Milter-greylist

Here is our latest stable release

https://ftp.espci.fr/pub/milter-greylist/milter-greylist-4.6.tgz
MD5 (milter-greylist-4.6.tgz) = 7a185a73bea8e052e0054d182085bf1d

Changelog since previous stable release
4.6
        No changes since rc1
4.6rc1
        Fix file descriptor leak in spamd code (Attila Bruncsak)
4.6a2
        Fix strtok_r() state usage (Attila Bruncsak)
        Document queueID log for PostFix (Steven Hiscocks)
4.6a1
        Support IPv6 DNSRBL (Kazuyuki YOSHIDA, Hajimu UMEMOTO)
4.5.16
        Reflect config syntax in addhheader logs (Steven Hiscocks)
        Honour daemon option in Redhat startup script (Attila Bruncsak)
        Fix crash in SPF code
4.5.15
        Use QueueId on Postfix (Steven Hiscocks)
        Only change socket ownership if it exists in filesystem
        Index option for the addheader clause (Steven Hiscocks)
        Add format strings for SPF and DKIM results (Steven Hiscocks)
        Update author list
4.5.14
        Build fixes
4.5.13
        Accept format strings in helo acl and compare without case (Jim Klimov)
        Improve configure ability to run with -Werror (Jim Klimov)
        Overcome select(2) file descriptor limit (Attila Bruncsak) 
        Support glob(7) pattern matching for properties
4.5.12
        Prevent buffer overflow on IP address in DRAC code (David Binderman)
        Remove duplicate dkim check in configure (Jim Klimov)
        Let MX clause work if a MX has no DNS A record (Rudy Eschauzier)
        Fix build on CentOS (Mart Pirita)
4.5.11
        Use asynchronous LDAP calls to reduce lock contention on heavy load
4.5.10
        Fix msgcount miscomputation and crashes
4.5.9
        multiracl option to disable sticky whitelisting among recipients
4.5.8
        FreeBSD build fix (John Wood)
        Fix CRLF in multiline headers for DKIM (John Wood)
        Support OpenDKIM (John Wood)
        Build if PACKAGE_URL is not defined
        res_state Solaris build fix  (Attila Bruncsak) 
        Fix maxpeek usage for body matching clauses (Jean-Jacques Puig)
4.5.7
        Do not use strndup() for POSIX.1-2001 compatibility
4.5.6
        Fix bug that replaced first character of hostname by '['
        Do not force into lowercases properties set using the set clause
        Add %cA and %ca to report current ACL line number and id
        Increase format string maximum length to 4096
        Break long SMTP replies in mutiple lines
        Add configure --disable-parallel-make in case make -j is unsupported
4.5.5
        Documentation update
4.5.4
        Fix memory leak in log ACL clause
        Updated AUTHORS in man page
        Typos in man page, style (Jim Klimov)
        Numeric operator tests for property versus number
        Numeric operator tests for property versus property
4.5.3
        format string expanstion now honour %r everywhere possible
        unbracket option to resolved MTA-passed bracketed unresolved IP
        set ACL clause to set/increment/decrement properties
        log ACL clause to send formatted string to syslog
4.5.2
        Fix crash when chown socket without group
        Fix memory leak in nsupdate config reload
        Fix nsupdate servers option
        Build fixes (John Wood)
        Fix ACL bypass for second recipient when sender passed auth/tls/spf
        Parallel build (Jim Klimov)
        Configurable package information (Jim Klimov)
        More verbosity in SPF logs (Jim Klimov)
        Use localaddr for p0f and %V format string (Jim Klimov)
        Search . first for includes (Jim Klimov)
        Make unknown AF family non fatal in p0f, report errors once (Jim Klimov)
4.5.1
        DNS update support
        make clean clears milter-greylist.spec
        Use ZZ for unknown GeoIP country
        Add IPv6 support for MX sync (Hajimu UMEMOTO)
4.4.3
        More Solaris build fixes (Jim Klimov)
        Fix swapped %f and %r for stat example in default greylist.conf
        Support p0f v3.06 and up with --with-p0f-src or --enable-p0f306
4.4.2
        Solaris build fixes (Jim Klimov, Matthias Scheler)
4.4.1
        Make sure socket ownership will not cause sendmail to complain


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Hello,
I'm using milter-greylist for quite some years. I have a probably simple 
question. I found that many Spammers use  SPF records so whitelisting 
mails from MTAs with SPF records does not seem a solution to me. 
Therefore I have nospf for years in my config. On the other hand there 
are many big mail hosters sending from a whole bunch of MTAs. When they 
get greylisted, the next attempt will come from another MTA so there's 
another tupel IP, from, to and it gets greylisted again. In sum this 
sometimes leads to good mail getting delayed for hours or days. How to 
come around this problem?

I did not really find a documentation what the different values for 
"spf" would mean. man page is rather short on this.

I want mail from one sender to one recipient get greylisted only the 
configured timespan - regardless from which (spf verified) MTA the 
connection attempt comes. I'm quite sure this is possible - just do not 
know how...

Thx,
Carsten

Am 04.08.2016 19:59, schrieb Mauricio Teixeira 
mauricio.teixeira@... [milter-greylist]:
> I started using DNSWL, then most of my problems with those senders 
> that use multiple IPs have gone away.
>
That sounds a good workaround I surely will give a trial, thank you! 
Nevertheless I would like to know whether milter-greylist has some 
build-in feature to cope with multiple IPs (it should as it is spf aware).

Carsten

4 \u0430\u0432\u0433\u0443\u0441\u0442\u0430 2016�\u0433. 20:43:34 CEST, "Carsten Grammes cgrammes@... [milter-greylist]" <milter-greylist@yahoogroups.com> \u043f\u0438\u0448\u0435\u0442:
>Am 04.08.2016 19:59, schrieb Mauricio Teixeira 
>mauricio.teixeira@... [milter-greylist]:
>> I started using DNSWL, then most of my problems with those senders 
>> that use multiple IPs have gone away.
>>
>That sounds a good workaround I surely will give a trial, thank you! 
>Nevertheless I would like to know whether milter-greylist has some 
>build-in feature to cope with multiple IPs (it should as it is spf
>aware).
>
>Carsten

Well, technically "it should" is wishful thinking ;)

In the end, it verifies if a specific remote IP address is a valid sender for a specific email domain. One address, as recorded in the database tuple (subject to later cidr-length matching as another poster reminded). It has lots of rules to let you check this, such as explicit IP addresses or cidr masks for hosts you know, previous automatic whitelisting, presence in dnsbl/dnswl services, or matching an spf record (and you should at least test it doesn't allow all internet including e.g. 127.0.0.1) among others.

So for general solution - there is none maybe. Reasonable ones were suggested; mixing spf-trust with a list of domains you know to have unspecified many relays and want to trust is a reasonable ruleset. DNSWL is also a good choice, make sure to place it before DNSBL as those often put a shadow on larger network ranges (e.g. whole ISPs one customer of which sent spam recently).

HTH,
Jim Klimov 
--
Typos courtesy of K-9 Mail on my Samsung Android

Hi, SPF check is just one step of the spam tests. There are lots of parameters that you can mark a mail as spam. So I think you should change your system 

5 \u0430\u0432\u0433\u0443\u0441\u0442\u0430 2016�\u0433. 9:19:37 CEST, "Can \u015eirin sirincan@... [milter-greylist]" <milter-greylist@yahoogroups.com> \u043f\u0438\u0448\u0435\u0442:
>  Hi,
>
>SPF check is just one step of the spam tests. There are lots of
>parameters
>that you can mark a mail as spam. So I think you should change your
>system
>through a scoring mechanism. I can suggest MailScanner or you can use
>spamAssasin as a milter for your MTA.
>
>Can
>
>Quoting "'Grammes, Carsten' cgrammes@... [milter-greylist]"
><milter-greylist@yahoogroups.com>:
>
>> Hello,
>> I'm using milter-greylist for quite some years. I have a probably
>simple
>> question. I found that many Spammers use� SPF records so whitelisting
>> mails from MTAs with SPF records does not seem a solution to me.
>> Therefore I have nospf for years in my config. On the other hand
>there
>> are many big mail hosters sending from a whole bunch of MTAs. When
>they
>> get greylisted, the next attempt will come from another MTA so
>there's
>> another tupel IP, from, to and it gets greylisted again. In sum this
>> sometimes leads to good mail getting delayed for hours or days. How
>to
>> come around this problem?
>>
>> I did not really find a documentation what the different values for
>> "spf" would mean. man page is rather short on this.
>>
>> I want mail from one sender to one recipient get greylisted only the
>> configured timespan - regardless from which (spf verified) MTA the
>> connection attempt comes. I'm quite sure this is possible - just do
>not
>> know how...
>>
>> Thx,
>> Carsten
>>
>> ------------------------------------
>>
>> ------------------------------------
>>
>> ------------------------------------
>>
>> Yahoo Groups Links
>>
>>
>>

Note that with expression evaluation you can also implement scoring within milter-greylist. That's what we do, to avoid expensive checks like content inspection and drop 95% of spam before it gets to content. The rest is cheap to inspect thoroughly with SA and ClamAV ;)

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android