Koozali.org formerly Contribs.org

Greylisting - how to setup cqgreylist

aarik

Greylisting - how to setup cqgreylist
« on: August 18, 2006, 08:34:19 AM »
Here's a howto I modified to set up cqGreylist on an SME server.
Hope this helps someone.


-Harry Incs
harry at networkincs.com

-----------------------------------------------------------------------------------------


cqGreylist for SME

cqGreylist - plain greylisting for qmail
------------------------------------------
Original software from http://oss.albawaba.com/cqgreylist.html
These instructions have been modified for the SME server.

What is greylisting?
--------------------

Greylisting is a new method of blocking significant amounts of spam at the mailserver level, but without resorting to heavyweight statistical analysis or other heuristic (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mailserver.

Greylisting relies on the fact that most spam sources do not behave in the same way as "normal" mail systems. Although it is currently very effective by itself, it will perform best when it is used in conjunction with other forms of spam prevention. For a detailed description of the method, see http://projects.puremagic.com/greylisting/.

What is cqGreylist?
------------------

cqgreylist is an implementation of greylisting written in C for qmail. I wrote it in C because the other Perl implementations out there were just too slow for my needs and brought the server to its knees with 70-100 concurrent SMTP connections, so this implementation is intended for heavy-traffic servers (250,000+ SMTP connections per day).

I wrote this with the help of the two perl implementations found here
( Sirko Zidlewitz )
http://www.datenklause.de/en/software/qgreylistrbl.html
and here
( Jon Atkins )
http://www.jonatkins.com/page/software/qgreylist

Please note that this implementation provides only greylisting based on the source IP address and not the full triplet as suggested in the greylisting whitepaper.

Requirements
------------

make, gcc & glibc I guess, I didn't use fancy libraries.

Download cqGreylist
------------------

The latest version can be found at:

http://oss.albawaba.com


Installing cqGreylist (modified for SME Server)
--------------------

1 - untar
#tar -zxvf cqgreylist-0.2.tar.gz

2 - change basic configuration, its noted what variables you can change
#cd cqgreylist-0.2
#vim cqgreylist.c

3 - create the folder to hold the files
#mkdir /var/qmail/cqgreylist
#chown qmaild: /var/qmail/cqgreylist

4 - compile (you will need GCC installed, or you can compile on a CentOS machine like I did)
#make

5 - copy the binary
#cp cqgreylist /var/qmail/bin/

6 - edit the run script for smtpfront-qmail, located in /service/smtpfront-qmail/run
add the line below above "/usr/bin/smtpfront-qmail"

/var/qmail/bin/cqgreylist \


7 - notify tcpserver that the run script has changed
#svc -t /service/smtpfront-qmail    (TERM makes supervise restart tcpserver with the edited run script)

8 - add this one liner to crontab to clean old files, here I chose 1 day for
life of each entry, you can adjust this to your liking.
23 * * * * /usr/bin/find /var/qmail/cqgreylist -mtime +1 -type f -exec  rm -f {} \;

Whitelisting
------------

To whitelist certain hosts so that greylisting is skipped for them, you need to add them to tcpserver's cdb file. cqgreylist checks whether the environment variables WHITELISTED or RELAYCLIENT are declared; if either of them is, greylisting is skipped. Here is an example from my tcp.smtp file, located in /etc/tcprules.

edit tcp.smtp
then execute the following:

#cp tcp.smtp.cdb tcp.smtp.cdb.old
#rm tcp.smtp.cdb
#tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp

the last command will create the new cdb file that will be used by service




***********************************


# Local and trusted hosts: RELAYCLIENT lets them relay through this server and also makes cqgreylist skip them
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
xxx.xxx.xxx.xxx:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
xxx.xxx.xxx.xxx:allow,MAILRULES="/var/qmail/control/mailrules.default",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
xxx.xxx.xxx.:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
xxx.xxx.xxx.:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
172.16.:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"

#http://greylisting.org/whitelisting.shtml
# Public Servers
# These hosts only need to skip greylisting, so they get WHITELISTED="" rather than RELAYCLIENT="":
# RELAYCLIENT="" would let each of them relay mail through this server.
# Network prefixes must end with a dot (64.12.137. not 64.12.137): tcpserver only matches a
# prefix rule whose address ends with a dot, so an entry without one never matches anything.

# Southwest Airlines (unique sender, no retry)
12.5.136.141:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Southwest Airlines (unique sender, no retry)
12.5.136.142:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Southwest Airlines (unique sender, no retry)
12.5.136.143:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Southwest Airlines (unique sender, no retry)
12.5.136.144:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# kernel.org mailing lists (high traffic, unique sender per mail)
12.107.209.244:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# SLmail
63.82.37.110:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Southwest Airlines (unique sender, no retry)
63.169.44.143:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Southwest Airlines (unique sender, no retry)
63.169.44.144:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# sentex.ca (common pool)
64.7.153.18:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool) - http://postmaster.aol.com/servers/imo.html
64.12.137.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
64.12.138.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# moveon.org (unique sender per attempt)
64.124.204.39:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# collab.net (unique sender per attempt)
64.125.132.254:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# zproxy.gmail.com (common server pool, bad 451 handling?)
64.233.162.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# rproxy.gmail.com (common server pool, bad 451 handling?)
64.233.170.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# nproxy.gmail.com (common server pool, bad 451 handling?)
64.233.182.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# wproxy.gmail.com (common server pool, bad 451 handling?)
64.233.184.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
65.82.241.160:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Yahoo Groups servers (common pool, no retry)
66.94.237.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
66.100.210.82:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Ebay (for time critical alerts)
66.135.209.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Ebay (common pool)
66.135.197.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
66.162.216.166:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# PLEXOR
66.206.22.82:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# PLEXOR
66.206.22.83:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# PLEXOR
66.206.22.84:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# PLEXOR
66.206.22.85:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Yahoo Groups servers (common pool, no retry)
66.218.66.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Yahoo Groups servers (common pool, no retry)
66.218.67.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Yahoo Groups servers (common pool, no retry)
66.218.69.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# gmail (common server pool, bad 451 handling)
66.249.82.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# ljbtc.com (Groupwise)
66.27.51.218:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
66.89.73.101:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
68.15.115.88:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# qproxy.gmail.com (common server pool, bad 451 handling?)
72.14.204.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
152.163.225.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Joker.com (email forwarding server)
194.245.101.88:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Tid InfoMail Exchanger v2.20
195.235.39.19:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# skynet.be (weird retry pattern, common pool)
195.238.2.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# skynet.be (weird retry pattern, common pool)
195.238.3.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
204.60.8.162:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Ameritrade (no retry)
204.107.120.10:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.139.136:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.139.137:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.144.207:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.144.208:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.156.66:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.157.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AOL (common pool)
205.188.159.7:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# SecurityFocus.com (unique sender per attempt)
205.206.231.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# sentex.ca (common pool)
205.211.164.50:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Prodigy (broken software that retries continually with no delay)
207.115.63.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Amazon.com (common pool)
207.171.168.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Amazon.com (common pool)
207.171.180.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Amazon.com (common pool)
207.171.187.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Amazon.com (common pool)
207.171.188.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Amazon.com (common pool)
207.171.190.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Ticketmaster (poor retry config)
209.104.63.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# sourceware.org mailing lists (high traffic, unique sender per mail)
209.132.176.174:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# optusnet.com.au (weird retry pattern and more than 48hrs)
211.29.132.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Mysql.com (unique sender)
213.136.52.31:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Yahoo Mail?
216.136.226.0:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# Groupwise?
216.157.204.5:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# proxy.gmail.com (common server pool, bad 451 handling?)
216.239.56.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# AXKit mailing list (unique sender per attempt)
217.158.50.178:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"

# Everyone else: accepted, then greylisted by cqgreylist
:allow,MAILRULES="/var/qmail/control/mailrules.default",QMAILQUEUE="/usr/bin/qmail-queue.amavis"


********************************************************





Testing
-------

Send some emails from an external host which *isn't* allowed to relay or whitelisted. If you don't have an external account, send a 'help' command to a majordomo or similar list server to get a reply.

For each external server which attempts to send mail, a file will be created in /var/qmail/cqgreylist/first_octet_of_ip/. Check that this is happening. If it is not, check the permissions/owner on the directory; you will not receive any mail until this is fixed.
Also check the owner and permissions of all modified files.

Watch your mail log file.



Other Links
-----------

http://oss.albawaba.com/cqgreylist.html

http://greylisting.org/whitelisting.shtml

http://linsec.ca/misc_services/tcpserver.php

http://www.networkincs.com




Contact
-------
Harry Incs
harry at networkincs.com
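The whitelist mechanics described in the howto above, as an added example that is not part of the howto or of cqgreylist: a POSIX shell script that emulates tcpserver's rule search on a tcp.smtp file (exact address first, then shorter and shorter prefixes ending with a dot, then the empty default rule, as the tcpserver man page documents; =host rules are not modelled), reports whether cqgreylist would skip greylisting for a client (RELAYCLIENT or WHITELISTED set) and whether qmail-smtpd would relay for it (RELAYCLIENT set), and lints the file for two mistakes: prefix entries without a trailing dot, which never match, and RELAYCLIENT granted to public addresses, which makes the server an open relay for them. The sample rules file is constructed for the example and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the howto or of cqgreylist): emulate tcpserver's rule lookup on a
# tcp.smtp file, decide what cqgreylist and qmail-smtpd would do for a client, and lint the file.
# Assumption: tcpserver's documented search order (exact IP, then shorter prefixes ending with a
# dot, then the empty default rule); =host rules and info@ip rules are not modelled.

# Constructed sample tcp.smtp (not the poster's real file); the trap removes it on exit.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
# loopback and LAN: may relay, and cqgreylist skips them because RELAYCLIENT is set
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
172.16.:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# external server pool: skip greylisting only, never relay (WHITELISTED, not RELAYCLIENT)
64.233.184.:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# mistake 1: no trailing dot, so tcpserver treats this as an exact address that never matches
66.218.66:allow,WHITELISTED="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# mistake 2: RELAYCLIENT on a public address makes this host an open relay for that address
203.0.113.10:allow,RELAYCLIENT="",QMAILQUEUE="/usr/bin/qmail-queue.amavis"
# everyone else: accepted, then greylisted by cqgreylist
:allow,QMAILQUEUE="/usr/bin/qmail-queue.amavis"
EOF

# rule_for ADDR FILE: print the body (everything after the first colon) of the rule for ADDR
rule_for() {
    awk -F: -v addr="$1" '/^#/ || NF == 0 {next}
        $1 == addr {sub(/^[^:]*:/, ""); print; exit}' "$2"
}

# tcp_lookup IP FILE: search in tcpserver order and print the winning rule body; fail if none
tcp_lookup() {
    lk_body=$(rule_for "$1" "$2")                 # 1. exact address
    [ -n "$lk_body" ] && { printf '%s\n' "$lk_body"; return 0; }
    lk_prefix=$1
    while [ "${lk_prefix%.*}" != "$lk_prefix" ]; do
        lk_prefix=${lk_prefix%.*}.               # 2. 1.2.3.4 -> 1.2.3. -> 1.2. -> 1.
        lk_body=$(rule_for "$lk_prefix" "$2")
        [ -n "$lk_body" ] && { printf '%s\n' "$lk_body"; return 0; }
        lk_prefix=${lk_prefix%.}
    done
    lk_body=$(rule_for "" "$2")                   # 3. the empty default rule
    [ -n "$lk_body" ] && { printf '%s\n' "$lk_body"; return 0; }
    return 1
}

# greylist_skipped IP FILE: succeed when cqgreylist would skip greylisting for IP, i.e. the
# winning rule sets RELAYCLIENT or WHITELISTED (the two variables the program checks)
greylist_skipped() {
    case ",$(tcp_lookup "$1" "$2")" in
        *,RELAYCLIENT=*|*,WHITELISTED=*) return 0 ;;
    esac
    return 1
}

# relay_allowed IP FILE: succeed when qmail-smtpd would relay for IP (RELAYCLIENT set)
relay_allowed() {
    case ",$(tcp_lookup "$1" "$2")" in
        *,RELAYCLIENT=*) return 0 ;;
    esac
    return 1
}

# tcp_lint FILE: one line per finding
#   nodot ADDR   numeric prefix with fewer than four octets and no trailing dot (never matches)
#   relay ADDR   RELAYCLIENT granted outside loopback/RFC 1918 space (open relay for ADDR)
tcp_lint() {
    awk -F: '/^#/ || NF == 0 {next}
        $1 ~ /^[0-9.]+$/ && $1 !~ /\.$/ { a = $1; if (gsub(/\./, ".", a) < 3) print "nodot " $1 }
        $0 ~ /,RELAYCLIENT=/ && $1 !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print "relay " $1 }' "$1"
}

# Demonstration on the sample file
printf 'lint findings:\n%s\n\n' "$(tcp_lint "$RULES")"
for ip in 127.0.0.1 172.16.5.9 64.233.184.21 66.218.66.3 203.0.113.10 198.51.100.7; do
    verdict=greylisted
    greylist_skipped "$ip" "$RULES" && verdict="skips greylisting"
    relay_allowed "$ip" "$RULES" && verdict="$verdict, may relay"
    printf '%-15s %s\n' "$ip" "$verdict"
done
```

Run it against a real /etc/tcprules/tcp.smtp by pointing RULES at that file instead of the constructed one; any "nodot" finding is a whitelist entry that silently does nothing, and any "relay" finding on an address you do not control is a relay hole, since RELAYCLIENT makes qmail-smtpd accept mail for any destination from that client.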

raem
Re: Greylisting - how to setup cqgreylist
« Reply #1 on: August 18, 2006, 08:55:27 AM »
aarik

Gordon Rowell did some earlier work on this & created a beta rpm for install to sme 6.

Ultimately the weaknesses of various mail servers was deemed to make greylisting impractical, unless you were willing to watch your server and do a lot of regular tweaking.

Search the devinfo list for details.

aarik

Greylisting - how to setup cqgreylist
« Reply #2 on: August 18, 2006, 09:04:22 AM »
I currently manage the mail gateways for a large multinational company with about 14,000 active mailboxes. I have found that greylisting works great in reducing spam and otherwise unwanted email. As far as managing it, after the initial install and building of an appropriate whitelist, there isn't much to do. Occasionally I may add an IP to the list; in reality it is much less work than dealing with SpamAssassin quarantines and other methods such as HELO verification.

Greylisting is actually used by major "spam" appliances under different names, including Barracuda and IronMail.

JonB
Greylisting - how to setup cqgreylist
« Reply #3 on: August 18, 2006, 09:45:30 AM »
This topic belongs in the SME6 forum.

SME7 does not use smtpfront-qmail. It uses qpsmtpd which includes a plugin for greylisting which is not enabled by default but can be.

Personally I found that greylisting caused more problems than it solved due to misbehaving mail servers that did not bother to resend the emails or re-delivered them several days later.

I also have users that get jobs sent to them from National Accounts that need to be responded to immediately or else they miss out.

Jon

Greylisting - how to setup cqgreylist
« Reply #4 on: August 18, 2006, 04:35:56 PM »
How do you enable greylisting in SME 7? My IP is being hammered by a zombie attack of spam. Looking for anything.

Thanks

raem
Greylisting - how to setup cqgreylist
« Reply #5 on: August 19, 2006, 04:57:37 AM »
ltc6netspec

Have you enabled RBLs? Search here on RBL.