[Wolves] Greylisting

Adam Sweet drinky76 at yahoo.com
Wed Apr 22 13:43:02 UTC 2009


----- Original Message ----

> From: Wayne Lists <waynelists at machx.co.uk>
> To: Wolverhampton Linux User Group <wolves at mailman.lug.org.uk>
> Sent: Wednesday, 22 April, 2009 0:53:40
> Subject: [Wolves] Greylisting
> 
> I see that there is a new greylisting option for Fedora - something 
> called Milter.

I believe milters are Sendmail and possibly also Postfix specific. I might be wrong, and you're using Exim if I recall correctly.

> Is it any better than the original greylistd which was good but suffered
> from a problem with senders like yahoo and aol - often the second, third
> and fourth times an email was tried would be from a different email
> server and it would be rejected.

As Ron has already said, you can just whitelist them. Set your greylist retryMin option to something really low, like 10 seconds. The option is called retryMin but it actually appears to be in seconds, so 10 will do it. You only need to refuse the first connection. Ideally you would accept the same sender/recipient/IP immediately, but the idea of the delay is to allow time for spammy senders to get blacklisted by the RBLs. Still, 10 seconds is fine to block the initial connection, because real spam probably won't come back with the same sender/recipient/IP triplet if it doesn't come back within an hour or so.

Of course this won't solve your problem with different outgoing servers. Greylistd comes with a whitelist file which whitelists a lot of Yahoo, AOL and other servers. Greylistd doesn't consult it itself; it's for use by your MTA, which should check your whitelist file before calling greylistd when it hits your greylisting.

I have a similar problem with Gmail. They have so many outgoing servers that I've had a single mail constantly bouncing off my machine for around 3 days before I realised and intervened. Just try getting a list of Gmail's outgoing mail servers (actually I just looked up their SPF records in DNS, but I only just thought of that... and the problem remains for anybody who doesn't publish SPF, like Yahoo it seems).

An SPF record is simply a TXT record in DNS, so you can look up SPF with:

dig gmail.com txt

Gmail's SPF record asks you to query _spf.google.com, so:

dig _spf.google.com txt

<snip>

;; ANSWER SECTION:
_spf.google.com.    300    IN    TXT    "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

The ?all at the end means that this list may not include all gmail.com outgoing servers (see below).

You just have to whitelist them; I don't think there's any other way around that in any greylisting solution. I decided that I would only greylist people whose SPF records weren't explicit enough (i.e. didn't exist, or were ambiguous, faulty or incomplete), but I don't seem to be able to get SPF working in Debian's version of Exim, and in the case of Gmail, where the list is incomplete, it wouldn't help, so it will have to go on the list of things to do. You could look into DomainKeys (now DKIM), which was Yahoo's answer to the spam problem, but I'm not sure who else implements it, and your simple mail server starts to look a bit hairy to configure at that point.

http://www.openspf.org/
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
http://www.dkim.org/

I do believe Postfix is quite nice from the time I've spent with it, but I've invested a reasonable amount of time and effort in my Exim setup, so it would be quite a big thing to migrate the same functionality set to Postfix.

Ad

 -- 

http://blog.adamsweet.org/
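The two mechanisms discussed in the message above (a sender/recipient/IP triplet greylist with a short retryMin, and a whitelist built from a domain's SPF ip4 ranges that the MTA consults before greylisting) as an added, self-contained example. This is illustrative code written for this page, not greylistd's code or the poster's Exim setup. The DNS lookups are replaced by a constructed dict: the _spf.google.com text is the 2009 record quoted in the message, and the `gmail.com` entry is an assumed `redirect=` form of "asks you to query _spf.google.com" (current records differ; query DNS for real use). The retry window logic is simplified, and the IPs used for the rotating-sender simulation are constructed TEST-NET addresses.

```python
"""Added example: greylisting by sender/recipient/IP triplet with an SPF-derived
whitelist checked first. Illustrative code, not greylistd or the poster's setup."""
import ipaddress

# Constructed stand-in for DNS (domain -> SPF TXT record). The _spf.google.com
# text is the one quoted in the post (April 2009); the gmail.com redirect is an
# assumed form of "asks you to query _spf.google.com". Real records change.
SPF_RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": (
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
    ),
}


def spf_networks(domain, records, depth=0):
    """Return (ip4 networks, 'all' qualifier) for a domain, following
    include:/redirect= through the records table. Only ip4 terms are handled;
    a/mx/ptr/exists would need real DNS. A small depth limit keeps a looping
    include from recursing forever."""
    if depth > 10 or domain not in records:
        return [], None                              # no record: nothing to whitelist
    nets, qualifier = [], None
    for term in records[domain].split()[1:]:         # skip "v=spf1"
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            sub, _ = spf_networks(term[8:], records, depth + 1)
            nets.extend(sub)                         # an include's 'all' is ignored
        elif term.startswith("redirect="):
            sub, qualifier = spf_networks(term[9:], records, depth + 1)
            nets.extend(sub)                         # a redirect's 'all' is inherited
        elif term.endswith("all"):
            qualifier = term[:-3] or "+"             # "+all", "-all", "~all", "?all"
    return nets, qualifier


class Greylist:
    """Minimal triplet greylister. retry_min is the delay (seconds) a triplet
    must wait before its retry is accepted; retry_max is how long a triplet
    that never came back is remembered (after that it starts over)."""

    def __init__(self, whitelist=(), retry_min=10, retry_max=4 * 3600):
        self.whitelist = list(whitelist)
        self.retry_min = retry_min
        self.retry_max = retry_max
        self.first_seen = {}

    def check(self, sender, recipient, ip, now):
        # The MTA consults the whitelist before greylisting, so a sender that
        # rotates through many outgoing hosts is never asked to retry.
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "ACCEPT"
        triplet = (sender.lower(), recipient.lower(), ip)
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.retry_max:
            self.first_seen[triplet] = now           # new triplet: refuse it once
            return "DEFER"
        if now - first < self.retry_min:
            return "DEFER"                           # came back too soon
        return "ACCEPT"


def rotating_sender(greylist, sender, recipient, ips, interval=600):
    """Simulate one message retried from a different outgoing host each time,
    the Yahoo/AOL/Gmail failure mode from the post. Returns the decisions."""
    return [greylist.check(sender, recipient, ip, i * interval)
            for i, ip in enumerate(ips)]


if __name__ == "__main__":
    plain = Greylist(retry_min=10)
    hosts = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]   # constructed TEST-NET IPs
    print("no whitelist:", rotating_sender(plain, "a@example.org", "b@example.net", hosts))
    nets, q = spf_networks("gmail.com", SPF_RECORDS)
    print(f"gmail.com resolves to {len(nets)} ip4 ranges, all-qualifier {q!r}")
    wl = Greylist(whitelist=nets, retry_min=10)
    print("whitelisted:", wl.check("a@gmail.com", "b@example.net", "74.125.10.3", 0))
```

Run as-is, the rotating sender is deferred on every attempt because each attempt forms a new triplet, which is exactly the multi-day bounce loop described above. With the SPF ranges loaded as a whitelist, a host inside them is accepted on the first connection. Note that the `?all` qualifier returned for gmail.com only marks unlisted hosts as neutral, so a Gmail outgoing server outside those ranges still lands in the greylist; only a domain publishing `-all` gives a list you can treat as complete.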