses a higher mph policy; however, I don't want to do that with outlook.com IPs.
04-01-2018 06:05 PM