1 (edited by mensmaximus 2019-02-12 16:01:57)

Topic: Redapd Greylisting IPv6

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): latest
- Deployed with iRedMail Easy or the downloadable installer? manual install
- Linux/BSD distribution name and version: centos 7.x latest
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): apache
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Shortend and anonymized log entries:
Feb 12 07:40:43 tiberius postfix/smtpd[27470]: NOQUEUE: reject: RCPT from mail-wm1-x336.google.com[2a00:1450:4864:20::336]: 451 4.7.1 <mail@example.com>: Recipient address rejected: Intentional policy rejection, please try again later;
Feb 12 07:48:57 tiberius postfix/smtpd[30130]: NOQUEUE: reject: RCPT from mail-wm1-x32c.google.com[2a00:1450:4864:20::32c]: 451 4.7.1 <mail@example.com>: Recipient address rejected: Intentional policy rejection, please try again later;
Feb 12 08:08:42 tiberius postfix/smtpd[3843]: NOQUEUE: reject: RCPT from mail-wm1-x32a.google.com[2a00:1450:4864:20::32a]: 451 4.7.1 <mail@example.com>: Recipient address rejected: Intentional policy rejection, please try again later;

I asked this already in the past for policyd, cluebringer and iredapd. After using postgrey for some time I gave iredapd a try today, again. Greylisting for ipv6 addresses still has issues. I am not a python developer at all (i develop in php and perl) but i guess the issue stems from how ipv6 addresses are compared against the database entry. While you compare only the first two octets in case of ipv4 addresses it seems ipv6 addresses are compared as a whole, which will usually not work as you can see from the log above (intentionally truncated and anonymized).

Wouldn't it be better to expand the ipv6 address (python seems to have this built in) and than compare the first 4 octets? You could even introduce two new constant for greylisting: GREYLISTING_IP4_OCTETS and GREYLISTING_IP6_OCTETS to allow iredmail admins to decide themselves how strict to handle greylisting.

As for now iredapd does not work well with ipv6 greylisting if it comes to large providers like google. I am sorry to see ip6 handling is still an issue worldwide. Considering the fact that there are countries that already run out of ip4 space this is a shame. Can you please fix the ip6 greylisting because whitelisting of google and other larger providers is not an option.

Kind regards

Michael

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Redapd Greylisting IPv6

Dear Michael,

Thanks very much for the report.
I will check this issue later today and (hopefully) come back with a fix. Stay tuned.

3

Re: Redapd Greylisting IPv6

mensmaximus wrote:

As for now iredapd does not work well with ipv6 greylisting if it comes to large providers like google. I am sorry to see ip6 handling is still an issue worldwide.

Dear Michael,

I tested with iRedAPD-2.4, and use the Gmail IPv6 address in your post, iRedAPD correctly whitelisted it.

I think there's one difference your testing machine may not have:

- Run command below BEFORE your testing:

python /opt/iredapd/tools/spf_to_greylist_whitelists.py --submit gmail.com

It queries SPF DNS record for gmail.com, and store all its ip/networks in SQL table for whitelisting.

Note: gmail.com and many more are whitelisted by iRedAPD by default, they're stored in SQL table "iredapd.greylisting_whitelist_domains". there's a cron job to run above script to whitelist all their ip/networks listed in SPF. You can also run command "python /opt/iredapd/tools/spf_to_greylist_whitelists.py" directly (without any argument) to whitelist them all manually.

- Now send a testing email from Gmail, it should be correctly whitelisted and bypassed for greylisting service.

4

Re: Redapd Greylisting IPv6

Thank you but as I wrote whitelisting is not an option. Greylisting for IPv6 should work the same as for IPv4. You simply can't check the logs every day to see whether there is an other provider you need to whitelist. Take /64 in case of IPv6 as default for greylisting (first 4 octets). As mentioned I work with postgrey and it works well. However I would like to use iredapd as it can be configured per domain and per user.

5

Re: Redapd Greylisting IPv6

I'm a little lost here. Give me some sample data for testing please, and tell me what result you expect.

Note: iRedAPD supports IPv4/IPv6 networks like 2001:db8:1234::/48, 192.168.0.0/24. Did you try it?