Milter-greylist

System : 
Linux mail-2012.trezor 2.6.32-220.17.1.el6.i686 #1 SMP Thu
Apr 26 13:37:46 EDT 2012 i686 i686 i386 GNU/Linux
I am using : sendmail-8.14.4-8.el6.i686,
milter-greylist-4.2.7-1.el6.rf.i686, MailWatch Version = 1.2.0, MailScanner
Version = 4.84.5, PHP Version = 5.3.3, MySQL Version = 5.1.61
And it generally works.
BUT the last few days my server is relaying mail from China
IP addressess.
I have checkjed it, but all checks say that it is not a open
relay (IP : 195.88.12.36, you can check too).
 
Characteristical for mails is this from logs :
“skipping greylist because this is the default action”
 
Please help!
 
Velda

abcde fgh <ebel674@...> wrote:

> Characteristical for mails is this from logs :
> "skipping greylist because this is the default action"

Could you post tour greylist.conf?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Wed, Mar 6, 2013 at 7:38 AM, abcde fgh <ebel674@...> wrote:
>
> System :
> Linux mail-2012.trezor 2.6.32-220.17.1.el6.i686 #1 SMP Thu Apr 26 13:37:46 EDT 2012 i686 i686 i386 GNU/Linux
> I am using : sendmail-8.14.4-8.el6.i686, milter-greylist-4.2.7-1.el6.rf.i686, MailWatch Version = 1.2.0, MailScanner Version = 4.84.5, PHP Version = 5.3.3, MySQL Version = 5.1.61
> And it generally works.
> BUT the last few days my server is relaying mail from China IP addressess.
> I have checkjed it, but all checks say that it is not a open relay (IP : 195.88.12.36, you can check too).
>
> Characteristical for mails is this from logs :
> “skipping greylist because this is the default action”
>

I think the greylist milter is the wrong place to look for this
problem.  Why is your sendmail accepting non-local addresses in the
first place?   Normally you need entries in the /etc/mail/access that
match the sender or they need to be authenticated, to accept them.

-- 
   Les Mikesell
     lesmikesell@...

On Wed, Mar 06, 2013 at 10:17:04AM -0600, Les Mikesell wrote:
> On Wed, Mar 6, 2013 at 7:38 AM, abcde fgh <ebel674@...> wrote:
[..]
> > BUT the last few days my server is relaying mail from China IP addressess.
> > I have checkjed it, but all checks say that it is not a open relay (IP : 195.88.12.36, you can check too).
> >
> > Characteristical for mails is this from logs :
> > ?skipping greylist because this is the default action?
> >
> 
> I think the greylist milter is the wrong place to look for this
> problem.  Why is your sendmail accepting non-local addresses in the
> first place?   Normally you need entries in the /etc/mail/access that
> match the sender or they need to be authenticated, to accept them.

As I could see his side ok regarding 
 * relaying foreign domains: will be denied
 * accepting non existent local addresses: responds with user unknown
 * handling of @... or local domain as sender: relaying denied

Above milter-greylist message has nothing to do with relaying. A
dicision in this regard will be made by Sendmail.
To see what happened you should look for sendmail log entries. If you
find such a transfer, gather all lines with the same queue-id ...
As already mentioned, this maybe a case for a sendmail forum.

Anyway, provide as much information as possible if expect to get 
a helpful answer. ;)


Johann E. K.

Les Mikesell <lesmikesell@...> wrote:

> I think the greylist milter is the wrong place to look for this
> problem.

"skipping greylist because this is the default action" is produced by
milter-greylist, it therefore backs the idea that milter-greylist
accepted the message...

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Wed, Mar 6, 2013 at 7:24 PM, <manu@...> wrote:
>
> > I think the greylist milter is the wrong place to look for this
> > problem.
>
> "skipping greylist because this is the default action" is produced by
> milter-greylist, it therefore backs the idea that milter-greylist
> accepted the message...

No, that just means it didn't match anything that you've configured
milter-greylist to process.  But even without installing,
milter-greylist sendmail should reject any non-local addresses unless
the source is authenticated or explicitly permitted to RELAY in the
access file.    I don't think a milter can accept something that other
sendmail operations would reject.

-- 
   Les Mikesell
    lesmikesell@...

Les Mikesell <lesmikesell@...> wrote:

> No, that just means it didn't match anything that you've configured
> milter-greylist to process.  But even without installing,
> milter-greylist sendmail should reject any non-local addresses unless
> the source is authenticated or explicitly permitted to RELAY in the
> access file.    I don't think a milter can accept something that other
> sendmail operations would reject.

I may have misunderstood OP. I thought the problem was spam getting in.
Indeed, if it is an open relay issue, this is a sendmail configuration
problem.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

You are, of course correct.
I have looked up my access file, but it is OK, here it is :
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
10                                      RELAY
So as far as I can see, the problem is not here...

--- In milter-greylist@yahoogroups.com, Les Mikesell <lesmikesell@...> wrote:

>
> On Wed, Mar 6, 2013 at 7:38 AM, abcde fgh <ebel674@...> wrote:
> >
> > System :
> > Linux mail-2012.trezor 2.6.32-220.17.1.el6.i686 #1 SMP Thu Apr 26 13:37:46 EDT 2012 i686 i686 i386 GNU/Linux
> > I am using : sendmail-8.14.4-8.el6.i686, milter-greylist-4.2.7-1.el6.rf.i686, MailWatch Version = 1.2.0, MailScanner Version = 4.84.5, PHP Version = 5.3.3, MySQL Version = 5.1.61
> > And it generally works.
> > BUT the last few days my server is relaying mail from China IP addressess.
> > I have checkjed it, but all checks say that it is not a open relay (IP : 195.88.12.36, you can check too).
> >
> > Characteristical for mails is this from logs :
> > "skipping greylist because this is the default action"
> >
> 
> I think the greylist milter is the wrong place to look for this
> problem.  Why is your sendmail accepting non-local addresses in the
> first place?   Normally you need entries in the /etc/mail/access that
> match the sender or they need to be authenticated, to accept them.
> 
> -- 
>    Les Mikesell
>      lesmikesell@...
>

Thank you.
I will look this up too.
As you have stated, server is not and open relay, so I have no idea how this is happening...
There is nothing in sendmail logs that is of help either.
If you could point me to a good sendmail forum, I would be thankful...

--- In milter-greylist@yahoogroups.com, Johann Klasek <johann@...> wrote:

>
> On Wed, Mar 06, 2013 at 10:17:04AM -0600, Les Mikesell wrote:
> > On Wed, Mar 6, 2013 at 7:38 AM, abcde fgh <ebel674@...> wrote:
> [..]
> > > BUT the last few days my server is relaying mail from China IP addressess.
> > > I have checkjed it, but all checks say that it is not a open relay (IP : 195.88.12.36, you can check too).
> > >
> > > Characteristical for mails is this from logs :
> > > ?skipping greylist because this is the default action?
> > >
> > 
> > I think the greylist milter is the wrong place to look for this
> > problem.  Why is your sendmail accepting non-local addresses in the
> > first place?   Normally you need entries in the /etc/mail/access that
> > match the sender or they need to be authenticated, to accept them.
> 
> As I could see his side ok regarding 
>  * relaying foreign domains: will be denied
>  * accepting non existent local addresses: responds with user unknown
>  * handling of @localhost.localdomain or local domain as sender: relaying denied
> 
> Above milter-greylist message has nothing to do with relaying. A
> dicision in this regard will be made by Sendmail.
> To see what happened you should look for sendmail log entries. If you
> find such a transfer, gather all lines with the same queue-id ...
> As already mentioned, this maybe a case for a sendmail forum.
> 
> Anyway, provide as much information as possible if expect to get 
> a helpful answer. ;)
> 
> 
> Johann E. K.
>

The problem is that I have checked access file already, and some sites that check servers for relaying, and all is OK.
I use Dovecot, and there is nothing there either (so they are not logging into system).
So I am at a loss...

--- In milter-greylist@yahoogroups.com, Les Mikesell <lesmikesell@...> wrote:

>
> On Wed, Mar 6, 2013 at 7:24 PM, <manu@...> wrote:
> >
> > > I think the greylist milter is the wrong place to look for this
> > > problem.
> >
> > "skipping greylist because this is the default action" is produced by
> > milter-greylist, it therefore backs the idea that milter-greylist
> > accepted the message...
> 
> No, that just means it didn't match anything that you've configured
> milter-greylist to process.  But even without installing,
> milter-greylist sendmail should reject any non-local addresses unless
> the source is authenticated or explicitly permitted to RELAY in the
> access file.    I don't think a milter can accept something that other
> sendmail operations would reject.
> 
> -- 
>    Les Mikesell
>     lesmikesell@...
>

On Thu, Mar 7, 2013 at 12:24 PM, ebel674 <ebel674@...> wrote:
>
> The problem is that I have checked access file already, and some sites that check servers for relaying, and all is OK.
> I use Dovecot, and there is nothing there either (so they are not logging into system).
> So I am at a loss...

Can you post a matching set of 'from=' and 'to=' lines from
/var/log/maillog for a message that had both a remote source and
remote destination?  Maybe something there will give a hint about why
it was accepted.

-- 
   Les Mikesell
     lesmikesell@...

ebel674 <ebel674@...> wrote:

> As you have stated, server is not and open relay, so I have no idea how
> this is happening...
> There is nothing in sendmail logs that is of help either.

Could you show a snipet of the sendmail logs?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Here it is (part of the message, it is VERy long) :

# less /var/log/maillog|grep r27JHKTm013174
Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: addr = [113.109.183.96][113.109.183.96], from = <user1 A my.domain>, rcpt = <liudianaw A btamail.net.cn>
Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: skipping greylist because this is the default action, (from=<user1 A my.domain>, rcpt=<liudianaw A btamail.net.cn>, addr=[113.109.183.96][113.109.183.96]) ACL 227

ETC


--- In milter-greylist@yahoogroups.com, Les Mikesell <lesmikesell@...> wrote:

>
> On Thu, Mar 7, 2013 at 12:24 PM, ebel674 <ebel674@...> wrote:
> >
> > The problem is that I have checked access file already, and some sites that check servers for relaying, and all is OK.
> > I use Dovecot, and there is nothing there either (so they are not logging into system).
> > So I am at a loss...
> 
> Can you post a matching set of 'from=' and 'to=' lines from
> /var/log/maillog for a message that had both a remote source and
> remote destination?  Maybe something there will give a hint about why
> it was accepted.
> 
> -- 
>    Les Mikesell
>      lesmikesell@...
>

On Fri, Mar 08, 2013 at 06:41:20AM -0000, ebel674 wrote:
> Here it is (part of the message, it is VERy long) :
> 
> # less /var/log/maillog|grep r27JHKTm013174
> Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: addr = [113.109.183.96][113.109.183.96], from = <user1 A my.domain>, rcpt = <liudianaw A btamail.net.cn>
> Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: skipping greylist because this is the default action, (from=<user1 A my.domain>, rcpt=<liudianaw A btamail.net.cn>, addr=[113.109.183.96][113.109.183.96]) ACL 227

No, we need the "sendmail" lines (probably matching r27JHKTm013174), not
the one from milter-greylist!!!

If they are not there, raise to logging level in sendmail.mc/sendmail.cf
(but this should be already at the proper level by default).


Johann E.K.

On Thu, Mar 07, 2013 at 06:22:33PM -0000, ebel674 wrote:
> I will look this up too.
> As you have stated, server is not and open relay, so I have no idea how this is happening...
> There is nothing in sendmail logs that is of help either.
> If you could point me to a good sendmail forum, I would be thankful...

Newsgroup comp.mail.sendmail maybe one of them (see Google groups), but don't waste
their time if you are no able to provide some meaningful "sendmail" (!) log lines or
sendmail config (at least partially).
I could explain a lot about debugging sendmail configs but I think won't help if we
are not getting even the simplest information out of the logs ...


Johann E. K.

Thank you for the pointer.
I have given the output from maillog a few hour ago (see list below).

--- In milter-greylist@yahoogroups.com, Johann Klasek <johann@...> wrote:

>
> On Thu, Mar 07, 2013 at 06:22:33PM -0000, ebel674 wrote:
> > I will look this up too.
> > As you have stated, server is not and open relay, so I have no idea how this is happening...
> > There is nothing in sendmail logs that is of help either.
> > If you could point me to a good sendmail forum, I would be thankful...
> 
> Newsgroup comp.mail.sendmail maybe one of them (see Google groups), but don't waste
> their time if you are no able to provide some meaningful "sendmail" (!) log lines or
> sendmail config (at least partially).
> I could explain a lot about debugging sendmail configs but I think won't help if we
> are not getting even the simplest information out of the logs ...
> 
> 
> Johann E. K.
>

On Fri, Mar 08, 2013 at 08:12:00AM -0000, ebel674 wrote:
> Thank you for the pointer.
> I have given the output from maillog a few hour ago (see list below).

Alas, you are probably wrong. Are you refering to the following?

On Fri, Mar 08, 2013 at 06:41:20AM -0000, ebel674 wrote:
> Here it is (part of the message, it is VERy long) :
>
> # less /var/log/maillog|grep r27JHKTm013174
> Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: addr = [113.109.183.96][113.109.183.96],
+from = <user1 A my.domain>, rcpt = <liudianaw A btamail.net.cn>
> Mar 7 20:17:32 mail-2012 milter-greylist: r27JHKTm013174: skipping greylist because this is the
+default action, (from=<user1 A my.domain>, rcpt=<liudianaw A btamail.net.cn>,
+addr=[113.109.183.96][113.109.183.96]) ACL 227

As already noted, this is *NOT* from "sendmail". This would even in
maillog if sendmail would deny this mail. Again: You cannot judge on
these lines on whether the mail gets through or not! Provide sendmail's
lines!


Johann E.K.