Subject: Re: milter-greylist
To: None <rmk@rmkhome.com>
From: Eric Schnoebelen <eric@cirr.com>
List: pkgsrc-users
Date: 10/28/2006 21:17:33
Rick Kelly writes:
- Does anyone use this software?

	I'm using it on NetBSD 2.0*, 3.0_STABLE, and 4.0_BETA
(with pkgsrc sendmail).  In fact, I recently submitted patches
to bring milter-greylist up to date (and they've been applied,
and further updated.)

	Picking on a handy host (running pkgsrc/mail/sendmail,
4.0_BETA), I have the following in rc.conf:

	sendmail=YES            sendmail_flags="-Lsm-mta -bd -q30m"
	sendmail_suidroot=NO
	smmsp=YES               smmsp_flags="-Lsm-msp-queue -Ac -q30m"
	miltergreylist=YES

The following in sendmail.mc:
	dnl set up milter-greylist
	MAIL_FILTER(`greylist',
	    `S=unix:/var/milter-greylist/milter-greylist.sock, F=T, T=S:60s;R:60s;E:5m')dnl

which leads to the following lines in /etc/mail/sendmail.cf:

	# Input mail filters
	O InputMailFilters=greylist

	# Milter options
	#O Milter.LogLevel
	O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
	O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
	O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
	O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
	O Milter.macros.eom={msg_id}
	Xgreylist, S=unix:/var/milter-greylist/milter-greylist.sock, F=T, T=S:60s;R:60s;E:5m

And the following for /etc/mail/greylist.conf (which is based
on a milter-greylist 1.x or 2.x config; I've been running it
for a while...)

	#
	# Greylisting config file
	#
	# $Id: greylist.conf,v 1.8 2006/10/18 18:20:40 root Exp $
	#

	# Uncomment this to enable debug output.
	# Note that options appearing before the "verbose" option in this
	# file will not be treated verbosely.
	# May be overridden by the "-v" command line argument.
	#verbose

	# If you work with multiple MXs, list them with
	# peer entries to enable greylist sync among the MXs.
	#
	#	egsner, rosebud, milo, & ihnp4.
	#peer 192.67.63.1
	peer 192.67.63.7
	peer 192.67.63.6
	peer 192.67.63.8


	# You may wish to use a specific local address or port for
	# syncing between MXs. Of course one of your interfaces
	# must have the address assigned. An '*' for the address
	# means any address.
	#syncaddr *
	#syncaddr * port 7689
	#syncaddr 192.0.2.2
	#syncaddr 192.0.2.2 port 9785
	#syncaddr 2001:db8::1:c3b5:123
	#syncaddr 2001:db8::1:c3b5:123 port 1234

	# Greylisting your own MTA is a very bad idea: never
	# comment this line, except for testing purposes.
	acl whitelist addr 127.0.0.0/8

	# If you use IPv6, uncomment this.
	#acl whitelist addr ::1/128

	# You will want to avoid greylisting your own clients
	# as well, by filtering out your IP address blocks.
	# Here is an example if you use 192.0.2.0/16.
	acl whitelist addr 192.67.63.0/27

	# It is also possible to whitelist sender
	# machines using their DNS names.
	#acl whitelist domain example.net

	# You can avoid greylisting by filtering on the sender
	# envelope address, but this is not a good idea: it
	# can be trivially forged.
	#acl whitelist from friendly@example.com

	# Some of your users do not get any spam because
	# their addresses have never been collected by
	# spammers. They will want to avoid the extra delivery
	# delay caused by grey listing. You can filter on the
	# recipient envelope address to achieve that.
	#acl whitelist rcpt John.Doe@example.net

	# It is possible to use regular expressions in domain, from
	# and rcpt lines. The expression must be enclosed by
	# slashes (/). Note that no escaping is available to
	# provide slashes inside the regular expression.
	#acl whitelist rcpt /.*@example\.net/

	# This option tells milter-greylist when it should
	# add an X-Greylist header. Default is all, which
	# causes a header to always be added. Other possible
	# values are none, delays and nodelays
	#report all

	# This option attempts to make milter-greylist more
	# friendly with sender callback systems. When the
	# message is from <>, it will be temporarily
	# rejected at the DATA stage instead of the RCPT
	# stage of the SMTP transaction. In the case of a
	# multi recipient DSN, whitelisted recipients will
	# not be honoured.
	#delayedreject

	# Uncomment if you want auto-whitelist to work for
	# the IP rather than for the (IP, sender, receiver)
	# tuple.
	#lazyaw

	# How often should we dump to the dumpfile (0: on each change, -1: never).
	#dumpfreq 10m

	# How long will the greylist database retain tuples.
	timeout 2d

	# Do not use ${greylist} macros from sendmail's access DB.
	#noaccessdb

	# Use extended regular expressions instead of basic
	# regular expressions.
	#extendedregex

	#
	# All of the following options have command-line equivalents.
	# See greylist.conf(5) for the exact equivalences.
	#

	# How long does auto-whitelisting last (set it to 0
	# to disable auto-whitelisting). Here, 2 days.
	# May be overridden by the "-a autowhite_delay" command line argument.
	autowhite 2d

	# Specify the netmask to be used when checking IPv4 addresses
	# in the greylist.
	# May be overridden by the "-L cidrmask" command line argument.
	#subnetmatch /24

	# Specify the netmask to be used when checking IPv6 addresses
	# in the greylist.
	# May be overridden by the "-M prefixlen" command line argument.
	#subnetmatch6 /64

	# Normally, clients that succeed SMTP AUTH are not
	# greylisted. Uncomment this if you want to
	# greylist them regardless of SMTP AUTH.
	# May be overridden by the "-A" command line argument.
	#noauth

	# If milter-greylist was built with SPF support, then
	# SPF-compliant senders are not greylisted. Uncomment
	# this to greylist them regardless of SPF compliance.
	# May be overridden by the "-S" command line argument.
	#nospf

	# Uncomment if you want milter-greylist to remain
	# in the foreground (no daemon).
	# May be overridden by the "-D" command line argument.
	#nodetach

	# Uncomment this if you do not want milter-greylist
	# to tell its clients how long they are greylisted.
	# May be overridden by the "-q" command line argument.
	#quiet

	# You can specify a file where milter-greylist will
	# store its PID.
	# May be overridden by the "-P pidfile" command line argument.
	pidfile "/var/run/milter-greylist.pid"

	# You can specify the socket file used to communicate
	# with sendmail.
	# May be overridden by the "-p socket" command line argument.
	socket "/var/milter-greylist/milter-greylist.sock"

	# The dumpfile location.
	# May be overridden by the "-d dumpfile" command line argument.
	#dumpfile "/var/milter-greylist/greylist.db"

	# The user the milter should run as.
	# May be overridden by the "-u username" command line argument.
	user "smmsp"

	#
	#	greylisting based on RBL's -- going for dynamic hosts, mostly
	#
	dnsrbl	"NJABL" dnsbl.njabl.org 127.0.0.2
	dnsrbl	"NJABL" dnsbl.njabl.org 127.0.0.3
	dnsrbl	"NJABL" dnsbl.njabl.org 127.0.0.4
	dnsrbl	"NJABL" dnsbl.njabl.org 127.0.0.9
	dnsrbl	"SPAMHAUS" sbl.spamhaus.org 127.0.0.2

	acl greylist dnsrbl "NJABL" delay 1h
	acl greylist dnsrbl "SPAMHAUS" delay 1h

	# This is a list of broken MTAs that break with greylisting. Copied from
	# http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.12
	acl whitelist addr 12.5.136.141/32    # Southwest Airlines (unique sender)
	acl whitelist addr 12.5.136.142/32    # Southwest Airlines
	acl whitelist addr 12.5.136.143/32    # Southwest Airlines
	acl whitelist addr 12.5.136.144/32    # Southwest Airlines
	acl whitelist addr 12.107.209.244/32  # kernel.org (unique sender)
	acl whitelist addr 12.107.209.250/32  # sourceware.org (unique sender)
	acl whitelist addr 63.82.37.110/32    # SLmail
	acl whitelist addr 63.169.44.143/32   # Southwest Airlines (unique sender, no retry)
	acl whitelist addr 63.169.44.144/32   # Southwest Airlines (unique sender, no retry)
	acl whitelist addr 64.7.153.18/32     # sentex.ca (common pool)
	acl whitelist addr 64.12.136.0/24     # AOL (common pool)
	acl whitelist addr 64.12.137.0/24     # AOL
	acl whitelist addr 64.12.138.0/24     # AOL
	acl whitelist addr 64.124.204.39      # moveon.org (unique sender)
	acl whitelist addr 64.125.132.254/32  # collab.net (unique sender)
	acl whitelist addr 66.94.237.16/28    # Yahoo Groups servers (common pool)
	acl whitelist addr 66.94.237.32/28    # Yahoo Groups servers (common pool)
	acl whitelist addr 66.94.237.48/30    # Yahoo Groups servers (common pool)
	acl whitelist addr 66.100.210.82/32   # Groupwise?
	acl whitelist addr 66.135.192.0/19    # Ebay
	acl whitelist addr 66.162.216.166/32  # Groupwise?
	acl whitelist addr 66.206.22.82/32    # Plexor
	acl whitelist addr 66.206.22.83/32    # Plexor
	acl whitelist addr 66.206.22.84/32    # Plexor
	acl whitelist addr 66.206.22.85/32    # Plexor
	acl whitelist addr 66.218.66.0/23     # Yahoo Groups servers (common pool)
	acl whitelist addr 66.218.67.0/23     # Yahoo Groups servers (common pool)
	acl whitelist addr 66.218.68.0/23     # Yahoo Groups servers (common pool)
	acl whitelist addr 66.27.51.218/32    # ljbtc.com (Groupwise)
	acl whitelist addr 152.163.225.0/24   # AOL
	acl whitelist addr 194.245.101.88/32  # Joker.com
	acl whitelist addr 195.235.39.19/32   # Tid InfoMail Exchanger v2.20
	acl whitelist addr 195.46.220.208/32  # mgn.net
	acl whitelist addr 195.46.220.209/32  # mgn.net
	acl whitelist addr 195.46.220.210/32  # mgn.net
	acl whitelist addr 195.46.220.211/32  # mgn.net
	acl whitelist addr 195.46.220.221/32  # mgn.net
	acl whitelist addr 195.46.220.222/32  # mgn.net
	acl whitelist addr 195.238.2.0/24     # skynet.be (weird retry pattern)
	acl whitelist addr 195.238.3.0/24     # skynet.be
	acl whitelist addr 204.107.120.10/32  # Ameritrade (no retry)
	acl whitelist addr 205.188.0.0/16     # AOL
	acl whitelist addr 205.206.231.0/24   # SecurityFocus.com (unique sender)
	acl whitelist addr 207.115.63.0/24    # Prodigy - retries continually
	acl whitelist addr 207.171.168.0/24   # Amazon.com
	acl whitelist addr 207.171.180.0/24   # Amazon.com
	acl whitelist addr 207.171.187.0/24   # Amazon.com
	acl whitelist addr 207.171.188.0/24   # Amazon.com
	acl whitelist addr 207.171.190.0/24   # Amazon.com
	acl whitelist addr 211.29.132.0/24    # optusnet.com.au (weird retry pattern)
	acl whitelist addr 213.136.52.31/32   # Mysql.com (unique sender)
	acl whitelist addr 216.33.244.0/24    # Ebay
	acl whitelist addr 217.158.50.178/32  # AXKit mailing list (unique sender)

	# How long a client has to wait before we accept
	# the messages it retries to send. Here, 15 minutes.
	# May be overridden by the "-w greylist_delay" command line argument.
	acl greylist default delay 15m

--
Eric Schnoebelen		eric@cirr.com		http://www.cirr.com
  "Linux in some ways is the Jerry Springer of operating systems, ..."
		 Bruce Becker in comp.sys.sun.wanted
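The sendmail.cf and greylist.conf fragments above have to agree with each other for greylisting to do anything useful: the socket path in the `Xgreylist` line must be the one the milter listens on, `F=T` decides what sendmail does when the milter is unreachable, the loopback network and the sync peers must stay whitelisted, and every broad `acl whitelist addr` block is a hole in the policy. The following checker is an added example, not code from the post or from the milter-greylist project; the two configuration strings are constructed here from the values quoted in the message, and the function names and the "/24 or shorter is broad" threshold are this example's own choices.

```python
"""Consistency checks for a sendmail + milter-greylist deployment.

Added example (not part of the original post or of milter-greylist).
It parses the relevant lines of sendmail.cf and greylist.conf and reports:
  * a socket path in sendmail.cf that differs from the milter's 'socket' line;
  * a filter without F=T, i.e. mail is accepted unfiltered if the milter dies;
  * a missing 127.0.0.0/8 whitelist entry (the MTA would greylist itself);
  * sync peers that lie outside every whitelisted block;
  * whitelist networks shorter than a /24, which bypass greylisting wholesale.
"""
import ipaddress
import re

# Constructed from the sendmail.cf lines shown in the message.
SENDMAIL_CF = """\
O InputMailFilters=greylist
Xgreylist, S=unix:/var/milter-greylist/milter-greylist.sock, F=T, T=S:60s;R:60s;E:5m
"""

# Constructed subset of the greylist.conf shown in the message.
GREYLIST_CONF = """\
peer 192.67.63.7
peer 192.67.63.6
peer 192.67.63.8
acl whitelist addr 127.0.0.0/8
acl whitelist addr 192.67.63.0/27
socket "/var/milter-greylist/milter-greylist.sock"
user "smmsp"
acl whitelist addr 64.12.136.0/24     # AOL (common pool)
acl whitelist addr 205.188.0.0/16     # AOL
acl whitelist addr 64.124.204.39      # moveon.org (unique sender)
acl greylist default delay 15m
"""

X_LINE = re.compile(r"^X(\w+),\s*(.*)$")


def parse_sendmail_cf(text):
    """Return (active filter names, {name: {S:..., F:..., T:...}}) from X lines."""
    active, filters = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O InputMailFilters="):
            active = [f.strip() for f in line.split("=", 1)[1].split(",") if f.strip()]
            continue
        m = X_LINE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        opts = {}
        for field in rest.split(", "):  # fields are "K=V"; T's value itself contains ';'
            if "=" in field:
                k, v = field.split("=", 1)
                opts[k.strip()] = v.strip()
        filters[name] = opts
    return active, filters


def parse_greylist_conf(text):
    """Collect peers, whitelisted networks and the socket path; '#' starts a comment."""
    conf = {"peers": [], "whitelist": [], "socket": None}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "peer" and len(tokens) >= 2:
            conf["peers"].append(ipaddress.ip_address(tokens[1]))
        elif tokens[:3] == ["acl", "whitelist", "addr"] and len(tokens) >= 4:
            # A bare address (no prefix) is treated as a single host, as milter-greylist does.
            conf["whitelist"].append(ipaddress.ip_network(tokens[3], strict=False))
        elif tokens[0] == "socket" and len(tokens) >= 2:
            conf["socket"] = tokens[1].strip('"')
    return conf


def check_deployment(sendmail_cf, greylist_conf, broad_prefix=24):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    active, filters = parse_sendmail_cf(sendmail_cf)
    conf = parse_greylist_conf(greylist_conf)
    for name in active:
        opts = filters.get(name)
        if opts is None:
            findings.append(f"filter {name} is in InputMailFilters but has no X line")
            continue
        sock = re.sub(r"^(unix|local):", "", opts.get("S", ""))
        if sock != conf["socket"]:
            findings.append(f"filter {name}: sendmail connects to {sock!r} but greylist.conf listens on {conf['socket']!r}")
        if "T" not in opts.get("F", ""):
            findings.append(f"filter {name}: no F=T, so mail is accepted unfiltered when the milter is unreachable")
    loopback = ipaddress.ip_network("127.0.0.0/8")
    v4 = [n for n in conf["whitelist"] if n.version == 4]
    if not any(loopback.subnet_of(n) for n in v4):
        findings.append("127.0.0.0/8 is not whitelisted: the MTA would greylist itself")
    for peer in conf["peers"]:
        if not any(peer in n for n in conf["whitelist"] if n.version == peer.version):
            findings.append(f"sync peer {peer} is outside every whitelisted block")
    for n in v4:
        if n != loopback and n.prefixlen < broad_prefix:
            findings.append(f"whitelist {n} is broader than a /{broad_prefix}: review it")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SENDMAIL_CF, GREYLIST_CONF) or ["no findings"]:
        print(finding)
```

Run against the quoted configuration the only finding is the AOL /16, which is exactly the kind of entry worth revisiting periodically: the whitelist copied from puremagic.com is a snapshot of other people's mail infrastructure, and each block in it is traffic that never sees the greylist.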