Exim + Greylist + Mrtg

snk

Hello to all.

I want to share how I reduce spam on my box.

Maybe not a perfect solution, but it works :)
Always make a backup and use it at your own risk!

Tested on CentOS 5

Install Greylist:
Code:
# rpm -Uvh http://dl.atrpms.net/el5-i386/atrpms/stable/greylistd-0.8.3.2-8.0.el5.noarch.rpm

Now you need to change permissions:
Code:
chown -R mail.mail /etc/greylistd/
chown -R mail.mail /var/run/greylistd/
chown -R mail.mail /var/lib/greylistd/
chown -R mail.mail /usr/sbin/greylist*

Start greylistd:
Code:
# /usr/bin/su mail -c /usr/sbin/greylistd &


I use the original SpamBlocker2 (Jeff, thank you!)
Code:
######################################################################
#                 SpamBlocker.exim.conf.2.1.1-release                #
#                             05-Jun-2007                            #
#   Runtime configuration file for DirectAdmin/Exim 4.24 and above   #
#          Requires exim.pl dated 20-Apr-2007 17:09 or later         #

Edit /etc/exim.conf
-------------------

Add
acl_smtp_connect = acl_connect
acl_smtp_helo = check_helo

just before:
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

Find
Code:
######################################################################
#                               ACLs                                 #
######################################################################
begin acl

add after:
Code:
###############################
#   ACL connect
###############################
acl_connect:
    accept  hosts = +whitelist_hosts_ip : +relay_hosts

    drop    message = Your IP Blacklisted - see http://www.domain.com/
            hosts   = +bad_sender_hosts_ip

    # We do not receive mail from orange, hinet... etc.
    drop    message   = Sender Blacklisted - http://www.domain.com/blocked.html?$sender_host_name
            condition = ${if match{$sender_host_name} \
                        {hinet-ip|hinet|orange|asianet.co.th} \
                        {yes}{no}}

    # Delay. (Spammers don't like to wait while connecting.)
    # Better not to use this on high-load servers because it will hold too many open connections.
    # Port 587 accepts connections without delay.
    accept  condition = ${if eq {$interface_port}{587}{yes}{no}}

    accept
            logwrite = Delay 10s for $sender_host_address ($sender_host_name)
            delay    = 10s

###############################
#    ACL HELO/EHLO
###############################

check_helo:

    accept  condition = ${if eq {$interface_port}{587}{yes}{no}}
    accept  hosts = +whitelist_hosts : +whitelist_hosts_ip : +relay_hosts

    # For some reason this rule may need to be commented out
    deny    message   = rejected due to forged HELO name - $sender_helo_name
            condition = ${if match {$sender_helo_name} \
                        {\N^[^.].*\.[^.]+$\N} \
                        {no}{yes}}
            !hosts    = +whitelist_hosts : +whitelist_hosts_ip : +relay_hosts

    drop    message   = HELO/EHLO cannot be numbers only
            condition = ${if match{$sender_helo_name}{\N^\d+$\N}{yes}{no}}

    # If the remote host greets with an IP address, reject the connection:
    drop    message   = IP address not allowed in HELO/EHLO
            condition = ${if isip {$sender_helo_name}{true}{false}}

    drop    message   = This is my IP. Go away
            condition = ${if eq{$sender_helo_name}{$interface_address} \
                        {yes}{no}}

    deny    message   = HELO/EHLO required by SMTP RFC.
            condition = ${if eq{$sender_helo_name}{}{yes}{no}}

    accept

Find:
Code:
 #require verify = sender

Add after:
Code:
    drop    message   = Use your provider SMTP. Email blocked
            condition = ${if match{$sender_host_name} \
                        {adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
                        {yes}{no}}
            hosts     = !+relay_hosts
            domains   = +use_rbl_domains
            !authenticated = *

Find:
Code:
# accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
          message = "Unknown User"
Add before:
Code:
# Perform greylisting.

    defer   message     = $sender_host_address is greylisted. Please try again later.
            log_message = greylisted.
            domains     = +relay_domains : +local_domains
            !senders    = : postmaster@*
            !hosts      = : +relay_hosts : \
                          ${if exists {/etc/greylistd/whitelist-hosts}\
                          {/etc/greylistd/whitelist-hosts}{}} : \
                          ${if exists {/etc/virtual/whitelist-hosts}\
                          {/etc/virtual/whitelist-hosts}{}}

            verify      = recipient/callout=5s,use_sender,defer_ok
            condition   = ${readsocket{/var/run/greylistd/socket}\
                          {--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}

Save exim.conf and restart exim:
# service exim restart

That's all.
Now you can check the maillog and see something like below:
Code:
2008-03-17 09:20:03 H=(pentium) [84.21.226.22] rejected EHLO or HELO pentium: rejected due to forged HELO name - pentium

2008-03-17 12:22:28 Delay 10s for 59.93.211.220 ()

2008-03-17 12:22:35 H=(59.94.122.15) [59.94.122.15] rejected EHLO or HELO 59.94.122.15: IP address not allowed in HELO/EHLO

2008-03-17 12:22:52 H=cpc1-neww3-0-0-cust845.cdif.cable.ntl.com (home-ad73427dc5) [82.11.227.78] F=<[email protected]> rejected RCPT <[email protected]>: Use your provider SMTP. Email blocked 

2008-03-17 12:28:23 H=n4a.bullet.mail.ac4.yahoo.com [76.13.13.67] rejected connection in "connect" ACL: Sender Blacklisted - http://www.fs-host.net/blocked.html?n4a.bullet.mail.ac4.yahoo.com

2008-03-17 13:05:17 H=horse.iptelecom.net.ua [212.9.224.8] F=<[email protected]> temporarily rejected RCPT <[email protected]>: greylisted.

2008-03-17 13:09:48 H=ppp85-140-116-38.pppoe.mtu-net.ru (mtu-net.ru) [85.140.116.38] F=<[email protected]> rejected RCPT <[email protected]>: Use your provider SMTP. Email blocked

You can also check greylisting stats:

# greylist stats
Statistics since Sun Mar 16 23:18:21 2008 (14 hours and 53 minutes ago)
-----------------------------------------------------------------------
146 items, matching 171 requests, are currently whitelisted
0 items, matching 0 requests, are currently blacklisted
155 items, matching 156 requests, are currently greylisted

Of 146 items that were initially greylisted:
- 146 (100.0%) became whitelisted
- 0 ( 0.0%) expired from the greylist


-----------------------------------------------------------------------

If you use MRTG:

In mrtg/core/system add:
Code:
if [ "$TYPE" = "greylist" ]; then
    # all greylisted RCPTs in the current mainlog
    INDATA=`grep -c ": greylisted." /var/log/exim/mainlog`
    TODAY=`date '+%Y-%m-%d'`
    # greylisted RCPTs logged today only
    OUTDATA=`grep "$TODAY" /var/log/exim/mainlog | grep -c ": greylisted."`
fi

In mrtg.cfg find:
Code:
<br><a href="memory.html">- Memory Usage</a>
and add:
Code:
<br><a href="greylist.html">- Email Greylisted</a>

At the end of the file add this:
Code:
#----------------------------
# Email Greylisted
#----------------------------
Target[greylist]: `/var/www/html/mrtg/core/system greylist`
Title[greylist]: Spam Greylisted
PageTop[greylist]: <h3>Email greylisted</h3>
Options[greylist]: nopercent,growright,noinfo,pngdate,gauge

YLegend[greylist]: Email greylisted
LegendO[greylist]: Daily Email greylisted
LegendI[greylist]: Weekly Email greylisted  

ShortLegend[greylist]:  E-mails
Legend1[greylist]: Weekly greylisted
Legend2[greylist]: Daily greylisted


Feel free to post any suggestions please.
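As an added illustration (not code from the post or from Exim), here is a Python model of the check_helo ACL above, applying the rules in the order Exim does, so you can see why the maillog shows "pentium" denied as a forged name but "59.94.122.15" dropped as an IP literal. The interface address is a constructed value, and the whitelisted and forged_rule_enabled flags are assumptions standing in for Exim's host lists and for commenting out the forged-HELO deny.

```python
import ipaddress
import re

# Python model of the check_helo ACL (added example, not Exim's own code).
FORGED_HELO_RE = re.compile(r"^[^.].*\.[^.]+$")  # same regex as the ACL
DIGITS_ONLY_RE = re.compile(r"^\d+$")


def _is_ip(s):
    """Equivalent of Exim's ${if isip ...}: True for an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def check_helo(helo, interface_port=25, interface_address="203.0.113.10",
               whitelisted=False, forged_rule_enabled=True):
    """Return (verb, message) for a HELO/EHLO name, first matching rule wins.

    interface_address is a constructed documentation-range value;
    whitelisted stands for +whitelist_hosts/+whitelist_hosts_ip/+relay_hosts;
    forged_rule_enabled=False models commenting out the forged-HELO deny.
    """
    if interface_port == 587:            # submission port: no HELO checks
        return ("accept", "")
    if whitelisted:                      # accept hosts = +whitelist_hosts ...
        return ("accept", "")
    # deny unless the name looks like host.domain (an empty name fails too)
    if forged_rule_enabled and not FORGED_HELO_RE.match(helo):
        return ("deny", "rejected due to forged HELO name - " + helo)
    # A digits-only or empty name has no dot, so with the forged-HELO deny
    # enabled it never reaches this rule or the "required" rule below.
    if DIGITS_ONLY_RE.match(helo):
        return ("drop", "HELO/EHLO cannot be numbers only")
    if _is_ip(helo):
        return ("drop", "IP address not allowed in HELO/EHLO")
    if helo == interface_address:        # an IP literal; shadowed by isip above
        return ("drop", "This is my IP. Go away")
    if helo == "":
        return ("deny", "HELO/EHLO required by SMTP RFC.")
    return ("accept", "")
```

Rules that are shadowed by an earlier rule still cost nothing, but they explain why changing the order, or commenting out the forged-HELO deny as the post suggests, changes which message a sender sees.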
 
{.yahoo.com|hinet-ip|hinet|orange|asianet.co.th|.pacbell.net} \
Why are you blocking email from my ISP, pacbell.net?

I'd like to try this, and hopefully be able to add it as an option to the next official SpamBlocker release, but if I can't contact you I'm not sure I want to risk it.

Jeff
 
This is ridiculous too
Code:
drop message = Use your provider SMTP. Email blocked
condition = ${if match{$sender_host_name} \
{adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
{yes}{no}}
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
 
Perhaps not for many of us, chatwizrd. I wouldn't block all of them, and certainly not in SpamBlocker, but some of them make sense.

Jeff
 
Why are you blocking email from my ISP, pacbell.net?
Before, I received about 3k-5k spam emails from pacbell.net.
Jeff, sorry for blocking your ISP :)
I have changed it.

chatwizrd, why do you think so?
This is ridiculous too
I haven't seen any SMTP server that uses a dynamic IP address; ISPs use static IPs with PTR.
But spammers use dynamic IPs a lot.
I don't think the hosts below are legitimate SMTP servers:
Code:
H=189-68-59-223.dsl.telesp.net.br (eyfro.telesp.net.br) [189.68.59.223]
H=(149.76.205.221.adsl-pool.sx.cn) [221.205.76.149]
H=adsl-75-36-78-185.dsl.irvnca.sbcglobal.net [75.36.78.185]
H=iac250.internetdsl.tpnet.pl [79.189.2.250]

My customers use port 587 for sending emails from my server.

Yes, maybe it's not so smart, but it works for me and it blocks about 80% of spam.
 
Perhaps not for many of us, chatwizrd. I wouldn't block all of them, and certainly not in SpamBlocker, but some of them make sense.

Jeff

I do not sell services, so people cannot even use them because of the way it's set up.
 
So your post makes no sense for the majority of us who use DirectAdmin in a shared hosting environment?

Jeff
 
THANKS! I followed your instructions and it seems to be working wonderfully!

One area that got me a little confused was where you instruct adding the code section to exim.conf beginning with:
Code:
###############################
#   ACL connect
###############################
acl_connect:
. . .
Perhaps you can be a little more specific about where to add this? Through trial and error I added the code below the line that reads "begin acl". This seems to work, but I'm still not 100% sure I have it placed correctly.
 
Looking here you'll see that the connect ACL (acl_connect) is the first ACL, so that's the right place to put it.

Jeff
 
Is it necessary to manually invoke greylistd?
start greylistd:
# /usr/bin/su mail -c /usr/sbin/greylistd &
I'm new to this, and therefore pretty easily confused, but currently greylistd doesn't appear in my list of active processes, yet incoming mail is being delayed as expected. Sorry for my newbie-ness.
 
jlpeifer, yes, you need to run the greylist daemon manually from your root shell account.
 
problem

snk

I did everything as written in the instructions, but greylist is not working.

greylist stats
Statistics since Thu Apr 3 14:21:14 2008 (1 hour and 10 minutes ago)
---------------------------------------------------------------------
0 items, matching 0 requests, are currently whitelisted
0 items, matching 0 requests, are currently blacklisted
0 items, matching 0 requests, are currently greylisted
 
alexey.world, please check that greylistd is running and also check your exim log for errors.
And don't forget to restart exim after editing exim.conf.
 
alexey.world, please check that greylistd is running and also check your exim log for errors.
And don't forget to restart exim after editing exim.conf.

Greylist - enabled
Exim - restarted
Exim logs do not contain errors. The word "greylisted" does not appear in the exim logs.
 
alexey.world's problem is solved.

If you see that all is done correctly but greylist doesn't work, please check that this condition:
Code:
# Perform greylisting.
    defer   message     = $sender_host_address is greylisted. Please try again later.
            log_message = greylisted.
            domains     = +relay_domains : +local_domains
            !senders    = : postmaster@*
            !hosts      = : +relay_hosts : \
                          ${if exists {/etc/greylistd/whitelist-hosts}\
                          {/etc/greylistd/whitelist-hosts}{}} : \
                          ${if exists {/etc/virtual/whitelist-hosts}\
                          {/etc/virtual/whitelist-hosts}{}}

            verify      = recipient/callout=5s,use_sender,defer_ok
            condition   = ${readsocket{/var/run/greylistd/socket}\
                          {--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}
comes before this:
Code:
# accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
          message = "Unknown User"
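To verify greylisting from the log rather than by eye, here is an added Python example (not from the post or from greylistd): it classifies mainlog lines by the ACL message they carry, counts them per day, and returns the same total/today pair of greylisted counts that the MRTG script in the first post computes. The log lines are constructed in the format of the post's maillog excerpt, with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample in the post's mainlog format (documentation-range addresses).
SAMPLE_MAINLOG = """\
2008-03-17 09:20:03 H=(pentium) [192.0.2.22] rejected EHLO or HELO pentium: rejected due to forged HELO name - pentium
2008-03-17 12:22:28 Delay 10s for 198.51.100.20 ()
2008-03-17 12:22:35 H=(198.51.100.15) [198.51.100.15] rejected EHLO or HELO 198.51.100.15: IP address not allowed in HELO/EHLO
2008-03-17 12:22:52 H=dsl-pool.example.net (home) [203.0.113.78] F=<a@example.net> rejected RCPT <b@example.com>: Use your provider SMTP. Email blocked
2008-03-17 12:28:23 H=mx.example.org [203.0.113.67] rejected connection in "connect" ACL: Sender Blacklisted - http://www.domain.com/blocked.html?mx.example.org
2008-03-17 13:05:17 H=mx.example.org [203.0.113.8] F=<c@example.org> temporarily rejected RCPT <d@example.com>: greylisted.
2008-03-18 08:01:02 H=mx2.example.org [203.0.113.9] F=<e@example.org> temporarily rejected RCPT <f@example.com>: greylisted.
2008-03-18 08:30:00 H=mx.example.org [203.0.113.8] F=<c@example.org> => d@example.com R=localuser T=local_delivery
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<rest>.*)$")

# Each reason is keyed by the ACL message text exactly as it lands in the log.
REASONS = [
    ("greylisted",   re.compile(r"temporarily rejected RCPT .*: greylisted\.$")),
    ("forged_helo",  re.compile(r"rejected due to forged HELO name")),
    ("ip_in_helo",   re.compile(r"IP address not allowed in HELO/EHLO")),
    ("dynamic_host", re.compile(r"Use your provider SMTP\. Email blocked")),
    ("blacklisted",  re.compile(r'rejected connection in "connect" ACL')),
    ("delayed",      re.compile(r"^Delay \d+s for ")),
]


def classify(line):
    """Return (date, reason) for a mainlog line, or None if no ACL message matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for reason, pat in REASONS:
        if pat.search(m.group("rest")):
            return (m.group("date"), reason)
    return None


def count_by_day(log_text):
    """Counter keyed by (date, reason); deliveries and unrelated lines are ignored."""
    return Counter(r for r in map(classify, log_text.splitlines()) if r)


def mrtg_greylist(log_text, today):
    """(total, today) greylisted counts: the INDATA/OUTDATA pair the MRTG script emits."""
    counts = count_by_day(log_text)
    total = sum(n for (_, reason), n in counts.items() if reason == "greylisted")
    return total, counts[(today, "greylisted")]
```

If count_by_day returns no "greylisted" entries at all while mail is arriving, the defer statement is not being reached, which is the symptom alexey.world reported.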
 
That would be your decision. Perhaps I should have marked it as final release candidate, or even released it.

But I didn't. However, it does work and many of us use it.

Simply the fact that it's beta simply means that DirectAdmin doesn't include it by default.

I want to release it but I haven't had the time to finalize it. I will as soon as I can.

Jeff
 
Code:
drop message = Use your provider SMTP. Email blocked
condition = ${if match{$sender_host_name} \
{adsl|dialup|pool|peer|dhcp|dsl|broadband|ppp|dynamic|cable} \
{yes}{no}}
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *

How would I use only this part? (with indeed some names left out)

This comes in quite handy to just block ISPs that have a no-port-block policy.

(I had greylisting partially working on SpamBlocker3.
Partially as in: all mail that got sent to the server got greylisted, but when sending a second time it still remained greylisted...)

Some lines from my message log:

Code:
[root@server1 ~]# cat /var/log/exim/mainlog.2 |grep greylisted
2008-05-08 15:16:52 1Ju5zM-00078p-8e SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx1.netbenefit.co.uk [212.53.64.41]: 451 84.243.215.252 - You have been greylisted, please try later
2008-05-08 15:16:53 1Ju5zM-00078p-8e == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx2.netbenefit.co.uk [212.53.64.42]: 451 84.243.215.252 - You have been greylisted, please try later
2008-05-09 19:29:50 1JuWPm-0000xe-Cl SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.servernation.nl [212.203.9.120]: 450 4.2.0 <[email protected]>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
2008-05-09 19:29:51 1JuWPm-0000xe-Cl == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mailfallback1.pool1.interlab.nl [85.17.152.163]: 450 4.2.0 <[email protected]>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
2008-05-09 19:47:54 1JuWPm-0000xe-Cl SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.servernation.nl [212.203.9.120]: 450 4.2.0 <[email protected]>: Recipient address rejected: http://mailstore1.pool1.interlab.nl/greylisted/
 