help with cbpolicyd, problem with greylisting, internal posts

Postby jefft@iri.columbia.edu » Fri Aug 15, 2014 11:38 am

Release 7.2.7_GA_2942.RHEL5_64_20140314190109 RHEL5_64 NETWORK edition.

---------------
Dear Forum,
I've enabled cbpolicyd, following the directions using the fine wiki page: Postfix Policyd - Zimbra :: Wiki
I've set our internal mail server IP address (in fact, the whole subnet) to be whitelisted, but when users authenticate remotely through SMTP to deliver mail they are being greylisted. All else seems to work as designed.
Can someone tell me how to stop this "internal" greylisting? Can I bypass greylisting for "authenticated" users?
Thanks in advance for any help,
Jeff Turmelle


Postby jefft@iri.columbia.edu » Sun Aug 24, 2014 4:00 pm

So, has anyone got greylisting on 7.2 to work? Maybe you can tell me how you allow Authenticated SASL users to bypass greylisting.
I tried adding

5|Sender:$*|Whitelist authenticated users|0

to the greylisting_whitelist but that made no difference.
Anyone?
Thanks,
Jeff

Postby 6233maxxer » Thu Nov 27, 2014 4:11 am

I'm interested in the same, how to skip greylisting for authenticated users? Should I just "move" them to send thru port 587?

Postby pup_seba » Thu Nov 27, 2014 4:32 am

Hi,

I'll try to give you an answer tomorrow (lab environment not accessible right now). What I'll do is to create the rule in my environment (8.5) and give you the resulting sqlite entry just to see if it is the same as yours.

Postby pixelplumber » Fri Dec 12, 2014 5:12 am

I think I have the same problem as you. Used to use postgrey, switched to policyd to have a greylisting method that didn't require modifications each upgrade, but discovered the internal SASL sender issues.

Ended up turning it off while waiting for fixes that are probably not coming until 9.x.

http://forums.zimbra.com/showthread.php?t=70193&highlight=

https://bugzilla.zimbra.com/show_bug.cgi?id=83968


Postby pup_seba » Wed Dec 17, 2014 5:23 am

Hi,

Sorry for the delay, I completely forgot about this.

The only option that I see for "source" is "Sender IP". So at this point, the only options I can think of are:

- Have your users use the web client. As you already added your stores to the whitelist, this should do it.
- Use autowhitelisting so you temporarily add sender IPs from senders that retry a certain number of mails.

Do you need help with any of these? I could create the rules for AWL if you want and share them with you if you need them.

Postby maxxer » Thu Dec 18, 2014 4:58 am

Whitelisting is not possible, since the user may be on a dialup connection or in a bar. AWL could temporarily go, if the user's client retries after some minutes it will work, but still it's not a solution. The best would be to disable GL for authenticated users.

Postby pixelplumber » Thu Dec 18, 2014 5:07 am

Yeah, that's what I would like to do. Quanah mentioned in the linked thread and bug report there apparently needs to be a redesign to allow us to do what we want to do with SASL users. I admit I don't know enough about cbpolicyd rules to know if there's a workaround until those fixes are in, but the indication from Quanah in that thread was it wasn't possible yet.

We can't force everyone to use the web interface (IMAP and mobile clients) so I disabled greylisting for now.

Postby snakeat3r » Thu Dec 18, 2014 6:25 pm

Has someone tried to move the permit_sasl_authenticated line in /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf one line before the policyd service? Postfix reload and changes should be applied.

If anyone tests this before the weekend please post back results! :)

edit: I just found out that ZCS 8.6.0 is out, but I don't see the bug in the fixed issues.

Edit2: I just tested it. I don't know why I thought that I need to change the smtpd_recipient_restrictions.cf. It is obviously smtpd_sender_restrictions.cf. That solved it for me. My smtpd_sender_restrictions.cf now looks like this:

%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Reload postfix and Outlook authenticated users are now not greylisted!
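
Added example, not part of any post in this thread and not Zimbra code: a small model of Postfix's first-match evaluation applied to the file posted above, showing which restrictions an authenticated client reaches. It assumes cbpolicyd and amavis are enabled and that every non-permit check answers DUNNO; the "policyd first" order is constructed for comparison, and the helper names are hypothetical.

```python
# Added example. POSTED is the file content quoted in the post above.
POSTED = """\
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
permit_sasl_authenticated
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
permit_mynetworks
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
"""

# Client attribute that makes each permit_* restriction return OK.
PERMITS = {"permit_sasl_authenticated": "sasl",
           "permit_mynetworks": "mynetworks",
           "permit_tls_clientcerts": "tls_cert"}

def restrictions(template):
    """Reduce each template line to the restriction it emits, assuming every
    %%contains / %%exact condition holds (cbpolicyd and amavis enabled)."""
    names = []
    for line in filter(None, map(str.strip, template.splitlines())):
        if line.startswith("%%contains"):
            line = line.split("^", 1)[1]
        elif line.startswith("%%exact"):
            line = line.split()[-1]
        parts = line.strip("% ").split()
        name = parts[0]
        if name == "check_sender_access":  # keep the map name: two maps are used
            name += " " + parts[1].rsplit("/", 1)[-1]
        names.append(name)
    return names

def evaluate(rules, client):
    """Return the restrictions a client reaches. Postfix stops at the first
    final result; non-permit checks are assumed to answer DUNNO here."""
    reached = []
    for rule in rules:
        reached.append(rule)
        if PERMITS.get(rule) in client:
            break
    return reached

def move_after(rules, name, anchor):
    """Constructed comparison order: place `name` directly after `anchor`."""
    rest = [r for r in rules if r != name]
    i = rest.index(anchor) + 1
    return rest[:i] + [name] + rest[i:]

if __name__ == "__main__":
    posted = restrictions(POSTED)
    earlier = move_after(posted, "permit_sasl_authenticated", "check_policy_service")
    for label, rules in (("policyd first", earlier), ("as posted", posted)):
        for client in ({"sasl"}, set()):
            print(label, sorted(client) or "unauthenticated", evaluate(rules, client))
```

In the posted order an authenticated client stops at permit_sasl_authenticated, so it skips the policy service and also the check_sender_access lookups further down. After the reload, check that mail from authenticated clients still gets whatever handling those later entries provide.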


