Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SPF-aware greylisting and filter-greylist #26

Open
poolpOrg opened this issue Dec 1, 2019 · 3 comments
Open

SPF-aware greylisting and filter-greylist #26

poolpOrg opened this issue Dec 1, 2019 · 3 comments
Assignees

Comments

@poolpOrg
Copy link
Owner

@poolpOrg poolpOrg commented Dec 1, 2019

No description provided.

@poolpOrg poolpOrg self-assigned this Dec 1, 2019
@jogness

This comment has been minimized.

Copy link

@jogness jogness commented Dec 12, 2019

I am happy to see you talk about SPF-aware greylisting. This seems like the natural solution.

Also, I am also happy to see you talk about tarpitting via laggy SMTP transactions. On my exim4 servers I do this using the delay control for the deny statement. I was a bit disappointed that opensmtpd doesn't have that. I was expecting something like:

match <options> delay 100s reject

... or maybe it does have something for that, but I haven't found it yet. I am new to opensmtpd but so far am quite happy with it. Thank you for your great work!

@poolpOrg

This comment has been minimized.

Copy link
Owner Author

@poolpOrg poolpOrg commented Dec 13, 2019

Thanks for your comment :-)

I have committed an additional change to filter-greylist today which whitelists the domain of RCPT addresses when the session originates from a unix socket or has been successfully authenticated. This automatically whitelisting domains that a trusted sender has emitted mail to.

For the tarpitting, we decided not to bring that in builtin filters because it is tricky to do there and it is trivial to do in proc filters. I have written filter-senderscore which looks the reputation of a client IP address in the SenderScore database and allows blocking or junking content if reputation falls below a certain threshold. In that filter, I have a -delayFactor option which introduces a delay inversely proportional to the reputation causing high reputation IP to have no delay and low reputation IP to be essentially tarpitted.

@estrogently

This comment has been minimized.

Copy link

@estrogently estrogently commented Dec 13, 2019

Thank you for your work on all these filters and on OpenSMTPd in general!

I've been noticing some connections from Google servers still getting greylisted by IP rather than domain, and thus never getting whitelisted. My guess is these are from G Suite domains which haven't (correctly) set up SPF. I'm not sure what to do about that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.