Yahoo Groups archive

Milter-greylist

Whitelist with Sendmail access db


2017-06-27 by markus@...

Hello!


I'm trying to get whitelisting with Sendmail's access.db to work, with no luck :(

I'm using 4.6.2. The milter works just fine otherwise except for the access.db feature.


In my server's sendmail.mc I got:


dnl
dnl Milter macros (required by milter-greylist)
dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl


I also got this at the end of sendmail.mc:


dnl
dnl Required by milter-greylist
dnl
LOCAL_CONFIG
Kstorage macro
LOCAL_RULESETS
SLocal_check_rcpt
R$+	$: $(storage {greylist} $) $&{client_addr}
R$+	$: $>A <$1> <?> <+Connect> <$1>
R<$+> <$*>	$: $(storage {greylist} $@ $1 $) $2


As mentioned in the documentation, I made sure to use tabs in front of the $:


I'm not really sure what the exact syntax is supposed to be in the access file. I've tried a few variations.

My last bet was this:


Connect:example.com OK


Also tried:


Connect:example.com WHITE


Nothing seems to work, incoming messages are treated by the normal racl rules and seem to be ignored by the access.db whitelisting.


Is there anyone with a working configuration who can provide some help what I'm missing or doing wrong?


(And yes, I do rebuild sendmail.cf and access.db and restart Sendmail between changes while testing...)


Thank you!

Re: [milter-greylist] Whitelist with Sendmail access db

2017-06-27 by manu@...

markus@... [milter-greylist] <milter-greylist@yahoogroups.com>
wrote:

>  define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
>  define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
>  define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
>  define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl

I understand you need to export the macros obtained from access.db if
you want to see them in milter-greylist.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Whitelist with Sendmail access db

2017-06-29 by Johann Klasek

On Tue, Jun 27, 2017 at 03:58:52PM +0000, markus@... [milter-greylist] wrote:
> Hello!
>
> I'm trying to get whitelisting with Sendmail's access.db to work, with no luck :(
> I'm using 4.6.2. The milter works just fine otherwise except for the access.db feature.
>
> In my server's sendmail.mc I got:
>
>  dnl
>  dnl Milter macros (required by milter-greylist)
>  dnl
>  define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
>  define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
>  define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
>  define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl
>
> I also got this at the end of sendmail.mc:
>
>  dnl
>  dnl Required by milter-greylist
>  dnl
>  LOCAL_CONFIG
>  Kstorage macro
>  LOCAL_RULESETS
>  SLocal_check_rcpt
>  R$+         $: $(storage {greylist} $) $&{client_addr}
>  R$+         $: $>A <$1> <?> <+Connect> <$1>
>  R<$+> <$*>  $: $(storage {greylist} $@ $1 $) $2
>
> As mentioned in the documentation, I made sure to use tabs in front of the $:
>
> I'm not really sure what the exact syntax is supposed to be in the access file. I've tried a few variations.
> My last bet was this:
>
>  Connect:example.com OK
>
> Also tried:
>
>  Connect:example.com WHITE

Because the rules above are using client_addr, it uses the IP address for
a match in access-db!

You have to state the ip address in access-db ...

Connect:1.2.3.4         OK

(OK, RELAY, WHITE tells milter-greylist to whitelist the IP) - use WHITE
to prevent side-effects (not allowing any relaying to foreign hosts).

For a simple fix, change client_addr to client_name
which contains the hostname or in case this isn't resolvable [a.b.c.d]
for IPv4 or something like this [IPv6:2a02:c207:2011:3138::1] for IPv6
addresses.

This checks the address and if not found the hostname against access-db
...

SLocal_check_rcpt
R$+             $: $(storage {greylist} $) $&{client_addr}
R$+             $: $>A <$1> <?> <+Connect> <$1>
R<?> <$+>       $: <?> $&{client_name}
R<?> $+         $: $>A <$1> <?> <+Connect> <$1>
R<$+> <$*>      $: $(storage {greylist} $@ $1 $) $1

Regards,

Johann K.

Re: [milter-greylist] Whitelist with Sendmail access db

2017-06-29 by Markus Edemalm

> Because the rules above are using client_addr, it uses the IP address for
> a match in access-db!
> 
> You have to state the ip address in access-db ...
> 
> Connect:1.2.3.4 OK
> 
> (OK, RELAY, WHITE tells milter-greylist to whitelist the IP) - use WHITE
> to prevent side-effects (not allowing any relaying to foreign hosts).
> 
> For a simple fix, change client_addr to client_name
> which contains the hostname or in case this isn't resolvable [a.b.c.d]
> for IPv4 or something like this [IPv6:2a02:c207:2011:3138::1] for IPv6
> addresses.
> 
> This checks the address and if not found the hostname against access-db
> ...
> 
> SLocal_check_rcpt
> R$+ $: $(storage {greylist} $) $&{client_addr}
> R$+ $: $>A <$1> <?> <+Connect> <$1>
> R<?> <$+> $: <?> $&{client_name}
> R<?> $+ $: $>A <$1> <?> <+Connect> <$1>
> R<$+> <$*> $: $(storage {greylist} $@ $1 $) $1
> 
> Regards,
> 
> Johann K.

Thank you!
I tried your config code above and made some progress.

Connect:example.com WHITE

With the WHITE keyword, my server responded with "reject=553 5.3.0 WHITE", so I changed to OK.

Connect:example.com OK

That didn’t yield an error, but it wasn’t picked up by milter-greylist, so instead I tried:

Connect:complete.hostname.example.com OK

THAT did work, finally ML reported "X-Greylist: Message whitelisted by Sendmail access database, not delayed". Great!
Too bad it didn’t work with domain name only, that makes this feature pretty useless.

I think I’ll return to whitelisting within greylist.conf

…unless someone with mad m4 skills has another suggestion to try! :)


- ME

Re: [milter-greylist] Whitelist with Sendmail access db

2017-06-29 by Johann Klasek

On Thu, Jun 29, 2017 at 09:29:58PM +0200, Markus Edemalm markus@... [milter-greylist] wrote:
> > Because the rules above are using client_addr, it uses the IP address for
> > a match in access-db!
> > 
> > You have to state the ip address in access-db ...
> > 
> > Connect:1.2.3.4 OK
> > 
> > (OK, RELAY, WHITE tells milter-greylist to whitelist the IP) - use WHITE
> > to prevent side-effects (not allowing any relaying to foreign hosts).
> > 
> > For a simple fix, change client_addr to client_name
> > which contains the hostname or in case this isn't resolvable [a.b.c.d]
> > for IPv4 or something like this [IPv6:2a02:c207:2011:3138::1] for IPv6
> > addresses.
[..]

> > SLocal_check_rcpt
> > R$+ $: $(storage {greylist} $) $&{client_addr}
> > R$+ $: $>A <$1> <?> <+Connect> <$1>
> > R<?> <$+> $: <?> $&{client_name}
> > R<?> $+ $: $>A <$1> <?> <+Connect> <$1>
> > R<$+> <$*> $: $(storage {greylist} $@ $1 $) $1
[..]
> I tried your config code above and made some progress.

Fine!

> Connect:example.com WHITE
> 
> With the WHITE keyword, my server responded with "reject=553 5.3.0 WHITE", so I changed to OK.

Yes, a side-effect of the other kind ...

> 
> Connect:example.com OK

Indeed, the better one.


> That didn't yield an error, but it wasn't picked up by milter-greylist, so instead I tried:
> 
> Connect:complete.hostname.example.com OK
> 
> THAT did work, finally ML reported "X-Greylist: Message whitelisted by Sendmail access database, not delayed". Great!
> Too bad it didn't work with domain name only, that makes this feature pretty useless.
> 
> I think I'll return to whitelisting within greylist.conf
> 
> …unless someone with mad m4 skills has another suggestion to try! :)

Easy, just use Ruleset "D" (domain match) instead of "A" (address match).
I was wrong in my previous attempt to fix this.
See 5th line ...

SLocal_check_rcpt
R$+ $: $(storage {greylist} $) $&{client_addr}
R$+ $: $>A <$1> <?> <+Connect> <$1>
R<?> <$+> $: <?> $&{client_name}
R<?> $+ $: $>D <$1> <?> <+Connect> <$1>
R<$+> <$*> $: $(storage {greylist} $@ $1 $) $1


Have fun,
Johann K.
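
The difference between ruleset "A" and ruleset "D" discussed above, as an added example that is not part of the original posts or of milter-greylist: a simplified Python model of the key order each ruleset tries against the access map. The function names and the sample entries are constructed for illustration, and the model covers only dotted IPv4 addresses and plain hostnames.

```python
# Simplified model (an assumption, not Sendmail's own code) of how the
# access-db lookups used in Local_check_rcpt generate candidate keys.

def address_keys(value):
    """Ruleset A style: full value first, then strip trailing dot components."""
    parts = value.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]

def domain_keys(name):
    """Ruleset D style: full name first, then strip leading dot components."""
    parts = name.split(".")
    return [".".join(parts[n:]) for n in range(len(parts))]

def lookup(access, keys, tag="Connect"):
    """<+Connect>: try the tagged key, then the untagged key, for each candidate."""
    for key in keys:
        for candidate in (f"{tag}:{key}", key):
            rhs = access.get(candidate.lower())  # keys are matched case-insensitively here
            if rhs is not None:
                return candidate, rhs
    return None

def greylist_macro(access, client_addr, client_name, name_ruleset="D"):
    """Address lookup first; if nothing matched, fall back to client_name."""
    hit = lookup(access, address_keys(client_addr))
    if hit is None and not client_name.startswith("["):  # bracketed IP: no hostname
        if name_ruleset == "D":
            keys = domain_keys(client_name)
        else:
            keys = address_keys(client_name)
        hit = lookup(access, keys)
    return hit

# Constructed sample access entries (documentation address ranges and domains).
ACCESS = {
    "connect:192.0.2": "OK",          # partial address: covers the whole network
    "connect:example.com": "OK",      # domain only
    "connect:mx.example.org": "OK",   # complete hostname
}

if __name__ == "__main__":
    host = "complete.hostname.example.com"
    print("A:", greylist_macro(ACCESS, "203.0.113.7", host, "A"))
    print("D:", greylist_macro(ACCESS, "203.0.113.7", host, "D"))
    print("A:", greylist_macro(ACCESS, "203.0.113.9", "mx.example.org", "A"))
    print("addr:", greylist_macro(ACCESS, "192.0.2.55", "[192.0.2.55]"))
```

Running the same function over every entry in an access file shows how wide each partial key reaches before it is used as a whitelist.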

Re: [milter-greylist] Whitelist with Sendmail access db

2017-07-01 by Markus Edemalm

> On 29 June 2017 at 23:38, Johann Klasek johann@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> 
> Easy, just use Ruleset "D" (domain match) instead of "A" (address match).
> I was wrong in my previous attempt to fix this.
> See 5th line ...
> 
> SLocal_check_rcpt
> R$+ $: $(storage {greylist} $) $&{client_addr}
> R$+ $: $>A <$1> <?> <+Connect> <$1>
> R<?> <$+> $: <?> $&{client_name}
> R<?> $+ $: $>D <$1> <?> <+Connect> <$1>
> R<$+> <$*> $: $(storage {greylist} $@ $1 $) $1
> 
> Have fun,
> Johann K.

Thank you Johann! It’s working now! :)

Now I only need to maintain one whitelist, shared between Sendmail's dnsbl feature and milter-greylist.
The Sendmail config above should be included in the official documentation.

Thanks again.

-ME

Re: [milter-greylist] Whitelist with Sendmail access db

2017-07-03 by Johann Klasek

On Sat, Jul 01, 2017 at 06:17:03PM +0200, Markus Edemalm markus@... [milter-greylist] wrote:
> > On 29 June 2017 at 23:38, Johann Klasek johann@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> Thank you Johann! It's working now! :)

Great!

> Now I only need to maintain one whitelist, shared between Sendmail's dnsbl feature and milter-greylist.

Nice.

> The Sendmail config above should be included in the official documentation.

@Emmanuel, could you incorporate the following patch for the README file?

--- README      2016-11-24 05:35:40.000000000 +0100
+++ README.N    2017-07-03 13:23:37.596828522 +0200
@@ -175,10 +175,26 @@
 SLocal_check_rcpt
 R$+            $: $(storage {greylist} $) $&{client_addr}
 R$+            $: $>A <$1> <?> <+Connect> <$1>
-R<$+> <$*>     $: $(storage {greylist} $@ $1 $) $2
+R<?> <$+>      $: <?> $&{client_name}
+R<?> $+                $: $>D <$1> <?> <+Connect> <$1>
+R<$+> <$*>     $: $(storage {greylist} $@ $1 $) $1
 
 Note that there must be tabs and no spaces before the "$:"!
 
+Some sample entries for /etc/mail/access ...
+
+Connect:1.2.3          OK
+Connect:provider.net   OK
+
+As RHS the keywords "WHITE", "RELAY" or "OK" are allowed. But to make sure
+Sendmail keeps accepting mails from the given source "OK" is the usually
+the best, except explicitly full relaying is desired where "RELAY" should
+be given.
+On the LHS the tag "connect:" is mandatory, followed by either an address
+or a domain (both of them might be partial, covering a whole network or
+any subdoman).
+
+
  3 Configuring Postfix with milter-greylist
  ==========================================
 

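Review bot: The added paragraph names the tag as "connect:" while both sample entries and the ruleset's <+Connect> spell it "Connect:"; use one spelling in the README so readers copy the form shown to work. The same paragraph has two typos, "is the usually the best" (doubled "the") and "subdoman". Since "Connect:1.2.3" and "Connect:provider.net" are partial keys, it would help to say next to the samples that they whitelist a whole network and every host under the domain, and to mention the "553 5.3.0 WHITE" reject reported earlier in this thread as the reason "OK" is preferred over "WHITE".
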
Regards,

Johann

Re: [milter-greylist] Whitelist with Sendmail access db

2017-07-07 by manu@...

Johann Klasek johann@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> @Emmanuel, could you incorporate the following patch for the README file?

Done.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
