>>> I am using policyd 2.0.10 and have a problem with the very popular
>>> Russian mail server mail.ru.
>>>
>>> When it sends mail to my server, it tries to send me the mail from
>>> different SMTP servers with different IP addresses. And my greylisting
>>> rule always rejects the mail with "Recipient address rejected: Greylisting
>>> in effect, please come back later".
>>>
>>> For example, first it tries to deliver via f52.mail.ru and gets the
>>> answer "Recipient address rejected: Greylisting in effect, please come
>>> back later".
>>> After some time it repeats the attempt from another IP, f44.mail.ru, and
>>> gets the answer "Greylisting in effect" again.
>>> The third attempt, from f93.mail.ru, also gets this answer.
>>> They have many servers: f93.mail.ru
>>> f64.mail.ru
>>> fallback7.mail.ru
>>> fallback3.mail.ru
>>> and many others...
>>>
>>> So the messages are not delivered for a very long time.
>>>
>>> A good solution for problems like this would be to add a feature to
>>> disable greylisting via the DNS name of the sender IP. For example, I could
>>> add %.mail.ru servers to the whitelist and solve this problem.
>> An easier solution is to select a suitable netmask when adding the
>> Greylist policy. Typically such server clusters are in a small
>> network range.
>> When adding a policy, it's the Track option - next to the pull-down
>> menu with only Sender IP, you can enter a mask length - and the popup
>> help suggests /24 is a sane value (which I'd agree with).
>>
>> Doing it your way means having to whitelist loads of outfits as you
>> get complaints - mail.ru are far from alone in using clusters of
>> outbound mail handlers.
> Yes, I can add those IP addresses to whitelists, but, as I see, they
> are from different subnets (94.100.xx.xx, 217.69.xx.xx, etc), and
> sometimes it changes (mail.ru adds new servers). So periodically I
> must monitor the logs and update this whitelist.
>
> It would be better to add a whitelist via DNS name like %.mail.ru,
> %.gmail.com, etc, because in the logs I see the DNS name of those IPs
> always with the mail.ru suffix.
>
> For quicker SQL queries it would be better to store them in reverse order
> (ru.mail.%, com.gmail.%) - did you plan to add this feature?
>
> We can store it in the greylisting_whitelist table like the IP subnets:
> SenderIP:192.168.0.0/16
> SenderHost:ru.mail.%

Reverse DNS names can be forged very easily. All a spammer needs to do is add a PTR record for their IP like hello.example.net. and suddenly all their mail will bypass your greylisting.

% is also not something supported anywhere in v2 ?

-N
_______________________________________________ Users mailing list [email protected] http://lists.policyd.org/mailman/listinfo/users
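
The forged-PTR problem raised in the reply, with the usual countermeasure (forward-confirmed reverse DNS: accept a PTR name only if that name resolves back to the connecting IP), as an added example that is not part of the original thread and not policyd code. The IP addresses, the `f99` host and the resolver tables are constructed, and every function name is hypothetical.

```python
import ipaddress
import socket

def ptr_lookup(ip):
    """Real reverse lookup: PTR names for ip, empty list on failure."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def addr_lookup(host):
    """Real forward lookup: every A/AAAA address published for host."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def suffix_match(host, suffix):
    """True if host is suffix itself or a subdomain of it (label boundary)."""
    host, suffix = host.rstrip(".").lower(), suffix.strip(".").lower()
    return host == suffix or host.endswith("." + suffix)

def whitelisted_naive(ip, suffixes, ptr=ptr_lookup):
    """The proposal as written: trust whatever name the PTR record gives."""
    return any(suffix_match(h, s) for h in ptr(ip) for s in suffixes)

def whitelisted_fcrdns(ip, suffixes, ptr=ptr_lookup, fwd=addr_lookup):
    """Trust a PTR name only if its forward lookup returns the same IP."""
    client = ipaddress.ip_address(ip)
    for host in ptr(ip):
        if not any(suffix_match(host, s) for s in suffixes):
            continue
        if client in {ipaddress.ip_address(a) for a in fwd(host)}:
            return True
    return False

# Constructed DNS data (documentation IP ranges, not real mail.ru records).
PTR = {"192.0.2.10": ["f52.mail.ru."], "203.0.113.66": ["f99.mail.ru."]}
A = {"f52.mail.ru": {"192.0.2.10"}}  # forward zone has no f99: forged PTR

def fake_ptr(ip):
    return PTR.get(ip, [])

def fake_fwd(host):
    return A.get(host.rstrip(".").lower(), set())

if __name__ == "__main__":
    for ip in PTR:
        print(ip, whitelisted_naive(ip, ["mail.ru"], fake_ptr),
              whitelisted_fcrdns(ip, ["mail.ru"], fake_ptr, fake_fwd))
```

Left at their default resolvers, the same functions query live DNS, which adds a reverse and a forward lookup to every whitelist check.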
