Milter-greylist

All,

I have 2 mailservers, a main server (MX 10) and a backup server (MX 100).

However, when some mailservers connect to the main server and get a tempfail, they
try immediately to connect to the secondary server (which is ok/correct).

However, I seemed to have a problem when using two greylist milters.

It seems that I get "relaying denied" errors which I do not get if
I use another greylist filter.

The problem seemed to occur at the beginning, when the secondary mailserver
checks whether the email address exists on the primary server.

EXAMPLE (this is LEGIT email, its from a mailinglist I have subscribed to):

Sep 17 00:05:18 mail2 sendmail[3671]: k8GE5DSh003671: ruleset=check_rcpt, arg1=<jobst@...>, relay=hal.sage-au.org.AU [203.27.221.52], reject=550 5.7.1 <jobst@...>... Relaying denied
Sep 17 00:05:18 mail2 sendmail[3671]: k8GE5DSh003671: from=<root@...-au.org.au>, size=4080, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=hal.sage-au.org.AU [203.27.221.52]


Why could this happen????

jobst






-- 
Microsoft message: Abort, retry, try again, try once more, confirm one more attempt, PANIC!!!!!

             __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L      
 -(_)------(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

Jobst Schmalenbach <jobst@...> wrote:

> I have 2 mailservers, a main server (MX 10) and a backup server (MX 100).
> 
> However, when some mailservers connect to the main server and get a
> tempfail, they try immediately to connect to the secondary server (which
> is ok/correct).
> 
> However, I seemed to have a problem when using two greylist milters.
> 
> It seems that I get "relaying denied" errors which I do not get if
> I use another greylist filter.

That looks like a sendmail configuration issue. If you test your server
by doing a telnet on port 25, does enabling/disabling milter-greylist
change the behavior? 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Sat, Sep 16, 2006 at 07:50:12PM +0200, manu@... (manu@...) wrote:
> Jobst Schmalenbach <jobst@...> wrote:
> 
> > I have 2 mailservers, a main server (MX 10) and a backup server (MX 100).
> > 
> > However, when some mailservers connect to the main server and get a
> > tempfail, they try immediately to connect to the secondary server (which
> > is ok/correct).
> > 
> > However, I seemed to have a problem when using two greylist milters.
> > 
> > It seems that I get "relaying denied" errors which I do not get if
> > I use another greylist filter.
> 
> That looks like a sendmail configuration issue. If you test your server
> by doing a telnet on port 25, does enabling/disabling milter-greylist
> change the behavior? 

I have no problem (its running now) when I use a different greylisting milter
and has been for years. I know, too, that the relaying between the two is catered
for in the access list and I have the server whitelisted in the config files.

However, your filter has a *lot* off advantages over the other one, hence why I
want to use yours.

When I start yours, instead of getting a temp fail its getting a relaying
denied and as soon as I swtich back to the older one everthing is fine.

What can I do to figure out why this is happening?


jobst



-- 
* help! I've fallen over and I can't SIGHUP!

             __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L      
 -(_)------(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

Jobst Schmalenbach <jobst@...> wrote:

> When I start yours, instead of getting a temp fail its getting a relaying
> denied and as soon as I swtich back to the older one everthing is fine.
> 
> What can I do to figure out why this is happening?

Try to change only one item at a time. Test your server by doing a
telnet to port 25 and speaking SMTP. You get relaying denied.

Now edit sendmail.cf, remove milter-greylist by modifying the "O
InputMailFilters" line, and restart sendmail (that step shouldn't be
nescessary, but who knows). Do a telnet on port 25 and try again.

Do you get a different result?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Sun, Sep 17, 2006 at 07:03:13AM +0200, manu@... (manu@...) wrote:
> Jobst Schmalenbach <jobst@...> wrote:
> 
> > When I start yours, instead of getting a temp fail its getting a relaying
> > denied and as soon as I swtich back to the older one everthing is fine.
> > 
> > What can I do to figure out why this is happening?
> 
> Try to change only one item at a time. Test your server by doing a
> telnet to port 25 and speaking SMTP. You get relaying denied.
> 
> Now edit sendmail.cf, remove milter-greylist by modifying the "O
> InputMailFilters" line, and restart sendmail (that step shouldn't be
> nescessary, but who knows). Do a telnet on port 25 and try again.
> 
> Do you get a different result?

Have to do it on the next weekend ... I ran out of time this weekend.


jobst




-- 
The future isn't what it used to be (it never was).

             __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L      
 -(_)------(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

On Mon, Sep 18, 2006 at 01:59:00PM +1000, Jobst Schmalenbach (jobst@...) wrote:
> On Sun, Sep 17, 2006 at 07:03:13AM +0200, manu@... (manu@...) wrote:
> > Jobst Schmalenbach <jobst@...> wrote:
> > 
> > > When I start yours, instead of getting a temp fail its getting a relaying
> > > denied and as soon as I swtich back to the older one everthing is fine.
> > > 
> > > What can I do to figure out why this is happening?
> > 
> > Try to change only one item at a time. Test your server by doing a
> > telnet to port 25 and speaking SMTP. You get relaying denied.
> > 
> > Now edit sendmail.cf, remove milter-greylist by modifying the "O
> > InputMailFilters" line, and restart sendmail (that step shouldn't be
> > nescessary, but who knows). Do a telnet on port 25 and try again.
> > 
> > Do you get a different result?
> 
> Have to do it on the next weekend ... I ran out of time this weekend.

Yes, without is (or alternatively with the other "gray"-milter) it
works, with milter-greylist-3.0a1 on the main MX server it has trouble.

Is there a limitation of the version of Fedora I need to run 
using milter-greylist-3.0a1 (if you want to know more about the setup,
i.e. sendmail version etc, I can tell you but not on the list).

The problem is getting more weird ...

If I change the greymilter and use yours on the MAIN MX server, then
the secondary goes reall strange. Putting it back sometimes doesnt
resolve it, I actually need to reboot the secondary!


How can I debug the stuff what gets send accross?


jobst









-- 
"Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man." - Mohandas K. Gandhi

             __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L      
 -(_)------(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

Jobst Schmalenbach <jobst@...> wrote:

> How can I debug the stuff what gets send accross?

I have real trouble to understand how your problem happen. Perhaps an
odd sendmail.cf? THat's beyond my knowledge. :-/

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Mon, Sep 25, 2006 at 10:22:19PM +0200, manu@... (manu@...) wrote:
> Jobst Schmalenbach <jobst@...> wrote:
> 
> > How can I debug the stuff what gets send accross?
> 
> I have real trouble to understand how your problem happen. Perhaps an
> odd sendmail.cf? THat's beyond my knowledge. :-/

Not mine ;-)

It does have some "oddities" (greetpause, confRECEIVED_HEADER, and
other stuff to hide what smtp server it is) but for the
rest its a standard yet secure setup.

Its new too, I always keep it up to the latest version
and get rid of all the "old" stuff and listen what
sendmail complains about and RTFM.


What I like most about your greymilter is the
domain based white listing, that suits my business 
very well ...


jobst




-- 
Fortune: No such file or directory.

             __, Jobst Schmalenbach, Technical Director
   _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L      
 -(_)------(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia