# Postscreen and/or milter-greylist



## xy16644 (Jan 21, 2014)

On my old server I am running Postfix, mail/postgrey and Postscreen (as well as Spamassassin and ClamAV but that is not relevant to this post). This combination has been fantastic since I implemented it. The only annoying issue with Postgrey has been (obviously) the delays in email delivery at times.

I am now considering running the same setup as above but replacing Postgrey with mail/milter-greylist. I see that milter-greylist does whitelisting by default and can blacklist or greylist depending on the rules set in the config file.

The questions I have are:

1) If I continue using Postscreen, is there any point in using milter-greylist with DNS RBLs?

2) Is it better to drop Postscreen and just use milter-greylist? i.e. use milter-greylist to do ALL DNS RBL checking, blacklisting/greylisting/whitelisting?

Ideally I would like to keep Postscreen as it has been super. I would also like to use greylisting but would like more control over it and like milter-greylist's default behaviour of whitelisting (there are obviously rules before the whitelisting rule to greylist or blacklist).

I'd be interested in hearing the forum's thoughts on this, especially on milter-greylist.

Thank you.


----------



## wblock@ (Jan 21, 2014)

mail/milter-greylist has been working great for me for years, although I use it with Sendmail.  Sorry, don't understand question 1, RBLs are not a replacement for greylisting, or vice versa.


----------



## kpa (Jan 21, 2014)

RBLs can complement greylisting nicely and in case of mail/milter-greylist you can handle all greylisting and RBL based blocking in one single service, no need to install anything else.


----------



## wblock@ (Jan 21, 2014)

Sendmail handles RBLs natively, so I've never seen a reason to use mail/milter-greylist for that.


----------



## kpa (Jan 21, 2014)

Yes, the only reason I used the mail/milter-greylist for RBLs was easier configuration. I prefer to keep the sendmail(8) configuration changes to the minimum.


----------



## xy16644 (Jan 21, 2014)

wblock@ said:

> mail/milter-greylist has been working great for me for years, although I use it with Sendmail.  Sorry, don't understand question 1, RBLs are not a replacement for greylisting, or vice versa.



From what I understand about mail/milter-greylist you can have blacklists, greylists and whitelists. As follows:


```
dnsrbl "MTAWL" list.dnswl.org 127.0.0.0/16
dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10

racl whitelist dnsrbl "MTAWL"
racl blacklist dnsrbl "SORBS DUN"
racl greylist list "users" delay 1m
racl whitelist default
```

So I thought the mail/milter-greylist was using DNSRBL like Postscreen does? i.e. some of my Postscreen looks like this:


```
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        dnsbl.ahbl.org*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
```

Am I confusing the two?



			
kpa said:

> RBLs can complement greylisting nicely and in case of mail/milter-greylist you can handle all greylisting and RBL based blocking in one single service, no need to install anything else.



Yes! This is what I was wondering @kpa! I guess the question is, is there any point in having Postscreen configured AND mail/milter-greylist for DNSRBL?

The way I see it is, if I used Postscreen AND milter-greylist, Postscreen would stop most junk mail before it even touches Postfix. The emails that sneak through Postscreen would/could be greylisted by default I guess by mail/milter-greylist?

@wblock@: Would you mind sharing your /usr/local/etc/mail/greylist.conf?

So to summarise in a diagram:

Incoming email ---> Postscreen (uses DNSRBLs) ---> Postfix (milters) ---> milter-greylist (greylisting on by default but no point in using DNSBLs since Postscreen has already done this check?)


----------
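
How the weighted `postscreen_dnsbl_sites` list quoted above turns DNSBL replies into one score, as an added example that is not part of any post in the thread. The reply addresses are constructed, and the threshold of 3 is an assumption, since the thread does not show `postscreen_dnsbl_threshold`.

```python
import re

# postscreen_dnsbl_sites exactly as quoted in the post above.
SITES = """
zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2
dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""

def parse_sites(value):
    """Split 'domain[=filter][*weight]' items; a missing weight counts as 1."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        domain, flt, weight = re.fullmatch(
            r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item).groups()
        entries.append((domain, flt, int(weight) if weight else 1))
    return entries

def octet_ok(pattern, octet):
    """Match one octet against 'N' or '[a;b..c]' (numbers and ranges)."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_ok(flt, reply):
    """No filter: any reply counts. Otherwise all four octets must match."""
    if flt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and all(map(octet_ok, patterns, octets))

def dnsbl_score(entries, replies):
    """Sum the weights of matching entries; each entry counts at most once."""
    return sum(w for d, f, w in entries
               if any(reply_ok(f, r) for r in replies.get(d, [])))

def blocked(replies, threshold=3):
    # threshold=3 is an assumed value for postscreen_dnsbl_threshold
    return dnsbl_score(parse_sites(SITES), replies) >= threshold
```

A client on one unweighted blocklist stays below the assumed threshold, and a `list.dnswl.org` hit can cancel a blocklist hit, which is why mail can still reach a greylisting milter after postscreen.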



## wblock@ (Jan 21, 2014)

I'll summarize what is set in milter-greylist.conf:


```
greylist 5m
```
Set a five-minute timeout.


```
list "mynetwork" addr { 127.0.0.1/8 10.0.0.0/8 192.168.1.0/24 }
```
Create an access list for the inside network.


```
list "gooddomains" domain {    \
       apache.org              \
       freebsd.org             \
       freedesktop.org         \
       ...
}
```

Create an access list for domains that can skip greylisting.


```
racl whitelist list "mynetwork"
racl whitelist list "gooddomains"
racl greylist default
```

Whitelist and greylist the access lists.


----------



## xy16644 (Jan 21, 2014)

@wblock@: That's interesting, I see you have changed the default behaviour from whitelisting to greylisting. I can't figure out why you'd set the defaults to whitelisting, doesn't that defeat the object of greylisting then?

Do you not bother with DNSRBL then in mail/milter-greylist?

What about SPF checking, do you enable or use this feature in mail/milter-greylist?

I think a good combination would be to use Postscreen for the DNSRBL stuff and then use mail/milter-greylist purely for greylisting?


----------



## wblock@ (Jan 21, 2014)

No, I put DNSBL entries in _hostname_.mc.  Performance-wise, I doubt that it matters where they go as long as they are done before greylisting.

I've never bothered with SPF.  The only time I've ever noticed it being used is in actual spam.


----------



## xy16644 (Jan 21, 2014)

Yeah, I have been wondering about SPF. What about DKIM, any point in bothering with that?


----------



## wblock@ (Jan 21, 2014)

I have not used DKIM, either.  Both it and SPF are not anti-spam measures, just anti-forgery.  If you use some big spam evaluation package like SpamAssassin, SPF and DKIM might help in scoring.


----------



## xy16644 (Jan 25, 2014)

I seem to be having an issue with mail/milter-greylist. When I enable mail/milter-greylist in Postfix and I send myself a test email I get the following error:

```
warning: connect to Milter service unix:/var/milter-greylist/milter-greylist.sock: Permission denied
```

In my /usr/local/etc/mail/greylist.conf I have set:

```
user "mailnull:mailnull"
```

and the directory permissions are set as follows:

```
drwxr-xr-x   2 mailnull mailnull   3B Jan 25 09:44 milter-greylist/
```

My /var/log/milter-greylist/greylist.log is empty.

In /usr/local/etc/postfix/main.cf I have set:

```
smtpd_milters = unix:/var/run/clamav/clmilter.sock
                         unix:/var/run/spamass-milter/spamass-milter.sock
                         unix:/var/milter-greylist/milter-greylist.sock
```


I've run out of ideas, how do I resolve this permission error to get greylisting to work?


----------



## wblock@ (Jan 25, 2014)

In greylist.conf, I just have

```
user "mailnull"
```


----------



## xy16644 (Jan 25, 2014)

I tried that too but still no joy. I just don't understand why there is nothing appearing in the logfile.


----------



## xy16644 (Jan 26, 2014)

So I have had no luck getting mail/milter-greylist working unfortunately. 

I have started looking at alternatives. I was looking at SQLgrey. Does anyone have any experience with this port? Any good?

I see it has a nice web front end for managing your whitelists and blacklists as well as tracking the state of your greylist:

sgwi

Appreciate any thoughts or comments!


----------



## kpa (Jan 26, 2014)

Try setting the user and group to postfix, I think that's what mail/postfix expects from the sockets it feeds the data to be filtered.


----------



## xy16644 (Jan 26, 2014)

kpa said:

> Try setting the user and group to postfix, I think that's what mail/postfix expects from the sockets it feeds the data to be filtered.



Thanks @kpa, I tried your suggestion but I'm still getting:

```
Jan 26 16:57:02 mail postfix/smtpd[10796]: warning: connect to Milter service unix:/var/milter-greylist/milter-greylist.sock: Permission denied
```

In /usr/local/etc/mail/greylist.conf I changed user to:

```
user "postfix:postfix"
```

I restarted the daemon but still no joy.


----------



## kpa (Jan 26, 2014)

Recreate the socket as well. The user setting is not enough if I remember right.

Edit: Also take a look at the owner of the enclosing directory of the socket file under /var, that has to be postfix as well I think.


----------



## xy16644 (Jan 26, 2014)

Currently /var/milter-greylist/ has the following permissions:

```
drwxr-xr-x   2 mailnull  mailnull     3B Jan 26 16:55 milter-greylist
```

In the /var/milter-greylist/ directory I have:

```
srwxr-xr-x   1 mailnull  mailnull     0B Jan 26 16:55 milter-greylist.sock
```

How do you recreate the socket?


----------



## kpa (Jan 26, 2014)

I don't remember exactly but if you delete it the service startup will probably recreate it using the owner given in the configuration file.


----------



## xy16644 (Jan 26, 2014)

So I changed the permissions on /var/milter-greylist/:

```
drwxr-xr-x   2 postfix  postfix     3B Jan 26 17:39 milter-greylist
```

And I stopped the service and deleted:

```
rm /var/milter-greylist/milter-greylist.sock
```

Funny thing is, when I started the service back up again, the permissions changed back to what they were for the socket file:

```
srwxr-xr-x  1 mailnull  mailnull     0B Jan 26 17:39 /var/milter-greylist/milter-greylist.sock
```

My config file looks like this currently:

```
pidfile "/var/run/milter-greylist.pid"
socket "/var/milter-greylist/milter-greylist.sock"
dumpfile "/var/milter-greylist/greylist.db" 600
dumpfreq 1
user "postfix:postfix"
```


----------



## xy16644 (Jan 26, 2014)

I also tried reinstalling the port (and deleting the directories and config files) but this hasn't helped.


----------



## kpa (Jan 26, 2014)

See if you have to set the user in rc.conf, the rc(8) file for the port seems to have an option for that:


```
miltergreylist_runas="postfix:postfix"
```


----------



## xy16644 (Jan 26, 2014)

kpa said:

> See if you have to set the user in rc.conf, the rc(8) file for the port seems to have an option for that:



That fixed it!

I added to /etc/rc.conf:


```
miltergreylist_runas="postfix:postfix"
```

Thank you very much!


----------
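
Why the listings above produce "Permission denied" for Postfix, as an added example that is not part of any post: connecting to a pathname Unix socket needs search permission on the enclosing directory and write permission on the socket itself. It assumes smtpd connects as user and group `postfix`; the first three listings are copied from the thread, the last one is constructed.

```python
# ls -l lines copied from the thread.
DIR_MAILNULL = "drwxr-xr-x   2 mailnull  mailnull     3B Jan 26 16:55 milter-greylist"
DIR_POSTFIX = "drwxr-xr-x   2 postfix  postfix     3B Jan 26 17:39 milter-greylist"
SOCK_MAILNULL = "srwxr-xr-x  1 mailnull  mailnull     0B Jan 26 17:39 milter-greylist.sock"
# Constructed: what the socket looks like once the daemon really runs as postfix.
SOCK_POSTFIX = "srwxr-xr-x  1 postfix  postfix     0B Jan 26 18:00 milter-greylist.sock"

def parse_ls(line):
    """Return (mode, owner, group) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3]

def applicable_bits(mode, owner, group, user, groups):
    """Pick the rwx triplet that the kernel applies to `user`."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def connect_denied_by(dir_line, sock_line, user, groups):
    """Return the reason connect(2) fails for `user`, or None if it is allowed.

    Only the socket and its directory are checked (the parent directories
    are assumed searchable) and the superuser bypass is not modelled.
    """
    mode, owner, group = parse_ls(dir_line)
    if applicable_bits(mode, owner, group, user, groups)[2] not in "xst":
        return "no search permission on directory"
    mode, owner, group = parse_ls(sock_line)
    if not mode.startswith("s"):
        return "not a socket"
    if applicable_bits(mode, owner, group, user, groups)[1] != "w":
        return "no write permission on socket"
    return None
```

Changing only the directory owner does not help, because the write bit that matters is on the socket, and the socket is recreated with the owner the daemon actually runs as.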



## xy16644 (Feb 9, 2014)

I've been using milter-greylist for a few days now and there's something I am unsure of. In the header of one email I have:


```
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.4.3
```

But I know that this email took 45 minutes to be delivered. Why is the header saying the email was not delayed by milter-greylist then?


----------



## wblock@ (Feb 10, 2014)

That's the second arrival of the mail, so that time it was let through.


----------



## xy16644 (Feb 18, 2014)

I've had some issues with Ebay emails not being delivered since I started using milter-greylist. I have created a manual whitelist to allow ebay.com and ebay.co.uk to allow the email to be delivered.

Have you experienced issues like this with milter-greylist? I don't remember ever having any issues with postgrey but since using milter-greylist I have had to whitelist a few domains and one IP address.

The problem with whitelisting domain names is that if someone spoofs their address it'll sneak through the greylisting! And for someone as big as Ebay I don't know what all the SMTP IP addresses are to be able to whitelist them.

I was just curious how other people deal with these kinds of issues with greylisting (milter-greylist in particular)?


----------



## wblock@ (Feb 19, 2014)

I've whitelisted some domains with no notable problems.  Forgery of the From: line is not going to be a problem, because it's going to look at the DNS hostname of the sender instead.  Of course whitelisting the domain requires getting the right domain, and a lot of large sites outsource email or have servers under a different domain than the obvious one.  It's easy to see these when the mail hits the greylist for the first time.


----------
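
How the `racl` order and the two lists from wblock@'s earlier summary decide a connection, and what whitelisting by client hostname does and does not cover, as an added example that is not part of any post. It assumes rules are tried top to bottom with the first match deciding, and that a domain list is compared as a suffix of the client's reverse-DNS name; `label_boundary` is a hypothetical switch for this sketch, and the client addresses and hostnames are constructed.

```python
import ipaddress

# Lists and rule order from wblock@'s summary; the elided "..." is not filled in.
LISTS = {
    "mynetwork": ("addr", ["127.0.0.1/8", "10.0.0.0/8", "192.168.1.0/24"]),
    "gooddomains": ("domain", ["apache.org", "freebsd.org", "freedesktop.org"]),
}
RACL = [("whitelist", "mynetwork"),
        ("whitelist", "gooddomains"),
        ("greylist", "default")]

def domain_match(rdns, suffix, label_boundary):
    """Compare the client's reverse-DNS name with one list entry."""
    rdns, suffix = rdns.lower().rstrip("."), suffix.lower()
    if label_boundary:
        return rdns == suffix or rdns.endswith("." + suffix)
    return rdns.endswith(suffix)  # plain suffix comparison (assumed semantics)

def list_match(name, addr, rdns, label_boundary):
    kind, items = LISTS[name]
    if kind == "addr":
        ip = ipaddress.ip_address(addr)
        # strict=False because "127.0.0.1/8" is written with host bits set
        return any(ip in ipaddress.ip_network(n, strict=False) for n in items)
    return rdns is not None and any(
        domain_match(rdns, d, label_boundary) for d in items)

def racl_decision(addr, rdns, racl=RACL, label_boundary=False):
    """Return the action of the first rule that matches the client."""
    for action, target in racl:
        if target == "default" or list_match(target, addr, rdns, label_boundary):
            return action
    return None
```

The envelope sender never enters the decision, so a forged sender address at an unlisted host is still greylisted; under the plain suffix comparison, though, a look-alike hostname such as `mail.notfreebsd.org` would match the `freebsd.org` entry.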



## ShelLuser (Feb 19, 2014)

I know I'm a bit late with my response and I also realize that my comment may be plain out moot at this point in time, but I can't help but wonder if you realize(d) that mail/postgrey also provides whitelists? You have postgrey_whitelist_recipients as well as postgrey_whitelist_clients which you can use for that.

Figured I'd mention it because when going over this thread it almost looks as if Postgrey doesn't support this feature while in fact it does.


----------

