Postgrey selective greylisting and policyd-weight on Fedora


Postby mr88talent » Fri Jan 26, 2007 1:44 pm

Adding Postgrey selective greylisting to a Fedora or RedHat system.
http://isg.ee.ethz.ch/tools/postgrey/
Anyone running amavisd-new will have this stuff, but just in case:
Code:
yum install perl-Net-Server perl-IO-Multiplex perl-BerkeleyDB perl-Net-DNS

visit:
http://www.lfarkas.org/linux/packages/
and see if a more appropriate rpm can be found (although since this is a Perl program
there may not be much difference) and change the download location as needed (also change
the version if needed):

Code:
cd /usr/local/src
wget http://www.lfarkas.org/linux/packages/fc4/i386/RPMS/postgrey-1.27-0.noarch.rpm
rpm -Uvh postgrey-1.27-0.noarch.rpm

If you run Postfix chrooted:
Code:
cp /etc/passwd /var/spool/postfix/etc/passwd

You will find some whitelist files here:
/etc/postfix/postgrey_whitelist_clients
/etc/postfix/postgrey_whitelist_clients.local
/etc/postfix/postgrey_whitelist_recipients

Code:
vi /etc/rc.d/init.d/postgrey
change:
OPTIONS="--unix=$SOCKET"

to:
OPTIONS="--unix=$SOCKET --inet=127.0.0.1:60000 --delay=29"

save and exit. Notice I greylist for only 29 seconds.

Then start Postgrey
Code:
/etc/rc.d/init.d/postgrey start

and check that it is listening on port 60000:
Code:
lsof | grep postgrey | grep LISTEN


for more info: 'perldoc postgrey'

We are going to set up greylisting such that it attempts to only
greylist certain clients hopefully avoiding greylisting clients
likely to be mainstream servers.

Code:
vi /etc/postfix/check_client_fqdn

and insert:

Code:
/^unknown$/                                  greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/                 greylist
/^[^\.]*[0-9]{5}/                            greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/            greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./    greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/         greylist


Code:
vi /etc/postfix/main.cf
and add these two lines:
(if you already have something in smtpd_restriction_classes
then you would add greylist to the list)

smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:60000

At The Very Bottom of smtpd_recipient_restrictions add:
check_client_access regexp:/etc/postfix/check_client_fqdn

This example shows both policyd-weight and postgrey selective greylisting:

Code:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/polw_recipient_exceptions,
    check_client_access hash:/etc/postfix/polw_client_exceptions,
    check_sender_access hash:/etc/postfix/polw_sender_exceptions,
    check_policy_service inet:127.0.0.1:12525,
    check_client_access regexp:/etc/postfix/check_client_fqdn

Code:
postfix reload

Remember that reject_unlisted_recipient can be used to reject mail to invalid recipients
quicker than smtpd_reject_unlisted_recipient (which would reject after greylisting).
However, it is required that you do in fact have a list of valid recipients for your
address class (such as relay_recipient_maps would be used with the relay_domains
address class). See:
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient
http://www.postfix.org/postconf.5.html#relay_recipient_maps

If you know in advance which senders/clients/recipients you never want greylisted
you can OK them in one of the polw_*_exceptions maps - but be aware of what would
happen if you were to place other restrictions after these access maps.

Code:
tail -f /var/log/maillog


Jan 25 21:01:09 sfa postfix/policydweight[2383]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .example. - helo: .wyrsck. - helo-domain: .wyrsck.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=192.168.1.41> <helo=wyrsck> <from=garyv@example.com> <to=garyv@example.com>, rate: 1.5

Jan 25 21:01:09 sfa postfix/policydweight[2383]: decided action=DUNNO NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .example. - helo: .wyrsck. - helo-domain: .wyrsck.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=192.168.1.41> <helo=wyrsck> <from=garyv@example.com> <to=garyv@example.com>, rate: 1.5

Jan 25 21:01:09 sfa postfix/smtpd[2379]: NOQUEUE: reject: RCPT from unknown[192.168.1.41]: 450 <unknown[192.168.1.41]>: Client host rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/he ... .com.html; from=<garyv@example.com> to=<garyv@example.com> proto=ESMTP helo=<wyrsck>


A couple of minutes later I tried again:

Jan 25 21:04:03 sfa postfix/policydweight[2383]: decided action=DUNNO using cached result; rate: 1.5

Jan 25 21:04:03 sfa postgrey[2303]: delayed 174 seconds: client=192.168.1.41, from=garyv@example.com, to=garyv@example.com

Jan 25 21:04:04 sfa postfix/smtpd[2396]: 134C07EE4D: client=unknown[192.168.1.41]


and I could send mail.
I'm not sure if logwatch will complain.
This is a lifesaver for a system in trouble.

In master.cf one might also consider lowering this setting from a default of 50:

Code:
smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_client_connection_count_limit=21

Personally I have only seen dictionary attacks exceed this, but your situation may be different, so please test.
Last edited by mr88talent on Fri Jan 26, 2007 3:28 pm, edited 2 times in total.
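Before putting the check_client_fqdn table above into production (or before adding a pattern of your own), it is worth seeing which client names it would actually send to greylisting. The following Python script is an added example, not code from the post or from Postgrey: it applies the same table the way a Postfix regexp lookup does (whole client name as the key, case-insensitive, first match wins) to a handful of constructed hostnames.

```python
import re

# The check_client_fqdn table from the post above, in Postfix regexp-table
# syntax ("/pattern/ result"), embedded so the script runs offline.
CHECK_CLIENT_FQDN = r"""
/^unknown$/                                  greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/                 greylist
/^[^\.]*[0-9]{5}/                            greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/            greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./    greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/         greylist
"""

# Constructed client names: some mainstream-looking MX hosts and some that
# look like dynamic ranges.  "unknown" is what Postfix looks up without rDNS.
SAMPLE_CLIENTS = [
    "unknown", "mail.example.com", "mx2.example.net",
    "smtp-out-1.mailer.example",     # a lone trailing digit is not enough
    "dsl-123-45-67-89.isp.example", "ppp91-1-2-3.dynamic.example",
    "host12345.example.org",
]

def load_table(text):
    """Parse '/regex/ result' lines into (compiled regex, result) pairs.
    Postfix regexp tables are case-insensitive by default, hence IGNORECASE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)$", line)
        if not m:
            raise ValueError("unparsable table line: " + line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, client_name):
    """First matching rule wins, as in Postfix.  Returns (result, pattern),
    or None when nothing matches and the client is passed through."""
    for rx, result in rules:
        if rx.search(client_name):
            return result, rx.pattern
    return None

def classify(clients=SAMPLE_CLIENTS, table=CHECK_CLIENT_FQDN):
    """Map each client name to the rule that would greylist it, if any."""
    rules = load_table(table)
    return {c: lookup(rules, c) for c in clients}
```

Running classify() shows mail.example.com, mx2.example.net and smtp-out-1.mailer.example passing through while the dial-up style names and "unknown" are greylisted; put any new pattern you are considering into the table string and your own hostnames into the list to check it the same way.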

Postby mr88talent » Fri Jan 26, 2007 1:48 pm

And now on to policyd-weight. Visit:
http://www.policyd-weight.org
and modify the version shown on the following two lines (if the version is different):

Code:
mkdir /usr/local/src/policyd-weight-0.1.14-beta-0
cd /usr/local/src/policyd-weight-0.1.14-beta-0
wget http://policyd-weight.org/policyd-weight
wget http://www200.pair.com/mecham/spam/policyd-weight.conf
chmod +x policyd-weight
cp policyd-weight /usr/sbin
cp policyd-weight.conf /etc/policyd-weight.conf
adduser -r -d /var/policyd-weight -c "policyd-weight user" -s /sbin/nologin polw
mkdir /var/run/policyd-weight
chown -R polw:polw /var/run/policyd-weight
yum install perl-Net-DNS

postconf -e "smtpd_policy_service_timeout = 240s"
postconf -e "smtpd_policy_service_max_idle = 900s"


If running Postfix chrooted:
Code:
cp /etc/passwd /var/spool/postfix/etc/passwd


Code:
cd /etc/rc.d/init.d
wget http://www200.pair.com/mecham/redhat/policyd-weight
chmod +x policyd-weight
chkconfig policyd-weight --add
service policyd-weight start
lsof | grep LISTEN | grep polw

This should show something like:
policyd-w 2153 polw 4u IPv4 7654 TCP localhost.localdomain:12525 (LISTEN)

Code:
vi /etc/postfix/main.cf

Make sure you have "reject_invalid_hostname" in one of your restriction sets, e.g.:
smtpd_helo_restrictions = reject_invalid_hostname


Make sure you have:
smtpd_helo_required = yes


At the bottom of smtpd_recipient_restrictions add three access lists that
can be used to whitelist senders/clients/recipients and then add
the policyd-weight policy service following these. They must end up
at the bottom and they must be after reject_unauth_destination or you
risk becoming an open relay. Here is a sample:

Code:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/polw_recipient_exceptions,
    check_client_access hash:/etc/postfix/polw_client_exceptions,
    check_sender_access hash:/etc/postfix/polw_sender_exceptions,
    check_policy_service inet:127.0.0.1:12525

then:
Code:
touch /etc/postfix/polw_recipient_exceptions
touch /etc/postfix/polw_client_exceptions
touch /etc/postfix/polw_sender_exceptions
postmap /etc/postfix/polw_recipient_exceptions
postmap /etc/postfix/polw_client_exceptions
postmap /etc/postfix/polw_sender_exceptions
postfix reload

tail -f /var/log/maillog


Since I have not tried this on a production system I'm not sure if or
how it might affect a logwatch report.

The changes from the defaults are in /etc/policyd-weight.conf
If you feel the need, you can change settings there. The most important
setting is $REJECTLEVEL

There is a sample that shows what can be set in policyd-weight.conf but policyd-weight is complex in the way certain rules affect the score of other rules so it's really best for someone not willing to spend the time trying to understand how it all works to stick to adjusting $REJECTLEVEL.
http://policyd-weight.org/policyd-weight.conf.sample
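Since the practical knob is $REJECTLEVEL, it helps to know what rates your real clients are scoring before you move it. The following Python script is an added example (not from the post, Postfix or policyd-weight): it parses the maillog excerpt shown in the first post, pulls the per-check scores and final rate out of the policyd-weight lines, and ties postgrey's 450 reject and "delayed N seconds" line back to the client. The log lines are the ones from the first post with the forum line-wrapping undone.

```python
import re
from collections import defaultdict

# Maillog lines from the first post (wrapping undone; elided URL kept as shown).
MAILLOG = """\
Jan 25 21:01:09 sfa postfix/policydweight[2383]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .example. - helo: .wyrsck. - helo-domain: .wyrsck.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=192.168.1.41> <helo=wyrsck> <from=garyv@example.com> <to=garyv@example.com>, rate: 1.5
Jan 25 21:01:09 sfa postfix/policydweight[2383]: decided action=DUNNO NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .example. - helo: .wyrsck. - helo-domain: .wyrsck.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=192.168.1.41> <helo=wyrsck> <from=garyv@example.com> <to=garyv@example.com>, rate: 1.5
Jan 25 21:01:09 sfa postfix/smtpd[2379]: NOQUEUE: reject: RCPT from unknown[192.168.1.41]: 450 <unknown[192.168.1.41]>: Client host rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/he ... .com.html; from=<garyv@example.com> to=<garyv@example.com> proto=ESMTP helo=<wyrsck>
Jan 25 21:04:03 sfa postfix/policydweight[2383]: decided action=DUNNO using cached result; rate: 1.5
Jan 25 21:04:03 sfa postgrey[2303]: delayed 174 seconds: client=192.168.1.41, from=garyv@example.com, to=garyv@example.com
Jan 25 21:04:04 sfa postfix/smtpd[2396]: 134C07EE4D: client=unknown[192.168.1.41]
"""
# NAME=score pairs as policyd-weight logs them, e.g. FROM_NOT_FAILED_HELO(DOMAIN)=3
SCORE = re.compile(r"\b([A-Z_]+(?:\([A-Z_]+\))?)=(-?\d+(?:\.\d+)?)")
FIELD = {"rate": re.compile(r"rate: (-?\d+(?:\.\d+)?)"),
         "action": re.compile(r"decided action=(\S+)"),
         "client": re.compile(r"<client=([^>]+)>")}
GREYLIST_DELAY = re.compile(r"postgrey\[\d+\]: delayed (\d+) seconds: client=([^,]+)")
GREYLIST_REJECT = re.compile(r"RCPT from \S+\[([^\]]+)\]: 450 .*Greylisted")

def parse_policyd_weight(line):
    """Split a policyd-weight line into per-check scores, final rate,
    decision and client; returns None for lines from other daemons."""
    if "policydweight[" not in line:
        return None
    out = {"checks": {name: float(score) for name, score in SCORE.findall(line)}}
    for key, rx in FIELD.items():
        m = rx.search(line)
        out[key] = m.group(1) if m else None
    out["rate"] = float(out["rate"]) if out["rate"] is not None else None
    return out

def summarize(log_text):
    """Per-client view: highest rate seen, decisions, 450 greylist rejects and
    the postgrey hold time.  The 'using cached result' line names no client."""
    clients = defaultdict(lambda: {"max_rate": None, "actions": [],
                                   "greylist_rejects": 0, "greylist_delay": None})
    for line in log_text.splitlines():
        pw = parse_policyd_weight(line)
        if pw and pw["client"]:
            c = clients[pw["client"]]
            if pw["rate"] is not None:
                c["max_rate"] = max(r for r in (c["max_rate"], pw["rate"]) if r is not None)
            if pw["action"]:
                c["actions"].append(pw["action"])
        elif (m := GREYLIST_DELAY.search(line)):
            clients[m.group(2)]["greylist_delay"] = int(m.group(1))
        elif (m := GREYLIST_REJECT.search(line)):
            clients[m.group(1)]["greylist_rejects"] += 1
    return dict(clients)
```

The per-check scores of a "weighted check" line add up to its rate, which is a handy sanity check that the parser caught every rule; pipe a day of /var/log/maillog through summarize() to see how your clients' rates sit relative to the $REJECTLEVEL you intend to set.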

Postby AnonymousDog » Fri Jan 26, 2007 2:29 pm

Logwatch does not complain about (e.g., list as unmatched) postgrey entries in maillog.

Postby DaveD » Wed Feb 07, 2007 2:06 pm

If I already had recipient_classes enabled (none, low, filter)

Would adding the
Code:
check_policy_service inet:127.0.0.1:60000


To the recipient classes that I want to have the greylisting option still work? Or does greylisting only work as its own class?

After using the instructions above, postgrey start pulls this:

ERROR: --unix or --inet must be specified


Hmm...I must be missing something...

Fedora Core 4 system....

Postby DaveD » Wed Feb 07, 2007 3:47 pm

The additional recipient class works...

However, startup options aren't clearly working as I can type:

Code:
/usr/sbin/postgrey -d --inet=127.0.0.1:6000 --delay=29


and it fires right up.

I'll look through the script later on tonight.



Postby DaveD » Fri Feb 09, 2007 12:19 pm

NM....

Linux user brain fart.

Startup script works, if you type the path...

HEY! This greylisting is pretty darn cool.

Did some of you find that you had to bump up the delay a little?

I bumped mine up to 90 seconds and that got rid of some more persistent baddies.

Postby mr88talent » Fri Feb 09, 2007 12:44 pm

You could be right. I think 58 or 59 might be a better number than 29. Postfix by default allows a client to make up to 50 connections (within a 60 second period), but some legitimate servers try back in 60 and I don't want to put them off for a second time.

Postby DaveD » Mon Jul 02, 2007 1:41 pm

Need some regular expression help...

I don't quite have a handle on wild cards yet, but I have been noticing a lot of mail coming from such addresses as ppp91-blah-blah and blah-blah-t-dialup-blah...

Which under the current recommended Postgrey regime... won't get any of those greylisted.

I want to greylist all addresses with the word "dial" in it...period.

or PPP or dsl...

What line would I add to get that effect...

Postby DaveD » Mon Jul 02, 2007 1:43 pm

OH!

And if you would like a Greylist report.... **Beware, this report takes a bit**

For Fedora:
Code:
cat /var/log/maillog | postgreyreport --nosingle_line --check_sender=mx,a --show_tries --separate_by_subnet=":===============================================================================================\n" |/bin/mail -s "Spam Filter Greylist Report" root


For Debian:
Code:
cat /var/log/mail.log | postgreyreport --nosingle_line --check_sender=mx,a --show_tries --separate_by_subnet=":===============================================================================================\n" |/bin/mail -s "Spam Filter Greylist Report" root


Gives you a run down of who is greylisted from what IP...Hostname...and subnet...
