BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Greylisting with PF
Pages: 1, 2, 3, 4, 5, 6, 7

From the Greylist into the Whitelist

You don't have to worry about moving items from the greylist to the whitelist. spamlogd will take care of that for you. If you're setting this up for the first time, start spamlogd:

/usr/local/libexec/spamlogd

To ensure that spamlogd starts at boot, add a line to /etc/rc.conf:

pfspamlogd_enable="YES"

spamlogd updates the spamd database (/var/db/spamd). When it sees a successful connection, spamd in turn uses this database to decide whether someone is on the whitelist or greylist. To provide spamlogd with the information it needs, you must log your mail server activity. See lines 13 and 14 in my example PF rules. Read all the details in man spamlogd.

If spamlogd does not start, it is probably because pflogd is not running. Start it. This is how spamlogd looks when it is running:

# ps auwx | grep spamlogd 
root    94345  ??  Ss   11:36AM   0:00.00 /usr/local/libexec/spamlogd
root    94349  p2  S+   11:36AM   0:00.00 grep spamlogd

A Sample Greylisting

It's helpful to send a message from a non-whitelisted server and demonstrate how the server moves from the greylist to the whitelist. I will be sending from dan@zip.example.org to dan@nyi.example.org. For your information, zip runs Sendmail and nyi runs Postfix. In both cases, that is completely irrelevant to greylisting.

Here is an extract from the sending mailserver. I guess I should point out that this server is in New Zealand and the one I'm sending to is in New York.

Nov 9 06:30:06 zip sm-mta[59825]: kA8HThYO059822:
to=<dan@nyi.example.org>, ctladdr=<dan@zip.example.org>
(1001/1001), delay=00:00:20, xdelay=00:00:20, mailer=esmtp,
pri=30391, relay=nyi.example.org. [64.147.113.42], dsn=4.3.0,
stat=Deferred: 451 Temporary failure, please try again
later.

A new host, zip.example.org, previously unknown to nyi.example.org, attempted to send email. spamd on nyi correctly asked zip to try again. The mail queue on zip should show something like:

$ mailq
                /var/spool/mqueue (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
kA8HThYO059822       34 Thu Nov  9 06:29 <dan@zip.example.org>
                 (Deferred: 451 Temporary failure, please try again later.)
                                         <dan@nyi.example.org>
                Total requests: 1

Looking at the logs on nyi, I see this in /var/log/spamd:

Nov  8 12:29:58 nyi spamd[27528]:
203.118.144.46: connected (1/0)
Nov  8 12:29:59 nyi spamd[27528]: (GREY) 203.118.144.46:
<dan@zip.example.org> -> <dan@nyi.example.org>
Nov  8 12:29:59 nyi spamd[27528]: 203.118.144.46: disconnected
after 1 seconds.

Furthermore, you can see that zip is greylisted:

$ spamdb | grep nz
GREY|203.118.144.46|<dan@zip.example.org>|<dan@nyi.example.org>|1163006999|1163021399|1163021399|1|0

I waited. Shortly thereafter, zip tried again, and again spamd asked it to try again. Here is the log entry from zip, the sending mailserver:

Nov  9 06:43:02 zip sm-mta[59893]:
kA8HThYO059822: to=<dan@nyi.example.org>,
ctladdr=<dan@zip.example.org> (1001/1001), delay=00:13:16,
xdelay=00:00:05, mailer=esmtp, pri=120391, relay=nyi.example.org.
[64.147.113.42], dsn=4.3.0, stat=Deferred: 451 Temporary failure,
please try again later.

Checking on nyi, I looked in the spamd database again:

$ spamdb | grep 203.118.144.46
GREY|203.118.144.46|<dan@zip.example.org>|<dan@nyi.example.org>|1163006999|1163021399|1163021399|2|0

There it was, clear as day. The entry has been greylisted. The three numeric fields indicate timestamps related to this host. The 2 means the host has attempted delivery twice. The 0 means the host has not yet delivered any mail.

Why was the second attempt not allowed? spamd has three time parameters related to greylisting. See the man page for better definitions. The values shown are the defaults.

  1. passtime: if after this time period, spamlogd sees a retried delivery, it will move the server to the whitelist (25 minutes).
  2. greyexp: entries on the greylist will be removed if there have been no retries within this period (4 hours).
  3. whiteexp: entries on the whitelist are removed if there has been no mail activity in this time period (36 days).

The default passtime value (see man spamd) is 25 minutes. A host will remain greylisted for at least 25 minutes before it can move to the whitelist. What will move it to the whitelist? A retry after passtime minutes. This requires three delivery attempts; the third will succeed if it occurs after the passtime period and before the greyexp period terminates. By default, the sending mailserver will be greylisted for 25 minutes, and then has until four hours after the first delivery attempt to try again. After the greylisting period expires, the sending host must go through the greylisting process again.

Pages: 1, 2, 3, 4, 5, 6, 7

Next Pagearrow





Sponsored by: