
Mailing List Archive: exim: users

Greylisting - Changing IPs

 

 



gpeel at thenetnow

May 7, 2008, 2:24 PM

Post #1 of 17 (700 views)
Greylisting - Changing IPs

Hi all,

I have recently implemented greylisting on some of our servers, and am seeing a
few domains that return multiple IP addresses. How is that handled?

I am also seeing a few (like telus.net) that resend mail from a different
mail server than the original. How do we handle that?

I have my accept time set to 2 minutes. Does anyone think that's too long?

-Grant


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


renaud at llorien

May 8, 2008, 12:03 AM

Post #2 of 17 (675 views)
Re: Greylisting - Changing IPs

Grant Peel wrote:
> Hi all,
>
> I have recently implemented greylisting on some of our servers, and am seeing a
> few domains that return multiple IP addresses. How is that handled?
>
It depends on your implementation, but, in general, it is not handled at
all and some ISPs need whitelisting (e.g. skynet.be).


> I am also seeing a few (like telus.net) that resend mail from a different
> mail server than the original. How do we handle that?

As I said formerly

>
> I have my accept time set to 2 minutes. Does anyone think that's too long?
>

Many server queues are run every 15 minutes, so setting even 14 minutes
should be good. Some even recommend setting a delay of 1 hour.


hs at schlittermann

May 8, 2008, 12:49 AM

Post #3 of 17 (674 views)
Re: Greylisting - Changing IPs

Grant Peel <gpeel[at]thenetnow.com> (Mi 07 Mai 2008 23:24:07 CEST):
> Hi all,
>
> I have recently implemented greylisting on some of our servers, and am seeing a
> few domains that return multiple IP addresses. How is that handled?
>
> I am also seeing a few (like telus.net) that resend mail from a different
> mail server than the original. How do we handle that?

We do greylisting based on

<sender address> + <recipient address>

independent of IP addresses, as some ISPs use rotating outgoing servers
for the same message.

Best regards from Dresden
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


warren at decoy

May 8, 2008, 3:39 AM

Post #4 of 17 (675 views)
Re: Greylisting - Changing IPs

On 07/05/2008, Grant Peel <gpeel[at]thenetnow.com> wrote:
>
>
> I have recently implemented greylisting on some of our servers, and am seeing
> a few domains that return multiple IP addresses. How is that handled?
>
> I am also seeing a few (like telus.net) that resend mail from a different
> mail server than the original. How do we handle that?
>
> I have my accept time set to 2 minutes. Does anyone think that's too long?



GMail uses multiple fallback servers, as an example [a-z]proxy.gmail.com, so
you will see mail not being delivered from their servers if greylisting is
enabled. As Heiko has mentioned, he uses just the sender and recipient
address as the condition. What you can also do is just add the /24 network
for the connecting host into your condition instead of the host's sending
address. This would cater for GMail and many others.

You could also defer after the DATA has finished. You will now have the
message ID which you could use as part of your checks.


Warren
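
Added example, not part of any post in this thread: a Python replay of the key choices described above (exact-IP triplet, Warren's /24 network, Heiko's sender + recipient) against constructed retry sequences from rotating outgoing servers. The function names, the 120-second delay and the RFC 5737 documentation addresses are assumptions made for illustration; IPv4 only.

```python
import ipaddress

MIN_DELAY = 120  # seconds; assumed, matches the 2-minute accept time in the question

def key_triplet(ip, sender, rcpt):
    """Classic greylist key: exact client IP + envelope sender + recipient."""
    return (ip, sender.lower(), rcpt.lower())

def key_net24(ip, sender, rcpt):
    """The /24 of the connecting host replaces the exact IP."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (str(net), sender.lower(), rcpt.lower())

def key_envelope(ip, sender, rcpt):
    """Sender + recipient only, independent of the connecting IP."""
    return (sender.lower(), rcpt.lower())

STRATEGIES = {"triplet": key_triplet, "net24": key_net24, "envelope": key_envelope}

def delivery_time(attempts, key_fn, min_delay=MIN_DELAY):
    """Replay (time, ip, sender, rcpt) attempts for one message.

    Returns the time of the first accepted attempt, or None if every
    attempt was deferred (the message never gets through).
    """
    first_seen = {}
    for t, ip, sender, rcpt in attempts:
        seen = first_seen.setdefault(key_fn(ip, sender, rcpt), t)
        if t - seen >= min_delay:
            return t
    return None

def compare(attempts):
    """Delivery time per keying strategy for the same attempt sequence."""
    return {name: delivery_time(attempts, fn) for name, fn in STRATEGIES.items()}

S, R = "alice@example.org", "bob@example.net"   # constructed envelope

# Constructed: retries rotate inside one /24, then leave it, then come back.
POOL_SAME_24 = [(0, "192.0.2.10", S, R), (900, "192.0.2.77", S, R),
                (1800, "198.51.100.5", S, R), (2700, "192.0.2.10", S, R)]

# Constructed: every retry comes from a different /24 and no host repeats.
POOL_SPREAD = [(0, "192.0.2.10", S, R), (900, "198.51.100.5", S, R),
               (1800, "203.0.113.9", S, R)]

if __name__ == "__main__":
    print("same /24 pool :", compare(POOL_SAME_24))
    print("spread pool   :", compare(POOL_SPREAD))
```

Dropping the IP from the key removes the rotating-server delay, but it also means any host that retries the same envelope pair after the delay is accepted, so the key choice trades delivery latency against how much the greylist still filters.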


andrew.johnson at sappsys

May 8, 2008, 5:03 AM

Post #5 of 17 (674 views)
Re: Greylisting - Changing IPs

> On 07/05/2008, Grant Peel <gpeel[at]thenetnow.com> wrote:
> >
> >
> > I have recently implemented greylisting on some of our servers, and am seeing
> > a few domains that return multiple IP addresses. How is that handled?
> >
> > I am also seeing a few (like telus.net) that resend mail from a different
> > mail server than the original. How do we handle that?
> >
> > I have my accept time set to 2 minutes. Does anyone think that's too long?
>

We do :-

# Whitelisted IP Addresses
accept log_message = Whitelisted ($sender_host_address)
       condition = ${if eq \
           {${lookup{$sender_host_address}iplsearch{/etc/exim/whitelist_addresses}{found}{notfound}}}\
           {found}\
           {yes}{no}\
         }

Then we have a lookup file :-

(Excerpt)
195.188.213.0/29: Blueyonder
195.188.213.8/31: Blueyonder
193.252.22.156/30: Freeserve
193.252.22.128/32: Freeserve
64.97.168.37/32: Tucows
64.97.136.128/26: Tucows
65.54.246.0/24: Hotmail
209.85.132.130/32: Google
209.85.132.184/29: Google
209.85.132.241/32: Google
209.85.132.244/32: Google
209.85.132.250/32: Google
212.159.30.228/32: Google
64.233.162.176/28: Google
64.233.162.224/27: Google
64.233.182.167/32: Google
64.233.184.130/32: Google
64.233.184.224/27: Google
66.249.82.224/28: Google
66.249.92.171/32: Google
66.249.93.114/32: Google
66.249.93.27/32: Google
134.159.150.64/26: Messagelabs
193.109.254.0/23: Messagelabs
194.106.220.0/23: Messagelabs
195.245.230.0/23: Messagelabs
203.129.72.208/28: Messagelabs
203.129.72.240/28: Messagelabs
203.129.74.224/27: Messagelabs
203.166.119.128/26: Messagelabs
212.125.75.0/27: Messagelabs
216.82.240.0/20: Messagelabs
62.173.108.16/28: Messagelabs
62.173.108.208/28: Messagelabs
62.231.131.0/24: Messagelabs
64.124.170.128/28: Messagelabs
85.158.136.0/21: Messagelabs

-Andy-




dwmw2 at infradead

May 8, 2008, 5:10 AM

Post #6 of 17 (675 views)
Re: Greylisting - Changing IPs

On Wed, 2008-05-07 at 17:24 -0400, Grant Peel wrote:
> Hi all,
>
> I have recently implemented greylisting on some of our servers, and am seeing a
> few domains that return multiple IP addresses. How is that handled?

I'm not sure what you mean by 'return multiple IP addresses', or why it
should matter.

> I am also seeing a few (like telus.net) that resend mail from a different
> mail server than the original. How do we handle that?

It means that you shouldn't include the originating IP address as one of
the criteria for matching emails. I use {sender,recipients,message-id}.

I do also _store_ the sending IP address (and HELO name). When the same
mail is seen again later, that IP address and HELO are added to a 'known
resenders' list -- since they obviously retry sending mail, there's no
point ever greylisting mail from there again. It would just be a delay
with no real chance of any benefit.

I add the {IP,HELO} of the _original_ sender rather than the one which
does the retry -- that means we don't force people into their backup
delivery route for evermore.

http://david.woodhou.se/eximconf/include/acl-greylist-sqlite

> I have my accept time set to 2 minutes. Does anyone think that's too long?

That seems reasonable enough.

--
dwmw2
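
Added example, not David Woodhouse's ACL and not taken from the linked file: a Python/sqlite3 model of the scheme this post describes, keying on {sender, recipients, message-id} and adding the original sender's {IP, HELO} to a known-resenders list once a retry is seen. The class, table and column names, the 120-second delay and the sample hosts are assumptions.

```python
import hashlib
import sqlite3

MIN_DELAY = 120  # seconds; assumed, the 2-minute accept time from the thread

class Greylist:
    def __init__(self, min_delay=MIN_DELAY):
        self.min_delay = min_delay
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE pending (id TEXT PRIMARY KEY, first_seen INTEGER,
                                  ip TEXT, helo TEXT);
            CREATE TABLE resenders (ip TEXT, helo TEXT, PRIMARY KEY (ip, helo));
        """)

    @staticmethod
    def message_key(sender, recipients, message_id):
        # Key on {sender, recipients, message-id}; the client IP is left out,
        # so a retry from a different outgoing server still matches.
        parts = [sender.lower(),
                 ",".join(sorted(r.lower() for r in recipients)),
                 message_id]
        return hashlib.sha256("\0".join(parts).encode()).hexdigest()

    def check(self, now, ip, helo, sender, recipients, message_id):
        """Return 'accept' or 'defer' for one delivery attempt at time `now`."""
        if self.db.execute("SELECT 1 FROM resenders WHERE ip=? AND helo=?",
                           (ip, helo)).fetchone():
            return "accept"    # this host has already proved that it retries
        key = self.message_key(sender, recipients, message_id)
        row = self.db.execute(
            "SELECT first_seen, ip, helo FROM pending WHERE id=?", (key,)
        ).fetchone()
        if row is None:
            # First sighting: store who sent it, then answer with a 4xx.
            self.db.execute("INSERT INTO pending VALUES (?,?,?,?)",
                            (key, now, ip, helo))
            return "defer"
        first_seen, orig_ip, orig_helo = row
        if now - first_seen < self.min_delay:
            return "defer"     # retried before the minimum delay elapsed
        # Genuine retry: list the ORIGINAL sender's {IP, HELO}, not the
        # retrying host's, so the sender is not pushed onto its backup route.
        self.db.execute("INSERT OR IGNORE INTO resenders VALUES (?,?)",
                        (orig_ip, orig_helo))
        self.db.execute("DELETE FROM pending WHERE id=?", (key,))
        return "accept"

    def known_resenders(self):
        return sorted(self.db.execute("SELECT ip, helo FROM resenders").fetchall())

if __name__ == "__main__":
    g = Greylist()
    msg = ("alice@example.org", ["bob@example.net"], "<m1@example.org>")  # constructed
    print(g.check(0, "192.0.2.10", "out1.example.org", *msg))      # first attempt
    print(g.check(900, "198.51.100.5", "out2.example.org", *msg))  # retry, other host
    print(g.known_resenders())
```

Because the message-id is part of the key, this check can only run once the headers are available, which is why the later posts discuss returning the 4xx after DATA.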




P.A.Chambers at exeter

May 8, 2008, 9:14 AM

Post #7 of 17 (674 views)
Re: Greylisting - Changing IPs

On Thu, 8 May 2008 12:39:41 +0200 Warren Baker <warren[at]decoy.co.za> wrote:

> On 07/05/2008, Grant Peel <gpeel[at]thenetnow.com> wrote:
> >
> >
> > I have recently implemented greylisting on some of our servers, and am seeing
> > a few domains that return multiple IP addresses. How is that handled?
> >
> > I am also seeing a few (like telus.net) that resend mail from a different
> > mail server than the original. How do we handle that?
> >
> > I have my accept time set to 2 minutes. Does anyone think that's too long?
>
>
>
> GMail uses multiple fallback servers, as an example [a-z]proxy.gmail.com, so
> you will see mail not being delivered from their servers if greylisting is
> enabled. As Heiko has mentioned, he uses just the sender and recipient
> address as the condition. What you can also do is just add the /24 network
> for the connecting host into your condition instead of the host's sending
> address. This would cater for GMail and many others.
>
> You could also defer after the DATA has finished. You will now have the
> message ID which you could use as part of your checks.
>
>
> Warren

The message ID is not a mandatory header, so that could be a problem. I use
the date header, which is mandatory. (You could opt to substitute the body size
if the date is missing.)

Phil.
---------------------------------------
Phil Chambers (postmaster[at]exeter.ac.uk)
University of Exeter




hs at schlittermann

May 9, 2008, 3:16 PM

Post #8 of 17 (647 views)
Re: Greylisting - Changing IPs

Hello David,

David Woodhouse <dwmw2[at]infradead.org> (Do 08 Mai 2008 14:10:21 CEST):
>
> It means that you shouldn't include the originating IP address as one of
> the criteria for matching emails. I use {sender,recipients,message-id}.

But this means that you're greylisting in your DATA acl (to get the
message id). Didn't you experience problems with returning a 4xx there?
I'm talking about serious operated MTAs being choked on 4xx after
sending the final dot. (Despite the fact that some RFC allows 4xx at
this point.)


Best regards from Dresden
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


dean at iglou

May 10, 2008, 8:18 AM

Post #9 of 17 (637 views)
Re: Greylisting - Changing IPs

On Sat, May 10, 2008 at 12:16:03AM +0200, Heiko Schlittermann wrote:
> Hello David,
>
> David Woodhouse <dwmw2[at]infradead.org> (Do 08 Mai 2008 14:10:21 CEST):
> >
> > It means that you shouldn't include the originating IP address as one of
> > the criteria for matching emails. I use {sender,recipients,message-id}.
>
> But this means that you're greylisting in your DATA acl (to get the
> message id). Didn't you experience problems with returning a 4xx there?
> I'm talking about serious operated MTAs being choked on 4xx after
> sending the final dot. (Despite the fact that some RFC allows 4xx at
> this point.)

What kind of problems would you expect to see?

We've been running greylisting in our DATA ACL for several years now
on a heavily loaded mail server and have never had any reports of problems.

--
Dean Brooks
dean[at]iglou.com



hs at schlittermann

May 10, 2008, 1:39 PM

Post #10 of 17 (612 views)
Re: Greylisting - Changing IPs

Dean Brooks <dean[at]iglou.com> (Sa 10 Mai 2008 17:18:53 CEST):
> >
> > But this means that you're greylisting in your DATA acl (to get the
> > message id). Didn't you experience problems with returning a 4xx there?
> > I'm talking about serious operated MTAs being choked on 4xx after
> > sending the final dot. (Despite the fact that some RFC allows 4xx at
> > this point.)
>
> What kind of problems would you expect to see?
>
> We've been running greylisting in our DATA ACL for several years now
> on a heavily loaded mail server and have never had any reports of problems.

I expected clients (MTA) not expecting a 4xx after transmission of the
data portion. And thus not resending the mail as expected.


Best regards from Dresden
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


renaud at llorien

May 10, 2008, 11:51 PM

Post #11 of 17 (621 views)
Re: Greylisting - Changing IPs

Dean Brooks wrote:
> On Sat, May 10, 2008 at 12:16:03AM +0200, Heiko Schlittermann wrote:
>> Hello David,
>>
>> David Woodhouse <dwmw2[at]infradead.org> (Do 08 Mai 2008 14:10:21 CEST):
>>> It means that you shouldn't include the originating IP address as one of
>>> the criteria for matching emails. I use {sender,recipients,message-id}.
>> But this means that you're greylisting in your DATA acl (to get the
>> message id). Didn't you experience problems with returning a 4xx there?
>> I'm talking about serious operated MTAs being choked on 4xx after
>> sending the final dot. (Despite the fact that some RFC allows 4xx at
>> this point.)
>
> What kind of problems would you expect to see?
>

Some versions of MS exchange do strange things when receiving a 4xx
error at the end of data. They just hide the message from the queue (you
cannot even search for it, you will not find it) and the message is
never retried. But if the server is rebooted (or any other thing
restarting the MTA part) the message comes back into the queue. This is
not often a problem as MS servers tend to be rebooted each week. The
version of exchange doing this is 2003 but not all the times, it seems
this is due to a combination of patch level in the OS and patch level in
exchange itself. It is not trivial to reproduce but I have seen it
happen more than once.


renaud at llorien

May 10, 2008, 11:52 PM

Post #12 of 17 (621 views)
Re: Greylisting - Changing IPs

Dean Brooks wrote:
> On Sat, May 10, 2008 at 12:16:03AM +0200, Heiko Schlittermann wrote:
>> Hello David,
>>
>> David Woodhouse <dwmw2[at]infradead.org> (Do 08 Mai 2008 14:10:21 CEST):
>>> It means that you shouldn't include the originating IP address as one of
>>> the criteria for matching emails. I use {sender,recipients,message-id}.
>> But this means that you're greylisting in your DATA acl (to get the
>> message id). Didn't you experience problems with returning a 4xx there?
>> I'm talking about serious operated MTAs being choked on 4xx after
>> sending the final dot. (Despite the fact that some RFC allows 4xx at
>> this point.)
>
> What kind of problems would you expect to see?
>

Some (old) versions of MDaemon just treat the 4xx at the end of data
like a 5xx error.


dean at iglou

May 11, 2008, 8:03 AM

Post #13 of 17 (612 views)
Re: Greylisting - Changing IPs

On Sat, May 10, 2008 at 10:39:59PM +0200, Heiko Schlittermann wrote:
> Dean Brooks <dean[at]iglou.com> (Sa 10 Mai 2008 17:18:53 CEST):
> > >
> > > But this means that you're greylisting in your DATA acl (to get the
> > > message id). Didn't you experience problems with returning a 4xx there?
> > > I'm talking about serious operated MTAs being choked on 4xx after
> > > sending the final dot. (Despite the fact that some RFC allows 4xx at
> > > this point.)
> >
> > What kind of problems would you expect to see?
> >
> > We've been running greylisting in our DATA ACL for several years now
> > on a heavily loaded mail server and have never had any reports of problems.
>
> I expected clients (MTA) not expecting a 4xx after transmission of the
> data portion. And thus not resending the mail as expected.

Well, after running 4xx at end of DATA for 2 years now with
approximately 10,000 users, we've never run into a situation with a
client complaining about missing email.

Keep in mind, though, that greylisting is best performed only on
suspicious hosts (i.e. listed on RBL, missing PTR, etc), which is
likely one of the reasons we haven't run into problems.

--
Dean Brooks
dean[at]iglou.com



hs at schlittermann

May 12, 2008, 2:27 PM

Post #14 of 17 (587 views)
Re: Greylisting - Changing IPs

Hello,

Renaud Allard <renaud[at]llorien.org> (So 11 Mai 2008 08:51:03 CEST):
>
> Some versions of MS exchange do strange things when receiving a 4xx
> error at the end of data. They just hide the message from the queue (you
> cannot even search for it, you will not find it) and the message is

Not only 4xx after end of data, it happens even if they get 4xx on
"RCPT TO".

> never retried. But if the server is rebooted (or any other thing
> restarting the MTA part) the message comes back into the queue. This is
> not often a problem as MS servers tend to be rebooted each week. The
> version of exchange doing this is 2003 but not all the times, it seems
> this is due to a combination of patch level in the OS and patch level in
> exchange itself. It is not trivial to reproduce but I have seen it
> happen more than once.

Same story :)
For German-capable readers:

http://blogs.technet.com/dmelanchthon/archive/2007/07/19/probleme-mit-greylisting.aspx

(I keep telling these admins, that 4xx is part of real life in
transporting mails, not just some result of greylisting. But some of
them are stupid... - I experienced less problems with admins on the
sending side if I do not mention greylisting but just temporary problems
(file system locking, virus scanner updates, 1000 other excuses (except
greylisting))).


Best regards from Dresden
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


kroshka at atypon

May 12, 2008, 3:39 PM

Post #15 of 17 (587 views)
Re: Greylisting - Changing IPs

Heiko Schlittermann wrote:
> sending side if I do not mention greylisting but just temporary problems
> (file system locking, virus scanner updates, 1000 other excuses (except
> greylisting))).

Sounds a lot like experiences I had mid 90s, where I had to "manipulate"
clueless helldesk people at ISPs when asking questions about my
connection. I could never say I used an alternative platform, since
they'd say they don't support it or I should use windows. :-/

It just surprises me that people who are put in responsible positions
like email administration don't know any better...

Greetings,
Jeroen



andyr at wizzy

May 14, 2008, 6:44 AM

Post #16 of 17 (552 views)
Re: Greylisting - Changing IPs

On Wed, 07 May 2008, Grant Peel wrote:

> Hi all,
>
> I have recently implemented greylisting on some of our servers, and am seeing a
> few domains that return multiple IP addresses. How is that handled?
>
> I am also seeing a few (like telus.net) that resend mail from a different
> mail server than the original. How do we handle that?

I use SPF to whitelist domains.

Both skynet.be, telus.net and gmail.com have SPF listings.

So do some spammers, but - at least honesty is on their side.

Setup is here :-

http://wiki.aims.ac.za/mediawiki/index.php/SMTP

Cheers, Andy!



leo at dicea

Jun 21, 2008, 2:46 AM

Post #17 of 17 (275 views)
Re: Greylisting - Changing IPs

1. A good reason for a 4xx after data could be that during the sending
of a long message the disk of the server has been filled by another
process.
2. To avoid whitelisting I now use another option.
Before the actual message I send a dummy one, with just one line of
message "see next one".
Then I write the message, then when I send my server has been whitelisted
...
If someone (especially on lists) complains about that, I tell him that to
avoid this he should ungreylist me.


