Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

hotmail fails to retry?


2004-08-09 by Javier

hello,

i just installed milter-greylist 1.5.5 on a linux machine
with sendmail 8.12.11

i have tried sending mails from yahoo and hotmail, everything
works fine with yahoo, greylisting and when yahoo retries
the tuples get auto-whitelisted. however, emails from
hotmail just seem to be rejected, sendmail sends the same
message on my maillog file: "[...] reject=451 4.7.1 Greylisting
in action, please come back in 00:10:00"

however, i get a "Delivery to the following recipients failed"
message almost instantly in my hotmail account.

any of you has experienced the same problem? any idea of
how to solve it?

javier

RE: [milter-greylist] hotmail fails to retry?

2004-08-09 by Johnny Sletteland

It seems to work fine for me. The email gets delayed and retried and
passes. My retry is set to 3 minutes.

-Johnny
> -----Original Message-----
> From: Javier [mailto:axioma@...] 
> Sent: Monday, August 09, 2004 11:20 AM
> To: milter-greylist@yahoogroups.com
> Subject: [milter-greylist] hotmail fails to retry?
> 
> hello,
> 
> i just installed milter-greylist 1.5.5 on a linux machine 
> with sendmail 8.12.11
> 
> i have tried sending mails from yahoo and hotmail, everything 
> works fine with yahoo, greylisting and when yahoo retries the 
> tuples get auto-whitelisted. however, emails from hotmail 
> just seem to be rejected, sendmail sends the same message on 
> my maillog file: "[...] reject=451 4.7.1 Greylisting in 
> action, please come back in 00:10:00"
> 
> however, i get a "Delivery to the following recipients failed"
> message almost instantly in my hotmail account.
> 
> any of you has experienced the same problem? any idea of how 
> to solve it?
> 
> javier

Re: hotmail fails to retry?

2004-08-09 by Javier

are you using the same version of milter-greylist i am using
(1.5.5)?

this is my sendmail configuration:

INPUT_MAIL_FILTER(`greylist',
`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

you think there's something wrong there? i just tried again (first
erasing my .db file), and i got the same result, no problem with
yahoo but instant failure message with hotmail.

javier

Re: [milter-greylist] hotmail fails to retry?

2004-08-09 by manu@netbsd.org

Javier <axioma@...> wrote:

> any of you has experienced the same problem? any idea of
> how to solve it?

Whitelist the whole mailfarm. There is no point in greylisting
messages that come from a legitimate MTA: whether they are spam or not,
they will pass through. 

The question is: should hotmail's mailfarm be added to the default
config file labelled as "broken MTA"? Anyone experienced the same
problem?

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@...

Re: [milter-greylist] hotmail fails to retry?

2004-08-09 by Jack L. Stone

At 09:27 PM 8.9.2004 +0200, manu@... wrote:
>Javier <axioma@...> wrote:
>
>> any of you has experienced the same problem? any idea of
>> how to solve it?
>
>Whitelist the whole mailfarm. There is no point in greylisting
>messages that come from a legitimate MTA: whether they are spam or not,
>they will pass through. 
>
>The question is: should hotmail's mailfarm be added to the default
>config file labelled as "broken MTA"? Anyone experienced the same
>problem?
>

We have hundreds of tech magazine subscribers that use hotmail -- no
problem here.

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@...

Re: [milter-greylist] hotmail fails to retry?

2004-08-09 by manu@netbsd.org

Jack L. Stone <jacks@...> wrote:

> We have hundreds of tech magazine subscribers that use hotmail -- no
> problem here.

And you haven't whitelisted hotmail.com?

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@...

Re: hotmail fails to retry? (solved)

2004-08-09 by Javier

hello,

i am sorry, it was my mistake, it turns out that we have
misconfigured secondary MX servers that use rockliffe mailsite
(windows). i didn't notice this misconfiguration before 
because we never actually needed the secondary MX.

now it works fine, but i have to whitelist my secondary
MX (addr), so hotmail messages always pass thru.

however, i still wonder why hotmail always tried the secondary
MX server and yahoo didn't.

if i do not whitelist my secondary MX server will milter-greylist
recognise the message is coming from hotmail rather than from
my secondary MX?

javier

Re: [milter-greylist] Re: hotmail fails to retry? (solved)

2004-08-09 by manu@netbsd.org

Javier <axioma@...> wrote:

> if i do not whitelist my secondary MX server will milter-greylist
> recognise the message is coming from hotmail rather than from
> my secondary MX?

No, it won't. You need to whitelist your secondary MX. All the mail that
gets in the secondary will always go to the primary, that's just a
matter of time.
 
But milter-greylist will be of little benefit if you have a secondary MX
without greylisting: the spam will still be accepted on the secondary
MX, and it will be propagated to the primary, there is nothing we can do
against that (except dumping the secondary MX)

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@...

Working with multiple MX

2004-08-09 by Javier

> But milter-greylist will be of little benefit if you have a
> secondary MX without greylisting

i am planning on changing my secondary MX server
to a linux platform.

in the README file it says something about using peer in
the config file so that MX server sync using port 5252.

do these servers authenticate each other in any way?
or they just ask for a MX record (doing some dns query,
i suppose) to recognise they are primary and secondary
server of the same domain?

javier

Re: [milter-greylist] Re: hotmail fails to retry? (solved)

2004-08-09 by leloup

On Monday, 9 August 2004 22:26, Javier wrote:

> however, i still wonder why hotmail always tried the secondary
> MX server and yahoo didn't.

yeah, I also noticed, that hotmail always chooses the second MX. Funny...

>
> if i do not whitelist my secondary MX server will milter-greylist
> recognise the message is coming from hotmail rather than from
> my secondary MX?

nope. It just takes the last (i.e. first ;-) Received-line. So it will put the 
address of your MX into its database...

Juergen
>
> javier

Re: [milter-greylist] Working with multiple MX

2004-08-09 by Cyril Guibourg

"Javier" <axioma@...> writes:

> do these servers authenticate each other in any way?

not really, peers know about others and accept updates from others
thru TCP.

> or they just ask for a MX record (doing some dns query,
> i suppose) to recognise they are primary and secondary
> server of the same domain?

for greylist sync between two milters, there is no notion of primary
or secondary. MXes shall only keep their list sync'ed.

Re: Working with multiple MX

2004-08-09 by Javier

> > do these servers authenticate each other in any way?
> 
> not really, peers know about others and accept updates from others
> thru TCP.

isn't that a bit insecure? in the sense that you are sharing
your greylist database with anyone who uses you as peer?
or you have to choose that IP as your peer as well in order
to share the db file?

juergen, so milter-greylist takes only the first Received-line,
but would it be possible for milter-greylist to take the second one
if the first one showed an IP that is included as a peer in the
config file?

javier

Re: [milter-greylist] hotmail fails to retry?

2004-08-09 by Jack L. Stone

At 10:11 PM 8.9.2004 +0200, manu@... wrote:
>Jack L. Stone <jacks@...> wrote:
>
>> We have hundreds of tech magazine subscribers that use hotmail -- no
>> problem here.
>
>And you haven't whitelisted hotmail.com?
>
>-- 
>Emmanuel Dreyfus

No, have not whitelisted them.....

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@...

Re: [milter-greylist] Re: Working with multiple MX

2004-08-09 by manu@netbsd.org

Javier <axioma@...> wrote:

[No authentication for MX sync]
> isn't that a bit insecure? in the sense that you are sharing
> your greylist database with anyone who uses you as peer?
> or you have to choose that IP as your peer as well in order
> to share the db file?

it will only accept connexions from hosts you have listed as peer in
your config file. Of course this will be defeated by someone doing IP
spoofing, but if the spammer is able to perform IP spoofing between your
MX, then he does not need to hijack the greylist database sync in order
to inject spam.

If you reached the situation where your MX authenticate to each other
before accepting mail through SMTP, then MX sync will lower your
security if you don't encapsulate it in SSL or IPsec. If you don't use
SMTP authentication between your MX, that changes nothing.  
 
> juergen, so milter-greylist takes only the first Received-line,
> but would it be possible for milter-greylist to take the second one
> if the first one showed an IP that is included as a peer in the
> config file?

milter-greylist doesn't read the Received lines, it just sees where the
network connexion is coming from. Received lines can be completely
forged.

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@...
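
Added example, not part of the original thread and not milter-greylist's own code: a simplified Python model of the point made in the replies above, that the greylist tuple is keyed on the connecting IP rather than on Received headers, so mail relayed by a non-greylisting secondary MX is tracked under the secondary's address and passes when the secondary retries. The `Greylist` class, the addresses and the retry times are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
DELAY = 600  # seconds, matching the "come back in 00:10:00" reply in the thread
SECONDARY_MX = "192.0.2.20"      # constructed documentation addresses
DIRECT_MTA = "198.51.100.7"
NO_RETRY_SOURCE = "203.0.113.99"

@dataclass
class Greylist:
    """Toy greylist (assumption: not milter-greylist's real data structures)."""
    whitelist_addrs: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # tuple -> first-seen time
    autowhite: set = field(default_factory=set)    # tuples that retried in time

    def check(self, peer_ip, mail_from, rcpt_to, now):
        # peer_ip is the TCP connection's source; Received headers are ignored
        if peer_ip in self.whitelist_addrs:
            return 250
        key = (peer_ip, mail_from, rcpt_to)
        if key in self.autowhite:
            return 250
        first = self.pending.setdefault(key, now)
        if now - first >= DELAY:
            del self.pending[key]
            self.autowhite.add(key)
            return 250
        return 451  # temporary failure: a queueing MTA retries later

def deliver(gl, peer_ip, mail_from, rcpt_to, attempt_times):
    codes = []
    for t in attempt_times:          # stop at the first accepted attempt
        codes.append(gl.check(peer_ip, mail_from, rcpt_to, t))
        if codes[-1] == 250:
            break
    return codes

def scenarios():
    gl, rcpt = Greylist(), "user@example.net"
    out = {
        # direct MTA that queues and retries: deferred once, then accepted
        "direct_retry": deliver(gl, DIRECT_MTA, "a@example.org", rcpt, [0, 900]),
        # source that never retries, connecting directly: never accepted
        "direct_no_retry": deliver(gl, NO_RETRY_SOURCE, "s@example.com", rcpt, [0]),
        # same source via a secondary MX that accepts and retries on its behalf
        "via_secondary": deliver(gl, SECONDARY_MX, "s@example.com", rcpt, [10, 910]),
    }
    out["accepted_peer_ips"] = sorted(k[0] for k in gl.autowhite)
    gl2 = Greylist(whitelist_addrs={SECONDARY_MX})  # secondary whitelisted by address
    out["secondary_whitelisted"] = deliver(gl2, SECONDARY_MX, "s@example.com", rcpt, [0])
    return out
```

Calling `scenarios()` returns the SMTP reply codes per scenario; the original sender's address never appears among the accepted tuples for relayed mail, only the secondary MX's.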

Re: [milter-greylist] Re: Working with multiple MX

2004-08-09 by leloup

On Monday, 9 August 2004 23:28, Javier wrote:

> juergen, so milter-greylist takes only the first Received-line,
> but would it be possible for milter-greylist to take the second one
> if the first one showed an IP that is included as a peer in the
> config file?

won't help, because you only can tell the server from whom you get the mail, 
to retry sending it again. And that is your secondary mx in this case...

Juergen

RE: [milter-greylist] Re: Working with multiple MX

2004-08-10 by Johnny Sletteland

Is a secondary MX really needed in a normal scenario where your primary
has a fairly constant link to the internet? All MTAs with respect for
themselves will queue the mail and retry sending it for you until you
get it.

The way I see it, the world is your secondary MX. 

-Johnny
> -----Original Message-----
> From: leloup [mailto:leloup@...] 
> Sent: Tuesday, August 10, 2004 12:07 AM
> To: milter-greylist@yahoogroups.com
> Subject: Re: [milter-greylist] Re: Working with multiple MX
> 
> On Monday, 9 August 2004 23:28, Javier wrote:
> 
> > juergen, so milter-greylist takes only the first Received-line, but 
> > would it be possible for milter-greylist to take the second 
> one if the 
> > first one showed an IP that is included as a peer in the 
> config file?
> 
> won't help, because you only can tell the server from whom 
> you get the mail, to retry sending it again. And that is your 
> secondary mx in this case...
> 
> Juergen

Re: [milter-greylist] Re: Working with multiple MX

2004-08-10 by manu@netbsd.org

Johnny Sletteland <johnny@...> wrote:

> Is a secondary MX really needed in a normal scenario where your primary
> has a fairly constant link to the internet? All MTAs with respect for
> themselves will queue the mail and retry sending it for you until you
> get it.
> 
> The way I see it, the world is your secondary MX. 

In my opinion, the secondary MX is not worth it anymore. It enables the
mail to be queued longer on a single machine (which means less load when
the primary gets back online), but it's hard to deal with spam on a
secondary. For instance, you need to refuse mail to invalid recipient
addresses, which might not be possible if you don't have administrative
access to the secondary. 

I believe in multiple primary MXs, though. That's a nice way to
distribute the load and scale better for higher mail volumes. 

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@...

Re: [milter-greylist] Re: Working with multiple MX

2004-08-10 by leloup

On Monday, 9 August 2004 23:46, manu@... wrote:

> > juergen, so milter-greylist takes only the first Received-line,
> > but would it be possible for milter-greylist to take the second one
> > if the first one showed an IP that is included as a peer in the
> > config file?
>
> milter-greylist doesn't read the Received lines, it just sees where the
> network connexion is coming from. Received lines can be completely
> forged.

correct, but the *last* Received is written by *your* mailserver, so this 
shouldn't be forged ;-) 

But I see the point: of course milter-greylist can't read this *last* 
Received-line, because it is just not written in the moment, milter-greylist 
does its job. So my statement was wrong of course. But on the other hand, 
the IP in this last Received-line, that the recipient of the mail will see, 
is that IP, which milter-greylist sees where the connection is coming from.

Is this the correct statement?

Juergen

Re: [milter-greylist] Re: Working with multiple MX

2004-08-10 by Emmanuel Dreyfus

On Tue, Aug 10, 2004 at 11:55:02AM +0200, leloup wrote:
> But I see the point: of course milter-greylist can't read this *last* 
> Received-line, because it is just not written in the moment, milter-greylist 
> does its job. So my statement was wrong of course. But on the other hand, 
> the IP in this last Received-line, that the recipient of the mail will see, 
> is that IP, which milter-greylist sees where the connection is coming from.

That sounds right. Except of course if your MX forwards mail to an inner 
mailhost where the user's mailboxes are.

-- 
Emmanuel Dreyfus
manu@...
