Simple Greylisting

Looks interesting. Be sure to use the one that doesn't require recompiling exim as that takes a while and makes it impossible for you to update exim through DirectAdmin or use DirectAdmin's exim releases.

Once you get it running let us know if it's successful; if it is, I'll get it implemented in DirectAdmin's mail system.

Jeff
 
Works great and very simple to implement with DA. Use Spamassassin to auto-whitelist good senders and also use dnswl.org to whitelist known good senders.
 
This may be dangerous for high load MTAs, because it stores the IP addresses in the file system (as files).
It's not DBless, it's based on flat files, and worst of all a different file for every IP. I had something like that on a high load FreeBSD server and f*cked up my file system because there were no more free inodes.
With a journalized file system (like ext3/4 or ReiserFS) you may avoid losing data but as soon as you reach the inode limit (or directory's inode limit) all messages will bounce.
 
I am cleaning out items older than 12 hours in my greylist folder and have about 100k entries there. On my 500Gb SATA drive my inode use is at 1 percent. This is CentOS 4.x 32bit. This email server has a couple thousand email accounts and lots of traffic. One measure of caution I did was when I clean out the folder I sudo as mail. Have been running it for a couple months now.
 
This may work for you, but the question here is... will it work for everyone? No.
I'm not saying it's not feasible: I'm saying it's a limited implementation :)

For example in my greylisting implementation hosts that get in the whitelist remain there for 30 days after their last access. This will allow instantaneous delivery for any mailing list after the first message.

And, of course, there may be someone out there with thousands of domains, each one with hundreds of addresses. That would make a huge DB even if you keep the IP addresses only for 12 hours.
 
I solve that in a different way. I scan with Spamassassin as well. Every five minutes I look at all the messages that arrived in the last five minutes with a perl script. If they scored less than 1 by Spamassassin I add the sending MTA IP to a whitelist for 28 days. If that IP comes back and scores over 5 later I remove it from the list. There are about 8k IPs in this trusted list. I also use dnswl.org to whitelist from greylisting. I see virtually no delays and I do not have to lift a finger to whitelist any IPs manually. It's done automatically.

There is also a big advantage here. If a sending MTA, such as an online ordering place, sends one of your email addresses a good message, it's whitelisted for all addresses and will not be delayed.
 
That's very nice, but I stand on my principle :)

Your system is quite interesting, in fact I'm going to try what's suggested on dnswl.org: to avoid greylisting and blacklisting for all of their dnswl records and to avoid spam check for their medium and high dnswl records.

Since you seem to be more skilled than me about that, can you help me out?
I've been able to do the first thing (following http://www.dnswl.org/tech#exim), but I can't figure out where to put "! dnslists = list.dnswl.org&0.0.0.2" in the SpamBlocker 3.1 exim config for the second thing.
Is it the spamcheck_director router or the spamcheck transport?
 
This is what I have:

warn  set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
          ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
          ${tr{$sender_address,$local_part@$domain}{/\040}{;} }}

defer log_message = greylisted
      !hosts = +relay_hosts
      !hosts = net-lsearch;/etc/virtual/trusted_ips
      !dnslists = list.dnswl.org&0.0.0.2
      domains = +relay_domains
      verify = recipient
      #condition = ${if eq{$local_part@$domain}{[email protected]}}
      condition = ${if exists{$acl_m_greyfile}\
                  {${if >{${eval:$tod_epoch-\
                  ${extract{mtime}{${stat:$acl_m_greyfile}} }}\
                  }{180}{0}{1}}\
                  }{${if eq{${run{/bin/touch $acl_m_greyfile} }}{}{1}{1} }} }
      message = Deferred: Temporary error, please try again later
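
The automatic whitelisting rule described earlier in the thread (a SpamAssassin score under 1 lists the sending IP for 28 days, a later score over 5 removes it), as an added example that is not the poster's perl script or ACL. The log line format, the function names and the one-address-per-line output for a file such as the trusted_ips list above are assumptions, and only IPv4 senders are handled.

```python
import ipaddress
import os
import tempfile

ADD_BELOW = 1.0      # SpamAssassin score under which the sending IP is trusted
REMOVE_ABOVE = 5.0   # score over which a trusted IP is dropped again
TTL = 28 * 86400     # seconds an entry stays listed (28 days)

# Constructed sample input, one scanned message per line:
# "<epoch> <sending MTA IP> <SpamAssassin score>" (assumed format).
SAMPLE_LOG = """\
1700000000 192.0.2.10 0.3
1700000060 198.51.100.7 6.2
1700000120 203.0.113.5 0.9
1700000180 not-an-ip 0.1
1700000240 203.0.113.5 7.4
1700000300 192.0.2.44 2.5
"""

def parse(log_text):
    """Yield (epoch, ip, score); lines that fail validation are skipped."""
    for line in log_text.splitlines():
        try:
            ts, ip, score = line.split()
            yield int(ts), str(ipaddress.IPv4Address(ip)), float(score)
        except ValueError:
            continue

def update(whitelist, events, now):
    """Apply the add/remove rules in order, then drop expired entries."""
    for ts, ip, score in events:
        if score > REMOVE_ABOVE:
            whitelist.pop(ip, None)
        elif score < ADD_BELOW:
            whitelist[ip] = ts + TTL
    return {ip: exp for ip, exp in whitelist.items() if exp > now}

def render(whitelist):
    """One IPv4 address per line, sorted numerically."""
    return "".join(f"{ip}\n" for ip in sorted(whitelist, key=ipaddress.IPv4Address))

def write_atomic(path, text):
    """Replace the list in one rename so the MTA never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

if __name__ == "__main__":
    current = update({}, parse(SAMPLE_LOG), now=1700000300)
    print(render(current), end="")
```

Scores between the two thresholds leave an entry unchanged, so a listed sender is only dropped by a clearly spammy message or by the 28-day expiry.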
 
Thank you, in fact I already did it for blacklisting and greylisting but now I need it to skip spamassassin. Do you know how to?
 
Guess:

{!dnslists = list.dnswl.org&0.0.0.2} \ #or something...

Although, I don't think I would skip Spamassassin based on this. Being in dnswl list in my mind does not mean it's not spam. Just that if you greylist it most likely it's coming from a real server and not a spambot and will make another attempt.
 
Well, you are right. Doesn't matter much anyway, I'm just going to see how that works out to avoid dnsbl/greylisting. Thank you for your help.
 
tillo,

If you'd be willing to share your exim.conf file once you're done and satisfied, it will help me bring out the next version. I can add your name to the contributors if you'd like.

Thanks for the consideration.

Jeff
 
Of course! I will share it as soon as I find [or am finally able to make] an autoconf tarball of greylistd (the python greylisting implementation from Debian).
Do you have any information about that? Or are you able to find a FreeBSD port of it (RPM and DEB packages are already available)?

My conf is based on SpamBlocker 3.1beta, I do an upstream update every now and then to keep it synchronized.
About that, recently I noticed a modification in the routers section that I think is wrong:
Code:
@@ -881,12 +888,11 @@
 domain_filter:
   driver = redirect
   allow_filter
   no_check_local_user
   condition = "${if exists{/etc/virtual/${domain}/filter}{yes}{no}}"
-  user = "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}"
-  group = "mail"
+  user = "mail"
   file = /etc/virtual/${domain}/filter
   directory_transport = address_file
   pipe_transport = virtual_address_pipe
   retry_use_local_part
   no_verify
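Review bot: Hard-coding user = "mail" in place of the /etc/virtual/domainowners lookup means every domain's /etc/virtual/${domain}/filter is handled under one shared account, and because this router sets allow_filter together with pipe_transport and directory_transport, pipe and file deliveries produced by a domain's filter are no longer tied to that domain's owner. Unless that is intended and explained in a comment, keep the per-domain lookup: user = "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}". The hunk also removes group = "mail" without a replacement, so the group is now left implicit; set it explicitly if deliveries depend on it.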
I guess the past configuration was the correct one.
 
We don't work on FreeBSD at all. We leave that to others ;).

I've never gotten greylisting to work; I abandoned it some time ago and used nolisting instead; that works fine for me.

That's why I'm asking you for help :).

I'll look at your code example when I'm back from lunch, and reply to this thread.

Thanks!

Jeff
 
Since your exim.conf.3.1-beta is not the same as what I use, would you consider sending me the entire file so I can diff it against mine?

If you don't want to post it here, I can get it in an email, either as a tarball or a zipfile.

Thanks!

Jeff
 
Got it, but I probably won't have time to look at it today.

I'll look at it as soon as possible.

Thanks!

Jeff
 