Yahoo Groups archive

Milter-greylist

All sender headers show "Sender IP Whitelisted"

2009-07-12 by rlkknight@sbcglobal.net

Over the last couple of days the amount of spam coming into our mailboxes has increased by at least 5 times. In trying to find the problem I see that every message, even spam messages, has this in the header...

X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 (mail.rlknight.com [172.16.88.3]); Sun, 12 Jul 2009 10:18:11 -0700 (PDT)

It looks like everything is IP whitelisted and no messages are being delayed and that has led to a huge increase in spam. I looked in the Greylist wiki and FAQ but couldn't find anything that looked related to this problem. How can I get milter-greylist to start delaying messages again?

Thanks,
Rick Knight

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-12 by Emmanuel Dreyfus

On Sun, Jul 12, 2009 at 05:26:27PM -0000, rlkknight@... wrote:
> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 (mail.rlknight.com [172.16.88.3]); Sun, 12 Jul 2009 10:18:11 -0700 (PDT)

172.16.x.x is an RFC1918 reserved address for private networks. You get
spam relayed from a host in your internal, trusted network. You should
either cure or blacklist the spam relay.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-12 by Rick Knight

Emmanuel Dreyfus wrote:
>
>
> On Sun, Jul 12, 2009 at 05:26:27PM -0000, rlkknight@... 
> <mailto:rlkknight%40sbcglobal.net> wrote:
> > X-Greylist: Sender IP whitelisted, not delayed by 
> milter-greylist-4.0.1 (mail.rlknight.com [172.16.88.3]); Sun, 12 Jul 
> 2009 10:18:11 -0700 (PDT)
>
> 172.16.x.x is a RFC1918 reserved address for privates networks, You get
> spam relayed from a host in your internal, trusted network. You should
> either cure or blacklist the spam relay.
>
> -- 
> Emmanuel Dreyfus
> manu@... <mailto:manu%40netbsd.org>
>
> 
172.16.88.3 is the internal address of my mail server.

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Emmanuel Dreyfus

On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
> 172.16.88.3 is the internal address of my mail server.

Um, sorry, I overlooked that one, my answer was meaningless.

Can you send your greylist.conf and the Received: headers of the message 
that passed through?

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Rick Knight

Emmanuel Dreyfus wrote:
>
>
> On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
> > 172.16.88.3 is the internal address of my mail server.
>
> Um, sorry, I overlooked that one, my answer was meaningless.
>
> Can you send your greylist.conf and the Received: headers of the message
> that passed through?
>
> -- 
> Emmanuel Dreyfus
> manu@... <mailto:manu%40netbsd.org>
>
> 
Here are the Received: and X-Greylist: headers from another message and 
greylist.conf is attached. As I said, just about everything is passing 
through without a delay.

Received: from 160-226-dialup.haptend.com (knight-fw.rlknight.com 
[172.16.88.2])    by mail.rlknight.com (8.14.2/8.14.2) with SMTP id 
n6DFxUJI017709    for <rick@...>; Mon, 13 Jul 2009 08:59:31 -0700

X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 
(mail.rlknight.com [172.16.88.3]); Mon, 13 Jul 2009 08:59:36 -0700 (PDT)

Thanks again,
Rick

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Rick Knight

Emmanuel Dreyfus wrote:
>
>
> On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
> > 172.16.88.3 is the internal address of my mail server.
>
> Um, sorry, I overlooked that one, my answer was meaningless.
>
> Can you send your greylist.conf and the Received: headers of the message
> that passed through?
>
> -- 
> Emmanuel Dreyfus
> manu@... <mailto:manu%40netbsd.org>
>
> 
Forgot to mention, 172.16.88.2 is the internal IP of my firewall, 
172.16.88.3 is the mail server.

Thanks,
Rick

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Bill Levering

---------------
|  internet   |
_______________
       ||
       ||
---------------
|  internal   |
|  firewall   |
| 172.16.88.2 |
_______________
       ||
       ||
---------------
| smtp server |
| 172.16.88.3 |
_______________
       ||
       ||
---------------
|  internal   |
|  machines   |
| 172.16.88.x |
_______________


If the firewall is between the mail server and the internet, then you  
should remove the whitelisting for the firewall but this would break  
all mail since the firewall is (probably) doing port forwarding and  
all connections will appear to be from the firewall. Hmmm...

Bill Levering
idbill@...
KFP: 6C0A 067C 7E03 58C3 C2F7  8278 6DFD 55A8 108B ED2F
On Jul 13, 2009, at 9:26 AM, Rick Knight wrote:

> Emmanuel Dreyfus wrote:
>>
>>
>> On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
>>> 172.16.88.3 is the internal address of my mail server.
>>
>> Um, sorry, I overlooked that one, my answer was meaningless.
>>
>> Can you send your greylist.conf and the Received: headers of the  
>> message
>> that passed through?
>>
>> -- 
>> Emmanuel Dreyfus
>> manu@... <mailto:manu%40netbsd.org>
>>
>>
> Forgot to mention, 172.16.88.2 is the internal IP of my firewall,
> 172.16.88.3 is the mail server.
>
> Thanks,
> Rick

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted" [1 Attachment]

2009-07-13 by Oliver Fromme

Rick Knight wrote:
 > Here are the Received: and X-Greylist: headers from another message and 
 > greylist.conf is attached. As I said, just about everything is passing 
 > through without a delay.
 > 
 > Received: from 160-226-dialup.haptend.com (knight-fw.rlknight.com 
 > [172.16.88.2])    by mail.rlknight.com (8.14.2/8.14.2) with SMTP id 
 > n6DFxUJI017709    for <rick@...>; Mon, 13 Jul 2009 08:59:31 -0700
 > 
 > X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 
 > (mail.rlknight.com [172.16.88.3]); Mon, 13 Jul 2009 08:59:36 -0700 (PDT)

It seems that your firewall (.2) is acting as an SMTP
gateway (as opposed to only routing the IP packets).

So your mailserver only sees the firewall as the
connecting MTA, not the real remote MTA.  Under these
circumstances greylisting doesn't work correctly,
because greylisting depends on being able to see the
remote MTA's address.

You will either have to reconfigure your firewall to
route SMTP connections through to your mailserver.
Or run greylisting on the firewall, if possible.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"I made up the term 'object-oriented', and I can tell you
I didn't have C++ in mind."
        -- Alan Kay, OOPSLA '97
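
A diagnostic for the condition described in the message above, as an added example that is not part of the original thread or of milter-greylist: it reads sendmail-style `Received:` headers and flags mail whose connecting peer is an internal address while the HELO name is foreign, which is what the mail server records when a gateway hides the remote MTA's address. The network `172.16.88.0/24` and domain `rlknight.com` come from the thread; the host `ws1.rlknight.com`, the `example.net` header and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions taken from the thread: the internal network and local mail domain.
INTERNAL_NET = ipaddress.ip_network("172.16.88.0/24")
LOCAL_DOMAIN = "rlknight.com"

# Sendmail-style trace field: "from HELO (rdns [peer-ip]) by ..."
PEER_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def connecting_peer(received):
    """Return (helo_name, peer_ip) from one Received: header, or None."""
    m = PEER_RE.search(" ".join(received.split()))  # unfold wrapped headers
    if not m:
        return None
    try:
        return m.group(1).lower(), ipaddress.ip_address(m.group(2))
    except ValueError:
        return None

def classify(received):
    """masked: internal peer IP but a foreign HELO name, so a gateway has
    replaced the real client's address; internal: internal peer with a local
    name; direct: the remote MTA's own address is visible."""
    peer = connecting_peer(received)
    if peer is None:
        return "unparsed"
    helo, ip = peer
    if ip not in INTERNAL_NET:
        return "direct"
    # HELO is client-supplied, so this is a heuristic, not proof.
    local = helo == LOCAL_DOMAIN or helo.endswith("." + LOCAL_DOMAIN)
    return "internal" if local else "masked"

def audit(headers):
    """Count classifications over a batch of Received: headers."""
    return Counter(classify(h) for h in headers)

# First header adapted from the thread; the other two are constructed samples.
SAMPLE = [
    "Received: from 160-226-dialup.haptend.com (knight-fw.rlknight.com\n"
    " [172.16.88.2])    by mail.rlknight.com (8.14.2/8.14.2) with SMTP",
    "Received: from ws1.rlknight.com (ws1.rlknight.com [172.16.88.20])"
    " by mail.rlknight.com (8.14.2/8.14.2) with ESMTP",
    "Received: from mx.example.net (mx.example.net [192.0.2.25])"
    " by mail.rlknight.com (8.14.2/8.14.2) with ESMTP",
]

if __name__ == "__main__":
    print(dict(audit(SAMPLE)))
```

A high share of `masked` results over a day's inbound mail means the greylist ACL is evaluating the gateway's address for every message, so any whitelist entry covering that address passes all of it.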

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Patrick Domack

It shouldn't appear connections are coming from the firewall, unless  
he is doing source masquerading on incoming connections, where he  
would have wanted to do destination rewriting to forward those  
connections from the firewall to the email server.

The only way I see it currently working is if he is doing both, or he  
got some 3rd party port forwarder involved, then you're just screwed.


Quoting Bill Levering <idbill@...>:
>
> ---------------
> |  internet   |
> _______________
>       ||
>       ||
> ---------------
> |  internal   |
> |  firewall   |
> | 172.16.88.2 |
> _______________
>       ||
>       ||
> ---------------
> | smtp server |
> | 172.16.88.3 |
> _______________
>       ||
>       ||
> ---------------
> |  internal   |
> |  machines   |
> | 172.16.88.x |
> _______________
>
>
> If the firewall is between the mail server and the internet, then you
> should remove the whitelisting for the firewall but this would break
> all mail since the firewall is (probably) doing port forwarding and
> all connections will appear to be from the firewall. Hmmm...
>
> Bill Levering
> idbill@planx.com
> KFP: 6C0A 067C 7E03 58C3 C2F7  8278 6DFD 55A8 108B ED2F
>
>
>
> On Jul 13, 2009, at 9:26 AM, Rick Knight wrote:
>
>> Emmanuel Dreyfus wrote:
>>>
>>>
>>> On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
>>>> 172.16.88.3 is the internal address of my mail server.
>>>
>>> Um, sorry, I overlooked that one, my answer was meaningless.
>>>
>>> Can you send your greylist.conf and the Received: headers of the  message
>>> that passed through?
>>>
>>> -- 
>>> Emmanuel Dreyfus
>>> manu@... <mailto:manu%40netbsd.org>
>>>
>>>
>> Forgot to mention, 172.16.88.2 is the internal IP of my firewall,
>> 172.16.88.3 is the mail server.
>>
>> Thanks,
>> Rick

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Rick Knight

Yes, the firewall is between the mail server and the internet and does 
port forwarding. Looks just like you've illustrated.

I did change my firewall. I had been using a Slackware box with IPTables 
in the same setup, Internet -> Firewall -> SMTP Server and port 
forwarding. Milter-greylist was working fine. Now I'm using a router 
with a NAT and SPI firewall (Linux OS). I didn't connect the greylist 
problem with the firewall change. I guess this could be the problem. If 
so, is there a way around it?

Thanks,
Rick

Bill Levering wrote:
>
> ---------------
> |  internet   |
> _______________
>       ||
>       ||
> ---------------
> |  internal   |
> |  firewall   |
> | 172.16.88.2 |
> _______________
>       ||
>       ||
> ---------------
> | smtp server |
> | 172.16.88.3 |
> _______________
>       ||
>       ||
> ---------------
> |  internal   |
> |  machines   |
> | 172.16.88.x |
> _______________
>
>
> If the firewall is between the mail server and the internet, then you 
> should remove the whitelisting for the firewall but this would break 
> all mail since the firewall is (probably) doing port forwarding and 
> all connections will appear to be from the firewall. Hmmm...
>
> Bill Levering
> idbill@...
> KFP: 6C0A 067C 7E03 58C3 C2F7  8278 6DFD 55A8 108B ED2F
>
>
>
> On Jul 13, 2009, at 9:26 AM, Rick Knight wrote:
>
>> Emmanuel Dreyfus wrote:
>>>
>>>
>>> On Sun, Jul 12, 2009 at 01:55:33PM -0700, Rick Knight wrote:
>>>> 172.16.88.3 is the internal address of my mail server.
>>>
>>> Um, sorry, I overlooked that one, my answer was meaningless.
>>>
>>> Can you send your greylist.conf and the Received: headers of the 
>>> message
>>> that passed through?
>>>
>>> -- 
>>> Emmanuel Dreyfus
>>> manu@... <mailto:manu%40netbsd.org>
>>>
>>>
>> Forgot to mention, 172.16.88.2 is the internal IP of my firewall,
>> 172.16.88.3 is the mail server.
>>
>> Thanks,
>> Rick

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Ralf Gebhart

On Mon, Jul 13, 2009 at 10:12:12AM -0700, Rick Knight wrote:
> Yes, the firewall is between the mail server and the internet and does 
> port forwarding. Looks just like you've illustrated.
> 
> I did change my firewall. I had been using a Slackware box with IPTables 
> in the same setup, Internet -> Firewall -> SMTP Server and port 
> forwarding. Milter-greylist was working fine. Now I'm using a router 
> with a NAT and SPI firewall (linux OS). I didn't connect the greylist 
> problem with the firewall change. I guess this could be the problem. If 
> so, is there a way around it?

That's definitely your problem.
You should change your firewall config to do really not and not port forwarding.
e.g. it has to keep the source address and change only the destination address
of the packets passing thru the firewall to the mail server.
Currently it changes the source address to the one of the firewall.

-- 
Ralf 'Snake' Gebhart

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Rick Knight

So I need to NAT the SMTP traffic directly to the mail server, not using 
port forwarding, just NAT?

I don't see a way to do that in my router. In fact, I have very little 
control over the router's NAT functions.

Ralf Gebhart wrote:
>
>
> On Mon, Jul 13, 2009 at 07:36:55PM +0200, Ralf Gebhart wrote:
> > You should change your firewall config to do really not and not port 
> forwarding.
>
> Sorry, s/not/NAT/ ;-)
>
> -- 
> Ralf 'Snake' Gebhart
>
>

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Emmanuel Dreyfus

On Mon, Jul 13, 2009 at 10:58:38AM -0700, Rick Knight wrote:
> So I need to NAT the SMTP traffic directly to the mail server, not using 
> port forwarding, just NAT?
> 
> I don't see a way to do that in my router. In fact, I have very little 
> control over the router's NAT functions.

You said it stopped working: if it worked before, then you can go back
to your previous configuration.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Rick Knight

Yes, I can go back to the previous configuration. I was trying to cut 
down on some equipment and save a bit on power consumption by getting 
rid of the PC that was running just the PPPoE, firewall and routing.

Can anyone recommend a cheap wireless router that will work for me? I 
guess I need a more configurable NAT along with port forwarding for 
other services.

Thanks,
Rick

Emmanuel Dreyfus wrote:
>
>
> On Mon, Jul 13, 2009 at 10:58:38AM -0700, Rick Knight wrote:
> > So I need to NAT the SMTP traffic directly to the mail server, not 
> using
> > port forwarding, just NAT?
> >
> > I don't see a way to do that in my router. In fact, I have very little
> > control over the router's NAT functions.
>
> You said it stopped working: if it worked before, then you can go back
> to your previous configuration.
>
> -- 
> Emmanuel Dreyfus
> manu@... <mailto:manu%40netbsd.org>
>
>

Re: [milter-greylist] All sender headers show "Sender IP Whitelisted"

2009-07-13 by Patrick Domack

Port forwarding is what you want to use, but in your case, it also  
has NAT when using port forwarding. Sounds like a config/setup issue,  
maybe update the firmware on your unit? Then port forwarding won't be  
NAT'd.


Quoting Rick Knight <rick_knight@...>:
> Yes, I can go back to the previous configuration. I was trying to cut
> down on some equipment and save a bit on power consumption by getting
> rid of the PC that was running just the PPPoE, firewall and routing.
>
> Can anyone recommend a cheap wireless router  that will for me?  I
> guess  I need a more configurable NAT along with port forwarding for
> other services.
>
> Thanks,
> Rick
>
> Emmanuel Dreyfus wrote:
>>
>>
>> On Mon, Jul 13, 2009 at 10:58:38AM -0700, Rick Knight wrote:
>> > So I need to NAT the SMTP traffic directly to the mail server, not
>> using
>> > port forwarding, just NAT?
>> >
>> > I don't see a way to do that in my router. In fact, I have very little
>> > control over the router's NAT functions.
>>
>> You said it stopped working: if it worked before, then you can go back
>> to your previous configuration.
>>
>> --
>> Emmanuel Dreyfus
>> manu@... <mailto:manu%40netbsd.org>
>>
>>
