Greylisting - check against a higher subnet class?

Questions and answers about how to do stuff
Post Reply
dreniarb
Posts: 25
Joined: 23 Sep 2015 15:44

Greylisting - check against a higher subnet class?

Post by dreniarb »

Instead of the sending server needing to have the exact ip address as before, is it possible to change it so that only the first 2 or 3 octets need to match? I think this would make greylisting less intrusive particularly from mail servers like gmail, or yahoo that rarely send from the same ip address.
User avatar
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa
Contact:

Re: Greylisting - check against a higher subnet class?

Post by darky83 »

I never played with it, but it is possible to allow the subnets.

see the file /etc/sqlgrey/sqlgrey.conf

By default it is set to smart, if you set it to classc the subnet is allowed after one host within the subnet is validated.
The 'smart' option is default but it hardly seems to work correctly for google/yahoo etc like you mention.

Code: Select all

## Greylisting method:
# - full   : greylist by IP address
# - classc : greylist by class C network. eg:
#            2.3.4.6 connection accepted if 2.3.4.145 did connect earlier.
# - smart  : greylist by class C network unless there is no reverse lookup
#            or it looks like a home-user address.
# NOTE: IPv6 addresses are treated the same way in 'classc' and 'smart':
#       First the algorithm decides whether the address is in a EUI-64 form
#       or not. If it is then the whole /64 subnet is regarded as "class C"
#       and all the hosts from that subnet are greylisted with the same
#       rule. For non-EUI-64 addresses the full address is processed.
# Default is smart
# greymethod = smart
After changing this you will probably need to restart the sql grey service.

I never tried it myself but let is know, will test myself if I got the time :)
Version eFa 4.x now available!
dreniarb
Posts: 25
Joined: 23 Sep 2015 15:44

Re: Greylisting - check against a higher subnet class?

Post by dreniarb »

Just made the change. Still learning a lot about the ins and outs of this. Probably will be for a long time. Been a Mailenable user for nearly 10 years now so I'm mainly used to how they do things - log files, config files, etc etc. Obviously EFA has a bit of a learning curve for me.

Looking at the Greylist/Domains section on the web interface it seems like it's already done alright with whitelisting a few gmail addresses before I made the change, so perhaps the change wasn't absolutely necessary. But since you mentioned that "smart" doesn't always work well with gmail and yahoo I'm going to go ahead and leave the setting in place.

Thanks for the quick response!
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Greylisting - check against a higher subnet class?

Post by pdwalker »

Mostly, I'd just leave it alone.

I had the same "problem" when I first turned on the efa device. Lots of mail from google was getting temporarily bounced.

After a few days, the greylist database was populated and mail would just go through without delays.
dreniarb
Posts: 25
Joined: 23 Sep 2015 15:44

Re: Greylisting - check against a higher subnet class?

Post by dreniarb »

Agreed. It's been doing just fine now.
dreniarb
Posts: 25
Joined: 23 Sep 2015 15:44

Re: Greylisting - check against a higher subnet class?

Post by dreniarb »

I know this is old but was wondering if it's possible to do greylisting based on a class b subnet? Having some trouble with a few places:

Code: Select all

Sep 21 14:57:30 mucefa sqlgrey: grey: new: 104.47.37(104.47.37.47), davi@meter.com -> amil@ities.com
Sep 21 15:12:22 mucefa sqlgrey: grey: new: 104.47.36(104.47.36.57), davi@meter.com -> amil@ities.com
Sep 21 15:30:45 mucefa sqlgrey: grey: new: 104.47.41(104.47.41.86), davi@meter.com -> amil@ities.com
Sep 21 16:31:41 mucefa sqlgrey: grey: new: 104.47.33(104.47.33.88), davi@meter.com -> amil@ities.com
Sep 22 10:37:17 mucefa sqlgrey: grey: new: 104.47.32(104.47.32.52), davi@meter.com -> amil@ities.com
Sep 22 10:51:34 mucefa sqlgrey: grey: new: 104.47.40(104.47.40.68), davi@meter.com -> amil@ities.com
If it could have just gone off of 104.47.*.* then the next time it came through it would have made it.
dreniarb
Posts: 25
Joined: 23 Sep 2015 15:44

Re: Greylisting - check against a higher subnet class?

Post by dreniarb »

I'm still having trouble with this. Was wondering if anyone knows if changing it to class b is possible?
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: Greylisting - check against a higher subnet class?

Post by stusmith »

You might be better off whitelisting Office 365/outlook.com...

/etc/sqlgrey/clients_fqdn_whiteliest.local

Code: Select all

*.messagelabs.com
messagelabs.com
*.mxlogic.com
mxlogic.com
*.outbound.protection.outlook.com
outbound.protection.outlook.com
If you look at /etc/sqlgrey/clients_ip_whitelist you'll see examples of class B networks that are whitelisted. You may need to run sudo update_sqlgrey_config afterwards
Post Reply