Package: greylistd
Version: 0.8.6
Severity: normal

I suggest removing the callout from greylistd's recipient verification
in 30_exim4-config_check_rcpt because it allows spam to bypass
greylistd.

Background:

The greylistd defer and reject statements verify recipients with:

verify = recipient/callout=20s,use_sender,defer_ok

The logic, according to the comment, is that we don't want to do
greylisting if the recipient will be rejected anyway.  Makes sense.

But the later require statement says:

require
    verify = recipient

which isn't as strict as greylistd's callout and use_sender.

Problem:

I have a server that forwards a user's mail to a remote server.  The
remote server is very strict about rejecting spam and especially rejects
based on senders it doesn't like.

So the transaction works like this.  Spam is sent to the user.  My
server verifies the recipient for greylistd, which involves expanding
the user's alias and doing a callout, including sender, to the remote
server.  The remote server rejects the RCPT due to the sender and
greylistd is skipped.

When the later require statement verifies the recipient no callout is
done, only a DNS lookup.  This passes and the mail is accepted.  When
forwarded it is rejected due to the bad sender and I generate a bounce
(which can't be delivered so is frozen for 48 hours).  I get about 100
of these frozen bounces each day.

(Troubleshooting this was hard because the triplet for the message
causing the bounce wasn't in greylistd.  There were some similar
triplets so it took a while to figure out what the problem was.)

Solution:

Removing the callout from greylistd's acl has eliminated these frozen
bounces.  A patch is attached.

I considered removing use_sender from the callout.  It would work for me
but doesn't solve the general problem.

I also considered adding the callout and use_sender to the later require
statement.  I don't think that's as good a general solution either.

If I should provide additional explanation or an exim -bhc transcript let
me know.

Thanks for maintaining greylistd.  I'm very happy with it and hope this
helps others avoid the investigation that I had to do.

Dave

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages greylistd depends on:
ii  adduser                       3.105      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.18     Debian configuration management sy
ii  python                        2.4.4-6    An interactive high-level object-o

Versions of packages greylistd recommends:
ii  exim4                         4.68-2     meta-package to ease Exim MTA (v4)

-- debconf information:
  greylistd/autoconfig_notdone:
* greylistd/autoconfig_notdone_exim4:
  greylistd/restartexim: true
--- /usr/sbin/greylistd-setup-exim4     2007-12-02 08:51:35.000000000 -0700
+++ greylistd-setup-exim4       2008-02-04 18:12:51.000000000 -0700
@@ -70,7 +70,7 @@
     !authenticated = *
     !acl           = acl_local_deny_exceptions
     domains        = +local_domains : +relay_to_domains
-    verify         = recipient/callout=20s,use_sender,defer_ok
+    verify         = recipient
     condition      = ${readsocket{/var/run/greylistd/socket}\\
                                  {--grey \\
                                   %s \\
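
Review bot: The replacement `verify = recipient` in the `--grey` statement leaves the explanatory comment out of date, since the report says that comment justifies the callout as a way to skip greylisting for recipients that will be rejected anyway. Suggest updating the comment in this same patch to say the check is deliberately kept identical to the later `require verify = recipient`, so a recipient cannot fail here and still pass there, and so the callout is not reintroduced later.
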
@@ -85,7 +85,7 @@
    log_message = blacklisted.
    !senders        = :
    !authenticated = *
-   verify         = recipient/callout=20s,use_sender,defer_ok
+   verify         = recipient
    condition      = ${readsocket{/var/run/greylistd/socket}\\
                                  {--black \\
                                   $sender_host_address \\
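
Review bot: The same substitution in the `--black` statement is not covered by the report's rationale, which only describes greylisting being skipped. This lookup is keyed on `$sender_host_address` alone, so please state whether recipient verification is needed here at all. Please also confirm the intended result: a listed host whose recipient was previously refused by the callout fell through to later statements, and will now match this statement and be logged as `blacklisted.`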
