1

Topic: Greylisting observations

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  0.9.7
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Today, I learned that Greylisting doesn't quite do what I thought.  Today, we had a remote host hammer us on supposedly returned-mail to 4 of our users:

[root@voyageur ~]# egrep 188.213.140.179 /var/log/maillog | head
Feb  4 14:43:33 voyageur postfix/postscreen[12014]: CONNECT from [188.213.140.179]:60726 to [64.111.99.245]:25
Feb  4 14:43:33 voyageur postfix/postscreen[12014]: CONNECT from [188.213.140.179]:40664 to [64.111.99.245]:25
Feb  4 14:43:39 voyageur postfix/postscreen[12014]: PASS OLD [188.213.140.179]:60726
Feb  4 14:43:39 voyageur postfix/postscreen[12014]: PASS OLD [188.213.140.179]:40664
Feb  4 14:43:39 voyageur postfix/smtpd[24199]: connect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:39 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER1@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<greglusk@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER2@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<alewis@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[5826]: connect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER3@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<rfalci@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>
Feb  4 14:43:40 voyageur postfix/smtpd[24199]: disconnect from o21.royalpalace.club[188.213.140.179]
Feb  4 14:43:40 voyageur postfix/smtpd[5826]: NOQUEUE: reject: RCPT from o21.royalpalace.club[188.213.140.179]: 451 4.7.1 <USER4@mailbag.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<artwebb@mailbag.com> proto=ESMTP helo=<o21.royalpalace.club>

Normal right?  Well, what I didn't expect is that this host would continue to beat up my server until the 15 minute period expired:

Feb  4 14:58:41 voyageur amavis[1927]: (01927-14) Passed CLEAN {RelayedInbound}, [188.213.140.179]:56787 [188.213.140.179] <> -> <USER4@mailbag.com>, Queue-ID: 04C289BC6, Message-ID: <167561732655753455460.oqiflqsdsrjevymzbzuhjmo4tw77i99@5923224nb.myself.com>, mail_id: mKQaj46pokmk, Hits: 4.515, size: 6874, queued_as: 922818438, 488 ms, Tests: [BASE64_LENGTH_79_INF=1.502,BAYES_00=-1.9,FROM_LOCAL_NOVOWEL=0.5,HTML_FONT_SIZE_HUGE=0.001,HTML_MESSAGE=0.001,MPART_ALT_DIFF=0.79,MPART_ALT_DIFF_COUNT=1.112,TO_NO_BRKTS_PCNT=2.499,T_HTML_TAG_BALANCE_CENTER=0.01]
Feb  4 15:03:59 voyageur postfix/anvil[19203]: statistics: max connection rate 60/60s for (smtpd:188.213.140.179) at Feb  4 14:57:43
Feb  4 15:03:59 voyageur postfix/anvil[19203]: statistics: max connection count 2 for (smtpd:188.213.140.179) at Feb  4 14:54:41

[root@voyageur ~]# egrep 188.213.140.179 /var/log/maillog | grep reject: | wc -l
1752

1752 submission rejections between 14:43 and 14:58.  Should the greylisting timer reset with every submission attempt within the 15 minute interval?  Thinking about it, I could see this as problematic if a site were to have a 10 minute queue run interval they may never have their email accepted but certainly 1700 attempts should trigger some inverse reaction on the email score - on top of everything else, it wasn't even marked as SPAM despite the empty from:<>.


After poking around in the iredapd database, here's the record for that IP:

MariaDB [iredapd]> select * from greylisting_tracking where client_address='188.213.140.179';
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+
| id      | sender | recipient            | client_address  | sender_domain | rcpt_domain | init_time  | block_expired | record_expired | blocked_count | passed |
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+
| 1381799 |        | USER1@mailbag.com | 188.213.140.179 |               | mailbag.com | 1549313019 |    1549313919 |     1551905921 |           441 |      1 |
+---------+--------+----------------------+-----------------+---------------+-------------+------------+---------------+----------------+---------------+--------+


Shouldn't there have been 4 records, one for each user being emailed?

So I guess to summarize, this behavior in my opinion should not be rewarded.  But what do you suppose would help?

Is this worthy of setting up another fail2ban jail - after say X "Intentional policy rejections" from the same IP, block them for Y hours. where X is say 10-20 and Y is > 1 hour since we are dealing with a legitimate mail server who has proved it can queue messages.

Is there a spamassassin rule I should tweak to get this email marked as spam?

Is there anything else which should be considered?

Note:  I  *really* love the 0.9.8 pregreet jail - it made a huge performance improvement to block anyone who speaks before the SMTP banner is sent.


-James

2

Re: Greylisting observations

Please upgrade iRedAPD to the latest version (2.4) first and see whether it fixes your greylisting issue.

stahr wrote:

Shouldn't there have been 4 records, one for each user being emailed?

Greylisting targets the sender server, not sender. If the MTA running on sender server always retries, it doesn't make sense to create triplets for different senders.

stahr wrote:

Is this worthy of setting up another fail2ban jail - after say X "Intentional policy rejections" from the same IP, block them for Y hours. where X is say 10-20 and Y is > 1 hour since we are dealing with a legitimate mail server who has proved it can queue messages.

This is not right.
Let's say the interval is 15 minutes, if there're X (which exceeds your fail2ban 'maxretry' value) retries IN 15 minutes, according to greylisting service, this is still ok, and after 15 minutes, it will be whitelisted (for few days). So it's not right to block it.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee