1

Topic: Trouble getting whitelist to stop greylisting

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.5-1
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? not yet
- Related log if you're reporting an issue:
====

Hello, I would like iRedMail not to greylist or otherwise block email that is delivered from my backup mx servers.  These are:

mx1.dnsmadeeasy.com
mx2.dnsmadeeasy.com
mx3.dnsmadeeasy.com

I used wblist_admin.py to add these servers to the whitelist.  It didn't seem to allow DNS name so I added by IP.  If I list my whitelist it shows:

* List all inbound whitelist for account: @.
208.80.120.10
208.80.120.11
208.94.147.129
208.94.150.197
@.

However when those backup mx servers attempt to deliver to my domain I still get this message in the maillog:

NOQUEUE: reject: RCPT from mx1.dnsmadeeasy.com[208.80.120.10]: 451 4.7.1 <me@example.com>: Recipient address rejected: Intentional policy rejection, please try again later

Could you please let me know if I am configuring the whitelist incorrectly?


2

Re: Trouble getting whitelist to stop greylisting

Could you please turn on debug mode in iRedAPD to help us understand why it doesn't bypass these backup mx servers?

Another way to solve it is to list them as trusted clients in the iRedAPD config file /opt/iredapd/settings.py, like this:

MYNETWORKS = ['208.80.120.10', '208.80.120.11', ...]

Restarting the iRedAPD service is required.

Note: it's recommended to whitelist them, not add them as trusted clients.

3

Re: Trouble getting whitelist to stop greylisting

Thanks for helping me check this out.  Here is the debug log:

2016-09-15 22:30:05 INFO    + [zendesk.com]
2016-09-15 22:30:05 INFO    + [zoho.com]
2016-09-15 22:40:41 INFO Starting iRedAPD (version: 1.9.0, backend: pgsql), listening on 127.0.0.1:7777.
2016-09-15 22:40:41 INFO Log rotate type: time, interval: W6, backup copies: 12.
2016-09-15 22:40:41 INFO Loading plugin: reject_null_sender
2016-09-15 22:40:41 INFO Loading plugin: reject_sender_login_mismatch
2016-09-15 22:40:41 INFO Loading plugin: greylisting
2016-09-15 22:40:41 INFO Loading plugin: throttle
2016-09-15 22:40:41 INFO Loading plugin: sql_alias_access_policy
2016-09-15 22:40:41 INFO Loading plugin: amavisd_wblist
2016-09-15 22:47:33 DEBUG Connect from 127.0.0.1, port 53622.
2016-09-15 22:47:33 DEBUG smtp session: request=smtpd_access_policy
2016-09-15 22:47:33 DEBUG smtp session: protocol_state=RCPT
2016-09-15 22:47:33 DEBUG smtp session: protocol_name=ESMTP
2016-09-15 22:47:33 DEBUG smtp session: client_address=198.51.100.11
2016-09-15 22:47:33 DEBUG smtp session: client_name=mx1.dnsmadeeasy.com
2016-09-15 22:47:33 DEBUG smtp session: reverse_client_name=mx1.dnsmadeeasy.com
2016-09-15 22:47:33 DEBUG smtp session: helo_name=mx1.dnsmadeeasy.com
2016-09-15 22:47:33 DEBUG smtp session: sender=someone@example2.com
2016-09-15 22:47:33 DEBUG smtp session: recipient=me@example.com
2016-09-15 22:47:33 DEBUG smtp session: recipient_count=0
2016-09-15 22:47:33 DEBUG smtp session: queue_id=
2016-09-15 22:47:33 DEBUG smtp session: instance=df1.57db8775.27f27.0
2016-09-15 22:47:33 DEBUG smtp session: size=226
2016-09-15 22:47:33 DEBUG smtp session: etrn_domain=
2016-09-15 22:47:33 DEBUG smtp session: stress=
2016-09-15 22:47:33 DEBUG smtp session: sasl_method=
2016-09-15 22:47:33 DEBUG smtp session: sasl_username=
2016-09-15 22:47:33 DEBUG smtp session: sasl_sender=
2016-09-15 22:47:33 DEBUG smtp session: ccert_subject=
2016-09-15 22:47:33 DEBUG smtp session: ccert_issuer=
2016-09-15 22:47:33 DEBUG smtp session: ccert_fingerprint=
2016-09-15 22:47:33 DEBUG smtp session: ccert_pubkey_fingerprint=
2016-09-15 22:47:33 DEBUG smtp session: encryption_protocol=
2016-09-15 22:47:33 DEBUG smtp session: encryption_cipher=
2016-09-15 22:47:33 DEBUG smtp session: encryption_keysize=0
2016-09-15 22:47:33 DEBUG --> Apply plugin: reject_null_sender
2016-09-15 22:47:33 DEBUG <-- Result: DUNNO
2016-09-15 22:47:33 DEBUG --> Apply plugin: reject_sender_login_mismatch
2016-09-15 22:47:33 DEBUG Not an authenticated sender (no sasl_username).
2016-09-15 22:47:33 DEBUG [SQL] query alias domains: 
SELECT alias_domain
                               FROM alias_domain
                              WHERE alias_domain='example2.com' OR target_domain='example2.com'
                              LIMIT 1
2016-09-15 22:47:33 DEBUG SQL query result: None
2016-09-15 22:47:33 DEBUG Sender domain is not hosted locally.
2016-09-15 22:47:33 DEBUG <-- Result: DUNNO
2016-09-15 22:47:33 DEBUG --> Apply plugin: greylisting
2016-09-15 22:47:33 DEBUG [SQL] Query greylisting whitelists: 
SELECT id, sender, comment
               FROM greylisting_whitelists
              WHERE account IN ('me@example.com', '@example.com', '@.')
2016-09-15 22:47:33 DEBUG No whitelist found.
2016-09-15 22:47:33 DEBUG [SQL] query greylisting settings: 
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('me@example.com', '@example.com', '@.')
              ORDER BY priority DESC, sender_priority DESC
2016-09-15 22:47:33 DEBUG [SQL] query result: [(1, u'@.', u'@.', 0, 1)]
2016-09-15 22:47:33 DEBUG Greylisting should be applied according to SQL record: (id=1, account='@.', sender='@.')
2016-09-15 22:47:33 DEBUG [SQL] query greylisting tracking: 
SELECT init_time, blocked_count, block_expired, record_expired
               FROM greylisting_tracking
              WHERE     sender='someone@example2.com'
                    AND recipient='me@example.com'
                    AND client_address='198.51.100.11'
              LIMIT 1
2016-09-15 22:47:33 INFO [198.51.100.11] Client has not been seen before, greylisted.
2016-09-15 22:47:33 DEBUG [SQL] New tracking: 
INSERT INTO greylisting_tracking (sender, sender_domain,
                                                   recipient, rcpt_domain,
                                                   client_address,
                                                   init_time,
                                                   block_expired, record_expired,
                                                   blocked_count)
                      VALUES ('someone@example2.com', 'example2.com', 'me@example.com', 'example.com', '198.51.100.11', 1474004853, 1474005753, 1474177653, 1)
2016-09-15 22:47:33 DEBUG <-- Result: 451 4.7.1 Intentional policy rejection, please try again later
2016-09-15 22:47:33 DEBUG Session ended
2016-09-15 22:47:33 INFO [198.51.100.11] RCPT, someone@example2.com -> me@example.com, 451 4.7.1 Intentional policy rejection, please try again later

4

Re: Trouble getting whitelist to stop greylisting

This time the debug option is turned on, but no log related to throttling. Please try again.

5

Re: Trouble getting whitelist to stop greylisting

ZhangHuangbin wrote:

This time the debug option is turned on, but no log related to throttling. Please try again.

Is it possible that you didn't see the continuation of the log when you scroll down?  It says this which I think is a positive:

Client has not been seen before, greylisted.
DEBUG <-- Result: 451 4.7.1 Intentional policy rejection, please try again later

6

Re: Trouble getting whitelist to stop greylisting

Sorry about my previous reply, I mixed it with another forum thread.

The problem is: iRedAPD applies plugin 'greylisting' BEFORE 'amavisd_wblist', so it doesn't whitelist it. In this case, you should whitelist it for greylisting service too:
http://www.iredmail.org/docs/manage.ire … g-settings
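
An added example, not part of the original posts or of iRedAPD itself: a small parser for the debug-log format quoted earlier in this thread that reports, per policy session, which plugin returned the first non-DUNNO result and which loaded plugins never ran. The function name `analyze` and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: lines trimmed from the debug log quoted earlier in the thread.
SAMPLE_LOG = """\
2016-09-15 22:40:41 INFO Loading plugin: reject_null_sender
2016-09-15 22:40:41 INFO Loading plugin: reject_sender_login_mismatch
2016-09-15 22:40:41 INFO Loading plugin: greylisting
2016-09-15 22:40:41 INFO Loading plugin: throttle
2016-09-15 22:40:41 INFO Loading plugin: sql_alias_access_policy
2016-09-15 22:40:41 INFO Loading plugin: amavisd_wblist
2016-09-15 22:47:33 DEBUG Connect from 127.0.0.1, port 53622.
2016-09-15 22:47:33 DEBUG smtp session: client_address=198.51.100.11
2016-09-15 22:47:33 DEBUG --> Apply plugin: reject_null_sender
2016-09-15 22:47:33 DEBUG <-- Result: DUNNO
2016-09-15 22:47:33 DEBUG --> Apply plugin: reject_sender_login_mismatch
2016-09-15 22:47:33 DEBUG <-- Result: DUNNO
2016-09-15 22:47:33 DEBUG --> Apply plugin: greylisting
2016-09-15 22:47:33 DEBUG <-- Result: 451 4.7.1 Intentional policy rejection, please try again later
2016-09-15 22:47:33 DEBUG Session ended
"""

LINE = re.compile(r"^\S+ \S+ (?:DEBUG|INFO)\s+(.*)$")

def analyze(log_text):
    """Return one dict per policy session: plugins run, who decided, who never ran."""
    loaded, sessions, cur = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines of multi-line SQL statements
        msg = m.group(1)
        if msg.startswith("Loading plugin: "):
            loaded.append(msg.split(": ", 1)[1])
        elif msg.startswith("Connect from "):
            cur = {"client": None, "applied": [], "decided_by": None, "result": None}
        elif cur is None:
            continue  # line is outside any session
        elif msg.startswith("smtp session: client_address="):
            cur["client"] = msg.split("=", 1)[1]
        elif msg.startswith("--> Apply plugin: "):
            cur["applied"].append(msg.split(": ", 1)[1])
        elif msg.startswith("<-- Result: ") and cur["applied"] and not cur["decided_by"]:
            if not msg.endswith(" DUNNO"):  # in the quoted log, no plugin runs after this
                cur["decided_by"], cur["result"] = cur["applied"][-1], msg.split(": ", 1)[1]
        elif msg == "Session ended":
            cur["never_ran"] = [p for p in loaded if p not in cur["applied"]]
            sessions.append(cur)
            cur = None
    return sessions
```

On the sample, `analyze(SAMPLE_LOG)` shows `greylisting` as the deciding plugin and `amavisd_wblist` in the `never_ran` list.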

7

Re: Trouble getting whitelist to stop greylisting

Thank you for sending that link.  I read through the documentation and I wasn't sure how I can use this tool to whitelist my backup MX servers.  The incoming mail would be from random senders and would not be coming from the servers listed in the sender domain's SPF record; it would be coming from my backup MX.

I think --from would need to allow IPs in addition to email addresses.

8

Re: Trouble getting whitelist to stop greylisting

You can use any (valid) address (ip, network, domain, email) as value of '--from'.