help with cbpolicyd, problem with greylisting, internal posts

jefft@iri.columbia.edu
Advanced member
Posts: 62
Joined: Fri Sep 12, 2014 10:41 pm
Location: Palisades, NY
ZCS/ZD Version: Release 8.7.1_GA_1670.RHEL6_64_2016

Post by jefft@iri.columbia.edu »

Release 7.2.7_GA_2942.RHEL5_64_20140314190109 RHEL5_64 NETWORK edition.

---------------
Dear Forum,
I've enabled cbpolicyd, following the directions using the fine wiki page: Postfix Policyd - Zimbra :: Wiki
I've set our internal mail server IP address (in fact, the whole subnet) to be whitelisted, but when users authenticate remotely through SMTP to deliver mail they are being greylisted. All else seems to work as designed.
Can someone tell me how to stop this "internal" greylisting? Can I bypass greylisting for "authenticated" users?
Thanks in advance for any help,
Jeff Turmelle

Post by jefft@iri.columbia.edu »

So, has anyone got greylisting on 7.2 to work? Maybe you can tell me how you allow Authenticated SASL users to bypass greylisting.
I tried adding

5|Sender:$*|Whitelist authenticated users|0

to the greylisting_whitelist but that made no difference.
Anyone?
Thanks,
Jeff
6233maxxer
Outstanding Member
Posts: 391
Joined: Sat Sep 13, 2014 12:06 am


Post by 6233maxxer »

I'm interested in the same, how to skip greylisting for authenticated users? Should I just "move" them to send thru port 587?
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Post by pup_seba »

Hi,

I'll try to give you an answer tomorrow (lab environment not accessible right now). What I'll do is create the rule in my environment (8.5) and give you the resulting sqlite entry just to see if it is the same as yours.
pixelplumber
Advanced member
Posts: 58
Joined: Fri Sep 12, 2014 10:27 pm


Post by pixelplumber »

I think I have the same problem as you. Used to use postgrey, switched to policyd to have greylisting method that didn't require modifications each upgrade but discovered the internal SASL sender issues.

Ended up turning it off while waiting for fixes that are probably not coming until 9.x.

http://forums.zimbra.com/showthread.php ... highlight=

https://bugzilla.zimbra.com/show_bug.cgi?id=83968

Post by pup_seba »

Hi,

Sorry for the delay, I completely forgot about this.

The only option that I see for "source" is "Sender IP". So at this point, the only options I can think of are:

- Have your users use the Web client. As you already added your stores to the whitelist, this should do it.

- Use autowhitelisting so you temporarily add sender IPs from senders that retry a certain number of mails.

Do you need help with any of these? I could create the rules for AWL if you want and share them with you if you need them.
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Post by maxxer »

Whitelisting is not possible, since the user may be on a dialup connection or in a bar. AWL could temporarily go, if the user's client retries after some minutes it will work, but still it's not a solution. The best would be to disable GL for authenticated users.

Post by pixelplumber »

Yeah, that's what I would like to do. Quanah mentioned in the linked thread and bug report there apparently needs to be a redesign to allow us to do what we want to do with SASL users. I admit I don't know enough about cbpolicyd rules to know if there's a workaround until those fixes are in, but the indication from Quanah in that thread was it wasn't possible yet.

We can't force everyone to use the web interface (IMAP and mobile clients) so I disabled greylisting for now.
snakeat3r
Posts: 1
Joined: Thu Dec 18, 2014 6:14 pm


Post by snakeat3r »

Has someone tried to move the permit_sasl_authenticated line in /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf one line before the policyd service? Postfix reload and changes should be applied.

If anyone tests this before the weekend please post back results! :)

edit: I just found out that ZCS 8.6.0 is out, but I don't see the bug in the fixed issues.

Edit2: I just tested it. I don't know why I thought that I need to change the smtpd_recipient_restrictions.cf. It is obviously smtpd_sender_restrictions.cf. That solved it for me. My smtpd_sender_restrictions.cf now looks like this:

%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%



Reload postfix and Outlook authenticated users are now not greylisted!
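
A check for the ordering change described in the post above, as an added example that is not part of the thread or of Zimbra's own tooling: it reports whether permit_sasl_authenticated sits before the cbpolicyd check_policy_service line, and which later check_* restrictions authenticated sessions therefore no longer reach in this list. The function names and sample files are constructed for illustration; the "before" ordering is an assumption.

```shell
# Added example. Postfix walks a restriction list top to bottom and stops at
# the first restriction that returns a decision, so the position of
# permit_sasl_authenticated decides what authenticated sessions reach.

# restriction_order FILE: prints sasl-before-policyd, policyd-before-sasl,
# no-policyd or no-sasl.
restriction_order() {
    awk '
        /^[ \t]*#/ { next }
        /permit_sasl_authenticated/ && !sasl { sasl = NR }
        /check_policy_service/ && !pol { pol = NR }
        END {
            if (!pol) print "no-policyd"
            else if (!sasl) print "no-sasl"
            else if (sasl < pol) print "sasl-before-policyd"
            else print "policyd-before-sasl"
        }' "$1"
}

# skipped_for_authenticated FILE: check_* restrictions listed after
# permit_sasl_authenticated, which authenticated sessions never reach.
skipped_for_authenticated() {
    awk '
        /^[ \t]*#/ { next }
        seen && match($0, /check_[a-z_]+/) { print substr($0, RSTART, RLENGTH) }
        /permit_sasl_authenticated/ { seen = 1 }
    ' "$1"
}

# Constructed sample files: "after" follows the ordering posted above,
# "before" is an assumed ordering with permit_sasl_authenticated further down.
demo_dir=$(mktemp -d)
cat > "$demo_dir/after.cf" <<'EOF'
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
EOF
cat > "$demo_dir/before.cf" <<'EOF'
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
permit_mynetworks
permit_sasl_authenticated
EOF
restriction_order "$demo_dir/before.cf"; restriction_order "$demo_dir/after.cf"
skipped_for_authenticated "$demo_dir/after.cf"
```

With the posted ordering the second function also lists check_sender_access, meaning the tag_as_originating.re lookup is skipped for authenticated senders along with the policy service. On a live system, point both functions at the smtpd_sender_restrictions.cf file named in the post.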