Greylisting with exim4

Posted by Steve on Fri 24 Jun 2005 at 12:27

Greylisting is a relatively recent approach designed to cut down on the receipt of incoming SPAM messages. Rather than running after the mail has been received, it attempts to ensure you don't receive mail from spammers in the first place by rejecting messages at SMTP time.

Like many anti-SPAM methods it is seen by many as a controversial approach because it can result in the loss of legitimate mail.

However in many cases the benefits outweigh the drawbacks, and whilst there is a risk that mail will be dropped, the sender of the mail will see an error message - so there's no risk of mail being dropped "silently", as with some other anti-SPAM solutions.

Greylisting is a simple means of combating incoming SPAM, with multiple implementations for different mail servers:

Each of these packages works in the same way; the difference is how they hook into the mailserver itself. There is also non-mailserver-specific software around, but it requires more configuration.

What normally happens when mail is delivered to your mailserver is fairly simple:

An incoming connection is made from the machine that wants to send mail (possibly that machine directly, or possibly another mail server en route), and the mail is immediately accepted by your mail server.

(There may well be more steps for your mailserver - for example you may filter virus mails at SMTP time.)

With the installation of greylisting things change:

When a new connection is made to your mailserver to deliver a mail, the server will check that this is permitted:

  • If the remote machine has previously attempted to deliver mail to the given address it is allowed, and everything works as it did before.
  • If this is a message from a machine which has not previously connected, the server will respond with a temporary error.

The intention is that the sending server will initially be given a temporary error code, and will then queue the message.

After a while it will retry the original delivery. At this point the mailserver with greylisting on it will recognise that this client previously attempted to deliver the mail, and allow it.

So what does this mean?

  • Initial messages from new hosts will be delayed until their mailserver retries.
  • Broken mail servers which do not retry (which hopefully includes all spammers) will not have their mail accepted.

If the message came from a legitimate server which eventually gives up retrying, a bounce will be generated informing the sender that their mail was not delivered.

In practical terms this should all work out, so long as you are not averse to your incoming mail being delayed by the retry period.
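The decision process just described, as a toy model added here (this is not greylistd's code; the triplet key of client IP, envelope sender and recipient, the retry delay and the expiry window are assumptions chosen for the illustration, and greylistd's own option names are not reproduced). It runs the scenarios from the text: a legitimate server that retries after the delay, a spammer that never retries, an over-eager server that retries every minute, and a whitelisted host.

```python
"""Toy model of the greylisting decision described above.

Added illustration, not greylistd's code. The triplet key (client IP,
envelope sender, recipient), the retry delay and the expiry window are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field

RETRY_DELAY = 30 * 60        # seconds a new triplet must wait before a retry is accepted
EXPIRE_UNSEEN = 8 * 60 * 60  # forget a triplet that was never retried (assumed value)


@dataclass
class Greylist:
    retry_delay: int = RETRY_DELAY
    expire_unseen: int = EXPIRE_UNSEEN
    whitelist_hosts: set = field(default_factory=set)   # never greylisted
    first_seen: dict = field(default_factory=dict)      # triplet -> time of first attempt
    known: set = field(default_factory=set)             # triplets already accepted once

    def check(self, client_ip, sender, recipient, now):
        """Decide one RCPT TO attempt and return (smtp_code, reason).

        451 is the temporary error that makes a well-behaved MTA queue and
        retry; 250 lets the recipient through.
        """
        if client_ip in self.whitelist_hosts:
            return 250, "whitelisted host"
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.known:
            return 250, "known triplet"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.expire_unseen:
            self.first_seen[key] = now          # record (or re-record) the first attempt
            return 451, "greylisted: first attempt"
        if now - seen < self.retry_delay:
            return 451, "greylisted: retried too soon"
        self.known.add(key)                     # waited long enough: remember and accept
        del self.first_seen[key]
        return 250, "retry after delay accepted"


def simulate(retry_delay=RETRY_DELAY):
    """Run the scenarios from the text; return the SMTP codes each sender sees."""
    g = Greylist(retry_delay=retry_delay, whitelist_hosts={"192.0.2.1"})
    # Constructed scenarios: (client IP, sender, recipient, attempt times in seconds)
    scenarios = {
        "legitimate, retries after 35 min": ("198.51.100.5", "alice@example.net", "bob@example.org", [0, 35 * 60]),
        "spammer, never retries":           ("203.0.113.9", "promo@example.com", "bob@example.org", [0]),
        "impatient, retries every minute":  ("198.51.100.7", "carol@example.net", "bob@example.org", [0, 60, 120, 31 * 60]),
        "whitelisted host":                 ("192.0.2.1", "dave@example.net", "bob@example.org", [0]),
    }
    return {name: [g.check(ip, s, r, t)[0] for t in times]
            for name, (ip, s, r, times) in scenarios.items()}


if __name__ == "__main__":
    for name, codes in simulate().items():
        print(f"{name:35} -> {codes}")
```

The impatient scenario shows why the delay matters: retries inside the window are still refused, and only the attempt after the configured delay is accepted, after which the triplet is remembered and further mail from it passes straight through.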

Installing the software and configuring it is very straightforward:

apt-get install greylistd

To configure the software there's a helpful tool installed, called greylistd-setup-exim4, which updates your exim4 configuration file(s) for you; although I'd suggest you back up your existing configuration first by running:

cp -R /etc/exim4 /etc/exim4.pre-greylist

Once you've got a good backup you can update your exim4 configuration by running the following command:

greylistd-setup-exim4 add

(If you don't wish to risk this you can see exactly what needs to be changed by reading the documentation in /usr/share/doc/greylistd.)

The greylist daemon can be adjusted via the file /etc/greylistd/config, which lets you set the length of time before a retry will be accepted. By default this is an hour; I've reduced it on my server to 30 minutes.

You can also set up a list of hosts which will never be greylisted in the file /etc/greylistd/whitelist-hosts. This augments the whitelist kept in /var/lib/greylistd/whitelist-hosts, which is upgraded with the package and shouldn't be edited by hand.

Once that's done you'll be running greylisting. You can keep an eye on the mail which is being temporarily rejected by looking at the logfile /var/log/exim4/rejectlog.

Mail which has been rejected will appear with an explanation. This is a sample entry:

2005-06-21 21:34:33 H=mail6.optimalorigin.com [65.196.164.6] F=<info-smlsm@netsingular.com> temporarily rejected RCPT <sexy@steve.org.uk>: greylisted.
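A small parser for rejectlog entries of that shape, added here as an example (not part of the article, greylistd or exim). It groups greylisting rejections by (IP, sender, recipient) triplet and flags triplets that are still being refused after the retry delay has passed, which is the symptom worth checking for when greylisting appears to be stuck. The regex follows the sample line above; the optional "(helo-name)" field, the 30-minute delay and the extra sample lines (RFC 5737 addresses) are constructed assumptions, and the "stuck" check assumes the daemon keys on that triplet and that the entry has not expired in the meantime.

```python
"""Parse exim4 rejectlog greylisting entries and spot senders that stay greylisted.

Added example, not part of the article or of greylistd/exim. The log format
is taken from the sample line in the text; the "(helo-name)" handling and
the sample lines with RFC 5737 addresses are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> temporarily rejected RCPT <(?P<rcpt>[^>]+)>: greylisted\.$"
)

# Constructed sample: the article's line, a too-early retry of the same triplet,
# a triplet still greylisted 47 minutes after its first attempt, and an unrelated
# rejection that the parser must ignore.
SAMPLE_LOG = [
    "2005-06-21 21:34:33 H=mail6.optimalorigin.com [65.196.164.6] F=<info-smlsm@netsingular.com> temporarily rejected RCPT <sexy@steve.org.uk>: greylisted.",
    "2005-06-21 21:44:10 H=mail6.optimalorigin.com [65.196.164.6] F=<info-smlsm@netsingular.com> temporarily rejected RCPT <sexy@steve.org.uk>: greylisted.",
    "2005-06-21 22:00:00 H=mx.example.net (mx.example.net) [192.0.2.10] F=<alice@example.net> temporarily rejected RCPT <bob@example.org>: greylisted.",
    "2005-06-21 22:05:00 H=other.example.com [192.0.2.20] F=<x@example.com> rejected RCPT <bob@example.org>: relay not permitted",
    "2005-06-21 22:47:15 H=mx.example.net (mx.example.net) [192.0.2.10] F=<alice@example.net> temporarily rejected RCPT <bob@example.org>: greylisted.",
]


def parse_line(line):
    """Return a dict for a greylisting rejection, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def summarise(lines, retry_delay_s=30 * 60):
    """Group rejections by (ip, sender, recipient) and flag 'stuck' triplets.

    A triplet is stuck when it is still greylisted although more than
    retry_delay_s has elapsed since its first rejection: that retry should
    have been accepted, so the daemon is probably not recording attempts
    (assumes the triplet key and that the entry has not expired meanwhile).
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            attempts[(rec["ip"], rec["sender"], rec["rcpt"])].append(rec["ts"])
    by_ip = Counter()
    stuck = []
    for key, times in attempts.items():
        by_ip[key[0]] += len(times)
        times.sort()
        if (times[-1] - times[0]).total_seconds() >= retry_delay_s:
            stuck.append(key)
    return {"triplets": len(attempts), "by_ip": by_ip, "stuck": stuck}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['triplets']} greylisted triplets; rejections per IP: {dict(report['by_ip'])}")
    for ip, sender, rcpt in report["stuck"]:
        print(f"still greylisted after the retry delay: {ip} {sender} -> {rcpt}")
```

Run against the real file with `summarise(open("/var/log/exim4/rejectlog"))`; a non-empty "stuck" list points at a daemon or ACL problem rather than at badly behaved senders.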

As with all SPAM solutions this technique could become less effective over time, as spammers start using mailing software or zombie hosts which will retry deliveries.

However, even if that occurs we've achieved something: reduced SPAM throughput from the senders. Maybe not much, but hopefully enough to reduce the total volume of mail sent in any given day.

Re: greylisting with exim4
Posted by Anonymous (129.177.xx.xx) on Fri 24 Jun 2005 at 12:59
A nice, quick intro -- however; I think it's always good to place backup examples *before*, examples how to implement changes in an article...

Granted we hope new and old admins alike read the article thoroughly, *then* test this on a test-server, and finally, after testing, deploy it on a production machine...

Unfortunately, I think many admins, when trying something new, tend to follow a tutorial to the letter -- and running backup *after* the changes are made isn't very helpful :-D

Re: greylisting with exim4
Posted by Steve (82.41.xx.xx) on Fri 24 Jun 2005 at 13:00
Probably a wise suggestion, I know I've been guilty in the past of not backing up things until I realise I've had a problem.

I've updated the piece to put the backup note first, in case it saves somebody!

Steve
-- Steve.org.uk

Re: greylisting with exim4
Posted by Eirik (129.177.xx.xx) on Fri 24 Jun 2005 at 16:05
That first post was me actually. I'd conveniently set up my qmail-aliases to disregard most addresses starting with debian- ... except for the lists I'm explicitly on (security and announce).

*blushes*

I've just received too much spam to my debian-aliases.

Re: greylisting with exim4
Posted by Anonymous (67.172.xx.xx) on Fri 1 Jul 2005 at 20:28
This is why your config files should be under CVS or subversion.

Re: greylisting with exim4
Posted by Anonymous (213.164.xx.xx) on Fri 24 Jun 2005 at 15:19
Steve - Why do you use Exim? Why is it the best?
I'm a postfix man myself.

Re: greylisting with exim4
Posted by Steve (82.41.xx.xx) on Fri 24 Jun 2005 at 15:30
It's not the best for everybody. Just for me, because it's the one that I'm most familiar with.

The mailserver poll a while back showed most people seem to prefer postfix, the reason I post most mail things in an exim fashion is because I'm more comfortable with it and more familiar with it.

I deal with postfix a fair bit, and sendmail too - but my natural inclination for mailserver related jobs is exim4. (See for example Setting up mail forwarding for a rare example of different servers combined).

(If anybody wants to submit postfix/sendmail related articles I'll happily accept them. Even qmail too, if you must ;)

Still all is not lost, I'll shortly be posting a postfix book review which you might enjoy...

Steve
-- Steve.org.uk

Re: greylisting with exim4
Posted by Eirik (129.177.xx.xx) on Fri 24 Jun 2005 at 16:02
Personally I use exim on my boxes because it's the Debian Default, and it gets the job done nicely. But I don't handle any high-volume mailservers -- so the choice of server doesn't really matter much for me.

My recommendation if you want to change mailservers away from exim, would be qmail -- but it's all a matter of what you know, and what those around you know.

Re: Greylisting with exim4
Posted by Anonymous (81.56.xx.xx) on Sat 25 Jun 2005 at 08:41

Thanks Steve for this nice article. I'd like to suggest the use of RBL in conjunction with greylisting -- not as an added measure but as in RBL-driven greylisting. Just add a

dnslists = sbl-xbl.spamhaus.org

or whatever RBL you like. This mitigates the drawbacks of greylisting by putting only emails that are already presumed to be bad through greylisting.

Re: Greylisting with exim4
Posted by Anonymous (147.252.xx.xx) on Fri 10 Mar 2006 at 12:39
Hi

Where are you putting this command into exim .conf or what??

Cheers

Richard

Re: Greylisting with exim4
Posted by chris (217.8.xx.xx) on Mon 27 Jun 2005 at 11:02
Just installed :)

Seems to be working - mail is being rejected 451 - have to wait and see if it is allowed through later.

Did notice one thing - one server (and it's a valid mail too) has its retry in this situation set to one minute - think I may drop postmaster there a note :)

Re: Greylisting with exim4
Posted by Anonymous (141.52.xx.xx) on Tue 28 Jun 2005 at 08:42
I'm just wondering how well this approach is going to work in a setup where a backup MX is in place. E.g. my DNS-MX record looks like this:

myhost.com mail is handled by 10 myhost.com.
myhost.com mail is handled by 20 mx01.kundenserver.de.

If the greylistd on myhost.com replies with a temporary error I'd expect the sending MTA to connect to mx01.kundenserver.de, no? Since I cannot install a greylistd on the mx01 machine, all my mail would go there, right?

Is anyone aware of this behaviour? Is there a solution to that?

Marcus.

Re: Greylisting with exim4
Posted by Steve (82.41.xx.xx) on Wed 29 Jun 2005 at 00:57
In general I believe it is important to have the same SPAM filtering, and content filtering, setup on all MX servers.

There have been a lot of examples of SPAM and viral propagation which deliberately target the backup MX servers - precisely because these have historically been more permissive in what they accept.

If you don't have control over the backup mail handler you're out of luck - perhaps removing it might be an option? Most modern mailservers will retry the primary server repeatedly anyway; unless you really need the massive redundancy, having only one mailserver isn't a big problem.

Steve
-- Steve.org.uk

Re: Greylisting with exim4
Posted by Anonymous (62.3.xx.xx) on Thu 7 Jul 2005 at 00:47
SPAM (capitalised) is a trademark of Hormel, spam is UBE.

Re: Greylisting with exim4
Posted by phoenix (193.113.xx.xx) on Wed 11 Jan 2006 at 16:00
I put greylistd on my mail server (and my MX) a couple of weeks ago. I used to get a couple of bits of spam every day; I now get zero! and from what I can tell, not a single bit of mail hasn't been delivered that should have been.

Re: Greylisting with exim4
Posted by Anonymous (88.112.xx.xx) on Thu 19 Oct 2006 at 18:59
I just tried installing this on Debian (apt-get install greylistd) and added the necessary config-lines via "greylistd-setup-exim4 add".

Now, I can see in the logs that all connections are being greylisted. Also, I see that the sending mailservers are re-trying several times, yet they still continue to stay greylisted.
Any clues what could be wrong here?

Re: Greylisting with exim4
Posted by Anonymous (81.17.xx.xx) on Tue 13 Mar 2007 at 15:17
I got the same problems.. failing e-mails get bounced with this error:

Diagnostic-Code: SMTP; 451 Temporary local problem - please try later

Re: Greylisting with exim4
Posted by Anonymous (81.17.xx.xx) on Sat 26 May 2007 at 12:06
Yep, same thing here..
