Conditional Greylisting
Is it possible to configure Postfix so that greylisting only happens under specific conditions? I'd like to have DKIM/SPF setup and if an e-mail passed those I want to to completely bypass greylisting. However, if it soft-fails those checks then I want it to greylist next. I have all of the above things working already - just not the conditional greylisting. I'd love some help accomplishing this! Thank you very much!
Re: Conditional Greylisting
I have (well had, technically) all of these running under the smtpd_recipient_restrictions with check_policy_service statements. On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote: > I think he is out after doing a temporary fail after the DATA stage, thus > avoiding the chicken and egg problem. > > -Ursprungligt meddelande- > From: Wietse Venema > Sent: Friday, September 18, 2015 7:50 PM > To: Postfix users > Subject: Re: Conditional Greylisting > > Bruce Marriner: > > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to > > to completely bypass greylisting. However, if it soft-fails those > > checks then I want it to greylist next. > > You have a chicken and egg problem. DKIM signature verification > requires that Postfix receives the email message. Greylisting > happens BEFORE Postfix receives the email message. > > Wietse >
Re: Conditional Greylisting
Thanks, I'll read about that tool. I'm pretty new to DKIM/SPF and am just now trying to set it up. I've been using postgrey for awhile and it does work great but it creates a lot of lag and causes problems (lost e-mail) with a lot of email senders. So I want to be able to set up Postfix so, if it passes DKIM or other checks that give me a high confidence then just skip the postgrey stuff entirely. But, if it's a "Not sure" e-mail, then go ahead and postgrey it. I'll read about mtpolicyd and see if I can understand what my options with that would be. On Fri, 2015-09-18 at 20:20 +0200, Benning, Markus wrote: > I'm also using a policy daemon to build a score based on Whitelists, > SPF, RBLs, GeoIP, etc. > And then apply greylisting, rejects based on the score. > (as in mtpolicyd example configuration: > https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf) > > But you can't do content checks in a recipient_restriction. > DKIM is based on message content. > > > Markus > > Am 2015-09-18 20:09, schrieb Bruce Marriner: > > I have (well had, technically) all of these running under the > > smtpd_recipient_restrictions with check_policy_service statements. > > > > On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote: > >> I think he is out after doing a temporary fail after the DATA stage, > >> thus > >> avoiding the chicken and egg problem. > >> > >> -Ursprungligt meddelande- > >> From: Wietse Venema > >> Sent: Friday, September 18, 2015 7:50 PM > >> To: Postfix users > >> Subject: Re: Conditional Greylisting > >> > >> Bruce Marriner: > >> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to > >> > to completely bypass greylisting. However, if it soft-fails those > >> > checks then I want it to greylist next. > >> > >> You have a chicken and egg problem. DKIM signature verification > >> requires that Postfix receives the email message. Greylisting > >> happens BEFORE Postfix receives the email message. > >> > >> Wietse > >> >
Re: Conditional Greylisting
On Friday, September 18, 2015 01:41 PM CDT, wie...@porcupine.org (Wietse Venema) wrote: > Since DKIM requires content inspection and you want decisions before > Postfix replies to end-of-data, another option is to use the > smtpd_proxy_filter or smtpd_milters feature (both as before-queue > content filters) and to let the filter tempfail the message depending > on DKIM/greylist results. > > http://www.postfix.org/SMTPD_PROXY_README.html > http://www.postfix.org/MILTER_README.html > > Wietse Oh, thanks I'll read about those more too. The guide I followed to setup opendkim actually did have me set it up using the smtpd_milters setting. I'll have to read up on how to.. tempfail :)
Re: Conditional Greylisting
On Friday, September 18, 2015 04:59 PM CDT, "Bill Cole" wrote: > On 18 Sep 2015, at 14:29, Bruce Marriner wrote: > > > So I want to be able to set up Postfix so, if it passes DKIM or other > > checks that give me a high confidence then just skip the postgrey > > stuff > > entirely. > > In what exactly does a valid DKIM signature give you high confidence? I > suspect that this is misplaced... > > All a DKIM signature validation tells you is that a message was in fact > signed at the mail system where it claimed to have been signed by an > entity in control of the DNS for the domain identified the signature and > that none of the message fields specified in the DKIM header have been > changed in transit. Looking at the spam that has made it through my > filters this year, I see that 27% of those messages had a valid DKIM > signature, because in fact any spammer who can open a Yahoo account or > register a domain can send mail with a valid DKIM signature. Ah, well. I think you might be right about misplaced. I've been reading about this all day learning it and I've started to realize the same thing. I would like Now, why can't all the spammers just add a ThisIsSpam header. Sure would make my life easier :) I'd still like to reduce my dependency on postgrey. So, if has valid SPF, valid DKIM, has a low SpamAssassin score, then I could skip it without raising spam too much, or at all :). Postgrey just works so well :) I mean, if I have that on I get almost no spam. But sometimes somethings that should come though don't and many things are delayed. When I turn it off, I get tons of spam. So, I need to start adding more stuff into the mix like SpanAssassin, SPF, DKIM, whatever so I can reduce my Postgrey dependency a little. My first few google searches were covered in the DKIM/SPF stuff so I guess that's where I've started first.