greylist-milter configuration is questionable on servers that send mail at any significant volume

In this forum conversation, it sounds like our default greylist configuration is misbehaving for servers that send even a moderate amount of email.

https://www.virtualmin.com/node/32872

I don't understand the problem well enough to make recommendations at the moment.

Status: 
Active

Comments

I believe this is referring to greylist-milter, which is used for email rate limiting, rather than just greylisting. But yes that can certainly be looked into.

The "milter-greylist" is the issue, set up to throttle excessive mail traffic. "Mail Rate Limiting" option on the menu. The default of 1000 in an hour seems fine, and generally doesn't get hit, but occasionally (on my system) someone will do a mass mailer. This dumps less than 1000 emails alone, but combined with the regular traffic, bounces things very high.
It appears that these settings at around line 64 of greylist.conf do it all for us:

ratelimit "virtualmin_limit" rcpt 30 / 30m key "%f"
racl greylist from /.*/ ratelimit "virtualmin_limit" delay 31m autowhite 0m msg "Message quota exceeded"
racl whitelist default

They work perfectly, and actually accomplish what we are after; they have been running here since a few days ago, without incident. And the mass mailer guy is excluded by name and that works too.

The issue is once the limit has been reached by a particular virtual server, all virtual servers are throttled not just the offending domain.

Is it possible to work around this by sending email via the sendmail command, rather than an SMTP connection?

I triggered a failure, gobs of fail2ban to root messages. Here are the maillog entries; this is what appears to be happening with the settings above (except it's set at 60, not 30, per 1/2 hour). Note, it's filtering on the sender, not the IP address. This is a good thing. With the defaults, it filters on 127.0.0.1 so all mail stops. Currently the deferred mail is sitting in the queue and will get delivered eventually. Doesn't this show sendmail being used by fail2ban to send its mail?

Aug 7 12:08:25 webhost04 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Aug 7 12:08:26 webhost04 postfix/pickup[4163]: 2758A403D244: uid=0 from=
Aug 7 12:08:26 webhost04 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
Aug 7 12:08:26 webhost04 milter-greylist: ratelimit overflow for class virtualmin_limit: 2099, limit is 60 recipients / 1800 sec, key = fail2ban@webhost04.syix.com"
Aug 7 12:08:26 webhost04 milter-greylist: 2758A403D244: addr localhost[127.0.0.1] from fail2ban@webhost04.syix.com to root@localhost.syix.com delayed for 00:09:00 (ACL 65)
Aug 7 12:08:26 webhost04 postfix/cleanup[25935]: 2758A403D244: milter-reject: RCPT from localhost[127.0.0.1]: 4.7.1 Message quota exceeded; from=fail2ban@webhost04.syix.com to=root@localhost.syix.com
Aug 7 12:08:26 webhost04 postfix/cleanup[25935]: warning: 2758A403D244: milter configuration error: can't reject recipient in non-smtpd(8) submission
Aug 7 12:08:26 webhost04 postfix/cleanup[25935]: warning: 2758A403D244: deferring delivery of this message

That first error is because Postfix is too old already in CentOS 7; after that it all makes sense.
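
A way to check from the maillog which rate-limit bucket is overflowing and whether it is a loopback address shared by every local sender, or a single sender address as with the `key "%f"` setting. This is an added example, not part of the original thread or Virtualmin's code. The sample lines are constructed in the format quoted above; the host name, addresses and the 127.0.0.1-keyed line are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the maillog format quoted in the thread; host and
# addresses are placeholders, and the 127.0.0.1-keyed line is an assumed shape.
SAMPLE_LOG = """\
Aug 7 12:08:26 mx1 milter-greylist: ratelimit overflow for class virtualmin_limit: 2099, limit is 60 recipients / 1800 sec, key = fail2ban@mx1.example.com"
Aug 7 12:08:26 mx1 postfix/cleanup[25935]: warning: 2758A403D244: milter configuration error: can't reject recipient in non-smtpd(8) submission
Aug 7 12:09:02 mx1 milter-greylist: ratelimit overflow for class virtualmin_limit: 1004, limit is 1000 recipients / 3600 sec, key = 127.0.0.1"
Aug 7 12:09:40 mx1 milter-greylist: ratelimit overflow for class virtualmin_limit: 2101, limit is 60 recipients / 1800 sec, key = fail2ban@mx1.example.com"
"""

OVERFLOW = re.compile(
    r"ratelimit overflow for class (?P<cls>\S+): (?P<count>\d+), "
    r"limit is (?P<limit>\d+) recipients / (?P<secs>\d+) sec, key = (?P<key>[^\s\"]+)")
NON_SMTPD = re.compile(r"warning: (?P<qid>[0-9A-F]+): milter configuration error: "
                       r"can't reject recipient in non-smtpd\(8\) submission")

def is_loopback(key):
    """True when the rate-limit key is a loopback IP, i.e. one bucket for all local mail."""
    try:
        return ipaddress.ip_address(key).is_loopback
    except ValueError:  # key is a sender address or other non-IP string
        return False

def summarize(log_text):
    """Return ({key: stats}, [queue ids Postfix deferred for non-smtpd submissions])."""
    keys = defaultdict(lambda: {"hits": 0, "peak": 0, "limit": 0, "shared": False})
    deferred = []
    for line in log_text.splitlines():
        if (m := OVERFLOW.search(line)):
            e = keys[m["key"]]
            e["hits"] += 1
            e["peak"] = max(e["peak"], int(m["count"]))
            e["limit"] = int(m["limit"])
            e["shared"] = is_loopback(m["key"])
        elif (m := NON_SMTPD.search(line)):
            deferred.append(m["qid"])
    return dict(keys), deferred

if __name__ == "__main__":
    keys, deferred = summarize(SAMPLE_LOG)
    for key, e in sorted(keys.items()):
        scope = "ALL local senders share this bucket" if e["shared"] else "single sender"
        print(f"{key}: {e['hits']} overflow(s), peak {e['peak']}/{e['limit']} ({scope})")
    print("deferred pickup submissions:", ", ".join(deferred) or "none")
```
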

Submitted by Joe on Sun, 08/07/2016 - 14:38 Pro Licensee

Title: Greylist configuration is questionable on servers that send mail at any significant volume » greylist-milter configuration is questionable on servers that send mail at any significant volume