1 Topic by m.blumkowski (edited by m.blumkowski 2016-03-02 17:19:23)

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Topic: Intended policy rejection. Greylisting problem.

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: FreeBSD 10.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Apache22
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

Mar  1 14:03:52 mx postfix/smtpd[92654]: NOQUEUE: reject: RCPT from xxx-lotus.xxx.pl[192.168.xxx.xxx]: 451 4.7.1 <kmadalinska@shipco.com>: Recipient address rejected: Intended policy rejection, please try again later; from=<K.Slupski@xxx.
pl> to=<kmadalinska@shipco.com> proto=ESMTP helo=<xxx-lotus.xxx.pl>
Mar  1 14:03:52 mx postfix/smtpd[92654]: NOQUEUE: reject: RCPT from xxx-lotus.xxx.pl[192.168.xxx.xxx]: 451 4.7.1 <M.Kazmierczak@xxx.pl>: Recipient address rejected: Intended policy rejection, please try again later; from=<K.Slupski@xxx.pl
> to=<M.Kazmierczak@xxx.pl> proto=ESMTP helo=<xxx-lotus.xxx.pl>
Mar  1 14:03:52 mx postfix/smtpd[92654]: disconnect from xxx-lotus.xxx.pl[192.168.xxx.xxx]




I've just updated from 0.8.7 to 0.9.4 step by step.
Since upgrading iRedAPD to 1.7.0 greylisting moved from cluebringer to iRedAPD and is no longer working.
Clients sending e-mails from external Lotus server are getting "recipient address rejected: Intended policy rejection.." error. Every traffic gets greylisted, in or out.. have I missed some basic greylisting configuration?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Intended policy rejection. Greylisting problem.

*) We need debug message for troubleshooting. Could you please turn on debug mode in iRedAPD and try to send several emails from the sender domain (or other mail domain), then extract related log in iRedAPD log file and paste here. Reference: http://www.iredmail.org/docs/debug.iredapd.html

*) You can also whitelist this mail domain name for greylisting service with iRedAdmin-Pro: "System -> Anti Spam -> Greylisting", then add this sender domain name in first textfield area. iRedAPD contains a cron job to whitelist mail domain names listed in this textfield.

3 Reply by m.blumkowski (edited by m.blumkowski 2016-03-02 17:18:55)

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Re: Intended policy rejection. Greylisting problem.

I have turned on debug mode and greylisting plugin.
Haven't tried adding our domain name for greylisting yet. Sender domain is our domain, so is it really necessary?

2016-03-02 08:30:21 DEBUG smtp session: request=smtpd_access_policy
2016-03-02 08:30:21 DEBUG smtp session: protocol_state=RCPT
2016-03-02 08:30:21 DEBUG smtp session: protocol_name=ESMTP
2016-03-02 08:30:21 DEBUG smtp session: client_address=192.168.xxx.xxx
2016-03-02 08:30:21 DEBUG smtp session: client_name=xxx-lotus.xxx.pl
2016-03-02 08:30:21 DEBUG smtp session: reverse_client_name=xxx-lotus.xxx.pl
2016-03-02 08:30:21 DEBUG smtp session: helo_name=xxx-lotus.xxx.pl
2016-03-02 08:30:21 DEBUG smtp session: sender=M.Blumkowski@xxx.pl
2016-03-02 08:30:21 DEBUG smtp session: recipient=szfordy@wp.pl
2016-03-02 08:30:21 DEBUG smtp session: recipient_count=0
2016-03-02 08:30:21 DEBUG smtp session: queue_id=
2016-03-02 08:30:21 DEBUG smtp session: instance=10027.56d6968d.8cbad.0
2016-03-02 08:30:21 DEBUG smtp session: size=3322
2016-03-02 08:30:21 DEBUG smtp session: etrn_domain=
2016-03-02 08:30:21 DEBUG smtp session: stress=
2016-03-02 08:30:21 DEBUG smtp session: sasl_method=
2016-03-02 08:30:21 DEBUG smtp session: sasl_username=
2016-03-02 08:30:21 DEBUG smtp session: sasl_sender=
2016-03-02 08:30:21 DEBUG smtp session: ccert_subject=
2016-03-02 08:30:21 DEBUG smtp session: ccert_issuer=
2016-03-02 08:30:21 DEBUG smtp session: ccert_fingerprint=
2016-03-02 08:30:21 DEBUG smtp session: ccert_pubkey_fingerprint=
2016-03-02 08:30:21 DEBUG smtp session: encryption_protocol=
2016-03-02 08:30:21 DEBUG smtp session: encryption_cipher=
2016-03-02 08:30:21 DEBUG smtp session: encryption_keysize=0
2016-03-02 08:30:21 DEBUG --> Apply plugin: reject_null_sender
2016-03-02 08:30:21 DEBUG <-- Result: DUNNO
2016-03-02 08:30:21 DEBUG --> Apply plugin: greylisting
2016-03-02 08:30:21 DEBUG [SQL] Query greylisting whitelists:
SELECT id, sender
               FROM greylisting_whitelists
              WHERE account IN ('szfordy@wp.pl', '@wp.pl', '@.')
2016-03-02 08:30:21 DEBUG No whitelist found.
2016-03-02 08:30:21 DEBUG [SQL] query greylisting settings:
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('szfordy@wp.pl', '@wp.pl', '@.')
              ORDER BY priority DESC, sender_priority DESC
2016-03-02 08:30:21 DEBUG [SQL] query result: [(1L, '@.', '@.', 0, 1)]
2016-03-02 08:30:21 DEBUG Greylisting should be applied according to SQL record: (id=1, account='@.', sender='@.')
2016-03-02 08:30:21 DEBUG [SQL] query greylisting tracking:
SELECT init_time, blocked_count, block_expired, record_expired
               FROM greylisting_tracking
              WHERE     sender='m.blumkowski@xxx.pl'
                    AND recipient='szfordy@wp.pl'
                    AND client_address='192.168.xxx.xxx'
              LIMIT 1
2016-03-02 08:30:21 INFO Client has not been seen before, greylisted.
2016-03-02 08:30:21 DEBUG [SQL] New tracking:
INSERT INTO greylisting_tracking (sender, sender_domain,
                                                   recipient, rcpt_domain,
                                                   client_address,
                                                   init_time,
                                                   block_expired, record_expired,
                                                   blocked_count)
                      VALUES ('m.blumkowski@xxx.pl', 'xxx.pl', 'szfordy@wp.pl', 'wp.pl', '192.168.xxx.xxx', 1456903821, 1456904721, 1457076621, 1)
2016-03-02 08:30:21 DEBUG <-- Result: 451 4.7.1 Intentional policy rejection, please try again later
2016-03-02 08:30:21 DEBUG Session ended

4 Reply by m.blumkowski

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Re: Intended policy rejection. Greylisting problem.

There is a problem with relaying e-mails from Lotus server.. senders from Lotus server have same domain as freebsd iredadmin server.
When I send emails from Roundcube everything works fine.

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Intended policy rejection. Greylisting problem.

you need to whitelist this IP address for greylisting service, reference:
http://www.iredmail.org/docs/manage.iredapd.html

6 Reply by m.blumkowski

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Re: Intended policy rejection. Greylisting problem.

ZhangHuangbin wrote:

you need to whitelist this IP address for greylisting service, reference:
http://www.iredmail.org/docs/manage.iredapd.html


IP address of Lotus server?
iredapd.greylisting_whitelists - here?

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Intended policy rejection. Greylisting problem.

m.blumkowski wrote:

IP address of Lotus server?

Yes.

m.blumkowski wrote:

iredapd.greylisting_whitelists - here?

Yes. And it's recommended to use /opt/iredapd/tools/greylisting_admin.py to manage the greylisting settings.

8 Reply by m.blumkowski

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Re: Intended policy rejection. Greylisting problem.

Thank You for above solution, works great.


I have an another question.
How do You specify how many seconds do You keep emails greylisted?
Its about 15-20min at the moment, I would like to make it much shorter - about 5-8minutes.

9 Reply by m.blumkowski

  • m.blumkowski
  • Member
  • Offline
  • Registered: 2014-06-13
  • Posts: 10

Re: Intended policy rejection. Greylisting problem.

I have found in default.settings.py

# Trusted IP address or networks.
# Valid formats:
#   - Single IP address: 192.168.1.1
#   - Wildcard IP range: 192.168.1.*, 192.168.*.*, 192.168.*.1
#   - IP subnet: 192.168.1.0/24
MYNETWORKS = []


Does it work the same as "iredapd.greylisting_whitelists" ?

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,792

Re: Intended policy rejection. Greylisting problem.

m.blumkowski wrote:

How do You specify how many seconds do You keep emails greylisted?

Search 'GREYLISTING_' in file /opt/iredapd/libs/default_settings.py, you will find some default values. If you want to modify them, please copy the setting to /opt/iredapd/settings.py and modify it. Do not touch other files, just /opt/iredapd/settings.py.

m.blumkowski wrote:

MYNETWORKS = []

Does it work the same as "iredapd.greylisting_whitelists" ?

iRedAPD "MYNETWORKS" setting is similar to Postfix "mynetworks", you can use it to add few INTERNAL or TRUSTED clients, but it's not intended to be a replacement for sql table "iredapd.greylisting_whitelists".