Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] Can milter-greylist run after sendmail checks users?

2011-02-18 by Les Mikesell

On 2/18/2011 6:36 AM, Johann Klasek wrote:
>
>  >
>  > > Sendmail is very quick at rejecting local addresses that are not in
>  > > the aliases or virtuser tables so that is normally not a problem, but
>  > > when milter-greylist is active it wants to greylist even the
>  > > undeliverable addresses.
>
> What does this look like in maillog?

If I have 'acl greylist default ....' set, I get entries like:

Feb 18 09:57:43 mailmx milter-greylist: p1IFvfPf026150: addr [118.96.199.46][118.96.199.46] from <rosfoewi00leobla@...> to <pikepikephiru@...> delayed for :02:00 (ACL 119)
Feb 18 09:57:43 mailmx sendmail[26150]: p1IFvfPf026150: Milter: to=<pikepikephiru@...>, reject=451 4.7.1 Greylisting in action, please come back later

for every received message, even though the users don't exist. I'd 
rather not do the extra processing.

>  > milter-greylist runs before sendmail checks the address is valid. I do
>  > not think you can change that.
>
> As far as I understand sendmail internal processing including milter
> callbacks this is not true at least in my sendmail environment.
>
> In general: in state envelope recipient processing sendmail runs already
> rule 0 on this address to see if this address is valid. This result is
> later used to route the mail to the recipient (don't know actually
> whether rule 0 is called again or the result is recalled from the call
> before). If an address is not routeable (invalid) sendmail responds
> immediately with an error. If this check shows that this address could be
> valid the recipient address is passed to all active milters call back
> hooks (probably in order the milters are defined in sendmail.cf).

The target domains are considered local in sendmail.  I need the lookups 
in virtusertable and aliases.

> A mail for 3 recipients @MYDOMAIN arrives. One of these recipients is an
> existing address (checked via an equivalent mechanism to virtuser
> table). The others are invalid. Miltergreylist adds only the entry for
> joachim.fabini@MYDOMAIN (the valid address), the other addresses are
> rejected.

What about aliases?

>  > > For the moment I am working around it by
>  > > tracking the 'real' users, including them in the milter-greylist
>  > > config,
>  > > and restricting greylisting to the specified addresses. However, it
>  > > would be nicer if this could be handled automatically by letting
>  > > sendmail reject addresses it can't deliver first. Is there any way to
>  > > do that?
>  >
>  > I solve this problem by having milter-greylist performing LDAP queries
>  > for the recipient address. If there is no match, the mail is rejected.
>
> Any other milter (look ahead milters) which determines an invalid address
> should be able to terminate a recipient. Maybe the order of milters is
> substantial.

Sendmail seems to be very fast at checking virtusertable and aliases. 
I'd rather not have to duplicate that elsewhere.   Or to have to 
maintain the same set of acceptable addresses separately in the greylist 
config file.  It doesn't seem to matter whether MimeDefang or 
milter-greylist is first in sendmail.mc - it still wants to process all 
local-looking targets.  Are there any options as to when it runs?

>  > > Also, the extra log line about 'skipping greylist because this is the
>  > > default action' for the unprocessed addresses is filling my disks up to
>  > > the point that I had to change the log rotation. Is there any way to
>  > > turn that off? When it doesn't do anything, I don't need to know
>  > > about it.
>  >
>  > Patch the sources?
>
> Or ...
> Insert a filter statement/script for logrotate (removing all the
> lines "skipping greylist because this is the default action").
> Alternatively (in case you have syslog-ng) you may set up a filter rule
> removing this kind of messages on entrance ;)

For the moment I just reduced the number of old files that logrotate 
keeps around, but maybe when Centos 6 is out I'll get a better syslog 
version.

-- 
   Les Mikesell
    lesmikesell@...
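
One way to measure how much greylisting is spent on undeliverable recipients, added here as an example that is not part of the original thread: it parses "delayed" lines in the format quoted above and checks each recipient against virtusertable and aliases source text. Function names, sample addresses and log lines are constructed, and local system accounts are assumed not to be consulted.

```python
import re
from collections import Counter

# Matches the milter-greylist "delayed" line format quoted in the message above.
DELAYED = re.compile(r"milter-greylist: \w+: addr \S+ from <[^>]*> to <([^>]*)> delayed for")

def load_virtusertable(text):
    """Return (exact addresses, catch-all domains) that map to a real target."""
    exact, catchall = set(), set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[1].startswith("error:"):
            continue  # blank, comment, or an explicit "reject this address" entry
        key = fields[0].lower()
        (catchall if key.startswith("@") else exact).add(key.lstrip("@"))
    return exact, catchall

def load_aliases(text):
    """Return alias names (left-hand sides), skipping comments and continuations."""
    return {line.split(":", 1)[0].strip().lower()
            for line in text.splitlines()
            if ":" in line and line[:1] not in ("#", " ", "\t")}

def wasted_greylisting(log_text, virtusers, aliases, local_domains):
    """Count greylist delays issued for recipients sendmail has no route for."""
    exact, catchall = virtusers
    wasted = Counter()
    for rcpt in (m.group(1).lower() for m in DELAYED.finditer(log_text)):
        user, _, domain = rcpt.partition("@")
        if not (rcpt in exact or domain in catchall
                or (domain in local_domains and user in aliases)):
            wasted[rcpt] += 1
    return wasted

# Constructed sample data (example.com addresses, documentation IP range).
SAMPLE_LOG = """\
Feb 18 09:57:43 mailmx milter-greylist: p1IFvfPf026150: addr [192.0.2.46][192.0.2.46] from <a@sender.example> to <nosuchuser@example.com> delayed for 00:02:00 (ACL 119)
Feb 18 09:58:01 mailmx milter-greylist: p1IFw1Pf026151: addr [192.0.2.47][192.0.2.47] from <b@sender.example> to <les@example.com> delayed for 00:02:00 (ACL 119)
Feb 18 09:58:09 mailmx milter-greylist: p1IFw9Pf026152: addr [192.0.2.48][192.0.2.48] from <c@sender.example> to <Postmaster@example.com> delayed for 00:02:00 (ACL 119)
Feb 18 09:58:30 mailmx milter-greylist: p1IFwUPf026153: addr [192.0.2.49][192.0.2.49] from <d@sender.example> to <old@example.com> delayed for 00:02:00 (ACL 119)
"""
SAMPLE_VIRTUSER = "les@example.com\tles\nold@example.com\terror:nouser User unknown\n"
SAMPLE_ALIASES = "# constructed\npostmaster: root\n"

if __name__ == "__main__":
    report = wasted_greylisting(SAMPLE_LOG, load_virtusertable(SAMPLE_VIRTUSER),
                                load_aliases(SAMPLE_ALIASES), {"example.com"})
    for rcpt, n in report.most_common():
        print(f"{n:5d}  {rcpt}")
```

Recipients that appear in the report were greylisted even though neither table routes them, which is the extra processing described in the message.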
