Milter-greylist

I'm currently checking out the functionality of milter-null and have 
arranged it in sendmail.cf that it is carried out before milter-greylist 
(InputMailFilters). However, it seems that milter-greylist gets carried 
out before milter-null. e.g. connects with <> senders from joejob bounces 
or spam with <> senders get greylisted although they should normally get 
quarantined by milter-null. That means in some cases that the mail server 
gets hammered with connection retries, especially when the originating IP 
no. has been delayed by policy longer than usual.
Is there a way to make sure that milter-null can first make a decision 
before greylisting kicks in or is that impossible?

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

On Sunday 05 August 2007 03:29:49 pm Kai Schaetzl wrote:
> I'm currently checking out the functionality of milter-null and have
> arranged it in sendmail.cf that it is carried out before milter-greylist
> (InputMailFilters). However, it seems that milter-greylist gets carried
> out before milter-null. e.g. connects with <> senders from joejob bounces
> or spam with <> senders get greylisted although they should normally get
> quarantined by milter-null. That means in some cases that the mail server
> gets hammered with connection retries, especially when the originating IP
> no. has been delayed by policy longer than usual.
> Is there a way to make sure that milter-null can first make a decision
> before greylisting kicks in or is that impossible?
>
> Kai

I ordered the InputMailFilters in sendmail.mc and it works on my system. I 
have three of them in there. Greylist, clamav, spamassasen.

INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/clamav/clmilter.socket, F=, 
T=S:4m;R:4m')dnl
dnl define(`confINPUT_MAIL_FILTERS', `clmilter')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, 
T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, 
{if_addr}')dnl

Note the "dnl define(`confINPUT_MAIL_FILTERS', `clmilter')" I had to take that 
out of the because it was messing up the order and other things in the 
sendmail.cf output. Let "mc" handle it.

--Techwolf

Techwolf wrote on Mon, 6 Aug 2007 00:46:55 -0500:

> I ordered the InputMailFilters in sendmail.mc and it works on my system. I
> have three of them in there. Greylist, clamav, spamassasen.

Note, that the latter two both work on content (=DATA), so they *have* to be 
carried out after milter-greylist.

> Note the "dnl define(`confINPUT_MAIL_FILTERS', `clmilter')" I had to take that
> out of the because it was messing up the order and other things in the
> sendmail.cf output.

Indeed, that is, because you did it wrong ;-) Corrected directive:

(`confINPUT_MAIL_FILTERS', `greylist,clmilter,spamassassin')


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

At 10:29 PM 8.5.2007 +0200, you wrote: 
>>>>
    
Kai

<<<<
I am *looking* into that milter too, but have not reached the installation
use yet. Just curious, what TTL figure are you using? Also, what is your
startup command w/flags?

Sorry this is a bit OT.

Thanks,

>>>>



(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american

Jack L. Stone wrote on Mon, 06 Aug 2007 07:25:35 -0500:

> I am *looking* into that milter too, but have not reached the installation
> use yet. Just curious, what TTL figure are you using? Also, what is your
> startup command w/flags?

TTL? Do you mean timeout for sendmail-mitler interaction? I use whatever he 
recommends in the proposed mc/m4 lines. I think timeout is not critical for 
this milter as it doesn't query external sources and the processing it does 
is not that ressource-intensive.

Startup: just the executable name. I use a milter-null.cf for configuration. 
There's not much to configure, though, I use quarantining in the testing 
phase. Unfortunately, the quarantining is not explained anywhere. Now that I 
use it I can tell that it's not "quarantining", but flagging.

(It seems you can use a "milter-name.cf" for any of the Snertsoft milters 
and add any command-line option to it as you would add it to a command-line. 
Pretty easy, but not documented apart from mentioning the filename. What's 
nifty is that you get an output of all set options - including the config 
files ones - with a "milter-null -help".)

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

On Monday 06 August 2007 04:31:17 am Kai Schaetzl wrote:
>
> Indeed, that is, because you did it wrong ;-) Corrected directive:
>
> (`confINPUT_MAIL_FILTERS', `greylist,clmilter,spamassassin')
>

But try figuring that out on your first setup. :-) Lots of furpulling trying 
to figure out why greylist and spam wasn't working. I think clamav fixed 
there docs and removed that line due  to .mc handling it correctly.

My logs show that clamav is run after grey and before spam. Have you tried the 
mc file yet? If so, you may just want to try letting .mc do most of the work, 
you never know till you try it.

Note that I have set this up on my server years ago and therefore docs may 
have changed sense then.

--Techwolf

Techwolf wrote on Mon, 6 Aug 2007 12:02:58 -0500:

> My logs show that clamav is run after grey and before spam.

Of course! As I said: the clamav and sa milters *have* to be used after the 
greylisting milter because they are for the DATA phase. If you do not add any 
ordering then they *will* be carried out later as otherwise it doesn't make 
sense. This is different for milter-null and milter-greylist, both are used 
during the connect/header stage. So, your experience can simply not be applied to 
this situation.

Have you tried the 
> mc file yet? If so, you may just want to try letting .mc do most of the work, 
> you never know till you try it.

I'm not sure what you mean by this. What else should I use than .mc and .m4 
files?

The point is that INPUT_MAIL_FILTERS is specifically meant for ordering milters 
according to the sendmail documentation. However, as it doesn't seem to work for 
milter-null/milter-greylist I suspect that there is something in the way the 
milters or sendmail works that prohibits milter-null kicking in first. I'm quite 
convinced that it works for other milters. I wanted to have a 
confirmation/explanation/whatever in case somebody knows more about this.


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

as an addendum, I figured the problem of undesired ordering might be the 
quarantining, so I changed that to reject. But still the messages would be 
greylisted. So, I'm now using this:

racl blacklist list "dynamic" from /<>/
racl greylist list "dynamic" delay 1d

same for "badcountries" by GeoIP

This will reject legitimate DSNs or whatever else that may come from <> as 
well, of course, but the false positive rate is scarce.

You can grep for these with "Go away" in the logs, unless you changed the 
msg.

Of course, makes milter-null mostly obsolete.

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Oh, found it.
#### README.libmilter

Which filters are invoked and their sequencing is handled by the
InputMailFilters option. Note: if InputMailFilters is not defined no filters
will be used.

O InputMailFilters=filter1, filter2, filter3

This is is set automatically according to the order of the
INPUT_MAIL_FILTER commands in your .mc file. Alternatively, you can
reset its value by setting confINPUT_MAIL_FILTERS in your .mc file.
This options causes the three filters to be called in the same order
they were specified. It allows for possible future filtering on output
(although this is not intended for this release).

Also note that a filter can be defined without adding it to the input
filter list by using MAIL_FILTER() instead of INPUT_MAIL_FILTER() in your
..mc file.

Does that help or did you find that info allready?

-- 
Techwolf
Techwolf@...
http://www.techwolf.net/index.html
PGP public keys on web site.

<html>
<style>*{position:relative}</style>
<table><input></table>
<form>
<input type signature>
</form>
</html>

While looking about about a different problem I had, I came across this.
----------------
Ah yes, the separator is a comma in confINPUT_MAIL_FILTERS in 8.12.x but it's
a semicolon in the InputMailFilters= part of DAEMON_PORT_OPTIONS in 8.13.x.
Watch out for this when you upgrade to FC3... if you use a comma you'll just
be running the first of your milters and the rest will be ignored, something I
fell over a few months ago.

Paul.
-----------------------

-- 
Techwolf
Techwolf@...
http://www.techwolf.net/index.html
PGP public keys on web site.

<html>
<style>*{position:relative}</style>
<table><input></table>
<form>
<input type signature>
</form>
</html>