Yahoo Groups archive

Milter-greylist

whitelist SASL-authenticated sessions

2011-03-23 by Oliver Fromme

Hi,

I have a machine running sendmail + milter-greylist 4.2.6,
the OS is FreeBSD 8, if that matters.  All works very well,
except for a small detail ...  I have configured sendmail
to use STARTTLS + SASL, so I can use the mailserver for
sending messages from my mobile phone.  For simplicity, I
use a shared secret (password) using PLAIN authentication
over a TLS-encrypted channel, but not certificate stuff.
All of that works well, too, but the authenticated sessions
are subject to greylisting, which doesn't make sense and
causes problems.

So the question is, how to disable greylisting for
authenticated sessions?  I can't just whitelist the IP addresses
because they are randomly assigned by the mobile provider
(they don't even have DNS PTR records), and I certainly
don't want to whitelist the provider's whole network.

Here's an excerpt from the maillog:

sm-mta[90312]: STARTTLS=server, relay=[{phone's IP}], version=TLSv1/SSLv3,
        verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[90312]: AUTH=server, relay=[{phone's IP}], authid={user}@{mymailserver},
        mech=PLAIN, bits=0
milter-greylist: p2NC8Lev090312: addr [{phone's IP}][{phone's IP}] from
        <{my from addr}> to <{rcpt addr}> delayed for 00:03:00 (ACL 330)
sm-mta[90312]: p2NC8Lev090312: Milter: to=<{rcpt addr}>, reject=451
        4.7.1 Greylisting in action, please come back in 00:03:00
sm-mta[90312]: p2NC8Lev090312: from=<{my from addr}>, size=0, class=0,
        nrcpts=0, proto=ESMTP, daemon=MSA-v4, relay=[{phone's IP}]

Of course, the tuple is then automatically whitelisted, and
the message passes through a few minutes later (or half an
hour later) -- unless the phone goes offline to save power,
and then gets a new address assigned from the provider, so
the delivery fails again.  :-(

A successful delivery is logged like this:

sm-mta[90349]: STARTTLS=server, relay=[{phone's IP}], version=TLSv1/SSLv3,
        verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[90349]: AUTH=server, relay=[{phone's IP}], authid={user}@{mymailserver},
        mech=PLAIN, bits=0
milter-greylist: p2NCHFrX090349: addr {phone's IP} from <{my from addr}> rcpt
        <{rcpt addr}>: autowhitelisted for 120:00:00
sm-mta[90349]: p2NCHFrX090349: from=<{my from addr}>, size=2275, class=0,
        nrcpts=3, msgid=<{some long string}@...>, proto=ESMTP,
        daemon=MSA-v4, relay=[{phone's IP}]
sm-mta[90349]: p2NCHFrX090349: Milter add: header: X-Greylist: Delayed for
        00:08:54 by milter-greylist-4.2.6 ({mymailserver} [{server's IP}]);
        Wed, 23 Mar 2011 13:17:36 +0100 (CET)
sm-mta[90351]: p2NCHFrX090349: to=<{rcpt addr}>, delay=00:00:22,
        xdelay=00:00:00, mailer=esmtp, pri=92275, relay={rcpt's server}
        [{rcpt's server's IP}], dsn=2.0.0, stat=Sent ({accept message})

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"It combines all the worst aspects of C and Lisp:  a billion different
sublanguages in one monolithic executable.  It combines the power of C
with the readability of PostScript."
        -- Jamie Zawinski, when asked: "What's wrong with perl?"

Re: [milter-greylist] whitelist SASL-authenticated sessions

2011-03-23 by John Wood

Oliver,

> So the question is, how to disable greylisting for
> authenticated sessions?  I can't just whitelist the IP addresses

Try using the auth and/or tls racl. Something like:

racl whitelist auth /.*/

See the greylist.conf man page for more info.

John

Re: [milter-greylist] whitelist SASL-authenticated sessions

2011-03-23 by Oliver Fromme

John Wood wrote:
 > Oliver,
 > 
 > > So the question is, how to disable greylisting for
 > > authenticated sessions?  I can't just whitelist the IP addresses
 > 
 > Try using the auth and/or tls racl. Something like:
 > 
 > racl whitelist auth /.*/

Thanks for the hint, but the documentation states that
authenticated sessions are not greylisted by *default*.

However, just a minute ago I found out that I forgot to
add {auth_authen} to the milter macros.  My mistake.
I'm adding it right now, assuming that it will fix the
problem.

Best regards
   Oliver


-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"[...]  one observation we can make here is that Python makes
an excellent pseudocoding language, with the wonderful attribute
that it can actually be executed."  --  Bruce Eckel
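
The symptom in the maillog excerpt at the top of this thread (a session that logs AUTH=server and is then rejected with "451 4.7.1 Greylisting") can be checked for mechanically. The following Python script is an added example, not part of any post in this thread or of milter-greylist; it assumes one log entry per line, and the sample lines are constructed with documentation addresses.

```python
import re

# Constructed sample in the format of the maillog excerpt in this thread
# (entries unwrapped to one line each, documentation addresses); not real data.
SAMPLE_LOG = """\
sm-mta[90312]: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
sm-mta[90312]: AUTH=server, relay=[192.0.2.10], authid=user@mail.example.org, mech=PLAIN, bits=0
milter-greylist: p2NC8Lev090312: addr [192.0.2.10][192.0.2.10] from <user@example.org> to <rcpt@example.net> delayed for 00:03:00 (ACL 330)
sm-mta[90312]: p2NC8Lev090312: Milter: to=<rcpt@example.net>, reject=451 4.7.1 Greylisting in action, please come back in 00:03:00
sm-mta[90400]: p2NC9Aaa090400: Milter: to=<rcpt@example.net>, reject=451 4.7.1 Greylisting in action, please come back in 00:03:00
sm-mta[90349]: AUTH=server, relay=[192.0.2.11], authid=user@mail.example.org, mech=PLAIN, bits=0
sm-mta[90349]: p2NCHFrX090349: from=<user@example.org>, size=2275, class=0, nrcpts=3, proto=ESMTP, daemon=MSA-v4, relay=[192.0.2.11]
"""

# sendmail logs the SASL result per process: sm-mta[PID]: AUTH=server, ...
AUTH_RE = re.compile(
    r"sm-mta\[(\d+)\]: AUTH=server, relay=\[([^\]]*)\], authid=([^,]+), mech=(\w+)")
# The greylist tempfail is logged by the same sendmail process, with a queue ID.
REJECT_RE = re.compile(
    r"sm-mta\[(\d+)\]: (\w+): Milter: to=<([^>]*)>, reject=451 4\.7\.1 Greylisting")


def greylisted_auth_sessions(lines):
    """Return sessions that authenticated via SASL and were still greylisted.

    Sessions are correlated by sendmail PID. PIDs are reused over time, so on
    a long log an old AUTH line can match a later process; run this on a
    bounded time window.
    """
    authenticated = {}  # pid -> (authid, mech, relay)
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            pid, relay, authid, mech = m.groups()
            authenticated[pid] = (authid, mech, relay)
            continue
        m = REJECT_RE.search(line)
        if m and m.group(1) in authenticated:
            pid, queue_id, rcpt = m.groups()
            authid, mech, relay = authenticated[pid]
            findings.append({"pid": pid, "queue_id": queue_id, "rcpt": rcpt,
                             "authid": authid, "mech": mech, "relay": relay})
    return findings


if __name__ == "__main__":
    for f in greylisted_auth_sessions(SAMPLE_LOG.splitlines()):
        print("authenticated but greylisted:", f)
```

Any hit means the milter did not treat the session as authenticated, which is the situation the poster describes before adding {auth_authen} to the milter macros.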

Re: [milter-greylist] whitelist SASL-authenticated sessions

2011-03-23 by John Wood

Oliver, 

> Thanks for the hint, but the documentation states that
> authenticated sessions are not greylisted by *default*.
> 
> However, just a minute ago I found out that I forgot to add 
> {auth_authen} to the milter macros.  My mistake. I'm adding it right 
> now, assuming that it will fix the problem.

Ah, sorry about that. I assumed you had tried it and it wasn't working 
right. I'd think that will fix your issue, too.

John

Re: [milter-greylist] whitelist SASL-authenticated sessions

2011-03-24 by manu@netbsd.org

Oliver Fromme <olli@...> wrote:

> Thanks for the hint, but the documentation states that
> authenticated sessions are not greylisted by *default*.

IIRC they are until you start using auth clauses in ACL, but I am not
sure. Someone will have to look at the code.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] whitelist SASL-authenticated sessions

2011-03-24 by John Wood

> IIRC they are until you start using auth clauses in ACL, but I am not
> sure. Someone will have to look at the code.

That is what the documentation says (for both auth and tls)

"Using such a clause automatically disable global STARTTLS and SMTP AUTH 
whitelisting, like if the noauth keyword would have been used."
