Debian iTOps Tube

Tuesday, November 22, 2011

Using Greylisting

To maximize the effect of their efforts, spammers try to send email as quickly as possible. They take note of the emails that bounce, so that they know which addresses to remove from their lists to make their next mailing more efficient.

When mail servers receive mail too rapidly for them to handle, they can ask the sender to try again later. Spammers often view resending emails to valid addresses as a waste of computing time that could be used to send mail to brand new addresses that belong to faster mail servers. Emails that need to be resent are usually abandoned.

Some emails need reliable delivery to be effective and the senders of these types of messages are willing to resend. These include bank statement notifications, ecommerce purchase confirmations, and subscription newsletters.

In a previous section we saw that spamassassin always rejects emails from blacklisted sources. With greylisting, sources are instead asked to resend. One of the most popular greylist mail filter (milter) products is the milter-greylist package, which also works seamlessly with spamassassin. It is easy to use, and I'll discuss how it can be configured on your mail server.

Downloading and Installing milter-greylist

Most RedHat and Fedora Linux software product packages are available in the RPM format, whereas Debian and Ubuntu Linux use DEB format installation files. When searching for these packages remember that the filename usually starts with the software package name and is followed by a version number, as in milter-greylist-4.2.6-1400.fc14.x86_64.rpm. (For help on downloading and installing the required packages, see Chapter 6, Installing Linux Software).

Note: The milter-greylist package is a sendmail add-on and does not run as a daemon. You do have to restart sendmail for the settings to take effect.

Configuring milter-greylist

Configuring milter-greylist requires these quick steps:

1. Add the milter-greylist statements listed in the README file to your /etc/mail/ file:

define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

2. The previous step referenced the file /var/milter-greylist/milter-greylist.sock, which now has to be created and owned by the grmilter user. First search for the grmilter user in /etc/passwd to double check that the user exists and that the directory is owned by this user. Next create the file and change its ownership. The method can be seen here.

[root@bigboy tmp]# grep grey /etc/passwd
grmilter:x:495:494:Greylist-milter user:/var/lib/milter-greylist:/sbin/nologin
[root@bigboy tmp]# touch /var/lib/milter-greylist/milter-greylist.sock
[root@bigboy tmp]# chown grmilter:grmilter /var/lib/milter-greylist/milter-greylist.sock
[root@bigboy tmp]# ll /var/lib/milter-greylist/milter-greylist.sock
-rw-r--r-- 1 grmilter grmilter 0 Dec 12 00:26 /var/lib/milter-greylist/milter-greylist.sock
[root@bigboy tmp]#

3. Configure Greylist to start automatically on reboot.

Fedora / CentOS / RedHat

[root@bigboy tmp]# chkconfig spamassassin on

Ubuntu / Debian

user@ubuntu:~$ sudo sysv-rc-conf spamassassin on

4. Edit the /etc/mail/greylist.conf configuration file. Here we set the "try again later" delay to five minutes and use the whitelist command to deactivate the timer for trusted networks, so that their mail is delivered immediately.

# File: /etc/mail/greylist.conf

# How long a client has to wait before we accept
# the messages it retries to send. Here, 5 minutes.
greylist 5m

# Whitelist addresses within my own home/office network.
# The network below is a placeholder: replace it with your own.
acl whitelist addr 192.0.2.0/24

5. Restart sendmail for the new settings to take effect.

Your new spam mitigation tool should now be fully functional. You are ready to go!
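The behaviour the configuration above produces, written out as a small Python model. This is an added example, not code from milter-greylist or sendmail: it uses the 5 minute greylist delay and the whitelist ACL from the greylist.conf shown above, a 24 hour autowhite period taken from the autowhitelisted log entry discussed later on this page, and a constructed trusted network (192.0.2.0/24). Keying each message on the (sender address, envelope from, envelope recipient) tuple and the exact 451 reply text are assumptions of this model; the point is to show why a sender that never retries is never delivered, while one that does retry is accepted and then passes without delay.

```python
"""Model of the greylisting decision made by a milter such as milter-greylist.

Added example, not code from milter-greylist or sendmail. Settings mirror
the greylist.conf shown above; the key tuple and reply text are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GREYLIST_DELAY = 5 * 60        # "greylist 5m" from greylist.conf
AUTOWHITE_PERIOD = 24 * 3600   # 24h autowhite period, as in the log sample
WHITELIST_NETS = [ip_network("192.0.2.0/24")]  # constructed trusted network (acl whitelist addr)


def _hms(seconds):
    """Format a duration the way the milter logs it, e.g. 300 -> '00:05:00'."""
    seconds = int(seconds)
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)    # key -> time of first attempt
    autowhite: dict = field(default_factory=dict)  # key -> expiry time of autowhitelist entry

    def decide(self, now, addr, sender, rcpt):
        """Return ('accept', reason) or ('tempfail', '451 ...') for one delivery attempt."""
        # Trusted networks bypass the timer entirely (the whitelist ACL).
        if any(ip_address(addr) in net for net in WHITELIST_NETS):
            return "accept", "whitelisted by acl"
        key = (addr, sender.lower(), rcpt.lower())
        # A sender that already retried successfully is accepted without delay
        # until its autowhitelist entry expires.
        if key in self.autowhite and now < self.autowhite[key]:
            return "accept", "autowhitelisted"
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now          # first sight: start the timer
            wait = GREYLIST_DELAY
        else:
            wait = GREYLIST_DELAY - (now - first)
        if wait > 0:
            return "tempfail", f"451 4.7.1 Greylisting in action, please come back in {_hms(wait)}"
        # Retried after the delay: accept and autowhitelist the tuple.
        del self.pending[key]
        self.autowhite[key] = now + AUTOWHITE_PERIOD
        return "accept", f"autowhitelisted for {_hms(AUTOWHITE_PERIOD)}"


def walkthrough():
    """Constructed sequence of attempts; returns the list of decisions."""
    g = Greylister()
    legit = ("198.51.100.7", "news@example.org", "me@example.net")  # constructed sender
    results = [
        g.decide(0, *legit)[0],        # first attempt: delayed
        g.decide(120, *legit)[0],      # retried too early: still delayed
        g.decide(301, *legit)[0],      # retried after 5 minutes: accepted, autowhitelisted
        g.decide(7200, *legit)[0],     # next mail within 24h: accepted immediately
        g.decide(90000, *legit)[0],    # autowhitelist expired: delayed again
        g.decide(0, "192.0.2.10", "boss@example.net", "me@example.net")[0],  # trusted net
    ]
    # A spammer that sends once and never retries leaves only a pending entry behind.
    g.decide(0, "203.0.113.9", "bulk@example.com", "me@example.net")
    return results


if __name__ == "__main__":
    for step, decision in enumerate(walkthrough(), 1):
        print(step, decision)
```

Running the block prints the six decisions in order (tempfail, tempfail, accept, accept, tempfail, accept); the last of the six shows the ACL bypass. The expiry check in decide() is what the note on tuning autowhite later on this page is about: a daily newsletter arriving a few minutes after its previous delivery plus 24 hours gets delayed again unless the period is set slightly longer.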

Troubleshooting milter-greylist

Now that we have milter-greylist installed, we need to be able to do some basic troubleshooting. The /var/log/maillog file should be used to determine what is happening to your mail. Here are two samples of what to expect:

Dec 24 00:32:31 bigboy sendmail[28847]: jBO8WVnG028847: Milter: to=<>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00

Dec 23 20:40:21 bigboy milter-greylist: jBO4eF2m027418: addr from <> rcpt <>: autowhitelisted for 24:00:00

In the first entry, the email received is given a tag (jBO8WVnG028847) based on key characteristics in the mail header and a request is sent to the sender to resend the email in five minutes. Any email that is received with the same calculated key within the autowhite period configured in the greylist.conf file will then be automatically accepted without delay. In the second entry, the email has been resent and immediately accepted. Any other email from that source within the next 24 hours will be accepted without delay.
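A small parser for the two kinds of /var/log/maillog entries shown above, as an added example (not part of milter-greylist or this page's original material). It pulls out the queue id, recipient and wait time from sendmail's 451 lines and the address tuple from the milter's autowhitelisted lines, then reports how many deliveries were delayed and which recipients saw a delay but no later autowhitelist entry. The sample log text is constructed in the format of the entries above, with placeholder addresses and an optional [pid] after milter-greylist allowed; everything else is parsed exactly as the page shows it.

```python
"""Tally greylisting activity from maillog lines (added example, not project code)."""
import re
from collections import Counter

# Constructed sample entries in the two formats shown above; addresses are placeholders.
SAMPLE_MAILLOG = """\
Dec 24 00:32:31 bigboy sendmail[28847]: jBO8WVnG028847: Milter: to=<me@example.net>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00
Dec 24 00:33:02 bigboy sendmail[28851]: jBO8X2Qc028851: Milter: to=<sales@example.net>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00
Dec 24 00:38:10 bigboy milter-greylist: jBO8cAxy028902: addr 198.51.100.7 from <news@example.org> rcpt <me@example.net>: autowhitelisted for 24:00:00
Dec 24 00:39:44 bigboy sendmail[28910]: jBO8dieN028910: Milter: to=<me@example.net>, reject=451 4.7.1 Greylisting in action, please come back in 00:05:00
"""

# sendmail's record of the temporary rejection handed back by the milter
TEMPFAIL_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): Milter: to=<(?P<rcpt>[^>]*)>, "
    r"reject=451 4\.7\.1 Greylisting in action, please come back in (?P<wait>\d\d:\d\d:\d\d)"
)
# milter-greylist's own record of a sender that retried and was autowhitelisted
AUTOWHITE_RE = re.compile(
    r"milter-greylist(?:\[\d+\])?: (?P<qid>\w+): addr (?P<addr>\S+) from <(?P<from>[^>]*)> "
    r"rcpt <(?P<rcpt>[^>]*)>: autowhitelisted for (?P<period>\d\d:\d\d:\d\d)"
)


def hms_to_seconds(hms):
    """'00:05:00' -> 300, '24:00:00' -> 86400."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_maillog(text):
    """Return a list of event dicts, one per recognised greylisting log line."""
    events = []
    for line in text.splitlines():
        m = TEMPFAIL_RE.search(line)
        if m:
            events.append({"kind": "tempfail", "qid": m["qid"], "rcpt": m["rcpt"],
                           "wait": hms_to_seconds(m["wait"])})
            continue
        m = AUTOWHITE_RE.search(line)
        if m:
            events.append({"kind": "autowhitelisted", "qid": m["qid"], "addr": m["addr"],
                           "from": m["from"], "rcpt": m["rcpt"],
                           "period": hms_to_seconds(m["period"])})
    return events


def summarize(events):
    """Count delays and find recipients whose delayed mail never showed up as autowhitelisted."""
    tempfails = Counter(e["rcpt"] for e in events if e["kind"] == "tempfail")
    returned = {e["rcpt"] for e in events if e["kind"] == "autowhitelisted"}
    return {
        "tempfail": sum(tempfails.values()),
        "autowhitelisted": sum(1 for e in events if e["kind"] == "autowhitelisted"),
        "tempfails_per_rcpt": dict(tempfails),
        "never_returned": sorted(set(tempfails) - returned),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_maillog(SAMPLE_MAILLOG)).items():
        print(f"{key}: {value}")
```

The correlation is deliberately coarse: the sendmail 451 entry carries only the queue id and recipient, and every retry arrives under a new queue id, so the parser can only say that a recipient was delayed and that some sender to that recipient later came back. That is still enough to spot the case the tuning note below warns about, a recipient whose mail keeps being delayed and never reaches the autowhitelisted stage.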

Note: Greylisting is very effective, but you will have to tune its operation to make sure critical emails are not delayed at all. One solution is to set the autowhite period in /etc/mail/greylist.conf to slightly more than 24 hours, especially if you get mail from certain senders, such as newsletters, on a daily basis. This makes them arrive without interruption.
