
Re: Greylisting and Postfix

  • Lance Dryden
    Message 1 of 18 , May 31 11:09 AM
      Marco Bertorello wrote:
      >
      > No problems. I've installed postgrey and (like documentation say) I've
      > added something like this, in main.cf:
      >
      > smtpd_recipient_restrictions =
      > permit_mynetworks
      > ...
      > reject_unauth_destination
      > check_policy_service inet:127.0.0.1:60000
      >
      > All works fine out-of-the-box :-)
      >
      > I'm very curious about SQLgrey (http://sqlgrey.sourceforge.net/), a
      > fork of postgrey... Someone already use this tool?

      SQLgrey is in use on my end-station MTA (~4 accounts). It seems to do
      quite a good job for now.

      Might change when people's workstations have 128GB of memory for storing
      transmission attempts, but for now it's all I use for UCE filtering.

      Yours, &c
      Lance Dryden
    • Covington, Chris
      Message 2 of 18 , May 31 11:16 AM
        On Wed, May 31, 2006 at 11:49:40AM -0500, Esquivel, Vicente wrote:
        > Hello all,
        >
        > Is anyone using greylisting and how successful has it been for you? How
        > difficult was it to implement on an existing postfix mail gateway
        > server?

        I have been using policyd.sourceforge.net for 1 year now and it has
        worked flawlessly throughout. It's mysql-based, and always has
        been.

        ---
        Chris Covington
        IT
        Plus One Health Management
        75 Maiden Lane Suite 801
        NY, NY 10038
        646-312-6269
        http://www.plusoneactive.com
      • Lars Ringh
        Message 3 of 18 , May 31 11:22 AM
          Esquivel, Vicente wrote:

          > Is anyone using greylisting and how successful has it been for you? How
          > difficult was it to implement on an existing postfix mail gateway
          > server?

          I've only used it (cami's policyd) for about two weeks, and I can't
          really say I'm seeing any difference in the amount of spam reaching
          through to our spamfilters at all.

          I've set it up on the servers serving our private home customers but not
          on those servicing our corporate customers, and the difference in the
          amount of spam coming through to our spam-filter differs about as much
          as it did before greylisting.

          Implementing it, however, went really smoothly. Not much you have to do,
          and excellent instructions are easily found.

          //maccall
        • Esquivel, Vicente
          Message 4 of 18 , May 31 11:44 AM
            > -----Original Message-----
            > From: owner-postfix-users@...
            > [mailto:owner-postfix-users@...] On Behalf Of Marco Bertorello
            > Sent: Wednesday, May 31, 2006 12:04 PM
            > To: postfix-users@...
            > Subject: Re: Greylisting and Postfix
            >
            > On Wed, 31 May 2006 11:49:40 -0500
            > "Esquivel, Vicente" <Esquivelv@...> wrote:
            >
            > > Hello all,
            >
            > Hi,
            >
            > > Is anyone using greylisting and how successful has it been for you?
            >
            > I've implemented greylisting successfully in a mailserver
            > based on debian and postfix with postgrey tool. The quantity
            > of spam is reduced by ~80%.
            >
            > > How difficult was it to implement on an existing postfix
            > mail gateway
            > > server?
            >
            > No problems. I've installed postgrey and (like documentation
            > say) I've added something like this, in main.cf:
            >
            > smtpd_recipient_restrictions =
            > permit_mynetworks
            > ...
            > reject_unauth_destination
            > check_policy_service inet:127.0.0.1:60000
            >
            > All works fine out-of-the-box :-)
            >
            > I'm very curious about SQLgrey
            > (http://sqlgrey.sourceforge.net/), a fork of postgrey...
            > Someone already use this tool?
            >
            > cheers,
            >
            > P.S. Sorry for my orrible english :)
            >
            > --
            > Marco Bertorello
            > System Administrator
            > http://bertorello.ns0.it/
            >

            Thanks all for your replies, they have helped greatly!

            I have another question though and that is:

            I am thinking about running it on the same server that we run our third
            party spam filtering application (puremessage) that uses postfix.

            Is everyone running greylist on their main postfix gateway server or is
            everyone running greylisting on a separate individual server? What
            would be the pros and cons?

            Thanks
            Vince
          • Brian Collins
            Message 5 of 18 , May 31 11:58 AM
              > I have another question though and that is:
              >
              > I am thinking about running it on the same server that we run our third
              > party spam filtering application(puremessage) that uses postfix.
              >
              > Is everyone running greylist on their main postfix gateway server or is
              > everyone running greylisting on a separate individual server? What
              > would be the pros and cons?

              I run it on my mail gateway. That same server runs antivirus & antispam
              (via amavisd-new). Actually I run that setup on 3 separate Postfix mail
              gateways (2 run postgrey and one runs sqlgrey). No problems.

              --Brian
            • Andrew Diederich
              Message 6 of 18 , May 31 1:14 PM
                On 5/31/06, Brian Collins <listbc@...> wrote:
                > I run it on my mail gateway. That same server runs antivirus & antispam
                > (via amavisd-new). Actually I run that setup on 3 separate Postfix mail
                > gateways (2 run postgrey and one runs sqlgrey). No problems.

                I've run sqlgrey with a postgres 8.0 backend which works pretty well.
                I have seen a memory leak between sqlgrey and the postgresql
                postmaster. Restarting sqlgrey daily works for me to avoid badness
                for the memory leak. Note: when sqlgrey is down then incoming mail
                will be rejected.

                --
                Andrew Diederich
              • Alex Satrapa
                Message 7 of 18 , May 31 8:39 PM
                  On 1 Jun 2006, at 04:44, Esquivel, Vicente wrote:

                  > Is everyone running greylist on their main postfix gateway server
                  > or is
                  > everyone running greylisting on a separate individual server? What
                  > would be the pros and cons?

                  The only machines that it makes sense to run greylisting on are those
                  listed as MX servers for your domain (ie: where third parties will be
                  sending mail destined for your domain). Otherwise, the greylisting
                  will only be affecting transmission inside your network.

                  I implemented greylisting for our mail service, but spam slowed down.
                  The machines sending us spam just try again later (90% of the spam I
                  get comes from Microsoft Outlook, which is a "proper" mail sender).

                  Alex
                • Michael J Wise
                  Message 8 of 18 , May 31 11:13 PM
                    On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:

                    > (90% of the spam I get comes from Microsoft Outlook, which is a
                    > "proper" mail sender).

                    You've been misled.
                    It may LOOK like it came from Outlook, but it didn't.
                    It came from a piece of software trying desperately to look like it is
                    Outlook.

                    Aloha mai Nai`a!
                    --
                    "Please have your Internet License http://kapu.net/~mjwise/
                    and Usenet Registration handy..."
                  • Alex Satrapa
                    Message 9 of 18 , Jun 1, 2006
                      On 1 Jun 2006, at 16:13, Michael J Wise wrote:

                      > On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
                      >
                      >> (90% of the spam I get comes from Microsoft Outlook, which is a
                      >> "proper" mail sender).
                      >
                      > You've been misled.
                      > It may LOOK like it came from Outlook, but it didn't.
                      > It came from a piece of software trying desperately to look like it
                      > is Outlook.

                      Walks like a duck, quacks like a duck, therefore it is a duck.

                      Compare these two sets of headers:

                      > Received: from sjq ([203.160.26.197]) by localhost (8.13.4/8.13.4)
                      > with SMTP id k4V8wIth066131; Wed, 31 May 2006 01:58:18 -0700
                      > X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
                      > 30 May 2006 18:56:51 EST
                      > Message-Id: <001701c6848f$fc5a8c18$c51aa0cb@sjq>
                      > Mime-Version: 1.0
                      > Content-Type: multipart/related; type="multipart/alternative";
                      > boundary="----=_NextPart_000_0013_01C684CA.A8B963B8"
                      > X-Priority: 3
                      > X-Msmail-Priority: Normal
                      > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
                      > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106

                      versus

                      > Received: from DNA05 (unknown [192.168.2.205]) by smtp.apf.edu.au
                      > (Postfix) with ESMTP id AEBBC8A80A3 for <alex@apf>; Tue, 9 May
                      > 2006 16:52:32 +1000 (EST)
                      > Message-Id: <003701c67334$e5774390$cd02a8c0@DNA05>
                      > Mime-Version: 1.0
                      > Content-Type: text/plain; charset="us-ascii"
                      > Content-Transfer-Encoding: 7bit
                      > X-Mailer: Microsoft Office Outlook 11
                      > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2869

                      How do I distinguish the spam from the ham? The spam is the first
                      one, the ham is the second. The machine sending the spam tried again
                      5 minutes later. From the perspective of the MTA, the spam was sent
                      by something claiming to be "Microsoft Outlook Express" and behaving
                      very much like "Microsoft Outlook Express" would be expected to
                      behave - does it really matter what software was actually responsible
                      for sending the message? That is only a philosophical discussion at
                      best.

                      But back to the original topic - as you can see, the spam still gets
                      through with greylisting, because the software sending the spam is
                      intelligent enough to respond appropriately to my server faking a
                      temporary failure.

                      When I raise the greylist delay to half an hour (enough time for the
                      ISP to start getting complaints of spam originating from their
                      clients, and shut the client out), I start receiving complaints from
                      people whose mail servers send them messages saying, "I couldn't
                      deliver this message after half an hour, I'm still trying though."

                      Alex
                    • Michael J Wise
                      Message 10 of 18 , Jun 1, 2006
                        On May 31, 2006, at 9:19 PM, Alex Satrapa wrote:
                        > On 1 Jun 2006, at 16:13, Michael J Wise wrote:
                        >> On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
                        >>
                        >>> (90% of the spam I get comes from Microsoft Outlook, which is a
                        >>> "proper" mail sender).
                        >>
                        >> You've been misled.
                        >> It may LOOK like it came from Outlook, but it didn't.
                        >> It came from a piece of software trying desperately to look like it
                        >> is Outlook.
                        >
                        > Walks like a duck, quacks like a duck, therefore it is a duck.
                        >
                        > Compare these two sets of headers:

                        You are completely missing the point.
                        It isn't a case of "Looks Like", it's a case of what is on the other
                        end of the wire.

                        >> Received: from sjq ([203.160.26.197])

                        External address.
                        No reverse DNS.
                        Currently no DNSBLs of any consequence.

                        >> X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
                        >> 30 May 2006 18:56:51 EST

                        You might want to greylist it for a bit longer....
                        Bottom line is, mail servers and local addresses shouldn't be
                        greylisted.
                        But *unknown* connects should be for quite some time.
                        302 seconds doesn't cut it.
                        86400 seconds might.
                        This is, of course, only MHO.

                        > versus
                        >
                        >> Received: from DNA05 (unknown [192.168.2.205])

                        Local address.

                        > How do I distinguish the spam from the ham?

                        That's your problem, Sir.
                        And this isn't the list for it.

                        > does it really matter what software was actually responsible for
                        > sending the message?

                        Yes.

                        > That is only a philosophical discussion at best.

                        Oh no, it's quite practical.
                        You see... sometimes, they make misteaks.
                        And those misteaks become a sign.

                        Aloha mai Nai`a!
                        --
                        "Please have your Internet License http://kapu.net/~mjwise/
                        and Usenet Registration handy..."
                      • Alex Satrapa
                        Message 11 of 18 , Jun 1, 2006
                          On 1 Jun 2006, at 17:19, Alex Satrapa wrote:

                          > When I raise the greylist delay to half an hour (enough time for
                          > the ISP to start getting complaints of spam originating from their
                          > clients, and shut the client out), I start receiving complaints
                          > from people whose mail servers send them messages saying, "I
                          > couldn't deliver this message after half an hour, I'm still trying
                          > though."

                          And here's why greylisting doesn't work:

                          > Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
                          > (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
                          > client certificate requested) by smtp.apf.edu.au (Postfix) with
                          > ESMTP id 88F6D8A80A3 for <alex.satrapa@...>; Thu, 1 Jun
                          > 2006 19:54:31 +1000 (EST)
                          > Received: from optkmv.ru (localhost [127.0.0.1] (may be forged))
                          > by optkmv.ru (8.13.5/8.13.5) with ESMTP id k517X9rF003136 for
                          > <alex.satrapa@...>; Thu, 1 Jun 2006 11:33:09 +0400
                          > Received: (from diana@localhost) by optkmv.ru (8.13.5/8.13.5/
                          > Submit) id k517X7sY003130; Thu, 1 Jun 2006 11:33:07 +0400
                          > X-Sieve: CMU Sieve 2.2
                          > X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;
                          > Thu, 01 Jun 2006 19:54:32 EST
                          > Message-Id: <200606010733.k517X7sY003130@...>
                          > Content-Type: text/html

                          This was from a phishing attempt (trying to get me to enter my paypal
                          account details into their website).

                          Note that they reconnected after a couple of hours, and used TLS
                          encryption. Their hostname is valid, and doing a resolution on the
                          name derived from a reverse lookup on the IP address results in the
                          IP address.

                          Is there anything else here that could have indicated to my mail
                          server that this was not legitimate mail?
                        • Michael J Wise
                          Message 12 of 18 , Jun 1, 2006
                            On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:

                            > And here's why greylisting doesn't work:
                            >
                            >> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])

                            % query-dnsbl 217.13.208.17
                            SPAMCOP opttorg.cust.kmv.ru

                            Greylisting should never be one's only line of defense.
                            Greylisting buys one time for a given IP address to make a fool of
                            itself elsewhere before it gets to dump crap into your system.
                            Or at least, that is my understanding of its purpose.

                            > Note that they reconnected after a couple of hours, ...

                            Not surprised at all.
                            It's almost certainly a compromised machine ... in Mother Russia!
                            Listening on port 22, btw.
                            Probably user 'diana' had a trivial password ('password' or 'diana',
                            for example), and ... poof, in they went.

                            > Is there anything else here that could have indicated to my mail
                            > server that this was not legitimate mail?

                            Um, how about the fact that the server was in Russia?

                            :)

                            Aloha mai Nai`a!
                            --
                            "Please have your Internet License http://kapu.net/~mjwise/
                            and Usenet Registration handy..."
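As an added example (not code from the thread, nor from postgrey or sqlgrey), the following Python script does mechanically what the last few messages do by eye: it unfolds the headers, takes the connecting client's IP and reverse-DNS status from the topmost Received line, reads the delay postgrey recorded in X-Greylist, and applies the rule argued above, that local clients belong in permit_mynetworks rather than the greylist and that unknown external clients should be held for a site-chosen minimum. The `unknown_min_delay` parameter and its default are assumptions; the sample headers are constructed from the ones posted in the thread, and both the sendmail and Postfix Received formats shown there are handled.

```python
# Added example for this thread (not postgrey/sqlgrey code); samples are constructed.
import ipaddress
import re

SPAM_SAMPLE = (
    "Received: from sjq ([203.160.26.197]) by localhost (8.13.4/8.13.4)\n"
    " with SMTP; Wed, 31 May 2006 01:58:18 -0700\n"
    "X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,\n"
    " 30 May 2006 18:56:51 EST\n"
)
HAM_SAMPLE = (
    "Received: from DNA05 (unknown [192.168.2.205]) by smtp.apf.edu.au\n"
    " (Postfix) with ESMTP; Tue, 9 May 2006 16:52:32 +1000 (EST)\n"
)
PHISH_SAMPLE = (
    "Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])\n"
    " by smtp.apf.edu.au (Postfix) with ESMTP; Thu, 1 Jun 2006 19:54:31 +1000\n"
    "X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;\n"
    " Thu, 01 Jun 2006 19:54:32 EST\n"
)

def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return lines

def header(lines, name):
    """Value of the first header called `name` (case-insensitive), or None."""
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None

def greylist_delay(lines):
    """Seconds postgrey held the message, from its X-Greylist header (None if absent)."""
    m = re.search(r"delayed (\d+) seconds", header(lines, "X-Greylist") or "")
    return int(m.group(1)) if m else None

def connecting_client(lines):
    """(ip, has_rdns) from the topmost Received header, the one our own MTA wrote.
    Matches sendmail's 'from helo ([ip])' and Postfix's 'from helo (rdns [ip])'."""
    m = re.search(r"from \S+ \((?:(?P<rdns>\S+) )?\[(?P<ip>[\d.]+)\]\)",
                  header(lines, "Received") or "")
    if not m:
        return None, False
    rdns = m.group("rdns")  # Postfix writes 'unknown' when the client has no rDNS
    return m.group("ip"), bool(rdns) and rdns != "unknown"

def triage(raw, unknown_min_delay=86400):
    """Verdict per the thread: local clients should be passed by permit_mynetworks,
    unknown external clients held >= unknown_min_delay s (default is an assumption)."""
    lines = unfold(raw)
    ip, has_rdns = connecting_client(lines)
    delay = greylist_delay(lines)
    if ip is None:
        verdict = "no-client-ip"
    elif ipaddress.ip_address(ip).is_private:
        verdict = "local-skip-greylisting"
    elif delay is None:
        verdict = "external-not-greylisted"
    elif delay < unknown_min_delay:
        verdict = "external-held-too-briefly"
    else:
        verdict = "external-held-long-enough"
    return {"client_ip": ip, "has_rdns": has_rdns, "delay": delay, "verdict": verdict}

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("phish", PHISH_SAMPLE)):
        print(label, triage(sample))
```

With the 86400-second figure from the thread, both external samples come out as held too briefly; lowering `unknown_min_delay` to 3600 makes the phishing sample "held long enough", which is exactly the point that a retrying sender defeats a longer hold.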
                          • mouss
                            Message 13 of 18 , Jun 4, 2006
                              Michael J Wise wrote:
                              > On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:
                              >
                              >> And here's why greylisting doesn't work:
                              >>
                              >>> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
                              >
                              > % query-dnsbl 217.13.208.17
                              > SPAMCOP opttorg.cust.kmv.ru
                              so what? spamcop isn't designed for smtp level rejection. it should only
                              be used in a score-based system.
                              >
                              > Greylisting should never be one's only line of defense.
                              > Greylisting buys one time for a given IP address to make a fool of
                              > itself elsewhere before it gets to dump crap into your system.
                              > Or at least, that is my understanding of its purpose.
                              >
                              >> Note that they reconnected after a couple of hours, ...
                              >
                              > Not surprised at all.
                              > It's almost certainly a compromised machine ... in Mother Russia!
                              > Listening on port 22, btw.
                              > Probably user 'diana' had a trivial password ('password' or 'diana',
                              > for example), and ... poof, in they went.
                              >
                              >> Is there anything else here that could have indicated to my mail
                              >> server that this was not legitimate mail?
                              use a spam filter. There are many to choose from. if you don't like
                              choosing, try spamassassin...
                              >
                              > Um, how about the fact that the server was in Russia?
                              There may be more spam servers in the US than in Russia. Again, you can
                              use such arguments in a score based filter, not in
                              smtpd_recipient_restrictions...