Exim + Greylist + Mrtg

One issue I've just run into... is EDIT#35

False positives from the dnslists entry for list.dnswl.org: I've got spam from an IP whitelisted there:

Code:
129.170.16.123 whitelisted in list.dnswl.org

so I've commented it out:

Code:
#EDIT#35:
#  accept domains = +local_domains
#         dnslists = list.dnswl.org
#         logwrite = $sender_host_address whitelisted in list.dnswl.org

I understand that this has little in common with greylisting, as the false positives show up without using greylists at all.
 
Do you have any issues with SB 4.1? Or are you just about to give it a try?
 
I'm just worried about a possibly too long delay in delivering the first message from an IP/email address. So I'm trying it on a server that is not very sensitive to email delivery delays.
 
I was starting the edits, but actually I'm finding some problems with the exim edits, because I'm also using a DKIM implementation and acl_smtp_connect and acl_smtp_helo already exist.

The acl_connect statement is easy enough to change, but not the check_helo one...

Mine currently is:

Code:
#EDIT#25:
acl_check_helo:
  # accept mail originating on this server unconditionally
  accept  hosts = @[] : @
  # deny if the HELO pretends to be this host
  deny    message   = Bad HELO - Host impersonating hostname [$sender_helo_name]
          condition = ${if or { \
                           {match{$sender_helo_name}{$smtp_active_hostname}} \
                           {eq{$sender_helo_name}{[$interface_address]}} \
                         } {true}{false} }
  # deny if the HELO is an IP address
  deny    message   = HELO is an IP address (See RFC2821 4.1.3)
          condition = ${if isip{$sender_helo_name}}
  # deny if the HELO pretends to be one of the domains hosted on the server
  deny    message   = Bad HELO - Host impersonating domain name [$sender_helo_name]
          condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
          hosts     = ! +relay_hosts
  accept

And I'm wondering how I should edit this to match the greylist one without losing anything, or if I can add a second one or just add it at the end...

Could you please help me with this?

Thanks
 
OK, maybe I did it... but I found a funny bug :)

My server is called Orange01.domain.tld

and apparently it matches this rule:

Code:
  drop  message   = Sender Blacklisted - http://www.domain.com/blocked.html?$sender_host_name
        condition = ${if match{$sender_host_name} \
                        {hinet-ip|hinet|orange|asianet.co.th} \
                        {yes}{no}}

Code:
2012-09-19 11:38:37 H=orange01.mydomain.tld [0.0.0.0] rejected connection in "connect" ACL: Sender Blacklisted - http://www.domain.com/blocked.html?orange01.crazynetwork.it

Why is "orange" in there? And why check the full hostname instead of a single domain? What sense does this make? O_O

Regards
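Why the poster's own server matched, as an added example that is not part of the thread: Exim's `${if match{...}{...}}` applies the regular expression unanchored, so the alternation above fires on any substring "orange" in `$sender_host_name`, and the unescaped dots in `asianet.co.th` match any character. The script below mimics that with `re.search` and compares it with an anchored pattern (my assumption of what the rule intended: the name must be a whole label of the reverse-DNS hostname). The same anchored regex can be dropped into the Exim rule between `\N...\N` so expansion leaves it alone. The hostnames are constructed test data.

```python
import re

# Alternation exactly as in the drop rule above.  Exim's match condition is a
# PCRE *search*, so "orange" matches anywhere, and the dots in asianet.co.th
# are unescaped wildcards.
ORIGINAL_RE = r"hinet-ip|hinet|orange|asianet.co.th"

# Anchored alternative (assumption about the rule's intent): the name must be
# preceded by start-of-string or a dot and followed by a dot or end-of-string,
# i.e. it must be a whole label (or a whole dotted suffix) of the hostname.
ANCHORED_RE = r"(^|\.)(hinet-ip|hinet|orange|asianet\.co\.th)(\.|$)"


def exim_match(pattern: str, subject: str) -> bool:
    """Mimic Exim's ${if match{subject}{pattern}}: regex search, unanchored."""
    return re.search(pattern, subject) is not None


def classify(hostnames, pattern):
    """Return the hostnames the drop rule would block with `pattern`."""
    return [h for h in hostnames if exim_match(pattern, h)]


# Constructed reverse-DNS names: the poster's own box plus some lookalikes.
SAMPLE_HOSTS = [
    "orange01.mydomain.tld",   # own server: substring hit on "orange"
    "smtp.orange.fr",          # whole label "orange": hit either way
    "mail.hinet.net",          # whole label "hinet": hit either way
    "hinetx.example",          # substring only
    "mx.asianet.co.th",        # whole suffix: hit either way
    "asianetXco.th",           # only the unescaped dots make this match
    "mx1.example.com",         # never matches
]

if __name__ == "__main__":
    print("original :", classify(SAMPLE_HOSTS, ORIGINAL_RE))
    print("anchored :", classify(SAMPLE_HOSTS, ANCHORED_RE))
```

With the anchored pattern the poster's `orange01.mydomain.tld` no longer matches, while `smtp.orange.fr`, `mail.hinet.net` and `mx.asianet.co.th` still do.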
 
OK, I removed that condition, which I don't think is actually that important for me; everything seems to be working fine.

I've just one question: after how many seconds/minutes (or how many tries) does greylistd expect a connection before it moves a greylisted entry to whitelisted? Can this be changed?

Regards
 
Writing from memory: there should be a well-documented config in /etc/greylist/ or /etc/greylistd/.
You should read it and update it to meet your needs. The default minimum time is set to 10 minutes.
 
Yes, thanks, I didn't notice that.

Now I'm facing a strange issue (actually two).

1. In the logs an error appears sometimes:

2012-09-20 11:41:35 1TEdGJ-0003aW-FP H=***.203.****.it [***.**.203.***] Warning: ACL "warn" statement skipped: condition test deferred: invalid "condition" value "}"

2. Greylist seems not to be working.

>greylist stats
Statistics since Thu Sep 20 10:47:00 2012 (57 minutes and 13 seconds ago)
-------------------------------------------------------------------------
0 items, matching 0 requests, are currently whitelisted
0 items, matching 0 requests, are currently blacklisted
0 items, matching 0 requests, are currently greylisted


On the test server it is working, on production apparently not... but mails are arriving (apart from the error above).

Any hint/suggestion?

Thanks
 
Problem "2" solved: I totally forgot to add the "Perform greylisting" section to the exim conf :)

Regarding problem "1", I noticed I get some of these lines from day to day... so either something is totally wrong, or it's totally normal... but honestly I don't know where to check...

Regards
 
OK, I implemented it in production.

As you did, I skipped the check_helo edit because I want to check everything and not skip the checks for whitelisted hosts either.

But in acl_connect I added the required things this way:

Code:
#EDIT#24:
acl_connect:
  #accept hosts = *
  accept hosts = +whitelist_hosts_ip : +relay_hosts

  drop  message = Your IP Blacklisted - see http://www.domain.com/
        hosts   = +bad_sender_hosts_ip

  # Delay (spammers don't like to wait while connecting).
  # Better not to use on high-load servers because it will hold too many open connections.
  # Connections on port 587 are accepted without delay.
  accept condition = ${if eq {$interface_port}{587}{yes}{no}}

  accept logwrite = Delay 7s for $sender_host_address ($sender_host_name)
         delay    = 7s

So I set a delay of 7s per connection (that sounds good to me to skip those who cannot wait 7 seconds, excluding those who use the secure connection on port 587, like customers).
And I'll implement (when I have time) the link for blacklisted IPs (which I suppose are blacklisted by greylist) for "how to get removed from the blacklist", instead of accepting everything at the start as it was.

The only thing I didn't get is: when does an IP go to the blacklist using greylist?

Current status on production (for less than 24 hours):

Statistics since Thu Sep 20 10:47:00 2012 (1 day and 2 hours ago)
-----------------------------------------------------------------
778 items, matching 979 requests, are currently whitelisted
0 items, matching 0 requests, are currently blacklisted
183 items, matching 230 requests, are currently greylisted

Of 1193 items that were initially greylisted:
- 778 ( 65.2%) became whitelisted
- 415 ( 34.8%) expired from the greylist


Hope this comes in useful to someone.

Regards
 
Implemented greylistd on CentOS 6.3 64bit, Spamblocker 4.1, using this guide. Reduced spam by 95%. Needed some manual whitelisting of IPs to achieve smooth operation of greylisting.

To make it work I had to make the following change:

nano /etc/init.d/greylistd

start() {
# Start daemons.
echo -n $"Starting greylistd: "
# daemon --user greylistd /usr/sbin/greylistd
initlog $INITLOG_ARGS -c "su -s /bin/bash - greylistd -c \"/usr/sbin/greylistd > /dev/null 2>&1 &\""
sleep 2

to

start() {
# Start daemons.
echo -n $"Starting greylistd: "
# daemon --user greylistd /usr/sbin/greylistd
# initlog $INITLOG_ARGS -c "su -s /bin/bash - greylistd -c \"/usr/sbin/greylistd > /dev/null 2>&1 &\""
su -s /bin/bash - mail -c /usr/sbin/greylistd > /dev/null 2>&1 &
sleep 2

Used only the "# Perform greylisting." section in /etc/exim.conf; the helo checks are fine in spamblocker 4.1.

Initially I faced a problem with email providers using a large pool of SMTP IPs, like Gmail, Messaging.Microsoft.com, Messagelabs.com and a few others: mails were getting delayed by 3-4 hours, since they use a different IP for each delivery attempt, so every attempt gets greylisted again. The solution is to go to http://www.senderbase.org, find the IP range for google.com > export > add it to /etc/virtual/whitelist_hosts_ip

Check a couple of times a day for a few days to see big spammers trying to send mails to multiple domains on your server:
greylist list --grey

Check Senderbase.org for spammer IPs and export the spammer IP ranges.
Add big spammers' IPs to /etc/virtual/bad_sender_hosts_ip; a couple of thousand spammer IPs will block lots of spam.
Add spammer e-mail IDs like [email protected] to /etc/virtual/blacklist_senders

In the spamblocker 4.1 /etc/exim.conf, change
hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts
to
hostlist bad_sender_hosts = wildlsearch;/etc/virtual/bad_sender_hosts

Then add spammer hosts like

*.bigspammerhost.com

To catch and blacklist more spammers, install multitail from http://www.vanheusden.com/multitail/ (RPMs are here: http://pkgs.org/download/multitail).

# Make it colorful
nano /etc/multitail.conf

add
# exim
colorscheme:exim
cs_re:cyan::
cs_re:blue|blue,,bold:^....-..-.. ..:..:..
cs_re:magenta,,bold:<=
cs_re:green,,bold:=>
cs_re:green,,bold:=> *[^ ]*
cs_re:magenta,,bold:<= *[^ ]*
cs_re:green,,bold:=> *[^ ]* <[^>]*>
cs_re:magenta,,bold:<= *[^ ]* <[^>]*>
cs_re:yellow:H=[^ ]*
cs_re:cyan:\[[0-9\.:]*\]
cs_re:red:Email blocked by.*
cs_re:red:verify failed for SMTP recipient.*
cs_re:red: *[^ ]* \[[0-9\.:]*\]: Connection refused
cs_re:red:SMTP.*timeout.*

# Now watch and catch spammers in real time
multitail /var/log/exim/mainlog /var/log/exim/rejectlog

Cheers! Enjoy hunting spammers ;-)
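The two greylisting questions raised in this thread (when an entry moves from greylisted to whitelisted or expires, and why providers with a large outbound IP pool such as Gmail get delayed for hours) come down to how the triplet is keyed. The model below is an added example, not greylistd's code: it keys on (client IP, envelope sender, recipient), accepts a retry only inside an assumed window (600 s minimum, 8 h maximum; the real values are whatever greylistd's config sets), and skips the greylist entirely for networks on a whitelist, the way `+whitelist_hosts_ip` does in the ACL. Blacklisting is not modelled; the stats posted above show nothing ever landed there. All addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Toy greylist keyed on the (client IP, sender, recipient) triplet.

    retry_min / retry_max are illustrative assumptions; greylistd reads its
    own values from its config file.
    """
    retry_min: int = 600                  # retries earlier than this stay deferred
    retry_max: int = 8 * 3600             # retries later than this count as expired
    whitelist_nets: list = field(default_factory=list)   # CIDR strings
    pending: dict = field(default_factory=dict)          # triplet -> first seen
    whitelisted: set = field(default_factory=set)        # triplets that retried in time
    expired: int = 0

    def __post_init__(self):
        self.whitelist_nets = [ipaddress.ip_network(n) for n in self.whitelist_nets]

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Decide one delivery attempt at time `now`: 'accept' or 'defer'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist_nets):
            return "accept"                       # whitelisted network: no greylisting
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.whitelisted:
            return "accept"
        first = self.pending.get(key)
        if first is None:                         # never seen: start the clock, 451
            self.pending[key] = now
            return "defer"
        age = now - first
        if age < self.retry_min:                  # too eager: keep deferring
            return "defer"
        if age > self.retry_max:                  # waited too long: start over
            self.pending[key] = now
            self.expired += 1
            return "defer"
        del self.pending[key]                     # retried inside the window
        self.whitelisted.add(key)
        return "accept"

    def stats(self) -> dict:
        """The counters `greylist stats` reports, in the same terms."""
        return {"whitelisted": len(self.whitelisted),
                "expired": self.expired,
                "greylisted": len(self.pending)}


def single_ip_sender(gl: Greylist) -> list:
    """A normal MTA retries from the same IP after 15 minutes."""
    a = ("198.51.100.7", "alice@example.org", "bob@example.net")
    return [gl.check(*a, now=0), gl.check(*a, now=15 * 60)]


def pool_sender(gl: Greylist, attempts: int = 4) -> list:
    """A big provider retries every 15 minutes from a different outbound IP,
    so each attempt is a brand-new triplet and each one is deferred again."""
    return [gl.check(f"203.0.113.{i + 1}", "news@bigmail.example",
                     "bob@example.net", now=i * 15 * 60)
            for i in range(attempts)]


if __name__ == "__main__":
    gl = Greylist()
    print(single_ip_sender(gl))   # ['defer', 'accept']
    print(pool_sender(gl))        # ['defer', 'defer', 'defer', 'defer']
    print(gl.stats())             # {'whitelisted': 1, 'expired': 0, 'greylisted': 4}
    fixed = Greylist(whitelist_nets=["203.0.113.0/24"])
    print(pool_sender(fixed))     # ['accept', 'accept', 'accept', 'accept']
```

The four pool attempts never become a whitelisted triplet, which is exactly the multi-hour delay described above; adding the provider's range to the whitelist (the Senderbase export step) short-circuits the check before any triplet is created.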
 
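Watching the logs with multitail shows the spammers one line at a time; to turn that into entries for /etc/virtual/bad_sender_hosts_ip you want the same evidence aggregated per client IP. The script below is an added example (not part of the thread or of spamblocker): it parses Exim mainlog/rejectlog reject lines, ignores the greylist defers ("temporarily rejected", which a legitimate MTA also produces), and lists IPs whose permanent rejects hit at least two recipient domains on the server, the "sending to multiple domains" pattern the post above says to look for. The sample log lines are constructed, in the format of the lines quoted earlier in this thread; the `H=` field may carry a verified hostname, a HELO in parentheses, or both.

```python
import re
from collections import defaultdict

# Exim reject line: timestamp, optional message id, H=host (helo) [ip],
# then "rejected connection", "rejected RCPT <addr>" or the greylist
# defer "temporarily rejected RCPT <addr>".
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"H=(?P<host>[^\s(\[]+)?(?:\s?\((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]"
    r".*?(?P<temp>temporarily )?rejected (?P<what>connection|RCPT)"
    r"(?: <(?P<rcpt>[^>]+)>)?"
)

# Constructed sample: one spammer hitting three hosted domains from one IP
# (once with a HELO only, once with a verified name), one legitimate MTA that
# is greylisted then gets a bounce for an unknown user, the thread's own
# "connect" ACL reject, and an accepted delivery that must be ignored.
SAMPLE_LOG = """\
2012-09-20 11:41:35 H=(mail.example) [192.0.2.5] F=<spam@example.com> rejected RCPT <a@domain-one.tld>: Email blocked by RBL
2012-09-20 11:42:01 H=(mail.example) [192.0.2.5] F=<spam@example.com> rejected RCPT <b@domain-two.tld>: Email blocked by RBL
2012-09-20 11:43:10 H=relay.example (mail.example) [192.0.2.5] F=<spam2@example.com> rejected RCPT <c@domain-three.tld>: Email blocked by RBL
2012-09-20 11:45:00 H=mx.good.example [198.51.100.7] F=<user@good.example> temporarily rejected RCPT <a@domain-one.tld>: greylisted, please try again later
2012-09-20 11:46:30 H=mx.good.example [198.51.100.7] F=<user@good.example> rejected RCPT <nobody@domain-one.tld>: verify failed for SMTP recipient
2012-09-19 11:38:37 H=orange01.mydomain.tld [0.0.0.0] rejected connection in "connect" ACL: Sender Blacklisted - http://www.domain.com/blocked.html?orange01.crazynetwork.it
2012-09-20 12:00:00 1TEdGJ-0003aW-FP <= user@good.example H=mx.good.example [198.51.100.7] P=esmtp S=1234
"""


def parse_line(line: str):
    """Return the named groups of a reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def tally(lines, min_domains: int = 2):
    """Permanent rejects per client IP, with the number of distinct recipient
    domains hit; rows with fewer than `min_domains` domains are dropped.
    Returns (ip, name, reject_count, domain_count), most rejects first."""
    rejects = defaultdict(int)
    domains = defaultdict(set)
    names = {}
    for line in lines:
        r = parse_line(line)
        if r is None or r["temp"]:          # not a reject, or only a greylist defer
            continue
        ip = r["ip"]
        rejects[ip] += 1
        names.setdefault(ip, r["host"] or r["helo"] or "?")
        if r["rcpt"] and "@" in r["rcpt"]:
            domains[ip].add(r["rcpt"].rsplit("@", 1)[1].lower())
    rows = [(ip, names[ip], rejects[ip], len(domains[ip]))
            for ip in rejects if len(domains[ip]) >= min_domains]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for ip, name, n, d in tally(SAMPLE_LOG.splitlines()):
        print(f"{ip:<16} {name:<24} rejects={n} domains={d}")
```

Only 192.0.2.5 survives the domain threshold; the greylisted MTA is not counted at all, and its single bounce for an unknown user is not enough on its own, which is the kind of false positive a blanket "every reject is a spammer" rule would produce.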