Outgoing greylist

froman
Posts: 21
Joined: 29 Aug 2017 03:41

Outgoing greylist

Post by froman »

Hello.

I'm trying to configure the greylist to filter incoming and outgoing emails. Incoming works like a charm, but I can't get the outgoing filter to work; I need to send all the new email destinations to the greylist.

I modified the sqlgrey.conf and changed the option "optmethod = optout" to "optmethod = none" (according to the sqlgrey help, "none : everyone is greylisted"), but nothing happened.

I changed the order of the smtpd_recipient_restrictions: I put the check_policy_service inet:127.0.0.1:2501 in the first place. This puts the email in the greylist, but it puts the sender, not the destination mail (useless).

Can anyone give me a hand?

PS: sorry about my English.

PS2: I'm using "MailWatch for MailScanner v1.2.3-dev running on EFA-3.0.2.3"

thank you very much.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

Why would you want to greylist your outgoing emails?
Don't you trust your own users?
They will probably get greylisted on the recipient side anyway :-)

What are you trying to accomplish?
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

Hello Ovizii.

First, I never trust my own users; all the problems I have in my life are because of them!!

In a couple of months we had a few accounts compromised by spammers, and some accounts sent 1.500.000 emails in a couple of hours. I implemented a greylist with policyd on our Zimbra server. It works very well, but it is not transparent to the user: every time a user tries to send an email to a new destination, they get an error in the webmail or email client (Outlook, Thunderbird, etc.), and they have to manually resend the email once the greylist period is reached.

This is very annoying for our users, but it's 100% effective. That's why I need to work this out on the E.F.A appliance, since it's transparent to the user and it has a nice and simple web interface to manage (to assign that management to a junior technician).

thank you.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

ouch. I understand now. thanks for explaining.
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

no one? :crying-green:
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

"I change the order of the smtpd_recipient_restrictions, I puted the check_policy_service inet:127.0.0.1:2501 in the first place, this put the email in the greylist, but it puts the sender not the destination mail (useless)."

After reading your post again, I don't think this will work. sqlgrey is doing greylisting, and greylisting always applies based on the sender and not the recipient, so I am unsure how you envision this to work?
Greylisting protects you from "bad senders". As you said, you want protection from "compromised" clients, and those are the clients, so what is wrong with your current solution? I mean, what exactly happens? Does sqlgrey not greylist your sender email, then wait until the sender tries again before it sends out the email?
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

The greylist on inbound messages marks the sender.
On outbound messages it marks the destination.

This works perfectly on the policyd embedded on the Zimbra server (but I need to do this on the E.F.A appliance).
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

policyd is a policy daemon; that isn't actually "pure" greylisting as far as I know.

According to Wikipedia, this is the definition of greylisting, and sqlgrey does exactly that:
"Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate the originating server will try again after a delay, and if sufficient time has elapsed the email will be accepted."
Just a suggestion, but instead of twisting sqlgrey to do what it isn't supposed to do, if you need said functionality, why don't you add policyd to your EFA?
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

because the management is very bad, it can't handle whitelist like sqlgrey
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

OK, I get that. Still not seeing why the way sqlgrey works isn't good enough for you.

I assume it would work this way as I have never tried it:

a) a regular user sends email through your (possibly) exchange server? so the flow would be:
user => exchange => efa || greylisting applies || 5 minutes or so later your exchange resends the email => efa => external email server

b) a user with a compromised pc has countless emails going out through a local smtp server so the flow would be:
user => efa || greylisting applies || the rogue pc never resends the email => efa never relays the email to the external email server

From what I understand this is exactly what you are looking for, isn't it?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Outgoing greylist

Post by henk »

As I understand this (I don't use greylisting):
To block mail from a compromised pc/server through a local smtp server, I use a firewall rule that blocks stuff like this. (in my case Pfsense)

Now only the mailserver can send mail. When using efa as outgoing mail server, also add the EFA ip to an Alias for mailserver.
Attachment: Firewall_ Rules_ LAN.png
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Outgoing greylist

Post by pdwalker »

I do the same as Henk. Only my exchange server is allowed to send mail. Everything else is blocked completely. Exchange then delivers to EFA to check the messages.

So mail users have to use the exchange server. Compromised PCs are too dumb to use the exchange server, so they get blocked, and any attempts show up in my firewall logs.

Would this kind of setup work for you froman?
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

yes, that's what I need.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Outgoing greylist

Post by pdwalker »

Then if you have any control over the firewall, it should be easy for you.

If your firewall supports logging, then enable logging for any blocked port 25 attempts. That'll help you find any rogue mailers on your network.

Let us know how you get on with it.
froman
Posts: 21
Joined: 29 Aug 2017 03:41

Re: Outgoing greylist

Post by froman »

pdwalker wrote: 07 Sep 2017 03:47
Then if you have any control over the firewall, it should be easy for you.

If your firewall supports logging, then enable logging for any blocked port 25 attempts. That'll help you find any rogue mailers on your network.

Let us know how you get on with it.

I already have that; that's not what I need.

It's really simple: for incoming mail, greylist the sender;
for outgoing mail, greylist the destination. Nothing else, just that.
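
Added example, not part of the thread and not sqlgrey or policyd code: a Postfix policy-delegation decision that keys incoming mail on the sender and outgoing mail on the destination, as the post above describes. `LOCAL_DOMAINS`, `GREYLIST_DELAY`, the in-memory `seen` store and the sample addresses are assumptions made for the illustration.

```python
# Added example: greylist decision for a Postfix policy-delegation request.
GREYLIST_DELAY = 300               # seconds; assumed value
LOCAL_DOMAINS = {"example.org"}    # constructed: domains this gateway hosts

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def greylist_key(attrs):
    """Pick the greylist key according to the direction of the message."""
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if recipient.rpartition("@")[2] in LOCAL_DOMAINS:
        # Incoming mail: classic triplet, driven by the remote sender.
        return ("in", attrs.get("client_address", ""), sender, recipient)
    # Outgoing mail: key on the destination, per local account, so every
    # new destination is delayed once.
    account = attrs.get("sasl_username") or sender
    return ("out", account.lower(), recipient)

def decide(request_text, seen, now):
    """Return the reply Postfix expects: 'action=...' plus an empty line."""
    key = greylist_key(parse_request(request_text))
    first_seen = seen.setdefault(key, now)
    if now - first_seen < GREYLIST_DELAY:
        return "action=DEFER_IF_PERMIT Greylisted, please retry later\n\n"
    return "action=DUNNO\n\n"

def sample(sender, recipient, client="192.0.2.10"):
    """Build a constructed request with the attributes used above."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nsender={sender}\nrecipient={recipient}\n\n")

if __name__ == "__main__":
    seen = {}
    out = sample("alice@example.org", "bob@example.net")
    print(decide(out, seen, 0).strip())      # new destination
    print(decide(out, seen, 301).strip())    # retry after the delay
    print(decide(sample("alice@example.org", "carol@example.net"), seen, 302).strip())
```
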
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Outgoing greylist

Post by ovizii »

suit yourself. I can't add more to this topic.