1

Topic: iredapd greylist - whitelist IP/CIDR not checked

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.5-1
- Linux/BSD distribution name and version: CentOS 6.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes, v2.4.0 (MySQL)
- Related log if you're reporting an issue:
====

Hello,
after adding some whitelist CIDRs under System -> Antispam -> Greylisting -> "Do not apply greylisting on listed senders", they never get evaluated by iRedAPD.

I've already checked the debug information in iredapd.log and there's no query that checks that, only sender and sender domain, or the triplet to match the greylist.

Here are the queries that occur when iredapd checks an incoming mail:

---
SELECT id, sender, COMMENT
               FROM greylisting_whitelists
              WHERE account IN ('RECIPIENT@MYDOMAIN.TLD', '@MYDOMAIN.TLD', '@.');
             
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('RECIPIENT@MYDOMAIN.TLD', '@MYDOMAIN.TLD', '@.')
              ORDER BY priority DESC, sender_priority DESC;

SELECT init_time, blocked_count, block_expired, record_expired
               FROM greylisting_tracking
              WHERE     sender='SENDER@SENDERDOMAIN.TLD'
                    AND recipient='RECIPIENT@MYDOMAIN.TLD'
                    AND client_address='SENDER.IP.ADDRE.SS'
              LIMIT 1;
---

Our problem is mainly with Outlook/Google SMTP servers, which work very badly with greylisting.

For now we've bypassed the problem with a CIDR lookup table before "check_policy_service inet:127.0.0.1:7777," in smtpd_recipient_restrictions (Postfix's main.cf):

---
check_client_access cidr:/etc/postfix/bypass_rbl.cidr,
check_policy_service inet:127.0.0.1:7777,
---

But it is difficult to manage if you're not a sysadmin.

Thanks, Mattia

Post's attachments

iredapd.log_greylist_cidr_20160711.txt 1.69 kb

2

Re: iredapd greylist - whitelist IP/CIDR not checked

mattia.bitservice wrote:

SELECT id, sender, COMMENT
               FROM greylisting_whitelists
              WHERE account IN ('RECIPIENT@MYDOMAIN.TLD', '@MYDOMAIN.TLD', '@.');

This SQL command will query the CIDR you submitted. (it matches `account='@.'`)

Also, Outlook, Gmail, Hotmail should be bypassed with default iRedAPD whitelists, they're also listed in "Do not apply greylisting on emails sent from domains listed below" (System -> Anti Spam -> Greylisting).

3

Re: iredapd greylist - whitelist IP/CIDR not checked

I mean domains that use gmail/outlook server, like office365, not @gmail.com or @outlook.com domains, they work.

So, the iredapd daemon reads all CIDR values from that query and tries to match every element, right?
But I've listed a /13 block from Microsoft/Outlook, and in iredapd it is never evaluated, while with the bypass method from the CIDR map it is evaluated correctly.

As I remember, before the last upgrade (before 1.9.X) the greylist was working correctly, because my customer never sent me a note about that.

Suggestion: why not match directly with an SQL query using a binary format for network and netmask?
Like that: http://stackoverflow.com/questions/5957 … lect-query

Mattia

4

Re: iredapd greylist - whitelist IP/CIDR not checked

mattia.bitservice wrote:

I mean domains that use gmail/outlook server, like office365, not @gmail.com or @outlook.com domains, they work.

iRedAPD compares sender address with the IP/CIDR, so if other domains send email from Gmail/Outlook, they will bypass greylisting service directly.

mattia.bitservice wrote:

So, the iredapd daemon reads all CIDR values from that query and tries to match every element, right?

Yes.

mattia.bitservice wrote:

But I've listed a /13 block from Microsoft/Outlook, and in iredapd it is never evaluated, while with the bypass method from the CIDR map it is evaluated correctly.

How about enabling debug mode in iRedAPD to get more logs to figure it out?
FYI: http://www.iredmail.org/docs/debug.iredapd.html

mattia.bitservice wrote:

Suggestion: why not match directly with an SQL query using a binary format for network and netmask?

The `greylisting_whitelists` table stores domain names and sender email addresses too, so we must separate them if we go this way. Will try to improve this in the future, but no promise here.
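The two points raised in this thread, that iRedAPD fetches every row matching `account='@.'` and tests the client IP against each CIDR in turn, and that any SQL-side numeric matching first has to separate IP/CIDR rows from the domain and email rows stored in the same `sender` column, can be illustrated with a small standalone script. This is an added example written for this page, not iRedAPD's own code: the row shapes, the `/13` network (a private range standing in for a hosted-mail provider block) and the helper names are constructed for illustration. It only needs the Python standard library.

```python
import ipaddress

# Constructed sample rows, shaped like the (id, sender, comment) tuples
# returned by the greylisting_whitelists query quoted in this thread.
# The values are made up for this example and are not real whitelist data.
SAMPLE_WHITELIST_ROWS = [
    (1, "alice@example.com", "single sender address"),
    (2, "@example.org", "whole sender domain"),
    (3, "10.0.0.0/13", "constructed /13, stands in for a provider block"),
    (4, "203.0.113.7", "constructed single host"),
    (5, "not a valid entry", "typo; must be skipped, not matched"),
]


def classify_whitelist_entries(rows):
    """Split whitelist rows into sender addresses, sender domains and IP
    networks. This is the 'separate them' step: a bare-string column cannot
    be compared numerically until emails and domains are filtered out."""
    senders, domains, networks, rejected = set(), set(), [], []
    for _row_id, sender, _comment in rows:
        value = sender.strip().lower()
        if value.startswith("@") and "." in value:
            domains.add(value[1:])          # "@example.org" -> "example.org"
        elif "@" in value:
            senders.add(value)              # full sender address
        else:
            try:
                # strict=False accepts host bits set, e.g. "10.1.2.3/13"
                networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                rejected.append(value)      # neither email, domain nor IP
    return senders, domains, networks, rejected


def is_whitelisted(rows, sender, client_address):
    """Return True when the sender address, its domain, or the connecting
    client IP matches a whitelist row. Every network row is tested in turn,
    which is the application-side matching described in the thread."""
    senders, domains, networks, _rejected = classify_whitelist_entries(rows)
    sender = sender.strip().lower()
    if sender in senders:
        return True
    if "@" in sender and sender.split("@", 1)[1] in domains:
        return True
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False                        # garbage client address: no match
    return any(ip in net for net in networks)


def network_to_int_range(network):
    """Numeric bounds for a network, the form a SQL-side match would store
    (first address and last address as integers) so a client IP can be
    checked with a BETWEEN instead of a per-row loop in the application."""
    return int(network.network_address), int(network.broadcast_address)


if __name__ == "__main__":
    _, _, nets, bad = classify_whitelist_entries(SAMPLE_WHITELIST_ROWS)
    print("networks:", [str(n) for n in nets], "rejected:", bad)
    print("10.7.255.254 whitelisted:",
          is_whitelisted(SAMPLE_WHITELIST_ROWS, "bob@example.net", "10.7.255.254"))
    print("10.8.0.1 whitelisted:",
          is_whitelisted(SAMPLE_WHITELIST_ROWS, "bob@example.net", "10.8.0.1"))
    for n in nets:
        print(n, "->", network_to_int_range(n))
```

The address 10.7.255.254 is the last usable address inside 10.0.0.0/13, while 10.8.0.1 sits just outside it; checking both boundaries is the quickest way to confirm a large block is really being evaluated. The invalid row is reported rather than silently matched, and a client address that is not an IP at all never matches.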