1

Topic: ipv6 greylisting issue

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version: CentOS 7.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes
- Related log if you're reporting an issue:
====

Because the automatic deletion of spam above a certain score is not working, I thought I might give greylisting a try. Unfortunately it does not work as expected.

Sep 19 06:36:08 tiberius postfix/smtpd[2333]: NOQUEUE: reject: RCPT from mail-it0-x234.google.com[2607:f8b0:4001:c0b::234]: 451 4.7.1 <info@xxxxx.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<xxx@xxx.de> to=<info@xxxxx.com> proto=ESMTP helo=<mail-it0-x234.google.com>
Sep 19 06:41:37 tiberius postfix/smtpd[2456]: NOQUEUE: reject: RCPT from mail-it0-x229.google.com[2607:f8b0:4001:c0b::229]: 451 4.7.1 <info@xxxxx.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<xxx@xxx.de> to=<info@xxxxx.com> proto=ESMTP helo=<mail-it0-x229.google.com>

In settings.py I have defined
GREYLISTING_BLOCK_EXPIRE = 3
GREYLISTING_AUTH_TRIPLET_EXPIRE = 30
GREYLISTING_UNAUTH_TRIPLET_EXPIRE = 1

As you can see from the above log, Google sent the retry after 5 minutes but did not pass the greylisting, although a retry after 3 minutes should work.


2

Re: ipv6 greylisting issue

Any news?

3

Re: ipv6 greylisting issue

Please turn on debug mode in iRedAPD, try to reproduce this issue again, then paste all debug logs related to your testing here, so that we can help troubleshoot.

Reference: http://www.iredmail.org/docs/debug.iredapd.html

4

Re: ipv6 greylisting issue

I did as you asked, but I am not fond of pasting the debug log here in public as it contains mail addresses, SSL ciphers and cert fingerprints. If I can mail it or paste it privately, I am happy to do so.

5

Re: ipv6 greylisting issue

You can replace your IP address, domain name, and sensitive info by other strings, but it must be clear enough for others to understand what the replaced strings mean.

6 (edited by mensmaximus 2016-09-24 16:14:22)

Re: ipv6 greylisting issue

Please understand I am not willing to invest hours of work to *mask* thousands of lines in a logfile. It was much faster to dig into it myself. The issue with your greylisting implementation is that although you talk about "triplets" in the comments of greylisting.py (iredapd plugin), you use the full IP address of the connecting mailserver. You do this with IPv4 and IPv6:

2016-09-22 18:04:52 DEBUG [SQL] query greylisting tracking:
SELECT init_time, blocked_count, block_expired, record_expired
               FROM greylisting_tracking
              WHERE     sender='user@sender-domain.com'
                    AND recipient='user@recipient-domain.com'
                    AND client_address='2a00:1450:400c:c09::22d'
              LIMIT 1
2016-09-22 18:04:52 INFO [2a00:1450:400c:c09::22d] Client has not been seen before, greylisted.

SELECT init_time, blocked_count, block_expired, record_expired
               FROM greylisting_tracking
              WHERE     sender='user@sender-domain.com'
                    AND recipient='user@recipient-domain.com'
                    AND client_address='14.186.220.202'
              LIMIT 1
2016-09-22 17:24:26 INFO [14.186.220.202] Client has not been seen before, greylisted.

While smaller ISPs and companies mostly use only one or two IPv4 addresses for their mailserver, large ISPs use clusters with many more addresses (Google, 1&1, Microsoft, etc.). The larger the number of addresses, the smaller the chance to see the same address again within a reasonable time frame. This is the reason why greylisting is usually done using only a portion of the address. For IPv4 the vast majority of mailservers use a /24 mask, which is why it is called 'triplet' (the first three octets only). For IPv6 I see /112 or /96 masks very often.

Long story short. The implementation of greylisting in iredapd as it is now will cause more issues than it will solve unless we get two new variables to define the mask for IPv4 and IPv6 addresses in settings.py.
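Added example, not part of the original post and not iRedAPD's own code: a simplified in-memory greylisting tracker that replays the two delivery attempts from the Postfix log in post 1, once keyed on the full client address and once keyed on a masked network. The names GREYLISTING_IPV4_MASK, GREYLISTING_IPV6_MASK, client_key, Tracker and replay are hypothetical; the post asks for two mask settings but does not name them.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical settings: the thread asks for two such variables but names none.
GREYLISTING_IPV4_MASK = 24
GREYLISTING_IPV6_MASK = 112
GREYLISTING_BLOCK_EXPIRE = 3  # minutes, as in the settings.py quoted in post 1


def client_key(client_address, v4_mask=GREYLISTING_IPV4_MASK, v6_mask=GREYLISTING_IPV6_MASK):
    """Reduce a client IP to the network used as the greylisting tracking key."""
    ip = ipaddress.ip_address(client_address)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    mask = v4_mask if ip.version == 4 else v6_mask
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


class Tracker:
    """In-memory stand-in for the greylisting_tracking table (constructed for this example)."""

    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.first_seen = {}

    def check(self, sender, recipient, client_address, now):
        key = (sender, recipient, self.keyfunc(client_address))
        init_time = self.first_seen.setdefault(key, now)
        if now - init_time >= timedelta(minutes=GREYLISTING_BLOCK_EXPIRE):
            return "PASS"
        return "GREYLISTED"


def replay(keyfunc):
    """Replay the two delivery attempts from the Postfix log in post 1."""
    t = Tracker(keyfunc)
    attempts = [
        ("2607:f8b0:4001:c0b::234", datetime(2016, 9, 19, 6, 36, 8)),
        ("2607:f8b0:4001:c0b::229", datetime(2016, 9, 19, 6, 41, 37)),
    ]
    return [t.check("xxx@xxx.de", "info@xxxxx.com", ip, ts) for ip, ts in attempts]


if __name__ == "__main__":
    print("full address:", replay(lambda a: str(ipaddress.ip_address(a))))
    print("masked:      ", replay(client_key))
```

With full-address keying the retry from the second Google host starts a new tracking record and is greylisted again; with the /112 key both attempts share one record and the retry passes once the 3-minute block has expired.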

7

Re: ipv6 greylisting issue

You can solve it this way if the sender has a valid SPF record:

cd /opt/iredapd/tools/
python spf_to_greylist_whitelists.py <domain1.com> <domain2.com>

It will query the SPF records of the given mail domain names and whitelist them. If you want to check their SPF records regularly, run it with the '--submit' option to store the domains in the SQL DB.

8

Re: ipv6 greylisting issue

Instead of solving the root cause of the issue (using CIDR instead of a single IP) you suggest a solution that will only work with some domains. You can close this thread. I will solve the issue myself.

9

Re: ipv6 greylisting issue

Of course you can whitelist with CIDR. The problem is we don't know which CIDR should be whitelisted by default, so there's some work for the sysadmin.

You can still whitelist a single IP, CIDR, domain, or sender email with /opt/iredapd/tools/greylisting_admin.py. We have a doc here for you:
http://www.iredmail.org/docs/manage.iredapd.html