==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  0.9.7
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Today, I learned that Greylisting doesn't quite do what I thought.  Today, we had a remote host hammer us on supposedly returned-mail to 4 of our users:

[root@voyageur ~]# egrep 188.213.140.179 /var/log/maillog | head
Feb  4 14:43:33 voyageur postfix/postscreen[12014]: CONNECT from [188.213.140.179]:60726 to [64.111.99.245]:25
Feb  4 14:43:33 voyageur postfix/postscreen[12014]: CONNECT from [188.213.140.179]:40664 to [64.111.99.245]:25
Feb  4 14:43:39 voyageur postfix/postscreen[12014]: PASS OLD [188.213.140.179]:60726
Feb  4 14:43:39 voyageur postfix/postscreen[12014]: PASS OLD [188.213.140.179]:40664
Feb  4 14:43:39 voyageur postfix/smtpd[24199]: connect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:39 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER1@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<greglusk@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER2@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<alewis@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[5826]: connect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER3@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<rfalci@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: disconnect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:40 voyageur postfix/smtpd[5826]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER4@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<artwebb@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>

Normal right?  Well, what I didn't expect is that this host would continue to beat up my server until the 15 minute period expired:

Feb  4 14:58:41 voyageur amavis[1927]: (01927-14) Passed CLEAN {RelayedInbound}, [188.213.140.179]:56787 [188.213.140.179] <> -> <USER4@mailbag.com>, Queue-ID: 04C289BC6, Message-ID: <167561732655753455460.oqiflqsdsrjevymzbzuhjmo4tw77i99@5923224nb.myself.com>, mail_id: mKQaj46pokmk, Hits: 4.515, size: 6874, queued_as: 922818438, 488 ms, Tests: [BASE64_LENGTH_79_INF=1.502,BAYES_00=-1.9,FROM_LOCAL_NOVOWEL=0.5,HTML_FONT_SIZE_HUGE=0.001,HTML_MESSAGE=0.001,MPART_ALT_DIFF=0.79,MPART_ALT_DIFF_COUNT=1.112,TO_NO_BRKTS_PCNT=2.499,T_HTML_TAG_BALANCE_CENTER=0.01]
Feb  4 15:03:59 voyageur postfix/anvil[19203]: statistics: max connection rate 60/60s for (smtpd:188.213.140.179) at Feb  4 14:57:43
Feb  4 15:03:59 voyageur postfix/anvil[19203]: statistics: max connection count 2 for (smtpd:188.213.140.179) at Feb  4 14:54:41

[root@voyageur ~]# egrep 188.213.140.179 /var/log/maillog | grep reject: | wc -l
1752

1752 submission rejections between 14:43 and 14:58.  Should the greylisting timer reset with every submission attempt within the 15 minute interval?  Thinking about it, I could see this as problematic if a site were to have a 10 minute queue run interval they may never have their email accepted but certainly 1700 attempts should trigger some inverse reaction on the email score - on top of everything else, it wasn't even marked as SPAM despite the empty from:<>.

After poking around in the iredapd database, here's the record for that IP:

MariaDB [iredapd]> select * from greylisting_tracking where client_address='188.213.140.179';
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+
| id      | sender | recipient            | client_address  | sender_domain | rcpt_domain | init_time  | block_expired | record_expired | blocked_count | passed |
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+
| 1381799 |        | USER1@mailbag.com | 188.213.140.179 |               | mailbag.com | 1549313019 |    1549313919 |     1551905921 |           441 |      1 |
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+

Shouldn't there have been 4 records, one for each user being emailed?

So I guess to summarize, this behavior in my opinion should not be rewarded.  But what do you suppose would help?

Is this worthy of setting up another fail2ban jail - after say X "Intentional policy rejections" from the same IP, block them for Y hours. where X is say 10-20 and Y is > 1 hour since we are dealing with a legitimate mail server who has proved it can queue messages.

Is there a spamassassin rule I should tweak to get this email marked as spam?

Is there anything else which should be considered?

Note:  I  *really* love the 0.9.8 pregreet jail - it made a huge performance improvement to block anyone who speaks before the SMTP banner is sent.

-James