help with cbpolicyd, problem with greylisting, internal posts
- Advanced member
- Posts: 62
- Joined: Fri Sep 12, 2014 10:41 pm
- Location: Palisades, NY
- ZCS/ZD Version: Release 8.7.1_GA_1670.RHEL6_64_2016
help with cbpolicyd, problem with greylisting, internal posts
Release 7.2.7_GA_2942.RHEL5_64_20140314190109 RHEL5_64 NETWORK edition.
---------------
Dear Forum,
I've enabled cbpolicyd, following the directions using the fine wiki page: Postfix Policyd - Zimbra :: Wiki
I've set our internal mail server IP address (in fact, the whole subnet) to be whitelisted, but when users authenticate remotely through SMTP to deliver mail they are being greylisted. All else seems to work as designed.
Can someone tell me how to stop this "internal" greylisting? Can I bypass greylisting for "authenticated" users?
Thanks in advance for any help,
Jeff Turmelle
- Advanced member
- Posts: 62
- Joined: Fri Sep 12, 2014 10:41 pm
- Location: Palisades, NY
- ZCS/ZD Version: Release 8.7.1_GA_1670.RHEL6_64_2016
help with cbpolicyd, problem with greylisting, internal posts
So, has anyone got greylisting on 7.2 to work? Maybe you can tell me how you allow Authenticated SASL users to bypass greylisting.
I tried adding
5|Sender:$*|Whitelist authenticated users|0
to the greylisting_whitelist but that made no difference.
Anyone?
Thanks,
Jeff
[quote user="jefft@iri.columbia.edu"]Release 7.2.7_GA_2942.RHEL5_64_20140314190109 RHEL5_64 NETWORK edition.
---------------
Dear Forum,
I've enabled cbpolicyd, following the directions using the fine wiki page: Postfix Policyd - Zimbra :: Wiki
I've set our internal mail server IP address (in fact, the whole subnet) to be whitelisted, but when users authenticate remotely through SMTP to deliver mail they are being greylisted. All else seems to work as designed.
Can someone tell me how to stop this "internal" greylisting? Can I bypass greylisting for "authenticated" users?
Thanks in advance for any help,
Jeff Turmelle[/QUOTE]
- Outstanding Member
- Posts: 391
- Joined: Sat Sep 13, 2014 12:06 am
help with cbpolicyd, problem with greylisting, internal posts
I'm interested in the same, how to skip greylisting for authenticated users? Should I just "move" them to send thru port 587?
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
help with cbpolicyd, problem with greylisting, internal posts
Hi,
I'll try to give you an answer tomorrow (lab environment not accessible right now). What I'll do is create the rule in my environment (8.5) and give you the resulting sqlite entry just to see if it is the same as yours.
- Advanced member
- Posts: 58
- Joined: Fri Sep 12, 2014 10:27 pm
help with cbpolicyd, problem with greylisting, internal posts
I think I have the same problem as you. Used to use postgrey, switched to policyd to have greylisting method that didn't require modifications each upgrade but discovered the internal SASL sender issues.
Ended up turning it off while waiting for fixes that are probably not coming until 9.x.
http://forums.zimbra.com/showthread.php ... highlight=
https://bugzilla.zimbra.com/show_bug.cgi?id=83968
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
help with cbpolicyd, problem with greylisting, internal posts
Hi,
Sorry for the delay, I completely forgot about this.
The only option that I see for "source" is "Sender IP". So at this point, the only options I can think of are:
- Have your users use the web client. As you already added your stores to the whitelist, this should do it.
- Use autowhitelisting so you temporarily add sender IPs from senders that retry a certain number of mails.
Do you need help with any of these? I could create the rules for AWL if you want and share them with you if you need them.
help with cbpolicyd, problem with greylisting, internal posts
Whitelisting is not possible, since the user may be on a dialup connection or in a bar. AWL could temporarily go, if the user's client retries after some minutes it will work, but still it's not a solution. The best would be to disable GL for authenticated users.
- Advanced member
- Posts: 58
- Joined: Fri Sep 12, 2014 10:27 pm
help with cbpolicyd, problem with greylisting, internal posts
Yeah, that's what I would like to do. Quanah mentioned in the linked thread and bug report there apparently needs to be a redesign to allow us to do what we want to do with SASL users. I admit I don't know enough about cbpolicyd rules to know if there's a workaround until those fixes are in, but the indication from Quanah in that thread was it wasn't possible yet.
We can't force everyone to use the web interface (IMAP and mobile clients) so I disabled greylisting for now.
help with cbpolicyd, problem with greylisting, internal posts
Has someone tried to move the permit_sasl_authenticated line in /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf one line before the policyd service? Postfix reload and changes should be applied.
If anyone tests this before the weekend, please post back results!
edit: I just found out that ZCS 8.6.0 is out, but I don't see the bug in the fixed issues.
Edit2: I just tested it. I don't know why I thought that I need to change the smtpd_recipient_restrictions.cf. It is obviously smtpd_sender_restrictions.cf. That solved it for me. My smtpd_sender_restrictions.cf now looks like this:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
Reload postfix and Outlook authenticated users are now not greylisted!
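The ordering effect described in the post above, as an added example that is not part of the original thread or Zimbra's own code: a simplified first-match model of the restriction list, built from the posted template lines. The pre-change position of permit_sasl_authenticated, the client address, the login name and the mynetworks value are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Template lines as posted in the thread (zmconfigd %%...%% wrappers left in place).
REORDERED = """\
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
"""
NAMES = re.compile(r"\b(reject_authenticated_sender_login_mismatch|permit_sasl_authenticated|"
                   r"check_policy_service|check_sender_access|permit_mynetworks|"
                   r"permit_tls_clientcerts)\b")

def restriction_order(template):
    """Restriction names in file order, assuming every %%...%% conditional is enabled."""
    return [m.group(1) for line in template.splitlines() if (m := NAMES.search(line))]

def assumed_stock_order(order):
    """ASSUMPTION: before the edit, permit_sasl_authenticated sat after permit_mynetworks,
    i.e. after the policy service (the post only shows the file after the change)."""
    rest = [r for r in order if r != "permit_sasl_authenticated"]
    i = rest.index("permit_mynetworks") + 1
    return rest[:i] + ["permit_sasl_authenticated"] + rest[i:]

def evaluate(order, client_ip, sasl_user, mynetworks=("127.0.0.0/8",), first_seen=True):
    """Walk the list in order: a permit or a policy verdict ends it, anything else falls through.
    Returns (verdict, restrictions actually consulted)."""
    seen = []
    for r in order:
        seen.append(r)
        if r == "permit_sasl_authenticated" and sasl_user:
            return "OK", seen
        if r == "permit_mynetworks" and any(
                ip_address(client_ip) in ip_network(n) for n in mynetworks):
            return "OK", seen
        if r == "check_policy_service" and first_seen:
            return "DEFER", seen  # modelled greylisting verdict for an unseen triplet
    return "DUNNO", seen

def not_consulted(order, seen):
    """Restrictions the session never reached."""
    return order[len(seen):]

if __name__ == "__main__":
    order = restriction_order(REORDERED)
    # Constructed sessions: 203.0.113.7 is a documentation address, "jeff" a sample login.
    print("before:", evaluate(assumed_stock_order(order), "203.0.113.7", "jeff"))
    print("after: ", evaluate(order, "203.0.113.7", "jeff"))
    print("unauthenticated, after:", evaluate(order, "203.0.113.7", None))
```

With the reordered list an authenticated session stops at permit_sasl_authenticated, so the policy service call and the entries after it in this list are not consulted for that session, while unauthenticated remote clients are still greylisted.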