Package: greylistd
Version: 0.8.6
Severity: normal

I suggest removing the callout from greylistd's recipient verification in 30_exim4-config_check_rcpt because it allows spam to bypass greylistd.

Background:

The greylistd defer and reject statements verify recipients with:

    verify = recipient/callout=20s,use_sender,defer_ok

The logic, according to the comment, is that we don't want to do greylisting if the recipient will be rejected anyway. Makes sense. But the later require statement says:

    require verify = recipient

which isn't as strict as greylistd's callout and use_sender.

Problem:

I have a server that forwards a user's mail to a remote server. The remote server is very strict about rejecting spam and especially rejects based on senders it doesn't like. So the transaction works like this. Spam is sent to the user. My server verifies the recipient for greylistd, which involves expanding the user's alias and doing a callout, including sender, to the remote server. The remote server rejects the RCPT due to the sender and greylistd is skipped. When the later require statement verifies the recipient, no callout is done, only a DNS lookup. This passes and the mail is accepted. When forwarded it is rejected due to the bad sender and I generate a bounce (which can't be delivered so is frozen for 48 hours). I get about 100 of these frozen bounces each day.

(Troubleshooting this was hard because the triplet for the message causing the bounce wasn't in greylistd. There were some similar triplets so it took a while to figure out what the problem was.)

Solution:

Removing the callout from greylistd's acl has eliminated these frozen bounces. A patch is attached.

I considered removing use_sender from the callout. It would work for me but doesn't solve the general problem. I also considered adding the callout and use_sender to the later require statement. I don't think that's as good a general solution either.

If I should provide additional explanation or an exim -bhc transcript let me know.

Thanks for maintaining greylistd. I'm very happy with it and hope this helps others avoid the investigation that I had to do.

Dave

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages greylistd depends on:
ii  adduser                  3.105    add and remove users and groups
ii  debconf [debconf-2.0]    1.5.18   Debian configuration management sy
ii  python                   2.4.4-6  An interactive high-level object-o

Versions of packages greylistd recommends:
ii  exim4                    4.68-2   meta-package to ease Exim MTA (v4)

-- debconf information:
  greylistd/autoconfig_notdone:
* greylistd/autoconfig_notdone_exim4:
  greylistd/restartexim: true

--- /usr/sbin/greylistd-setup-exim4 2007-12-02 08:51:35.000000000 -0700 +++ greylistd-setup-exim4 2008-02-04 18:12:51.000000000 -0700 @@ -70,7 +70,7 @@ !authenticated = * !acl = acl_local_deny_exceptions domains = +local_domains : +relay_to_domains - verify = recipient/callout=20s,use_sender,defer_ok + verify = recipient condition = ${readsocket{/var/run/greylistd/socket}\\ {--grey \\ %s \\ @@ -85,7 +85,7 @@ log_message = blacklisted. !senders = : !authenticated = * - verify = recipient/callout=20s,use_sender,defer_ok + verify = recipient condition = ${readsocket{/var/run/greylistd/socket}\\ {--black \\ $sender_host_address \\
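
Review bot: in the first hunk (@@ -70,7 +70,7 @@, the statement that queries the socket with `--grey`), replacing `verify = recipient/callout=20s,use_sender,defer_ok` with a bare `verify = recipient` removes the behaviour the report says the ACL comment describes (skipping greylisting when the recipient will be rejected anyway), yet the patch changes no comment line. Please update or drop that comment in the same change so the generated ACL does not document a callout that is no longer performed.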
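
Review bot: the second hunk (@@ -85,7 +85,7 @@, the `--black` statement with `log_message = blacklisted.`) gets the same replacement, but the report only walks through the bypass on the greylisting path. Please say in the patch description that the blacklist statement is changed for the same reason, so it is recorded why the `--black` check no longer depends on the callout result; the two `verify = recipient` lines should also be kept identical to the later `require verify = recipient` so all three checks agree.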