Postscreen and/or milter-greylist

On my old server I am running Postfix, mail/postgrey and Postscreen (as well as SpamAssassin and ClamAV, but that is not relevant to this post). This combination has been fantastic since I implemented it. The only annoying issue with Postgrey has been (obviously) the delays in email delivery at times.

I am now considering running the same setup as above but replacing Postgrey with mail/milter-greylist. I see that milter-greylist does whitelisting by default and can blacklist or greylist depending on the rules set in the config file.

The questions I have are:

1) If I continue using Postscreen, is there any point in using milter-greylist with DNS RBLs?

2) Is it better to drop Postscreen and just use milter-greylist? i.e., use milter-greylist to do ALL DNS RBL checking, blacklisting/greylisting/whitelisting?

Ideally I would like to keep Postscreen as it has been super. I would also like to use greylisting but would like more control over it, and I like milter-greylist's default behaviour of whitelisting (there are obviously rules before the whitelisting rule to greylist or blacklist).

I'd be interested in hearing the forum's thoughts on this, especially on milter-greylist.

Thank you.
 
wblock@ said:
mail/milter-greylist has been working great for me for years, although I use it with Sendmail. Sorry, I don't understand question 1; RBLs are not a replacement for greylisting, or vice versa.

From what I understand about mail/milter-greylist you can have blacklists, greylists and whitelists. As follows:

Code:
dnsrbl "MTAWL" list.dnswl.org 127.0.0.0/16
dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10

racl whitelist dnsrbl "MTAWL"
racl blacklist dnsrbl "SORBS DUN"
racl greylist list "users" delay 1m
racl whitelist default

So I thought mail/milter-greylist was using DNSRBLs like Postscreen does? i.e., some of my Postscreen config looks like this:

Code:
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        dnsbl.ahbl.org*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4

Am I confusing the two?

kpa said:
RBLs can complement greylisting nicely and in case of mail/milter-greylist you can handle all greylisting and RBL based blocking in one single service, no need to install anything else.

Yes! This is what I was wondering @kpa! I guess the question is, is there any point in having Postscreen configured AND mail/milter-greylist for DNSRBL?

The way I see it is, if I used Postscreen AND milter-greylist, Postscreen would stop most junk mail before it even touches Postfix. The emails that sneak through Postscreen would/could be greylisted by default I guess by mail/milter-greylist?

@wblock@: Would you mind sharing your /usr/local/etc/mail/greylist.conf?

So to summarise in a diagram:

Incoming email ---> Postscreen (uses DNSRBLs) ---> Postfix (milters) ---> milter-greylist (greylisting on by default but no point in using DNSBLs since Postscreen has already done this check?)
 
I'll summarize what is set in milter-greylist.conf:

Code:
greylist 5m
Set a five-minute timeout.

Code:
list "mynetwork" addr { 127.0.0.1/8 10.0.0.0/8 192.168.1.0/24 }
Create an access list for the inside network.

Code:
list "gooddomains" domain {    \
       apache.org              \
       freebsd.org             \
       freedesktop.org         \
       ...
}

Create an access list for domains that can skip greylisting.

Code:
racl whitelist list "mynetwork"
racl whitelist list "gooddomains"
racl greylist default

Whitelist and greylist the access lists.
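An added example (not wblock@'s code, and not milter-greylist itself) that models how the racl rules above are walked, fed with a constructed greylist.conf fragment modelled on that post; the domain list is shortened to the three names shown because the post elides the rest. What it assumes, from my reading of greylist.conf(5) rather than from the thread: rules are tried top to bottom and the first match decides, `default` matches every message, an `addr` list is matched against the client IP, and a `domain` list is matched as a suffix against the client's reverse-DNS name. dnsrbl and SPF rule types are not modelled.

```python
"""Added example: first-match evaluation of milter-greylist racl rules.
Assumption: rules are tried in order and the first match wins; `default` always matches."""
import ipaddress
import re

# Constructed config, modelled on the thread's greylist.conf summary (domain list shortened).
SAMPLE_CONF = r'''
greylist 5m
list "mynetwork" addr { 127.0.0.1/8 10.0.0.0/8 192.168.1.0/24 }
list "gooddomains" domain {    \
       apache.org              \
       freebsd.org             \
       freedesktop.org         \
}
racl whitelist list "mynetwork"
racl whitelist list "gooddomains"
racl greylist default
'''

LIST_RE = re.compile(r'list\s+"(\w+)"\s+(addr|domain)\s*\{([^}]*)\}')
RACL_RE = re.compile(r'^racl\s+(whitelist|greylist|blacklist)\s+(?:list\s+"(\w+)"|default)\s*$', re.M)

def parse_conf(text):
    """Return (lists, rules).
    lists: name -> (kind, members); rules: [(action, list_name or None for default)]."""
    joined = text.replace('\\\n', ' ')          # fold backslash line continuations
    lists = {}
    for name, kind, body in LIST_RE.findall(joined):
        members = body.split()
        if kind == 'addr':
            # strict=False accepts 127.0.0.1/8 as written in the thread (host bits set)
            members = [ipaddress.ip_network(m, strict=False) for m in members]
        lists[name] = (kind, members)
    rules = [(action, name or None) for action, name in RACL_RE.findall(joined)]
    return lists, rules

def list_matches(kind, members, client_ip, client_name):
    """addr lists match the client IP; domain lists match the reverse-DNS name as a suffix."""
    if kind == 'addr':
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in members)
    name = client_name.lower().rstrip('.')
    return any(name == d or name.endswith('.' + d) for d in members)

def evaluate(lists, rules, client_ip, client_name):
    """Walk the racl rules top to bottom; return (action, index of the rule that matched)."""
    for i, (action, name) in enumerate(rules):
        if name is None:                          # racl <action> default
            return action, i
        kind, members = lists[name]
        if list_matches(kind, members, client_ip, client_name):
            return action, i
    return None, -1                               # nothing matched and no default rule

if __name__ == '__main__':
    lists, rules = parse_conf(SAMPLE_CONF)
    print(evaluate(lists, rules, '192.168.1.20', 'desktop.lan'))      # whitelist via mynetwork
    print(evaluate(lists, rules, '203.0.113.5', 'mx1.freebsd.org'))   # whitelist via gooddomains
    print(evaluate(lists, rules, '203.0.113.5', 'unknown.example'))   # greylist via default
    # Same rules with the last line changed to `racl whitelist default`:
    flipped = rules[:-1] + [('whitelist', None)]
    print(evaluate(lists, flipped, '203.0.113.5', 'unknown.example'))  # whitelist via default
```

Because evaluation stops at the first match, the ordering of the rules is the whole policy: with `racl greylist default` at the bottom, anything the earlier lists do not name is delayed, and changing that last line to `racl whitelist default` turns the same lists into a set of exceptions from an otherwise open door.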
 
@wblock@: That's interesting, I see you have changed the default behaviour from whitelisting to greylisting. I can't figure out why you'd set the default to whitelisting; doesn't that defeat the object of greylisting then?

Do you not bother with DNSRBL then in mail/milter-greylist?

What about SPF checking, do you enable or use this feature in mail/milter-greylist?

I think a good combination would be to use Postscreen for the DNSRBL stuff and then use mail/milter-greylist purely for greylisting?
 
No, I put DNSBL entries in hostname.mc. Performance-wise, I doubt that it matters where they go as long as they are done before greylisting.

I've never bothered with SPF. The only time I've ever noticed it being used is in actual spam.
 
I have not used DKIM, either. Both it and SPF are not anti-spam measures, just anti-forgery. If you use some big spam evaluation package like SpamAssassin, SPF and DKIM might help in scoring.
 
I seem to be having an issue with mail/milter-greylist. When I enable mail/milter-greylist in Postfix and I send myself a test email I get the following error:
Code:
 warning: connect to Milter service unix:/var/milter-greylist/milter-greylist.sock: Permission denied

In my /usr/local/etc/mail/greylist.conf I have set:
Code:
user "mailnull:mailnull"

and the directory permissions are set as follows:
Code:
drwxr-xr-x   2 mailnull mailnull   3B Jan 25 09:44 milter-greylist/

My /var/log/milter-greylist/greylist.log is empty.

In /usr/local/etc/postfix/main.cf I have set:
Code:
smtpd_milters = unix:/var/run/clamav/clmilter.sock
                         unix:/var/run/spamass-milter/spamass-milter.sock
                         unix:/var/milter-greylist/milter-greylist.sock


I've run out of ideas; how do I resolve this permission error to get greylisting to work?
 
I tried that too but still no joy. I just don't understand why there is nothing appearing in the logfile.
 
So I have had no luck getting mail/milter-greylist working unfortunately.

I have started looking at alternatives. I was looking at SQLgrey. Does anyone have any experience with this port? Any good?

I see it has a nice web front end for managing your whitelists and blacklists as well as tracking the state of your greylist:

sgwi

Appreciate any thoughts or comments!
 
kpa said:
Try setting the user and group to postfix, I think that's what mail/postfix expects from the sockets it feeds the data to be filtered.

Thanks @kpa, I tried your suggestion but I'm still getting:
Code:
Jan 26 16:57:02 mail postfix/smtpd[10796]: warning: connect to Milter service unix:/var/milter-greylist/milter-greylist.sock: Permission denied

In /usr/local/etc/mail/greylist.conf I changed user to:
Code:
user "postfix:postfix"

I restarted the daemon but still no joy.
 
Recreate the socket as well. The user setting is not enough if I remember right.

Edit: Also take a look at the owner of the enclosing directory of the socket file under /var; that has to be postfix as well, I think.
 
Currently /var/milter-greylist/ has the following permissions:
Code:
drwxr-xr-x   2 mailnull  mailnull     3B Jan 26 16:55 milter-greylist

In the /var/milter-greylist/ directory I have:
Code:
srwxr-xr-x   1 mailnull  mailnull     0B Jan 26 16:55 milter-greylist.sock

How do you recreate the socket?
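An added example (not code from the thread) that models the permission check behind the "Permission denied" above. It assumes ordinary POSIX semantics, which the thread does not spell out: connect(2) on a Unix-domain socket needs write permission on the socket node and search (x) permission on every directory leading to it, and the owner class applies only when the connecting user owns the node. The modes and owners are constructed from the ls(1) output in the thread (/var is assumed root-owned 0755, the postfix user's group list is constructed), so nothing on a real filesystem is inspected. It goes one step beyond the thread by also modelling a group-writable socket, to show that ownership is not the only way to satisfy the check.

```python
"""Added example: why `srwxr-xr-x mailnull mailnull` denies a connect() from user postfix.
Assumption: connect() needs 'w' on the socket node and 'x' on each parent directory."""
import stat
from collections import namedtuple

Node = namedtuple('Node', 'path mode owner group')   # owner/group are user and group names
Actor = namedtuple('Actor', 'user groups')           # groups: set of group names

def mode_bits(perm):
    """Convert the nine permission characters of ls(1) output ('rwxr-xr-x') to 0o755."""
    if len(perm) != 9:
        raise ValueError("expected nine permission characters, got %r" % perm)
    bits = 0
    for ch in perm:
        bits = (bits << 1) | (ch != '-')
    return bits

def permitted(node, actor, need):
    """POSIX class selection: owner bits if the actor owns the node, otherwise group
    bits if the actor is in the node's group, otherwise the 'other' bits."""
    masks = {
        'r': (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        'w': (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
        'x': (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
    }[need]
    if actor.user == node.owner:
        mask = masks[0]
    elif node.group in actor.groups:
        mask = masks[1]
    else:
        mask = masks[2]
    return bool(node.mode & mask)

def can_connect(path_nodes, sock, actor):
    """Walk the directory chain (needs 'x' on each), then require 'w' on the socket.
    Returns (ok, reason)."""
    for d in path_nodes:
        if not permitted(d, actor, 'x'):
            return False, '%s: no search permission for %s' % (d.path, actor.user)
    if not permitted(sock, actor, 'w'):
        return False, '%s: no write permission for %s (mode %o, owner %s:%s)' % (
            sock.path, actor.user, sock.mode, sock.owner, sock.group)
    return True, 'ok'

SOCK_PATH = '/var/milter-greylist/milter-greylist.sock'
# Directory chain as in the thread; /var is assumed to be root:wheel 0755.
DIRS = [Node('/var', mode_bits('rwxr-xr-x'), 'root', 'wheel'),
        Node('/var/milter-greylist', mode_bits('rwxr-xr-x'), 'mailnull', 'mailnull')]
POSTFIX = Actor('postfix', {'postfix'})               # constructed group membership

def thread_state():
    """Socket exactly as the thread shows it: srwxr-xr-x mailnull mailnull."""
    sock = Node(SOCK_PATH, mode_bits('rwxr-xr-x'), 'mailnull', 'mailnull')
    return can_connect(DIRS, sock, POSTFIX)

def fixed_state():
    """Socket after the daemon is started as postfix:postfix (the rc.conf fix later in the thread)."""
    sock = Node(SOCK_PATH, mode_bits('rwxr-xr-x'), 'postfix', 'postfix')
    return can_connect(DIRS, sock, POSTFIX)

def group_writable_state():
    """Alternative not used in the thread: keep mailnull as owner, make the socket
    group-writable and put postfix in the mailnull group."""
    sock = Node(SOCK_PATH, mode_bits('rwxrwxr-x'), 'mailnull', 'mailnull')
    return can_connect(DIRS, sock, Actor('postfix', {'postfix', 'mailnull'}))

if __name__ == '__main__':
    print(thread_state())          # (False, '...no write permission for postfix...')
    print(fixed_state())           # (True, 'ok')
    print(group_writable_state())  # (True, 'ok')
```

The model also explains why changing `user` in greylist.conf alone did not help: the socket node keeps whatever owner the process had when it bound it, so the file has to be recreated by a process already running as the intended user, which is what the rc.conf `runas` setting achieves.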
 
I don't remember exactly but if you delete it the service startup will probably recreate it using the owner given in the configuration file.
 
So I changed the permissions on /var/milter-greylist/:
Code:
drwxr-xr-x   2 postfix  postfix     3B Jan 26 17:39 milter-greylist

And I stopped the service and deleted:
Code:
rm /var/milter-greylist/milter-greylist.sock

Funny thing is, when I started the service back up again, the permissions changed back to what they were for the socket file:
Code:
srwxr-xr-x  1 mailnull  mailnull     0B Jan 26 17:39 /var/milter-greylist/milter-greylist.sock

My config file looks like this currently:
Code:
pidfile "/var/run/milter-greylist.pid"
socket "/var/milter-greylist/milter-greylist.sock"
dumpfile "/var/milter-greylist/greylist.db" 600
dumpfreq 1
user "postfix:postfix"
 
I also tried reinstalling the port (and deleting the directories and config files) but this hasn't helped.
 
See if you have to set the user in rc.conf; the rc(8) file for the port seems to have an option for that:

Code:
miltergreylist_runas="postfix:postfix"
 
kpa said:
See if you have to set the user in rc.conf; the rc(8) file for the port seems to have an option for that:

That fixed it!

I added to /etc/rc.conf:

Code:
miltergreylist_runas="postfix:postfix"

Thank you very much!
 
I've been using milter-greylist for a few days now and there's something I am unsure of. In the header of one email I have:

Code:
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.4.3

But I know that this email took 45 minutes to be delivered. Why is the header saying the email was not delayed by milter-greylist then?
 