SPF and greylisting conditioning

  • Michal Bruncko
    Message 1 of 25 , Sep 26, 2010
      Hello list

      I am using postfix (v 2.7.0) with sender policy framework
      (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
      following configuration:

      smtpd_recipient_restrictions =
      ...
      check_policy_service unix:private/policy
      check_policy_service unix:/var/spool/postfix/postgrey/socket
      ...

      where unix:private/policy is SPF socket and followed by greylist rule.

      Is it possible in some way to configure postfix so that SPF Passed mails
      will be automatically accepted by postfix without greylisting? And
      using greylist only for mails with other SPF result codes (none,
      softfail,..)?
      Current configuration only denies mails with SPF Fail and all other
      mails were being greylisted.

      thanks

      michal
    • Stan Hoeppner
      Message 2 of 25 , Sep 26, 2010
        Michal Bruncko put forth on 9/26/2010 4:24 AM:

        > It is possible in some way to configure postfix, that SPF Passed mails
        > will be automatically accepted with postfix without greylisting?

        If I may be blunt: this is a really dumb idea. Many, maybe all,
        snowshoe spammers have valid SPF records. Thus, accepting mail simply
        because the connecting IP passes SPF muster isn't a bright idea.

        --
        Stan
      • Michael Orlitzky
        Message 3 of 25 , Sep 26, 2010
          On 09/26/10 05:24, Michal Bruncko wrote:
          > Hello list
          >
          > I am using postfix (v 2.7.0) with sender policy framework
          > (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
          > following configuration:
          >
          > smtpd_recipient_restrictions =
          > ...
          > check_policy_service unix:private/policy
          > check_policy_service unix:/var/spool/postfix/postgrey/socket
          > ...
          >
          > where unix:private/policy is SPF socket and followed by greylist rule.
          >
          > It is possible in some way to configure postfix, that SPF Passed mails
          > will be automatically accepted with postfix without greylisting? And
          > using greylist only for mails with other SPF result codes (none,
          > softfail,..)?
          > Current configuration only denies mails with SPF Fail and all other
          > mails where being greylisted.
          >
          > thanks
          >
          > michal
          >

          It's probably best to leave things alone as Stan pointed out, but if you
          really want to do this, you'd have to modify the
          postfix-policyd-spf-perl code. A policy server can return any action
          allowed in an access(5) table. So, for example, you could modify (taken
          from the latest release):

          if ($helo_result->is_code('fail')) {
              syslog(info => "%s: SPF %s: HELO/EHLO: %s",
                  $attr->{queue_id}, $helo_result, $attr->{helo_name}
              );
              return "550 $helo_authority_exp";
          }

          ...

          if ($mfrom_result->is_code('fail')) {
              return "550 $mfrom_authority_exp";
          }

          to return either the greylist restriction or the name of a restriction
          class.
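
The suggestion in the message above, as an added example that is not from the thread or from postfix-policyd-spf-perl: a Python handler for the Postfix policy delegation protocol that answers with a restriction class name instead of a fixed verdict. The class name `greylist`, the `spf_check` callable, the reject text and the sample request are assumptions constructed for illustration.

```python
"""Added example: choose between skipping and applying greylisting per SPF result.

Assumed main.cf wiring (hypothetical class name "greylist"):
    smtpd_restriction_classes = greylist
    greylist = check_policy_service unix:/var/spool/postfix/postgrey/socket
with the postgrey check removed from smtpd_recipient_restrictions itself, so
that greylisting only runs when this policy server asks for it.
"""

GREYLIST_CLASS = "greylist"      # hypothetical restriction class name
REJECT_TEXT = "550 SPF fail"     # placeholder reject text


def parse_policy_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break                          # empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value            # values may themselves contain "="
    return attrs


def decide_action(attrs, spf_check):
    """Map an SPF result to an access(5) action.

    spf_check(client_address, sender, helo_name) is a caller-supplied callable
    returning an SPF result string such as "pass", "fail", "softfail", "none".
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    result = spf_check(
        attrs.get("client_address", ""),
        attrs.get("sender", ""),
        attrs.get("helo_name", ""),
    )
    if result == "fail":
        return REJECT_TEXT
    if result == "pass":
        # DUNNO, not OK: later restrictions (DNSBLs, local tables) still apply.
        return "DUNNO"
    # none, neutral, softfail, temperror, permerror: hand over to postgrey.
    return GREYLIST_CLASS


def format_reply(action):
    """A policy reply is a single action= line followed by an empty line."""
    return "action=%s\n\n" % action


def handle(text, spf_check):
    return format_reply(decide_action(parse_policy_request(text), spf_check))


# Constructed sample request (documentation addresses and domains).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "helo_name=mail.example.org\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)


def constructed_spf_check(client_address, sender, helo_name):
    """Stand-in for a real SPF evaluation: a constructed table, no DNS."""
    table = {
        ("192.0.2.25", "example.org"): "pass",
        ("198.51.100.7", "example.org"): "fail",
    }
    # With an empty envelope sender, SPF falls back to the HELO identity.
    domain = sender.rpartition("@")[2] or helo_name
    return table.get((client_address, domain), "none")


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST, constructed_spf_check), end="")
```

Returning `DUNNO` on a pass only skips the greylist step; it does not accept the message, which is the distinction argued over later in the thread.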
        • mouss
          Message 4 of 25 , Sep 26, 2010
            On 26/09/2010 12:08, Stan Hoeppner wrote:
            > Michal Bruncko put forth on 9/26/2010 4:24 AM:
            >
            >> It is possible in some way to configure postfix, that SPF Passed mails
            >> will be automatically accepted with postfix without greylisting?
            > If I may be blunt: this is a really dumb idea. Many, maybe all,
            > snowshoe spammers have valid SPF records. Thus, accepting mail simply
            > because the connecting IP passes SPF muster isn't a bright idea.
            >

            some even use an indirect +all to trick filters...

            $ host -t txt takeprettypictures.net
            takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
            ip4:0.0.0.0/1 -all"

            (so the first bit must be 0 or 1. since a bit is either 0 or 1...).
          • fakessh
            Message 5 of 25 , Sep 26, 2010
              On Sunday 26 September 2010 22:38, mouss wrote:
              > On 26/09/2010 12:08, Stan Hoeppner wrote:
              > > Michal Bruncko put forth on 9/26/2010 4:24 AM:
              > >> It is possible in some way to configure postfix, that SPF Passed mails
              > >> will be automatically accepted with postfix without greylisting?
              > >
              > > If I may be blunt: this is a really dumb idea. Many, maybe all,
              > > snowshoe spammers have valid SPF records. Thus, accepting mail simply
              > > because the connecting IP passes SPF muster isn't a bright idea.
              >
              > some even use an indirect +all to trick filters...
              >
              > $ host -t txt takeprettypictures.net
              > takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
              > ip4:0.0.0.0/1 -all"
              >
              > (so the first bit must be 0 or 1. since a bit is either 0 or 1...).


              do you like sendmail machine
              that address is unauthorized for me


              --
              gpg --keyserver pgp.mit.edu --recv-key 092164A7
            • mouss
              Message 6 of 25 , Sep 26, 2010
                On 26/09/2010 23:28, fakessh wrote:
                > On Sunday 26 September 2010 22:38, mouss wrote:
                >> On 26/09/2010 12:08, Stan Hoeppner wrote:
                >>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                >>>> It is possible in some way to configure postfix, that SPF Passed mails
                >>>> will be automatically accepted with postfix without greylisting?
                >>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                >>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                >>> because the connecting IP passes SPF muster isn't a bright idea.
                >> some even use an indirect +all to trick filters...
                >>
                >> $ host -t txt takeprettypictures.net
                >> takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
                >> ip4:0.0.0.0/1 -all"
                >>
                >> (so the first bit must be 0 or 1. since a bit is either 0 or 1...).
                >
                > do you like sendmail machine
                > that adresse is unauthorized for me
                >

                There's no "address". the SPF record above specifies subnets with a /1
                mask, the union of which is the whole IPv4 space.
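
The point made in the message above, as an added example that is not part of the thread: a Python check that measures how much of the IPv4 space an SPF record's `ip4` and `all` terms authorise, honouring SPF's left-to-right first-match order. The function names and the 1/256 threshold are assumptions; terms that need DNS (`include`, `a`, `mx`, ...) are reported as unresolved and not counted.

```python
"""Added example: detect SPF records whose ip4 terms amount to "+all"."""
import ipaddress

IPV4_SPACE = 2 ** 32
OVERBROAD_THRESHOLD = 1 / 256   # assumed cut-off: one /8 worth of addresses


def _subtract(interval, claimed):
    """Parts of an inclusive (start, end) range not covered by `claimed`.

    `claimed` is a sorted list of disjoint inclusive ranges.
    """
    start, end = interval
    free = []
    for c_start, c_end in claimed:
        if c_end < start or c_start > end:
            continue
        if c_start > start:
            free.append((start, c_start - 1))
        start = max(start, c_end + 1)
        if start > end:
            break
    if start <= end:
        free.append((start, end))
    return free


def spf_ip4_pass_coverage(record):
    """Return (fraction of IPv4 space that gets 'pass', unresolved terms)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    claimed = []        # addresses already matched by an earlier mechanism
    passed = 0          # count of addresses whose first match is a pass
    unresolved = []
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.lower()
        if name == "all":
            span = (0, IPV4_SPACE - 1)
        elif name.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            span = (int(net.network_address), int(net.broadcast_address))
        else:
            unresolved.append(term)         # needs DNS; not evaluated here
            continue
        fresh = _subtract(span, claimed)    # first match wins
        if qualifier == "+":
            passed += sum(end - start + 1 for start, end in fresh)
        claimed = sorted(claimed + fresh)
        if name == "all":
            break                           # nothing after "all" is reached
    return passed / IPV4_SPACE, unresolved


def is_overbroad(record, threshold=OVERBROAD_THRESHOLD):
    """True when the record passes at least `threshold` of all IPv4 addresses."""
    coverage, _ = spf_ip4_pass_coverage(record)
    return coverage >= threshold


# The record quoted in the thread, joined onto one line.
THREAD_RECORD = "v=spf1 ip4:128.0.0.0/1 ip4:0.0.0.0/1 -all"
# Constructed records for comparison.
NARROW_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
ORDERED_RECORD = "v=spf1 -ip4:0.0.0.0/1 ip4:0.0.0.0/0 -all"

if __name__ == "__main__":
    for rec in (THREAD_RECORD, NARROW_RECORD, ORDERED_RECORD):
        print(rec, spf_ip4_pass_coverage(rec), is_overbroad(rec))
```

A policy daemon or scoring filter can treat an SPF pass from an over-broad record as carrying no weight, since every client passes.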
              • fakessh
                Message 7 of 25 , Sep 26, 2010
                  On Sunday 26 September 2010 23:46, mouss wrote:
                  > On 26/09/2010 23:28, fakessh wrote:
                  > > On Sunday 26 September 2010 22:38, mouss wrote:
                  > >> On 26/09/2010 12:08, Stan Hoeppner wrote:
                  > >>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                  > >>>> It is possible in some way to configure postfix, that SPF Passed mails
                  > >>>> will be automatically accepted with postfix without greylisting?
                  > >>>
                  > >>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                  > >>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                  > >>> because the connecting IP passes SPF muster isn't a bright idea.
                  > >>
                  > >> some even use an indirect +all to trick filters...
                  > >>
                  > >> $ host -t txt takeprettypictures.net
                  > >> takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
                  > >> ip4:0.0.0.0/1 -all"
                  > >>
                  > >> (so the first bit must be 0 or 1. since a bit is either 0 or 1...).
                  > >
                  > > do you like sendmail machine
                  > > that adresse is unauthorized for me
                  >
                  > There's no "address". the SPF record above specifies subnets with a /1
                  > mask, the union of which is the whole IPv4 space.

                  the evil for the spammer
                  the -all much have ?all


                  --
                  gpg --keyserver pgp.mit.edu --recv-key 092164A7
                • JunkYardMail1@Frontier.com
                  Message 8 of 25 , Sep 26, 2010
                    Which makes their domain an easy target for block lists.

                    http://www.spamhaus.org/query/dbl?domain=takeprettypictures.net

                    --------------------------------------------------
                    From: "mouss" <mouss@...>
                    Sent: Sunday, September 26, 2010 1:38 PM
                    To: <postfix-users@...>
                    Subject: Re: SPF and greylisting conditioning

                    > On 26/09/2010 12:08, Stan Hoeppner wrote:
                    >> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                    >>
                    >>> It is possible in some way to configure postfix, that SPF Passed mails
                    >>> will be automatically accepted with postfix without greylisting?
                    >> If I may be blunt: this is a really dumb idea. Many, maybe all,
                    >> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                    >> because the connecting IP passes SPF muster isn't a bright idea.
                    >>
                    >
                    > some even use an indirect +all to trick filters...
                    >
                    > $ host -t txt takeprettypictures.net
                    > takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
                    > ip4:0.0.0.0/1 -all"
                    >
                    > (so the first bit must be 0 or 1. since a bit is either 0 or 1...).
                    >
                    >
                  • Michal Bruncko
                    Message 9 of 25 , Sep 26, 2010
                      Hello

                      Thank you for pointing me. It was just my quick idea but as you wrote,
                      perhaps many spammers have valid spf records and thus, my spam checking
                      will be less spam resistant.

                      and Michael, thank you for your hint.



                      On 26. 9. 2010 12:08, Stan Hoeppner wrote:
                      > Michal Bruncko put forth on 9/26/2010 4:24 AM:
                      >
                      >> It is possible in some way to configure postfix, that SPF Passed mails
                      >> will be automatically accepted with postfix without greylisting?
                      >
                      > If I may be blunt: this is a really dumb idea. Many, maybe all,
                      > snowshoe spammers have valid SPF records. Thus, accepting mail simply
                      > because the connecting IP passes SPF muster isn't a bright idea.
                      >
                    • Henrik K
                      Message 10 of 25 , Sep 26, 2010
                        On Mon, Sep 27, 2010 at 12:49:40AM +0200, Michal Bruncko wrote:
                        > Hello
                        >
                        > Thank you for pointing me. It was just my quick idea but as you
                        > wrote, perhaps many spammers have valid spf records and thus, my
                        > spam checking will be less spam resistant.

                        I have no problem not GREYLISTING things that pass, that's how the original
                        question was laid?? Of course you can and should use blacklists etc. But why
                        greylist retrying servers? Or maybe someone will point out that snowshoers
                        don't retry? Only thing you might win with greylisting is some 5 minutes for
                        blacklists to catch up. One could speculate that it might not matter much.
                      • Stan Hoeppner
                        Message 11 of 25 , Sep 26, 2010
                          JunkYardMail1@... put forth on 9/26/2010 5:30 PM:
                          > Which makes their domain an easy target for block lists.
                          >
                          > http://www.spamhaus.org/query/dbl?domain=takeprettypictures.net

                          I can't seem to locate the "reason" page. I see nothing that says this
                          domain was listed due to, ahem, creative use of SPF. It's probably
                          listed simply due to trap hits, which, TTBOMK, is what generates
                          99.999999% of Spamhaus listings. If Spamhaus is creating preemptive
                          listings due to SPF games, or any preemptive listings for that matter,
                          I'd love to have that confirmed.

                          --
                          Stan


                          > --------------------------------------------------
                          > From: "mouss" <mouss@...>
                          > Sent: Sunday, September 26, 2010 1:38 PM
                          > To: <postfix-users@...>
                          > Subject: Re: SPF and greylisting conditioning
                          >
                          >> On 26/09/2010 12:08, Stan Hoeppner wrote:
                          >>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                          >>>
                          >>>> It is possible in some way to configure postfix, that SPF Passed mails
                          >>>> will be automatically accepted with postfix without greylisting?
                          >>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                          >>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                          >>> because the connecting IP passes SPF muster isn't a bright idea.
                          >>>
                          >>
                          >> some even use an indirect +all to trick filters...
                          >>
                          >> $ host -t txt takeprettypictures.net
                          >> takeprettypictures.net descriptive text "v=spf1 ip4:128.0.0.0/1
                          >> ip4:0.0.0.0/1 -all"
                          >>
                          >> (so the first bit must be 0 or 1. since a bit is either 0 or 1...).
                          >>
                          >>
                        • Mikael Bak
                          Message 12 of 25 , Sep 27, 2010
                            Stan Hoeppner wrote:
                            > Michal Bruncko put forth on 9/26/2010 4:24 AM:
                            >
                            >> It is possible in some way to configure postfix, that SPF Passed mails
                            >> will be automatically accepted with postfix without greylisting?
                            >
                            > If I may be blunt: this is a really dumb idea. Many, maybe all,
                            > snowshoe spammers have valid SPF records. Thus, accepting mail simply
                            > because the connecting IP passes SPF muster isn't a bright idea.
                            >

                            Snowshoe spam will most probably pass greylisting too. Better not
                            clutter greylisting database with useless things. Have the blacklists
                            block'em instead.

                            So OP's request is valid IMO.

                            Mikael
                          • Stan Hoeppner
                            Message 13 of 25 , Sep 27, 2010
                              Mikael Bak put forth on 9/27/2010 6:18 AM:
                              > Stan Hoeppner wrote:
                              >> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                              >>
                              >>> It is possible in some way to configure postfix, that SPF Passed mails
                              >>> will be automatically accepted with postfix without greylisting?
                              >>
                              >> If I may be blunt: this is a really dumb idea. Many, maybe all,
                              >> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                              >> because the connecting IP passes SPF muster isn't a bright idea.
                              >>
                              >
                              > Snowshoe spam will most probably pass greylisting too. Better not
                              > clutter greylisting database with useless things. Have the blacklists
                              > block'em instead.

                              I don't follow your logic here. Yes, most snowshoe is sent from real
                              MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                              block lists aren't very effective against snowshoe either, although
                              Spamhaus DBL is getting much better WRT snowshoe. I have a local
                              snowshoe cidr table I've been building for 2 years and it works rather
                              well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                              However, most people probably don't have such a local snowshoe blocking
                              list.

                              > So OP's request is valid IMO.

                              Shooting mail straight into the inbox based on an SPF pass is not a
                              valid strategy, but a recipe for more spam in the inbox. SPF is
                              properly used in a scoring system within a policy daemon or external
                              content filter such as SA, same as DKIM etc are.

                              --
                              Stan
                            • mouss
                              Message 14 of 25 , Sep 27, 2010
                                On 27/09/2010 00:30, JunkYardMail1@... wrote:
                                > Which makes their domain an easy target for block lists.
                                >
                                > http://www.spamhaus.org/query/dbl?domain=takeprettypictures.net

                                I doubt they were listed because of their spf record.
                                but anyway, that would be "coming late to the race" again. spammers will
                                find inventive ways to defeat poor defences, be that spf, dkim,
                                greylisting, SAV, ... etc. Sedan was thought to be the ultimate defence
                                before the well-known disaster.
                              • mouss
                                Message 15 of 25 , Sep 27, 2010
                                  On 27/09/2010 22:12, Stan Hoeppner wrote:
                                  > Mikael Bak put forth on 9/27/2010 6:18 AM:
                                  >> Stan Hoeppner wrote:
                                  >>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                                  >>>
                                  >>>> It is possible in some way to configure postfix, that SPF Passed mails
                                  >>>> will be automatically accepted with postfix without greylisting?
                                  >>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                                  >>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                                  >>> because the connecting IP passes SPF muster isn't a bright idea.
                                  >>>
                                  >> Snowshoe spam will most probably pass greylisting too. Better not
                                  >> clutter greylisting database with useless things. Have the blacklists
                                  >> block'em instead.
                                  > I don't follow your logic here. Yes, most snowshoe is sent from real
                                  > MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                  > block lists aren't very effective against snowshoe either, although
                                  > Spamhaus DBL is getting much better WRT snowshoe.

                                  actually, spamhaus doesn't get much of it. Barracuda gets more.

                                  > I have a local
                                  > snowshoe cidr table I've been building for 2 years and it works rather
                                  > well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                  > However, most people probably don't have such a local snowshoe blocking
                                  > list.
                                  >

                                  yep for both parts.

                                  >> So OP's request is valid IMO.

                                  No. spf is only useful in two corner cases:
                                  - a domain specifies which IPs can send (+ a -all for the rest)
                                  - you whitelist mail from some domain and that domain says that IP can
                                  send from.

                                  whitelisting because of spf pass is like whitelisting because of correct
                                  rDNS.

                                  > Shooting mail straight into the inbox based on an SPF pass is not a
                                  > valid strategy, but a recipe for more spam in the inbox. SPF is
                                  > properly used in a scoring system within a policy daemon or external
                                  > content filter such as SA, same as DKIM etc are.

                                  experience with SA shows that SPF is useless except in some corner cases
                                  (examples above). just look at the SA scores...
                                • Henrik K
                                  Message 16 of 25 , Sep 27, 2010
                                    On Mon, Sep 27, 2010 at 03:12:01PM -0500, Stan Hoeppner wrote:
                                    > >
                                    > > Snowshoe spam will most probably pass greylisting too. Better not
                                    > > clutter greylisting database with useless things. Have the blacklists
                                    > > block'em instead.
                                    >
                                    > I don't follow your logic here. Yes, most snowshoe is sent from real
                                    > MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                    > block lists aren't very effective against snowshoe either, although
                                    > Spamhaus DBL is getting much better WRT snowshoe. I have a local
                                    > snowshoe cidr table I've been building for 2 years and it works rather
                                    > well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                    > However, most people probably don't have such a local snowshoe blocking
                                    > list.

                                    Umm, what's YOUR logic here? Greylisting won't stop it, dnsbls won't stop
                                    it? So I guess it's ok to blindly greylist stuff in case it "happens" to
                                    stop it?

                                    > > So OP's request is valid IMO.
                                    >
                                    > Shooting mail straight into the inbox based on an SPF pass is not a
                                    > valid strategy, but a recipe for more spam in the inbox. SPF is
                                    > properly used in a scoring system within a policy daemon or external
                                    > content filter such as SA, same as DKIM etc are.

                                    Shooting mail straight into inbox? At some point you seemed to understand
                                    the original question, but again you seem to have missed the point? He was
                                    asking to bypass greylisting, which is fine. How does that make it STRAIGHT
                                    into inbox?
                                  • Mikael Bak
                                    Message 17 of 25 , Sep 28, 2010
                                      Stan Hoeppner wrote:
                                      > Mikael Bak put forth on 9/27/2010 6:18 AM:
                                      >> Stan Hoeppner wrote:
                                      >>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                                      >>>
                                      >>>> It is possible in some way to configure postfix, that SPF Passed mails
                                      >>>> will be automatically accepted with postfix without greylisting?
                                      >>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                                      >>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                                      >>> because the connecting IP passes SPF muster isn't a bright idea.
                                      >>>
                                      >> Snowshoe spam will most probably pass greylisting too. Better not
                                      >> clutter greylisting database with useless things. Have the blacklists
                                      >> block'em instead.
                                      >
                                      > I don't follow your logic here. Yes, most snowshoe is sent from real
                                      > MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                      > block lists aren't very effective against snowshoe either, although
                                      > Spamhaus DBL is getting much better WRT snowshoe. I have a local
                                      > snowshoe cidr table I've been building for 2 years and it works rather
                                      > well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                      > However, most people probably don't have such a local snowshoe blocking
                                      > list.
                                      >

                                      My logic is crystal clear. Your post is full of contradictions.

                                      Your snowshoe cidr is a blacklist, isn't it?
                                      I did not specify what blacklist to use.
                                      I did just say that graylisting is an expensive task to do if you know
                                      that it's almost worthless for those emails.

                                      But I guess for your one-person mail server at home, that does not count.


                                      >> So OP's request is valid IMO.
                                      >
                                      > Shooting mail straight into the inbox based on an SPF pass is not a
                                      > valid strategy, but a recipe for more spam in the inbox. SPF is
                                      > properly used in a scoring system within a policy daemon or external
                                      > content filter such as SA, same as DKIM etc are.
                                      >

                                      I did not say that!
                                      I said OP's request to bypass greylisting for SPF Passed email is valid.
                                      I did not say it should bypass anything else!

                                      You had a problem reading my not-so-native English?

                                      And please, Stan. Please understand that some of us here have large
                                      email infrastructure to administer. It's completely different from a
                                      hobby mail server at home.

                                      Kind regards,
                                      Mikael
                                    • Stan Hoeppner
                                      Message 18 of 25 , Sep 28, 2010
                                        Henrik K put forth on 9/28/2010 12:28 AM:
                                        > On Mon, Sep 27, 2010 at 03:12:01PM -0500, Stan Hoeppner wrote:
                                        >>>
                                        >>> Snowshoe spam will most probably pass greylisting too. Better not
                                        >>> clutter greylisting database with useless things. Have the blacklists
                                        >>> block'em instead.
                                        >>
                                        >> I don't follow your logic here. Yes, most snowshoe is sent from real
                                        >> MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                        >> block lists aren't very effective against snowshoe either, although
                                        >> Spamhaus DBL is getting much better WRT snowshoe. I have a local
                                        >> snowshoe cidr table I've been building for 2 years and it works rather
                                        >> well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                        >> However, most people probably don't have such a local snowshoe blocking
                                        >> list.
                                        >
                                        > Umm, what's YOUR logic here? Greylisting won't stop it, dnsbls won't stop
                                        > it? So I guess it's ok to blindly greylist stuff in case it "happens" to
                                        > stop it?

                                        Of course I'm not advocating folks blindly greylist. I promote
                                        super-selective greylisting, and have many times on this list. The
                                        point I was making is that SPF is not a solution for making a reject/ok
                                        determination as an isolated smtpd test. It's only useful for scoring
                                        systems. Greylisting in isolation won't stop snowshoe either. Again,
                                        it is useful in blocking snowshoe if used in a scoring system such as SA.

                                        >>> So OP's request is valid IMO.
                                        >>
                                        >> Shooting mail straight into the inbox based on an SPF pass is not a
                                        >> valid strategy, but a recipe for more spam in the inbox. SPF is
                                        >> properly used in a scoring system within a policy daemon or external
                                        >> content filter such as SA, same as DKIM etc are.
                                        >
                                        > Shooting mail straight into inbox? At some point you seemed to understand
                                        > the original question, but again you seem to have missed the point? He was
                                        > asking to bypass greylisting, which is fine. How does that make it STRAIGHT
                                        > into inbox?

                                        Michal Bruncko put forth on 9/26/2010 4:24 AM:

                                        > It is possible in some way to configure postfix, that SPF Passed mails
                                        > will be automatically accepted with postfix without greylisting?

                                        Maybe I misunderstood the OP's use of the term "automatically accepted".

                                        --
                                        Stan
                                      • Stan Hoeppner
                                        Message 19 of 25 , Sep 28, 2010
                                          Mikael Bak put forth on 9/28/2010 4:25 AM:
                                          > Stan Hoeppner wrote:
                                          >> Mikael Bak put forth on 9/27/2010 6:18 AM:
                                          >>> Stan Hoeppner wrote:
                                          >>>> Michal Bruncko put forth on 9/26/2010 4:24 AM:
                                          >>>>
                                          >>>>> It is possible in some way to configure postfix, that SPF Passed mails
                                          >>>>> will be automatically accepted with postfix without greylisting?
                                          >>>> If I may be blunt: this is a really dumb idea. Many, maybe all,
                                          >>>> snowshoe spammers have valid SPF records. Thus, accepting mail simply
                                          >>>> because the connecting IP passes SPF muster isn't a bright idea.
                                          >>>>
                                          >>> Snowshoe spam will most probably pass greylisting too. Better not
                                          >>> clutter greylisting database with useless things. Have the blacklists
                                          >>> block'em instead.
                                          >>
                                          >> I don't follow your logic here. Yes, most snowshoe is sent from real
                                          >> MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                          >> block lists aren't very effective against snowshoe either, although
                                          >> Spamhaus DBL is getting much better WRT snowshoe. I have a local
                                          >> snowshoe cidr table I've been building for 2 years and it works rather
                                          >> well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                          >> However, most people probably don't have such a local snowshoe blocking
                                          >> list.
                                          >>
                                          >
                                          > My logic is crystal clear. Your post is full of contradictions.

                                          I see no contradictions in my post.

                                          > Your snowshoe cidr is a blacklist, isn't it?
                                          > I did not specify what blacklist to use.
                                          > I did just say that graylisting is an expensive task to do if you know
                                          > that it's almost worthless for those emails.

                                          Of course greylisting is expensive. Where did I state otherwise? But
                                          using an SPF pass to bypass greylisting isn't going to be all that
                                          useful unless you have other checks further downstream to kill snowshoe.
                                          For most, this will be a content filter such as SA. In my experience,
                                          such content filters are more expensive WRT resources than straight
                                          greylisting. Thus, what you should probably do is run a content filter
                                          in front of greylisting.

                                          > But I guess for your one-person mail server at home, that does not count.

                                          What is the reason for this statement?

                                          >> Shooting mail straight into the inbox based on an SPF pass is not a
                                          >> valid strategy, but a recipe for more spam in the inbox. SPF is
                                          >> properly used in a scoring system within a policy daemon or external
                                          >> content filter such as SA, same as DKIM etc are.

                                          > I did not say that!
                                          > I said OP's request to bypass greylisting for SPF Passed email is valid.
                                          > I did not say it should bypass anything else!

                                          Ok, not that this is "crystal" clear, you could probably write your own
                                          policy daemon to do this, if one doesn't already exist.

                                          > You had a problem reading my not-so-native English?

                                          None at all, merely your use of "automatically accept".

                                          > And please, Stan. Please understand that some of us here have large
                                          > email infrastructure to administer. It's completely different from a
                                          > hobby mail server at home.

                                          What is your point of this statement, other than showing your lack of
                                          knowledge of me, and the systems I manage?

                                          --
                                          Stan
                                        • Michal Bruncko
                                          Message 20 of 25 , Sep 29, 2010
                                            Hello

                                            On 29. 9. 2010 0:05, Stan Hoeppner wrote:
                                            > Henrik K put forth on 9/28/2010 12:28 AM:
                                            >> On Mon, Sep 27, 2010 at 03:12:01PM -0500, Stan Hoeppner wrote:
                                            >>>> Snowshoe spam will most probably pass greylisting too. Better not
                                            >>>> clutter greylisting database with useless things. Have the blacklists
                                            >>>> block'em instead.
                                            >>> I don't follow your logic here. Yes, most snowshoe is sent from real
                                            >>> MTAs, not bots, so greylisting won't stop it. However, dnsbls and local
                                            >>> block lists aren't very effective against snowshoe either, although
                                            >>> Spamhaus DBL is getting much better WRT snowshoe. I have a local
                                            >>> snowshoe cidr table I've been building for 2 years and it works rather
                                            >>> well as I see maybe 1 snowshoe in the inbox every two weeks or so.
                                            >>> However, most people probably don't have such a local snowshoe blocking
                                            >>> list.
                                            >> Umm, what's YOUR logic here? Greylisting won't stop it, dnsbls won't stop
                                            >> it? So I guess it's ok to blindly greylist stuff in case it "happens" to
                                            >> stop it?
                                            > Of course I'm not advocating folks blindly greylist. I promote
                                            > super-selective greylisting, and have many times on this list. The
                                            > point I was making is that SPF is not a solution for making a reject/ok
                                            > determination as an isolated smtpd test. It's only useful for scoring
                                            > systems. Greylisting in isolation won't stop snowshoe either. Again,
                                            > it is useful in blocking snowshoe if used in a scoring system such as SA.
                                            >
                                            >>>> So OP's request is valid IMO.
                                            >>> Shooting mail straight into the inbox based on an SPF pass is not a
                                            >>> valid strategy, but a recipe for more spam in the inbox. SPF is
                                            >>> properly used in a scoring system within a policy daemon or external
                                            >>> content filter such as SA, same as DKIM etc are.
                                            >> Shooting mail straight into inbox? At some point you seemed to understand
                                            >> the original question, but again you seem to have missed the point? He was
                                            >> asking to bypass greylisting, which is fine. How does that make it STRAIGHT
                                            >> into inbox?
                                            > Michal Bruncko put forth on 9/26/2010 4:24 AM:
                                            >
                                            >> It is possible in some way to configure postfix, that SPF Passed mails
                                            >> will be automatically accepted with postfix without greylisting?
                                            > Maybe I misunderstood the OP's use of the term "automatically accepted".
                                            >
                                            I mean automatically accepted by postfix, but not automatically
                                            forwarded to mailboxes. My idea lies on principle, that if sender have
                                            valid SPF record, there is no need to greylist (and delaying mail
                                            receiving), but... SPF and greylisting are only one part of mail
                                            checking (checking directly in smtpd_recipient_restrictions in postfix).
                                            I am using amavis with SA, viruschecking and next supplementary tests
                                            (razor, ddc and so on) for scoring mails and then forwarding through
                                            MDA to mailboxes.

                                            michal
                                          • Stan Hoeppner
                                            Message 21 of 25 , Sep 29, 2010
                                              Michal Bruncko put forth on 9/29/2010 4:03 AM:

                                              > I mean automatically accepted by postfix, but not automatically
                                              > forwarded to mailboxes. My idea lies on principle, that if sender have
                                              > valid SPF record, there is no need to greylist (and delaying mail
                                              > receiving), but... SPF and greylisting are only one part of mail
                                              > checking (checking directly in smtpd_recipient_restrictions in postfix).
                                              > I am using amavis with SA, viruschecking and next supplementary tests
                                              > (razor, ddc and so on) for scoring mails and then forwarding through
                                              > MDA to mailboxes.

                                              milter-greylist will do exactly what you want.

                                              http://hcpnet.free.fr/milter-greylist/

                                              "SPF records

                                              Starting with version 1.1.3, milter-greylist is able to use libspf_alt
                                              to check SPF records. SPF records are DNS objects that tell the whole
                                              Internet which server(s) can legally send e-mail from a domain.

                                              Using SPF records, milter-greylist will avoid greylisting any mail that
                                              comes from an SPF-compliant server. This feature is optional and
                                              requires libspf_alt

                                              Starting with 1.1.10, libspf (James Couzens's version) is also
                                              supported. libspf2 is supported starting with version 1.7.2."


                                              --
                                              Stan
                                            • Michal Bruncko
                                              Message 22 of 25 , Sep 29, 2010
                                                Thank you for hint. It seems that this soft is also included in my
                                                distro repository (fedora), perfect! :)

                                                michal

                                                On 29. 9. 2010 11:36, Stan Hoeppner wrote:
                                                > Michal Bruncko put forth on 9/29/2010 4:03 AM:
                                                >
                                                >> I mean automatically accepted by postfix, but not automatically
                                                >> forwarded to mailboxes. My idea lies on principle, that if sender have
                                                >> valid SPF record, there is no need to greylist (and delaying mail
                                                >> receiving), but... SPF and greylisting are only one part of mail
                                                >> checking (checking directly in smtpd_recipient_restrictions in postfix).
                                                >> I am using amavis with SA, viruschecking and next supplementary tests
                                                >> (razor, ddc and so on) for scoring mails and then forwarding through
                                                >> MDA to mailboxes.
                                                >
                                                > milter-greylist will do exactly what you want.
                                                >
                                                > http://hcpnet.free.fr/milter-greylist/
                                                >
                                                > "SPF records
                                                >
                                                > Starting with version 1.1.3, milter-greylist is able to use libspf_alt
                                                > to check SPF records. SPF records are DNS objects that tell the whole
                                                > Internet which server(s) can legally send e-mail from a domain.
                                                >
                                                > Using SPF records, milter-greylist will avoid greylisting any mail that
                                                > comes from an SPF-compliant server. This feature is optional and
                                                > requires libspf_alt
                                                >
                                                > Starting with 1.1.10, libspf (James Couzens's version) is also
                                                > supported. libspf2 is supported starting with version 1.7.2."
                                                >
                                                >
                                              • Stan Hoeppner
                                                Message 23 of 25 , Sep 29, 2010
                                                  Michal Bruncko put forth on 9/29/2010 10:57 AM:
                                                  > Thank you for hint. It seems that this soft is also included in my
                                                  > distro repository (fedora), perfect! :)
                                                  >
                                                  > michal

                                                  You're welcome. I've never used milter-greylist, so I can't attest to
                                                  its performance, reliability, ease of use, etc, but it does have the one
                                                  feature you want. Let us know how it works out for you.

                                                  --
                                                  Stan



                                                  > On 29. 9. 2010 11:36, Stan Hoeppner wrote:
                                                  >> Michal Bruncko put forth on 9/29/2010 4:03 AM:
                                                  >>
                                                  >>> I mean automatically accepted by postfix, but not automatically
                                                  >>> forwarded to mailboxes. My idea lies on principle, that if sender have
                                                  >>> valid SPF record, there is no need to greylist (and delaying mail
                                                  >>> receiving), but... SPF and greylisting are only one part of mail
                                                  >>> checking (checking directly in smtpd_recipient_restrictions in postfix).
                                                  >>> I am using amavis with SA, viruschecking and next supplementary tests
                                                  >>> (razor, ddc and so on) for scoring mails and then forwarding through
                                                  >>> MDA to mailboxes.
                                                  >>
                                                  >> milter-greylist will do exactly what you want.
                                                  >>
                                                  >> http://hcpnet.free.fr/milter-greylist/
                                                  >>
                                                  >> "SPF records
                                                  >>
                                                  >> Starting with version 1.1.3, milter-greylist is able to use libspf_alt
                                                  >> to check SPF records. SPF records are DNS objects that tell the whole
                                                  >> Internet which server(s) can legally send e-mail from a domain.
                                                  >>
                                                  >> Using SPF records, milter-greylist will avoid greylisting any mail that
                                                  >> comes from an SPF-compliant server. This feature is optional and
                                                  >> requires libspf_alt
                                                  >>
                                                  >> Starting with 1.1.10, libspf (James Couzens's version) is also
                                                  >> supported. libspf2 is supported starting with version 1.7.2."
                                                  >>
                                                  >>
                                                  >
                                                • Eugene V. Boontseff
                                                  Message 24 of 25 , Oct 2, 2010
                                                    On 26.09.2010 13:24, Michal Bruncko wrote:
                                                    > Hello list
                                                    >
                                                    > I am using postfix (v 2.7.0) with sender policy framework
                                                    > (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
                                                    > following configuration:
                                                    >
                                                    > smtpd_recipient_restrictions =
                                                    > ...
                                                    > check_policy_service unix:private/policy
                                                    > check_policy_service unix:/var/spool/postfix/postgrey/socket
                                                    > ...
                                                    >
                                                    > where unix:private/policy is SPF socket and followed by greylist rule.
                                                    >
                                                    > It is possible in some way to configure postfix, that SPF Passed mails
                                                    > will be automatically accepted with postfix without greylisting? And
                                                    > using greylist only for mails with other SPF result codes (none,
                                                    > softfail,..)?
                                                    > Current configuration only denies mails with SPF Fail and all other
                                                    > mails were being greylisted.

                                                    Use the attached patch for postfix-policyd-spf-perl-2.007, and you get
                                                    what you want.

                                                    >
                                                    > thanks
                                                    >
                                                    > michal
                                                    >
                                                    --
                                                    Eugene
                                                  • Scott Kitterman
                                                    Message 25 of 25 , Oct 2, 2010
                                                      On Saturday, October 02, 2010 08:55:49 am Eugene V. Boontseff wrote:
                                                      > On 26.09.2010 13:24, Michal Bruncko wrote:
                                                      > > Hello list
                                                      > >
                                                      > > I am using postfix (v 2.7.0) with sender policy framework
                                                      > > (postfix-policyd-spf-perl-2.001) and greylisting (postgrey-1.32) with
                                                      > > following configuration:
                                                      > >
                                                      > > smtpd_recipient_restrictions =
                                                      > >
                                                      > > ...
                                                      > > check_policy_service unix:private/policy
                                                      > > check_policy_service unix:/var/spool/postfix/postgrey/socket
                                                      > > ...
                                                      > >
                                                      > > where unix:private/policy is SPF socket and followed by greylist rule.
                                                      > >
                                                      > > It is possible in some way to configure postfix, that SPF Passed mails
                                                      > > will be automatically accepted with postfix without greylisting? And
                                                      > > using greylist only for mails with other SPF result codes (none,
                                                      > > softfail,..)?
                                                      > > Current configuration only denies mails with SPF Fail and all other
                                                      > > mails were being greylisted.
                                                      >
                                                      > Use the attached patch for postfix-policyd-spf-perl-2.007, and you get
                                                      > what you want.

                                                      Speaking as the current maintainer for that package, I don't recommend
                                                      patching it to return OK and I don't think that's consistent with what the OP
                                                      wanted (he wanted to skip greylisting, not all further checks).

                                                      A couple of other options:

                                                      tumgreyspf is an integrated SPF/Greylist solution that is designed to do what
                                                      I understand the OP has requested.

                                                      pypolicyd-spf is a more complete SPF policy server than the Perl one and
                                                      is able to integrate with Postfix restriction classes to do different things
                                                      (one of which could be greylist or not) based on SPF result. This is covered
                                                      in the package documentation.

                                                      Scott K
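
An added example, not part of the thread and not code from any package named in it: a minimal Postfix policy-delegation handler showing the distinction raised above, where an SPF pass returns `DUNNO` (later restrictions still run) rather than `OK`, and every other non-fail result is routed to a greylisting restriction class. The class name `greylist`, the `spf_check` callable standing in for a real SPF library, and the sample addresses are assumptions constructed for illustration.

```python
"""Policy handler: greylist only mail whose SPF result is not 'pass'."""
import io
import sys

# Assumption: main.cf defines a restriction class with this name, e.g.
#   smtpd_restriction_classes = greylist
#   greylist = check_policy_service unix:/var/spool/postfix/postgrey/socket
# and the postgrey line is removed from smtpd_recipient_restrictions.
GREYLIST_CLASS = "greylist"
REJECT_ACTION = "550 5.7.1 SPF fail: sender not authorized"


def read_request(stream):
    """Read one request (name=value lines ended by an empty line).

    Returns a dict, or None if the stream ends before the terminator."""
    attrs = {}
    while True:
        line = stream.readline()
        if line == "":          # EOF: no complete request available
            return None
        line = line.rstrip("\r\n")
        if line == "":          # blank line terminates the request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value


def decide(attrs, spf_check):
    """Map an SPF result to a Postfix action string."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    try:
        result = spf_check(attrs.get("client_address", ""),
                           attrs.get("helo_name", ""),
                           attrs.get("sender", ""))
    except Exception:
        # Lookup trouble is treated like an unknown result: still greylist.
        return GREYLIST_CLASS
    if result == "fail":
        return REJECT_ACTION
    if result == "pass":
        # DUNNO, not OK: skip greylisting only; restrictions listed after
        # this policy service are still evaluated.
        return "DUNNO"
    return GREYLIST_CLASS       # none, neutral, softfail, errors, ...


def serve(inp, out, spf_check):
    """Answer requests until EOF; returns the number handled."""
    handled = 0
    while True:
        attrs = read_request(inp)
        if attrs is None:
            return handled
        out.write("action=%s\n\n" % decide(attrs, spf_check))
        out.flush()
        handled += 1


# Constructed SPF results keyed by (client IP, sender domain). A deployment
# would evaluate the real SPF record with an SPF library instead.
SAMPLE_SPF = {
    ("192.0.2.10", "example.com"): "pass",
    ("198.51.100.7", "example.com"): "fail",
}


def sample_spf_check(client_address, helo_name, sender):
    domain = sender.rpartition("@")[2].lower()
    return SAMPLE_SPF.get((client_address, domain), "none")


def demo():
    """Run three constructed requests through the handler."""
    template = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                "client_address=%s\nhelo_name=mail.example.com\n"
                "sender=%s\nrecipient=user@example.org\n\n")
    cases = [("192.0.2.10", "alice@example.com"),
             ("198.51.100.7", "alice@example.com"),
             ("203.0.113.5", "bob@example.net")]
    out = io.StringIO()
    serve(io.StringIO("".join(template % c for c in cases)), out,
          sample_spf_check)
    return out.getvalue().split("\n\n")[:-1]


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        print("\n".join(demo()))
    else:
        serve(sys.stdin, sys.stdout, sample_spf_check)
```
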