Options to combat Greylisting false positives


Would options to combat Greylisting false positives be useful for you?

Yes: 6 votes (67%)
Maybe: 2 votes (22%)
No: 1 vote (11%)
What's Greylisting?: 0 votes

Total votes: 9

brashquido
Normal user
Posts: 249
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Options to combat Greylisting false positives

Post by brashquido » 2010-09-16 09:10

The greylisting functionality in hMail matches a specific IP to a specific email address, which is a problem because email from larger environments can often originate from any number of different IP addresses. This results in email that has already been through the greylisting process being greylisted again (causing undue delivery delay). It is even possible for legitimate email to bounce entirely should the sending SMTP farm have enough IP addresses that email delivery is attempted through where the total email delivery attempts exceed the organisation SMTP retry count and/or time window.

Other greylisting implementations I've seen combat these false positives by allowing the system to do a DNS A and/or MX lookup on the domain name of the incoming email address, and if any of the IP addresses match the domain name of any previously caught email addresses then the email is passed. Sometimes DNS lookups might not be desirable, so I've also seen options where the administrator can specify a network range to match rather than one specific IP. These sorts of options would GREATLY aid the effectiveness of greylisting, as currently there are way too many retries of legitimate emails. Looking at the triplets table now for my main email address, every single delayed email (15 in total) comes from just 5 different legitimate email addresses. The only reason these emails are not being passed is because the sending IP address is different each time.
Dominic Ryan
astroroad.com.au

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Re: Options to combat Greylisting false positives

Post by Rainer » 2010-09-16 18:24

Hello brashquido, I see this problem every day in my log.
For example:

1. 212.227.17.8 -> 451 Please try again later.
2. 212.227.126.171 -> 451 Please try again later.
3. 212.227.126.186 -> 451 Please try again later.
4. 212.227.126.186 -> 250 OK.

Kind regards :)
Rainer Noa
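
The behaviour described in the two posts above, replayed as an added example (not part of the thread and not hMailServer's code): a triplet store keyed on exact client IP reproduces the 451/451/451/250 sequence, and keying on a network range instead shortens the delay. The 300-second minimum delay, the 10-minute retry interval, the envelope addresses and all names in the code are assumptions.

```python
import ipaddress

MIN_DELAY = 300  # seconds a new triplet must wait before acceptance (assumed)


class Greylist:
    """Triplet store keyed on (client network, sender, recipient)."""

    def __init__(self, prefix_len=32):
        self.prefix_len = prefix_len  # 32 = exact IP, 24 = whole /24, ...
        self.first_seen = {}          # triplet -> time of first attempt

    def check(self, ip, sender, recipient, now):
        # Collapse the client IP to its network so that sibling relays
        # in the same range share one triplet.
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        triplet = (net, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= MIN_DELAY:
            return "250 OK."
        return "451 Please try again later."


# Constructed replay: the client IPs from the log above, with an assumed
# retry every 10 minutes and placeholder envelope addresses.
ATTEMPTS = [
    (0, "212.227.17.8"),
    (600, "212.227.126.171"),
    (1200, "212.227.126.186"),
    (1800, "212.227.126.186"),
]


def replay(prefix_len):
    """Return the SMTP reply code for each attempt under the given match width."""
    gl = Greylist(prefix_len)
    return [gl.check(ip, "sender@example.org", "rcpt@example.net", t)[:3]
            for t, ip in ATTEMPTS]


def delay_until_accepted(prefix_len):
    """Seconds between the first attempt and the first 250."""
    return ATTEMPTS[replay(prefix_len).index("250")][0]


if __name__ == "__main__":
    for p in (32, 24, 16):
        print(f"/{p}: {replay(p)} accepted after {delay_until_accepted(p)} s")
```

Matching on /24 still delays this sender twice because the first relay sits in a different /24 from the other two; a wider range removes that delay but also lets any other host in the range reuse the triplet.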

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Options to combat Greylisting false positives

Post by ^DooM^ » 2010-09-16 20:48

This is similar in functionality to one of my requests: http://www.hmailserver.com/forum/viewto ... =2&t=11682
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Options to combat Greylisting false positives

Post by mattg » 2010-09-17 02:27

This is already implemented isn't it? (well nearly - this test bypasses greylisting completely if mail is sent from a valid A or MX record)
http://www.hmailserver.com/documentatio ... reylisting
Bypass Greylisting when message arrives from A or MX record.

Prior to running grey listing, hMailServer will do a DNS/A and DNS/MX lookup. If the connecting address is found in one of the records, the grey listing will be skipped if this option is enabled.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Options to combat Greylisting false positives

Post by ^DooM^ » 2010-09-17 11:27

When was that added Matt, do you remember?

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Re: Options to combat Greylisting false positives

Post by Rainer » 2010-09-17 11:47

Hello, I have activated the option "Bypass Greylisting when message arrives from A or MX record", but I think it doesn't work!

Kind regards :)
Rainer Noa

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Options to combat Greylisting false positives

Post by Bill48105 » 2010-09-19 01:40

^DooM^ wrote: When was that added Matt, do you remember?
Seems it's been there since 8/28/2009. Funny how our brains run garbage collection routines without us even realizing it. Supposedly it happens more & more as we age so I'm scared to get a day older as often as I forget things I once knew. lol

http://www.hmailserver.com/?page=changelog
Version 5.3 - Build 362 (2009-08-28)
"It's now possible to bypass grey listing if a connection arrives from a MX or A record for the sending domain."
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Re: Options to combat Greylisting false positives

Post by Slug » 2010-10-30 14:20

^DooM^ wrote: When was that added Matt, do you remember?
At least 6 or more months (might even be longer), I thought it came in with the first 5.3 branch

Michael

Edit: Didn't read Bill's reply... even longer than I thought.
Missing Hmailserver ... Now running Debian servers

ObiWan
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Options to combat Greylisting false positives

Post by ObiWan » 2010-11-02 11:22

mattg wrote: This is already implemented isn't it? (well nearly - this test bypasses greylisting completely if mail is sent from a valid A or MX record)
http://www.hmailserver.com/documentatio ... reylisting
Bypass Greylisting when message arrives from A or MX record.

Prior to running grey listing, hMailServer will do a DNS/A and DNS/MX lookup. If the connecting address is found in one of the records, the grey listing will be skipped if this option is enabled.
Matt, I think that the GL skip should also be done in case of SPF pass; if a given IP is authorized by a valid
SPF record as sender for a given domain, then there's no need to apply graylisting to that IP; see, in many
cases (especially with large organizations) the outbound SMTP aren't listed as MX since they never receive
emails (their port 25 isn't published) but they're only used for message delivery

That said, a possible workaround may be the one posted here

http://www.hmailserver.com/forum/viewto ... 61#p117561

the "don't greylist" IP list used by the script comes from

http://sqlgrey.bouton.name/clients_ip_whitelist

http://projects.puremagic.com/web-svn/w ... ist_ip.txt

and is a "merged" version with some additional hosts ;-)

[edit]

sounds like the AOL pools weren't up to date; have a look at

http://postmaster.aol.com/Postmaster.OMRs.php

and add those to the gl whitelist too; something like


64.12.78.142
64.12.140.129           #(aberrant mail)
64.12.140.130           #(aberrant mail)
64.12.100.31
64.12.102.              #[137-140]
64.12.137.              #[1-9]
64.12.137.11
64.12.138.200
64.12.138.204
64.12.138.209
64.12.138.210
64.12.143.              #[99-101]
64.12.143.              #[146-147]
64.12.143.151
64.12.206.              #[39-42]
64.12.207.              #[163-168]
64.12.95.83             #(aberrant mail)
64.12.95.96             #(aberrant mail)
64.12.143.145           #(aberrant mail)
64.12.143.152           #(aberrant mail)
205.188.255.11          #(aberrant mail)
205.188.255.12          #(aberrant mail)
205.188.249.            #[130-131] (aberrant mail)
205.188.159.            #[133-134] (aberrant mail)
205.188.105.            #[143-147]
205.188.139.            #[136-137]
205.188.144.            #[207-208]
205.188.157.            #[35-42]
205.188.91.             #[95-97]
205.188.159.7
205.188.169.203
205.188.249.129
205.188.249.            #[132-133]
205.188.58.             #[1-4]
205.188.58.             #[65-68]
should fit (feel free to explode the ranges if desired)
Last edited by ObiWan on 2010-11-02 11:36, edited 1 time in total.
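
One reading of the list notation in the post above, as an added example that is not part of the thread or of the linked script: an entry ending in a dot is taken as the first three octets, and the bracketed numbers in its comment as the range of the last octet. The sample lines are copied from the post; the function names are made up here.

```python
import ipaddress
import re

# A few entries copied from the list in the post, in its own notation.
SAMPLE = """\
64.12.78.142
64.12.140.129           #(aberrant mail)
64.12.102.              #[137-140]
64.12.137.              #[1-9]
205.188.249.            #[130-131] (aberrant mail)
"""

ENTRY = re.compile(r"^(?P<addr>[0-9.]+)\s*(?:#(?P<note>.*))?$")
LAST_OCTETS = re.compile(r"\[(\d+)-(\d+)\]")


def parse_entry(line):
    """Turn one whitelist line into a list of ipaddress networks."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    addr, note = m["addr"], m["note"] or ""
    if not addr.endswith("."):
        return [ipaddress.ip_network(addr)]         # single host, stored as /32
    span = LAST_OCTETS.search(note)
    if not span:
        raise ValueError(f"prefix without [lo-hi] range: {line!r}")
    lo, hi = int(span[1]), int(span[2])
    if lo > hi:
        raise ValueError(f"descending range: {line!r}")
    first = ipaddress.ip_address(f"{addr}{lo}")     # raises if an octet is > 255
    last = ipaddress.ip_address(f"{addr}{hi}")
    # Smallest set of CIDR blocks covering exactly first..last.
    return list(ipaddress.summarize_address_range(first, last))


def load_whitelist(text):
    """Parse every non-empty line of a whitelist in the post's notation."""
    nets = []
    for line in text.splitlines():
        if line.strip():
            nets.extend(parse_entry(line))
    return nets


def is_whitelisted(ip, nets):
    """True if the connecting IP falls inside any whitelisted block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)
```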

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Options to combat Greylisting false positives

Post by ^DooM^ » 2010-11-02 11:31

ObiWan wrote: Matt, I think that the GL skip should also be done in case of SPF pass
Changelog wrote: Version 5.2 - Build 348 (2009-06-07)
* In the grey listing options you can now choose to bypass greylisting if SPF passes.

ObiWan
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Options to combat Greylisting false positives

Post by ObiWan » 2010-11-02 11:33

^DooM^ wrote:
ObiWan wrote: Matt, I think that the GL skip should also be done in case of SPF pass
Changelog wrote: Version 5.2 - Build 348 (2009-06-07)
* In the grey listing options you can now choose to bypass greylisting if SPF passes.
whoops... :)
