Rocco Scappatura wrote:
And spammer are becoming more faster as the time goes on.. Is it
convenient to use gray listing
newer bots retry, so GL is only effective is the time
interval is large enough, but that's not a neutral thing so
should be restricted to suspicious mail. That's what I use GL
for anyway.
What do I need to set up GL? Only the command below or there is
something other parameter that I could set up (eg: the time spent before
a message is accepted and so on)?
of course, you need to install a policy server! Cami's policyd is a good
choice (it also has other features such throttling, blacklisting, ...
etc). for postfix config see below.
the spam you showed has:
Received: from [125.128.59.158] (unknown [125.128.59.158])
which means the client is "unknown" and it helo'ed with a
literal IP (it's from Korea too but let's ignore this). My
postfix has a check_helo_acces with a pcre:
/^[/ reject_unknown_client, policy_greylist
This rejects mail if the client is unknown and helo's with a
literal IP.
It's very interesting.. In what restriction do I have to put the rulese
above?
see below.
I've not seen literal IPs in ham on an MX. Note that this
test must not be applied on an MSA: MUAs like Thunderbird do
helo with a literal IP.
Infact..
Indeed I'm not using MSA.. So this complicates the things.. :-(
Not really, because when using port 25, submitted mail is whitelisted
via permit_mynetworks, permit_sasl_authenticated.
Here is a restrictions example.
smtpd_recipient_restrictions =
# allow submission via port 25
permit_mynetworks
permit_sasl_authenticated
# no relay from here
reject_unauth_destination
# non fqdn addresses are not valid
reject_non_fqdn_sender
reject_non_fqdn_recipient
# recipient BL and WL, traps, spamlovers ...
check_recipient_access ${pcre_prefix}/recipient_acl
check_recipient_access ${hash_prefix}/recipient_acl
# sender BL
check_sender_access ${pcre_prefix}/sender_acl
# address validation
reject_unlisted_recipient
reject_unlisted_sender
# "site" client WL and BL
check_client_access ${cidr_prefix}/client_acl
check_client_access ${hash_prefix}/client_acl
# DNSWL
check_client_access ${cidr_prefix}/dnswl/postfix-dnswl-permit
reject_invalid_helo_hostname
# this may catch misconfigured MTAs:
reject_non_fqdn_helo_hostname
# obvious helo forgery (our domain, our IP, ...)
check_helo_access ${hash_prefix}/helo_acl
# helo discrepancies
check_helo_access ${pcre_prefix}/helo_acl
# if we can't reach them, reject them
reject_unknown_sender_domain
# block bogus MX, tld wildcard MX, ...
check_sender_mx_access ${cidr_prefix}/sender_mx_acl
# DNSBL checks
reject_rbl_client ...
smtpd_restriction_class =
policy_greylist
...
policy_greylist =
check_policy_service inet:127.0.0.1:10031
the variables like cidr_prefix are defined like this:
cidr_prefix = cidr:/etc/postfix/maps/cidr
...
If you want to avoid further checks when greylisting, you need to
configure the policy service to return DEFER instead of DEFER_IF_PERMIT.
The test is run before DNSBL checks, so it saves some cycles
and reduces the load on DNSBL sites. these days, the test
catches about 15% of mail rejected at MTA time.
Note that reject_unknown_client returns a temp error, but
unlike GL, you'll need to whitelist the client if you want to
accept his mail). if this is a real issue, just remove the
reject_unknown_client part and leave the greylisting check. but
So you are saying that I have to WL the client that present himself to
my server with an IP rather than a hostname?
I don't understand. you only need to whitelist a client if you want to
accept his mail _and_ he triggers one of your checks. if you have a
doubt, use this for some time:
/^\[/ warn_if_reject reject_unknown_client, policy_greylist
and check your logs during some period to see if you get legitimate
clients using a literal IP and triggering reject_unknown_client.
And how I could withelist that client?
see above (the .../client_acl lines). but if you find yourself
whitelisting many clients, then it's time to remove the check instead.
manual whitelisting is only good if it is rare.
Aren't we getting OT?
