
Thread: Exim + Greylist + Mrtg

  1. #1
    Join Date
    Dec 2007
    Posts
    102

    Exim + Greylist + Mrtg

    Hello to all.

    I want to share how I reduce spam on my box.

    Maybe not a perfect solution, but it works.
    Always make a backup and use it at your own risk!

    Tested on CentOS 5

    Install Greylist:
    Code:
    # rpm -Uvh http://dl.atrpms.net/el5-i386/atrpms/stable/greylistd-0.8.3.2-8.0.el5.noarch.rpm
    Now you need to change permissions:
    chown -R mail.mail /etc/greylistd/
    chown -R mail.mail /var/run/greylistd/
    chown -R mail.mail /var/lib/greylistd/
    chown -R mail.mail /usr/sbin/greylist*

    start greylistd:
    # /usr/bin/su mail -c /usr/sbin/greylistd &


    I use original SpamBlocker2 (Jeff, thank you !)
    Code:
    ######################################################################
    #                 SpamBlocker.exim.conf.2.1.1-release                #
    #                             05-Jun-2007                            #
    #   Runtime configuration file for DirectAdmin/Exim 4.24 and above   #
    #          Requires exim.pl dated 20-Apr-2007 17:09 or later         #
    Edit /etc/exim.conf
    -------------------

    Add
    acl_smtp_connect = acl_connect
    acl_smtp_helo = check_helo

    just before:
    acl_smtp_rcpt = check_recipient
    acl_smtp_data = check_message

    Find
    Code:
    ######################################################################
    #                               ACLs                                 #
    ######################################################################
    begin acl
    add after:
    Code:
    ###############################
    #   ACL connect
    ###############################
    acl_connect:
        accept hosts = +whitelist_hosts_ip : +relay_hosts 
    
        drop	message = Your IP Blacklisted - see http://www.domain.com/
            hosts	 = +bad_sender_hosts_ip
    
        # We do not receive mails from orange, hinet... etc 
        drop	message   = Sender Blacklisted - http://www.domain.com/blocked.html?$sender_host_name
            condition = ${if match{$sender_host_name} \
                        {hinet-ip|hinet|orange|asianet.co.th} \
                        {yes}{no}}
    
        # Delay. (Spammers don't like to wait while connecting.)
        # Better not to use this on high-load servers, because it will hold too many connections open.
        # Port 587 accepts connections without delay
        accept condition = ${if eq {$interface_port}{587}{yes}{no}}
    
        accept  
            logwrite = Delay 10s for $sender_host_address ($sender_host_name)
            delay    = 10s
    
    ###############################
    #    ACL HELO/EHLO
    ###############################
    
    check_helo:
    
        accept  condition = ${if eq {$interface_port}{587}{yes}{no}}
        accept hosts = +whitelist_hosts: +whitelist_hosts_ip : +relay_hosts 
        
        # for some reason this rule may need to be commented out
        deny message  = rejected due to forged HELO name - $sender_helo_name
            condition     = ${if match {$sender_helo_name} \
                    	{\N^[^.].*\.[^.]+$\N} \
                            {no}{yes}}
            !hosts	= +whitelist_hosts: +whitelist_hosts_ip : +relay_hosts 
                                                                                        
        drop message  = HELO/EHLO cannot be numbers only
    	condition = ${if match{$sender_helo_name}{\N^\d+$\N}{yes}{no}}
    
        # If remote host greets with an IP address, reject connection:
        drop message  = IP address not allowed in HELO/EHLO
    	condition = ${if isip {$sender_helo_name}{true}{false}}
    	
        drop message  = This is my IP. Go away
    	condition = ${if eq{$sender_helo_name}{$interface_address} \
                              {yes}{no}}
    
        deny message  = HELO/EHLO required by SMTP RFC.
    	condition = ${if eq{$sender_helo_name}{}{yes}{no}}
    
        accept
    Find:
    Code:
     #require verify = sender
    Add after:
    Code:
         drop  message = Use your provider SMTP. Email blocked
    	condition = ${if match{$sender_host_name} \
                              {adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
                              {yes}{no}}
    	hosts 	= !+relay_hosts
    	domains = +use_rbl_domains
    	!authenticated 	= *
    find:
    Code:
    # accept if address is in a local domain as long as recipient can be verified
      accept  domains = +local_domains
              endpass
    	message = "Unknown User"
    Add before:
    Code:
    # Perform greylisting.
    
        defer message 	= $sender_host_address is greylisted. Please try again later.
    	log_message 	= greylisted.
    	domains 	= +relay_domains : +local_domains
    	!senders 	= : postmaster@*
    	!hosts          = : +relay_hosts : \
    			    ${if exists {/etc/greylistd/whitelist-hosts}\
                    	    {/etc/greylistd/whitelist-hosts}{}} : \
    			    ${if exists {/etc/virtual/whitelist-hosts}\
                    	    {/etc/virtual/whitelist-hosts}{}}
                    	    
    	verify         	= recipient/callout=5s,use_sender,defer_ok
    	condition      	= ${readsocket{/var/run/greylistd/socket}\
    	                   {--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}
    Save exim.conf and restart exim:
    # service exim restart

    That's All.
    Now you can check the maillog and see something like the lines below:
    Code:
    2008-03-17 09:20:03 H=(pentium) [84.21.226.22] rejected EHLO or HELO pentium: rejected due to forged HELO name - pentium
    
    2008-03-17 12:22:28 Delay 10s for 59.93.211.220 ()
    
    2008-03-17 12:22:35 H=(59.94.122.15) [59.94.122.15] rejected EHLO or HELO 59.94.122.15: IP address not allowed in HELO/EHLO
    
    2008-03-17 12:22:52 H=cpc1-neww3-0-0-cust845.cdif.cable.ntl.com (home-ad73427dc5) [82.11.227.78] F=<sale@menswork.ru> rejected RCPT <bulbul@fs-host.net>: Use your provider SMTP. Email blocked 
    
    2008-03-17 12:28:23 H=n4a.bullet.mail.ac4.yahoo.com [76.13.13.67] rejected connection in "connect" ACL: Sender Blacklisted - http://www.fs-host.net/blocked.html?n4a.bullet.mail.ac4.yahoo.com
    
    2008-03-17 13:05:17 H=horse.iptelecom.net.ua [212.9.224.8] F=<ingress@hosting01.iptelecom.net.ua> temporarily rejected RCPT <er@mydomains.com>: greylisted.
    
    2008-03-17 13:09:48 H=ppp85-140-116-38.pppoe.mtu-net.ru (mtu-net.ru) [85.140.116.38] F=<sgxbd@mtu-net.ru> rejected RCPT <mail@intdsfdsferm.com>: Use your provider SMTP. Email blocked
    Also you can check greylisting stats:

    # greylist stats
    Statistics since Sun Mar 16 23:18:21 2008 (14 hours and 53 minutes ago)
    -----------------------------------------------------------------------
    146 items, matching 171 requests, are currently whitelisted
    0 items, matching 0 requests, are currently blacklisted
    155 items, matching 156 requests, are currently greylisted

    Of 146 items that were initially greylisted:
    - 146 (100.0%) became whitelisted
    - 0 ( 0.0%) expired from the greylist


    -----------------------------------------------------------------------

    If you use MRTG:

    in mrtg/core/system
    add:
    Code:
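    if [ "$TYPE" = "greylist" ]; then
        # INDATA: every greylist deferral in the current mainlog (fixed-string match)
        INDATA=`grep -cF ": greylisted." /var/log/exim/mainlog`
        TODAY=`date '+%Y-%m-%d'`
        # OUTDATA: greylist deferrals whose timestamp starts with today's date
        OUTDATA=`grep "^$TODAY" /var/log/exim/mainlog | grep -cF ": greylisted."`
    fi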
    in mrtg.cfg find:
    Code:
    <br><a href="memory.html">- Memory Usage</a>
    and add:
    Code:
    <br><a href="greylist.html">- Email Greylisted</a>
    at end of file add this:
    Code:
    #----------------------------
    # Email Greylisted
    #----------------------------
    Target[greylist]: `/var/www/html/mrtg/core/system greylist`
    Title[greylist]: Spam Greylisted
    PageTop[greylist]: <h3>Email greylisted</h3>
    Options[greylist]: nopercent,growright,noinfo,pngdate,gauge
    
    YLegend[greylist]: Email greylisted
    LegendO[greylist]: Daily Email greylisted
    LegendI[greylist]: Weekly Email greylisted &nbsp;
    
    ShortLegend[greylist]: &nbsp;E-mails
    Legend1[greylist]: Weekly greylisted
    Legend2[greylist]: Daily greylisted

    Feel free to post any suggestions please.
    Last edited by snk; 04-04-2008 at 12:28 AM.
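
Added example, not part of the original post: a Python tally of the log lines this setup produces, per day and per rule. It extends the MRTG grep counter above to every rule and keeps this server's own greylist deferrals apart from deferrals that remote servers send back on outbound mail. The rule labels are names chosen for this example; the sample lines are copied from posts in this thread.

```python
import re
from collections import Counter

# Sample lines copied from posts in this thread (six inbound ACL decisions,
# one outbound delivery that a remote server greylisted).
SAMPLE_LOG = """\
2008-03-17 09:20:03 H=(pentium) [84.21.226.22] rejected EHLO or HELO pentium: rejected due to forged HELO name - pentium
2008-03-17 12:22:28 Delay 10s for 59.93.211.220 ()
2008-03-17 12:22:35 H=(59.94.122.15) [59.94.122.15] rejected EHLO or HELO 59.94.122.15: IP address not allowed in HELO/EHLO
2008-03-17 12:22:52 H=cpc1-neww3-0-0-cust845.cdif.cable.ntl.com (home-ad73427dc5) [82.11.227.78] F=<sale@menswork.ru> rejected RCPT <bulbul@fs-host.net>: Use your provider SMTP. Email blocked
2008-03-17 12:28:23 H=n4a.bullet.mail.ac4.yahoo.com [76.13.13.67] rejected connection in "connect" ACL: Sender Blacklisted - http://www.fs-host.net/blocked.html?n4a.bullet.mail.ac4.yahoo.com
2008-03-17 13:05:17 H=horse.iptelecom.net.ua [212.9.224.8] F=<ingress@hosting01.iptelecom.net.ua> temporarily rejected RCPT <er@mydomains.com>: greylisted.
2008-05-08 15:16:52 1Ju5zM-00078p-8e SMTP error from remote mail server after RCPT TO:<xpihbxprns@bmrconsulting.com>: host mx1.netbenefit.co.uk [212.53.64.41]: 451 84.243.215.252 - You have been greylisted, please try later
"""

# Rule labels are made up for this example; the patterns match the
# messages set in the ACLs of the first post. First match wins.
RULES = [
    ("greylisted", re.compile(r"temporarily rejected RCPT <[^>]*>: greylisted\.$")),
    ("dynamic_host", re.compile(r"rejected RCPT <[^>]*>: Use your provider SMTP")),
    ("helo_forged", re.compile(r"rejected EHLO or HELO .*forged HELO name")),
    ("helo_ip", re.compile(r"rejected EHLO or HELO .*IP address not allowed")),
    ("connect_blacklist", re.compile(r'rejected connection in "connect" ACL')),
    ("connect_delay", re.compile(r"^Delay \d+s for ")),
    # Not a local decision: a remote MX deferred mail this server was sending.
    ("remote_greylist", re.compile(r"SMTP error from remote mail server .*greylisted")),
]
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (.*)$")
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify(rest):
    """Return the label of the first rule matching the text after the timestamp."""
    for name, pattern in RULES:
        if pattern.search(rest):
            return name
    return None

def tally(text):
    """Count hits per (date, rule) and collect the bracketed peer IPs per rule."""
    counts, peers = Counter(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        rule = classify(m.group(2)) if m else None
        if rule is None:
            continue
        counts[(m.group(1), rule)] += 1
        ip = PEER_IP.search(m.group(2))
        if ip:
            peers.setdefault(rule, set()).add(ip.group(1))
    return counts, peers

if __name__ == "__main__":
    counts, peers = tally(SAMPLE_LOG)
    for (day, rule), n in sorted(counts.items()):
        print(day, rule, n, sorted(peers.get(rule, ())))
```

The per-rule peer sets give a list of rejected hosts to review for false positives before tightening or loosening a rule.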

  2. #2
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    {.yahoo.com|hinet-ip|hinet|orange|asianet.co.th|.pacbell.net} \
    Why are you blocking email from my ISP, pacbell.net?

    I'd like to try this, and hopefully be able to add it as an option to the next official SpamBlocker release, but if I can't contact you I'm not sure I want to risk it.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  3. #3
    Join Date
    Jul 2005
    Posts
    2,008
    This is ridiculous too


    drop message = Use your provider SMTP. Email blocked
    condition = ${if match{$sender_host_name} \
    {adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
    {yes}{no}}
    hosts = !+relay_hosts
    domains = +use_rbl_domains
    !authenticated = *

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Perhaps not for many of us, chatwizrd. I wouldn't block all of them, and certainly not in SpamBlocker, but some of them make sense.

    Jeff

  5. #5
    Join Date
    Dec 2007
    Posts
    102
    Why are you blocking email from my ISP, pacbell.net?
    Before, I received about 3k-5k spam emails from pacbell.net.
    Jeff, sorry for blocking your ISP.
    I have changed it.

    chatwizrd, why do you think so?
    This is ridiculous too
    I haven't seen any SMTP server that uses a dynamic IP address; ISPs use static IPs with PTR.
    But spammers use dynamic IPs a lot.
    I don't think that the hosts below are legal SMTP servers:
    Code:
    H=189-68-59-223.dsl.telesp.net.br (eyfro.telesp.net.br) [189.68.59.223]
    H=(149.76.205.221.adsl-pool.sx.cn) [221.205.76.149]
    H=adsl-75-36-78-185.dsl.irvnca.sbcglobal.net [75.36.78.185]
    H=iac250.internetdsl.tpnet.pl [79.189.2.250]
    My customers use port 587 for sending emails from my server.

    Yes, maybe it's not so smart, but it works for me and it blocks about 80% of spam.
    Last edited by snk; 03-28-2008 at 12:37 AM.
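
Added example, not part of the thread: a Python audit of the hostname token pattern debated in posts #3 to #5, run against the hostnames quoted in the thread plus a few constructed names. The `BOUNDED` variant and the `.example` hostnames are assumptions of this example; it shows which hosts the posted pattern drops only because a token appears inside a longer word.

```python
import re

# Token list copied from the "Use your provider SMTP" ACL in the first post.
TOKENS = "adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable"

# Exim's ${if match{...}{...}} is an unanchored regex search: a token
# anywhere inside $sender_host_name triggers the drop.
AS_POSTED = re.compile(TOKENS)

# Stricter variant, an assumption of this example (not from the thread):
# the token must start at the beginning of the name or after ".", "-" or a
# digit, and end at the end of the name or before ".", "-" or a digit.
BOUNDED = re.compile(r"(?:^|[.\-0-9])(?:" + TOKENS + r")(?=$|[.\-0-9])")

# Hostnames quoted in this thread (post #5 and the log excerpt in post #1).
FROM_THREAD = [
    "189-68-59-223.dsl.telesp.net.br",
    "149.76.205.221.adsl-pool.sx.cn",
    "adsl-75-36-78-185.dsl.irvnca.sbcglobal.net",
    "iac250.internetdsl.tpnet.pl",
    "ppp85-140-116-38.pppoe.mtu-net.ru",
    "cpc1-neww3-0-0-cust845.cdif.cable.ntl.com",
]

# Constructed names under the reserved .example TLD, for illustration only.
CONSTRUCTED = [
    "mail.liverpool.example",    # contains "pool"
    "mx1.speerlaw.example",      # contains "peer"
    "smtp.dynamicsoft.example",  # contains "dynamic"
    "mail.widgets.example",      # contains no token
]


def audit(hosts):
    """Map each host to (dropped by posted pattern, dropped by bounded pattern)."""
    return {h: (bool(AS_POSTED.search(h)), bool(BOUNDED.search(h))) for h in hosts}


def only_posted(hosts):
    """Hosts the posted pattern drops but the bounded variant lets through."""
    return [h for h, (posted, bounded) in audit(hosts).items()
            if posted and not bounded]


if __name__ == "__main__":
    for host, (posted, bounded) in audit(FROM_THREAD + CONSTRUCTED).items():
        print(f"{host:45} posted={posted!s:5} bounded={bounded}")
```

Running the same audit over the sending hosts in a real mainlog before enabling the rule shows how much legitimate mail either form of the pattern would drop.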

  6. #6
    Join Date
    Jul 2005
    Posts
    2,008
    Quote Originally Posted by jlasman View Post
    Perhaps not for many of us, chatwizrd. I wouldn't block all of them, and certainly not in SpamBlocker, but some of them make sense.

    Jeff
    I do not sell services, so people cannot even use them because of the way it's set up.

  7. #7
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    So your post makes no sense for the majority of us who use DirectAdmin in a shared hosting environment?

    Jeff

  8. #8
    Join Date
    Jun 2006
    Posts
    70
    THANKS! I followed your instructions and it seems to be working wonderfully!

    One area that got me a little confused was where you instruct adding the code section to exim.conf beginning with:
    Code:
    ###############################
    #   ACL connect
    ###############################
    acl_connect:
    . . .
    Perhaps you can be a little more specific where to add this? Through trial-and-error I added the code below the line that reads "begin acl". This seems to work, but I'm still not 100% I have it placed correctly.

  9. #9
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Looking here you'll see that the connect acl (acl_connect) is the first ACL, so that's the right place to put it.

    Jeff

  10. #10
    Join Date
    Jun 2006
    Posts
    70
    Is it necessary to manually invoke greylistd?
    start greylistd:
    # /usr/bin/su mail -c /usr/sbin/greylistd &
    I'm new to this, so therefore pretty easily confused, but currently greylistd doesn't appear in my list of active processes, yet incoming mail is being delayed as expected. Sorry for my new-b-ness.

  11. #11
    Join Date
    Dec 2007
    Posts
    102
    jlpeifer, yes, you need to run the greylist daemon manually from your root shell account.

  12. #12
    Join Date
    Apr 2007
    Posts
    12

    problem

    snk

    I performed the operations as written in the instructions, but greylist is not working

    greylist stats
    Statistics since Thu Apr 3 14:21:14 2008 (1 hour and 10 minutes ago)
    ---------------------------------------------------------------------
    0 items, matching 0 requests, are currently whitelisted
    0 items, matching 0 requests, are currently blacklisted
    0 items, matching 0 requests, are currently greylisted

  13. #13
    Join Date
    Dec 2007
    Posts
    102
    alexey.world, please check that greylistd is running and also check your exim log for errors.
    And don't forget to restart exim after editing exim.conf

  14. #14
    Join Date
    Apr 2007
    Posts
    12
    Quote Originally Posted by snk View Post
    alexey.world, please check that greylistd is running and also check your exim log for errors.
    And don't forget to restart exim after editing exim.conf
    Greylist - enabled
    Exim - rerun
    The Exim logs do not contain errors. The word greylisted does not appear in the Exim logs.

  15. #15
    Join Date
    Dec 2007
    Posts
    102
    The problem of alexey.world is solved.

    If you see that everything was done correctly but greylist doesn't work, please check that this condition:
    Code:
    # Perform greylisting.
        defer message 	= $sender_host_address is greylisted. Please try again later.
    	log_message 	= greylisted.
    	domains 	= +relay_domains : +local_domains
    	!senders 	= : postmaster@*
    	!hosts          = : +relay_hosts : \
    			    ${if exists {/etc/greylistd/whitelist-hosts}\
                    	    {/etc/greylistd/whitelist-hosts}{}} : \
    			    ${if exists {/etc/virtual/whitelist-hosts}\
                    	    {/etc/virtual/whitelist-hosts}{}}
                    	    
    	verify         	= recipient/callout=5s,use_sender,defer_ok
    	condition      	= ${readsocket{/var/run/greylistd/socket}\
    	                   {--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}
    come before this:
    Code:
    # accept if address is in a local domain as long as recipient can be verified
      accept  domains = +local_domains
              endpass
    	message = "Unknown User"
    Last edited by snk; 04-07-2008 at 10:22 AM.

  16. #16
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Has anyone gotten this to work with SpamBlocker3.1-beta?

    Jeff

  17. #17
    Join Date
    May 2007
    Posts
    19
    Would one want to run beta software on a production server?

  18. #18
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    That would be your decision. Perhaps I should have marked it as final release candidate, or even released it.

    But I didn't. However, it does work and many of us use it.

    Simply the fact that it's beta simply means that DirectAdmin doesn't include it by default.

    I want to release it but I haven't had the time to finalize it. I will as soon as I can.

    Jeff

  19. #19
    Join Date
    Sep 2007
    Posts
    62
    Code:
    drop message = Use your provider SMTP. Email blocked
    condition = ${if match{$sender_host_name} \
    {adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
    {yes}{no}}
    hosts = !+relay_hosts
    domains = +use_rbl_domains
    !authenticated = *
    How would I use only this part? (with indeed some names left out)

    This comes in quite handy to just block on ISPs who have a no port block policy.

    (I had the greylisting partially working on spamblocker3.
    Partially as in, all mail that got sent to the server got greylisted, but when sending a second time it still remained greylisted...)

    some code from my messagelog:

    Code:
    [root@server1 ~]# cat /var/log/exim/mainlog.2 |grep greylisted
    2008-05-08 15:16:52 1Ju5zM-00078p-8e SMTP error from remote mail server after RCPT TO:<xpihbxprns@bmrconsulting.com>: host mx1.netbenefit.co.uk [212.53.64.41]: 451 84.243.215.252 - You have been greylisted, please try later
    2008-05-08 15:16:53 1Ju5zM-00078p-8e == xpihbxprns@bmrconsulting.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<xpihbxprns@bmrconsulting.com>: host mx2.netbenefit.co.uk [212.53.64.42]: 451 84.243.215.252 - You have been greylisted, please try later
    2008-05-09 19:29:50 1JuWPm-0000xe-Cl SMTP error from remote mail server after RCPT TO:<toekomstnn@future.nl>: host mail.servernation.nl [212.203.9.120]: 450 4.2.0 <toekomstnn@future.nl>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
    2008-05-09 19:29:51 1JuWPm-0000xe-Cl == toekomstnn@future.nl R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<toekomstnn@future.nl>: host mailfallback1.pool1.interlab.nl [85.17.152.163]: 450 4.2.0 <toekomstnn@future.nl>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
    2008-05-09 19:47:54 1JuWPm-0000xe-Cl SMTP error from remote mail server after RCPT TO:<toekomstnn@future.nl>: host mail.servernation.nl [212.203.9.120]: 450 4.2.0 <toekomstnn@future.nl>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
    Last edited by RaZer0r; 05-21-2008 at 01:27 PM.

  20. #20
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Try it and let us know if it helps.

    Jeff
