greylisting, policyd and sasl authenticated users

[pixelplumber]

I see questions along these lines have been asked before.
I have enabled greylisting with policyd as per the wiki entry. It's working and has succesfully reduced inbound spam.
However, I've noticed that it applies the greylisting policy to all users, whether authenticated or not, the zimbra policy in sqlite has an any|any source|destination.
This means however that users logging in via smartphones or laptops from external IPs to submit mail, although authenticated, still get delayed as per the default greylisting policy from the wiki. This is causing confusion.
Can anyone tell me how to edit the settings in postfix or policyd to bypass greylisting for autheticated external users - ie: those not in 'mynetworks'?
The policyd documentation is a bit light on this (most discussion of sasl users seems concerned with quotas module rather than greylisting module).
If I've been able to piece anything together from the link above and the (zimbra/policyd) wiki I'm guessing I have to do something along the lines of:

• create a policy at a higher priority than the zimbra default?
  
  
• add policy group that filters sasl auth users somehow?
  
  
• add policy group member that has the source|destination configured to opnly capture external sasl users?
  
  

Has anyone here sucessfully configured policyd to exclude external authenticated users from greylisting?
Thanks in advance.

[avea2003]

First: Link to instal WebUI

Two: read Docs

Three: Try

[quanah]

See https://bugzilla.zimbra.com/show_bug.cgi?id=83968

[pixelplumber]

Hi Quanah, that appears to be my issue, cbpolicyd is called before permit_sasl_authenticated users.
Is there a workaround with the MTA config that can execute it after permit_sasl_authenticated? I'm not using quotas at the moment. I don;t mind having to manually fiddle with the config files even if I have to do that after an upgrade each time.
Or should I try and create a new policy that specifies the sasl user in sqlite?

[quanah]

Sadly, I don't know a great way to workaround this issue without doing the redesign as noted in 38968. :/

[minhhoang]

[quote user="pixelplumber"]Hi Quanah, that appears to be my issue, cbpolicyd is called before permit_sasl_authenticated users.
Is there a workaround with the MTA config that can execute it after permit_sasl_authenticated? I'm not using quotas at the moment. I don;t mind having to manually fiddle with the config files even if I have to do that after an upgrade each time.
Or should I try and create a new policy that specifies the sasl user in sqlite?[/QUOTE]
Dear pixelplumber,
Do you find out any solution for this issue? My account on IPAD, and web mail is OK, however all outlook client just receive the message '451 4.7.1 : Sender address rejected: Greylisting in effect, please come back later' and mail got rejected not deferred as I followed wiki configuration.
This happens when outlook client sends mail to new mail address.
Best regards,

Minh.

[phoenix]

[quote user="minhhoang"]Do you find out any solution for this issue?[/QUOTE]The solution is in the changes in the bug report mentioned by Quanah, you'll have to wait for ZCS 8.5.

[minhhoang]

Many thanks phoenix for information. Currently I change to training mode and wait for ZCS 8.5 as you suggest. Can we configure outlook to automatically resend the email because with ipad everything is OK?
Regards,

Minh.

[pixelplumber]

[quote user="minhhoang"]Many thanks phoenix for information. Currently I change to training mode and wait for ZCS 8.5 as you suggest. Can we configure outlook to automatically resend the email because with ipad everything is OK?
Regards,

Minh.[/QUOTE]

I see there's a version of 8.5 in beta now. I'd love it if someone could roadtest it and tell us if it's fixed the issue. I'm overseas for a few weeks so can't try it until I get back.

[essential_mix]

This bug made policyd greylisting almost completely unusable. From which version this appear? Because it was working on 8.0.3