HOWTO Install greylisting with smtp auth.

Hi,

This is my first “howto”, so if anything is wrong, please correct me.

As many of you know, I’ve been after a greylisting solution for qmail for a long time now because we have it running on Windows servers and it runs really fine and keeps spammers back.

The problem with qmail is that greylisting (at least the current installs I had found) didn’t support “smtp auth”, so sending emails had to be done on port 587 (alternate port) and on a production server with more than 1000 email accounts we couldn’t get everyone to change their email client configurations, so I kept on looking.

Yesterday I found this install:

http://mij.oltrelinux.com/net/greylite/

and gave it a try on one of our boxes with hardly any traffic. It worked so well I installed it on our other boxes!.

As the instructions aren’t very clear (at least for me the first 150 times I read them :)), I’ll post step by step how I did it and if the guys at Interworx give it a try and like it, it could be implemented in the next version as an option.

Here we go:

We have CentOS 5.1 machines, so your mileage might vary.

One of the first requisites is to have sqlite3 installed, so I did:

cd ~

  wget http://sqlite.org/sqlite-3.5.4.tar.gz
  tar xvzf sqlite-3.5.4.tar.gz
  cd sqlite-3.5.4
  ./configure
  make
  sudo make install

After that I started actually installing greylite:

wget http://mij.oltrelinux.com/net/greylite/releases/greylite-2.3.tar.bz2
tar xjvf greylite-2.3.tar.bz2
cd greylite-2.3
make all install

That got me the binaries installed and now all I had to do was to configure it:

mkdir -p /var/db/greylite
sqlite3 -init greydb.sql /var/db/greylite/greylite.db
CTRL+D

The problem I encountered later on was that if left like this, the database would be “read-only” and greylisting wouldn’t work, so I had to change the permissions on the folder and greylite.db file.

cd /var/db/
chmod 777 greylite
cd greylite
chmod 777 greylite.db

I did try setting the permissions to a lower level, but then greylisting wouldn’t work and it said “cannot write to database. Set as readonly”. If anyone can give me the correct permissions, I would be very grateful.

Now to actually get greylisting in the smtp process:

nano /service/smtp/run

My file looked like this:

#!/bin/sh
QMAILDUID=id -u vpopmail
NOFILESGID=id -g vpopmail
MAXSMTPD=cat /var/qmail/control/concurrencyincoming
BLACKLIST=cat /var/qmail/control/blacklists
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=hostname
VCHKPW="/home/vpopmail/bin/vchkpw"

exec /usr/bin/softlimit -m 512000000
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c “$MAXSMTPD”
-u “$QMAILDUID” -g “$NOFILESGID” 0 smtp
$RBLSMTPD $BLACKLIST $SMTPD $VCHKPW /bin/true 2>&1
and it ended up looking like this:

#!/bin/sh
QMAILDUID=id -u vpopmail
NOFILESGID=id -g vpopmail
MAXSMTPD=cat /var/qmail/control/concurrencyincoming
BLACKLIST=cat /var/qmail/control/blacklists
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=hostname
VCHKPW="/home/vpopmail/bin/vchkpw"
GREY="/usr/local/bin/greylite"

exec /usr/bin/softlimit -m 512000000
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c “$MAXSMTPD”
-u “$QMAILDUID” -g “$NOFILESGID” 0 smtp
$GREY $RBLSMTPD $BLACKLIST $SMTPD $VCHKPW /bin/true 2>&1

Now to get the variables in the tcp.smtp file:

nano /etc/tcprules.d/tcp.smtp

The original file was:

127.:allow,RELAYCLIENT=""
:allow,LANG=“en_US”,QMAILQUEUE="/var/qmail/bin/simscan"
and after editing it, it was:

127.:allow,RELAYCLIENT=""
:allow,LANG=“en_US”,QMAILQUEUE="/var/qmail/bin/simscan",GREYLIST=“5”,DBFILE="/var/db/greylite/greylite.db",GREETDELAY=""

Now to include it in the tcp.smtp.cdb file:

 tcprules tcp.smtp.cdb footmpcdbfile < tcp.smtp

After that we want to check that the variables are being read correctly:

tcprulescheck tcp.smtp.cdb

and the result should be something like this:

rule :
set environment variable LANG=en_US
set environment variable QMAILQUEUE=/var/qmail/bin/simscan
set environment variable GREYLIST=5
set environment variable DBFILE=/var/db/greylite/greylite.db
set environment variable GREETDELAY=
allow connection

And finally you have to restart the service:

service smtp restart

You can now test the system by telnetting (you write the bits in red):

# telnet my.server.com 25
Trying 1.2.3.4...
Connected to my.server.com.
Escape character is '^]'.
220 my.server.com ESMTP
HELO asd
250 my.server.com
MAIL FROM:<youruser@yourhost.com>
250 ok
RCPT TO:<youruser@yourhost.com>
451 qqt failure (#4.3.0)    -- or --    452 insufficient system storage                    The connection is closed. Wait 30 seconds and try again the same         commands, the message should be accepted.         
                   [B]P.S.[/B]: ALWAYS test from an [B]external[/B] address, one for         which the GREYLIST environment variable will be set.         

Hopefully this works for someone and comes back to leave some feedback!

From here my thanks to Mij (mij@bitchx.it) for this great patch.

Now for my personal comments:

  • I’ve tried sending emails with authentication and it seems to work.
  • I’d like to be able to create a whitelist or similar, but the only option is to add “allowed IP addresses” in the tcp.smtp file. I’m not very happy with that.

Apart from that, it seems to be working really great for us…

Regards,

Daniel

http://mij.oltrelinux.com/net/greylite/

Nice idea. But, any possibility for a legitimate mail to not get delivered (due to only a few tries the mail server tried)?

If that concept would really work, then iworx guys should consider supporting this feature.

PS:
I guess, IF ALL genuine mail servers out there support/accept this system (requiring ALL incoming mails accepted only after a good number of tries), then probably it could be THE END to spam mails. :slight_smile: May be the mail servers have to do more work and we may get the mails somewhat delayed, but it will be worth to do it.

Great and thank you !

Did you test it with the a suspicion file/rules set ?

Paul

[quote=netipro;15186]Great and thank you !

Did you test it with the a suspicion file/rules set ?

Paul[/quote]

Yes, I have it working like that on both servers and it works fine :slight_smile: