Mailing List Archive: exim: users

How to solve the problem with multiple sender IPs and (selective) greylisting?!


vincent.immler+exim at rub

Mar 7, 2010, 1:13 PM

Post #1 of 8
How to solve the problem with multiple sender IPs and (selective) greylisting?!

Hello exim-users,

I would like to discuss the following idea:
Usually a greylisting triplet consists of:
(IP address of the connecting host || Envelope sender address || Envelope recipient address)
Once a message passes the greylisting, it is assumed that this (sender+host) can be "trusted" for a specific recipient. But with multiple sender IPs for the same sender address, the same sender will be greylisted again, when sending from a different IP (e.g. Google).

As far as I know, there is no solution for that problem.

What about this:
deny spf = fail
deny spf = softfail
deny spf = err_perm
defer spf = err_temp
...
# now we only have to deal with spf = pass or none
...
greylisting (on condition X) using quadtuple: (IP address of the connecting host || Envelope sender address || Envelope recipient address || SPF entry)
Whereas the SPF entry could be something like: ${lookup dnsdb{>: txt=$sender_address_domain}}, or even better, give exim a new $spf_stored_record variable that stores the content of the txt/spf record after the check is done. (a more advanced lookup would be better too. Additionally, one should be able to look up spf records, not just txt! http://www.exim.org/lurker/message/20090715.100550.553ea233.en.html)

That way, we can ask:
"If spf=none, do lookup as usual", otherwise add to database ...
"If SPF/TXT record of new message is already in greylist database and passed it once with sender-address-from-db=new-message-sender-address, we accept", otherwise add to database ...

Because we denied failed spf checks earlier, we can be sure that the spf entries in our database are genuine. Using the above method, we reward senders that publish spf records and treat others just as usual.

Probably, the gain is very small and the loss in performance does not justify it. (Perhaps, it makes sense if we have a very selective greylisting and small greylisting database)

Just an idea ...

Cheers,
Vincent

PS: I assume a greylisting setup like this one, not a separate greylisting daemon: http://wiki.exim.org/FastGrayListMiniTutorial
PPS: The referenced wiki entry does not implement greylisting as it is intended. It stores _only_ the sender's domain instead of the complete sender's address. Additionally, multiple IPs are not possible. IMHO this is not what most greylisting people want!
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Lena at lena

Mar 8, 2010, 5:04 AM

Post #2 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

> From: "Vincent C. Immler"

> with multiple sender IPs for the same sender address, the same sender will
> be greylisted again, when sending from a different IP (e.g. Google).
>
> As far as I know, there is no solution for that problem.

A solution: use only the first three bytes of the IPv4 address,
and whitelist the few senders which can resend a letter from other
IP addresses in a block larger than /24.
I.e. use ${sg{$sender_host_address}{\N\.\d+$\N}{}}
for greylisting instead of $sender_host_address .
I attached excerpts from my config (including the whitelist) to
http://wiki.exim.org/DbLessGreyListingC



jh at plonk

Mar 8, 2010, 6:04 AM

Post #3 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

Lena [at] lena, 2010-03-08 14:04:

> and whitelist few senders which can resend a letter from other
> IP-addresses in a block larger than /24.
> I.e. use ${sg{$sender_host_address}{\N\.\d+$\N}{}}

I'd suggest to use ${mask:<IP address>/<bit count>} instead. regex is
not always the best solution. This also works with IPv6 (one should use
a different bit count for that, though).

> for greylisting instead of $sender_host_address .

Or, don't greylist the whole world by default, but only suspicious
connections, e.g. hosts listed in some dnslist (you can be very generous
about choosing them then), with unusual HELO/EHLO or from IPs which seem
to be dynamic. Works very fine here.

> I attached excerpts from my config (including the whitelist) to
> http://wiki.exim.org/DbLessGreyListingC

What's the big advantage over using the builtin sqlite support for
greylisting?



chris+exim at qwirx

Mar 8, 2010, 6:15 AM

Post #4 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

Hi all,

On Mon, 8 Mar 2010, Jakob Hirsch wrote:
> Lena [at] lena, 2010-03-08 14:04:
>
>> and whitelist few senders which can resend a letter from other
>> IP-addresses in a block larger than /24. I.e. use
>> ${sg{$sender_host_address}{\N\.\d+$\N}{}} for greylisting instead of
>> $sender_host_address .
>
> Or, don't greylist the whole world by default, but only suspicious
> connections, e.g. hosts listed in some dnslist (you can be very generous
> about choosing them then), with unusual HELO/EHLO or from IPs which seem
> to be dynamic. Works very fine here.

Or, join Jaco Kroon's distributed greylist system, which is already
whitelisting most such hosts (e.g. Hotmail, Yahoo, Gmail) and in turn
contribute your own whitelist data.

http://www.mail-archive.com/exim-users [at] exim/msg33805.html

Works very fine here :)

Cheers, Chris.
--
Chris Wilson <0000 at qwirx.com> - Cambs UK | Security/C/C++/Java/Perl/SQL/HTML Developer
We are GNU-free your mind-and your software



Lena at lena

Mar 8, 2010, 7:58 AM

Post #5 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

> From: Jakob Hirsch

> > and whitelist few senders which can resend a letter from other
> > IP-addresses in a block larger than /24.
> > I.e. use ${sg{$sender_host_address}{\N\.\d+$\N}{}}
>
> I'd suggest to use ${mask:<IP address>/<bit count>} instead. regex is
> not always the best solution.

In this case regex gives 5 bytes shorter result (without .0/24 at the end).

> This also works with IPv6 (one should use
> a different bit count for that, though).

Did someone receive a spam via IPv6 not from a real MTA?
Greylisting a MTA is useless.

> Or, don't greylist the whole world by default

The original poster wrote "selective" in Subject.

> > I attached excerpts from my config (including the whitelist) to
> > http://wiki.exim.org/DbLessGreyListingC
>
> What's the big advantage over using the builtin sqlite support for
> greylisting?

When I wrote that, I didn't know that sqlite is daemonless. I run Exim
along with POP3 and a web server on a VPS with 64M RAM + 128M swap for $6/month,
I don't want to spend more for more RAM, so I wanted minimal memory expense.
Please give a link to a sqlite greylisting implementation.



jh at plonk

Mar 9, 2010, 1:56 AM

Post #6 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

Lena [at] lena, 2010-03-08 16:58:

>> I'd suggest to use ${mask:<IP address>/<bit count>} instead. regex is
>> not always the best solution.
> In this case regex gives 5 bytes shorter result (without .0/24 at the end).

True, but that's only relevant if you are really short on storage.

>> This also works with IPv6 (one should use
>> a different bit count for that, though).
> Did someone receive a spam via IPv6 not from a real MTA?

I heard of one case recently. With the rise of ipv6 we'll probably see
more, but it's not a problem right.

>> Or, don't greylist the whole world by default
> The original poster wrote "selective" in Subject.

Yes, in parenthesis. Greylisting gmail does not sound very selective to
me, but depends on one's selection criteria, of course.

>>> I attached excerpts from my config (including the whitelist) to
>>> http://wiki.exim.org/DbLessGreyListingC
>> What's the big advantage over using the builtin sqlite support for
>> greylisting?
> When I wrote that, I didn't know that sqlite is daemonless. I run Exim

Too bad. One should check the available options before reinventing the
wheel :)

> Please give a link to a sqlite greylisting implementation.

http://plonk.de/sw/exim/greylist.txt has been out for quite a while.
There's also one in the wiki: http://wiki.exim.org/SimpleGreylisting



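The thread so far proposes three things for the "same sender, many IPs" problem Vincent raised: key the greylist on the sender's network rather than the exact address (Lena's first-three-bytes trick, Jakob's ${mask:...} with a separate bit count for IPv6), greylist only suspicious connections instead of the whole world, and keep the state in SQLite. The following is an added illustration of all three in one place; it is not Exim's code, nor any of the posted configs, and the exact policy values in it (a /24 for IPv4, a /64 for IPv6, a 5-minute delay, the "dynamic-looking rDNS" heuristic, the sample addresses) are assumptions chosen for the example. The database is in-memory so it runs offline; a real setup would point it at a file.

```python
"""Network-keyed, selective greylisting with SQLite state.

Added example for the exim-users thread above (not Exim's own code, nor any
posted config). Keys are (network, envelope sender, envelope recipient); the
network is the /24 for IPv4 and the /64 for IPv6, mirroring what Exim's
${mask:$sender_host_address/<bits>} expansion would produce. All timings,
bit counts and heuristics below are assumptions for illustration.
"""
import ipaddress
import re
import sqlite3
from typing import Optional

GREY_DELAY = 300             # seconds a new triplet must wait before a retry passes
GREY_TTL = 4 * 3600          # an unretried triplet is forgotten after this long
WHITE_TTL = 36 * 24 * 3600   # a triplet that passed stays whitelisted this long

IPV4_BITS = 24   # "first three bytes" of the IPv4 address
IPV6_BITS = 64   # assumed: IPv6 needs its own bit count, a /24 would be meaningless


def network_key(host_address: str) -> str:
    """Mask the connecting host to its network, e.g. 74.125.82.47 -> 74.125.82.0/24."""
    addr = ipaddress.ip_address(host_address)
    bits = IPV4_BITS if addr.version == 4 else IPV6_BITS
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


# Assumed heuristic for "IPs which seem to be dynamic": a generic-looking rDNS name.
_DYNAMIC_RDNS = re.compile(r"(dyn|dhcp|pool|ppp|dsl|cable)", re.IGNORECASE)


def is_suspicious(helo: str, reverse_dns: Optional[str], dnsbl_listed: bool) -> bool:
    """Selective greylisting: only doubtful connections get greylisted at all."""
    if dnsbl_listed:
        return True
    if "." not in helo or helo.startswith("["):      # bare name or address literal
        return True
    if reverse_dns is None or _DYNAMIC_RDNS.search(reverse_dns):
        return True
    return False


class Greylist:
    """Triplet store; SQLite is daemonless, so this costs no extra process."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS greylist ("
            " key TEXT PRIMARY KEY, first_seen INTEGER, last_seen INTEGER, passed INTEGER)"
        )

    def _touch(self, key: str, now: int) -> None:
        self.db.execute("UPDATE greylist SET last_seen = ? WHERE key = ?", (now, key))

    def _reset(self, key: str, now: int) -> None:
        self.db.execute(
            "UPDATE greylist SET first_seen = ?, last_seen = ?, passed = 0 WHERE key = ?",
            (now, now, key),
        )

    def decide(self, host: str, sender: str, rcpt: str, now: int) -> str:
        """Return 'accept' or 'defer' for one RCPT, keyed on (network, sender, rcpt)."""
        key = "|".join((network_key(host), sender.lower(), rcpt.lower()))
        row = self.db.execute(
            "SELECT first_seen, last_seen, passed FROM greylist WHERE key = ?", (key,)
        ).fetchone()
        if row is None:                                   # never seen: start the clock
            self.db.execute("INSERT INTO greylist VALUES (?, ?, ?, 0)", (key, now, now))
            return "defer"
        first_seen, last_seen, passed = row
        if passed:                                        # already whitelisted
            if now - last_seen <= WHITE_TTL:
                self._touch(key, now)
                return "accept"
            self._reset(key, now)                         # whitelist entry went stale
            return "defer"
        if now - first_seen > GREY_TTL:                   # stale attempt, start over
            self._reset(key, now)
            return "defer"
        if now - first_seen < GREY_DELAY:                 # retried too soon
            self._touch(key, now)
            return "defer"
        self.db.execute("UPDATE greylist SET last_seen = ?, passed = 1 WHERE key = ?", (now, key))
        return "accept"


def greylist_rcpt(gl: Greylist, host: str, helo: str, reverse_dns: Optional[str],
                  dnsbl_listed: bool, sender: str, rcpt: str, now: int) -> str:
    """What a RCPT ACL would do: consult the greylist only for suspicious connections."""
    if not is_suspicious(helo, reverse_dns, dnsbl_listed):
        return "accept"
    return gl.decide(host, sender, rcpt, now)


if __name__ == "__main__":
    # Constructed sample: one sender retrying from three different hosts in one /24.
    gl = Greylist()
    for t, host in ((1000, "74.125.82.1"), (1100, "74.125.82.47"), (1400, "74.125.82.200")):
        print(t, host, gl.decide(host, "someone@gmail.com", "me@example.org", t))
```

The second host in the sample is still deferred because the 5-minute delay has not elapsed, and the third is accepted even though it is a different address, because the key is the /24. A sender whose retries come from outside that block (Lena's "block larger than /24" case) still needs an explicit whitelist or, per Jakob's and David's replies, should not be greylisted in the first place.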


iane at sussex

Mar 9, 2010, 2:28 AM

Post #7 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

--On 9 March 2010 10:56:11 +0100 Jakob Hirsch <jh [at] plonk> wrote:

>>> This also works with IPv6 (one should use
>>> a different bit count for that, though).
>> Did someone receive a spam via IPv6 not from a real MTA?
>
> I heard of one case recently. With the rise of ipv6 we'll probably see
> more, but it's not a problem right.

Right now our servers aren't accessible through IPv6, except through an
IPv4 tunnel, and I expect that's true for a lot of sites.

Hopefully, domain based reputation services will be better established
before IPv6. By which I mean that I hope domain based reputation services
(which rely on SPF, DKIM, etc) will be effective quite quickly.

I doubt that we'll ever accept email from a domain with AAAA records, but
no A or MX record. I hope that others will also adopt this policy when they
deploy IPv6 capable installations.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/



dwmw2 at infradead

Mar 15, 2010, 1:17 PM

Post #8 of 8
Re: How to solve the problem with multiple sender IPs and (selective) greylisting?! [In reply to]

On Tue, 2010-03-09 at 10:56 +0100, Jakob Hirsch wrote:
> > Please give a link to a sqlite greylisting implementation.

> http://wiki.exim.org/SimpleGreylisting

As well as a simple sqlite-based implementation, that page contains a
general discussion about greylisting techniques. Some of those (using
the dnswl, greylisting only mail which is actually suspicious in some
way) would go a long way to solving the original problem that Vincent
was asking about.

--
David Woodhouse, Open Source Technology Centre, Intel Corporation
David.Woodhouse [at] intel

