Questions[greylisting](server)

In all the information on the internet I could find about greylisting I find the information that the following tripplet is used to uniquely distinguish an incoming e-mail:

1. Source IP
2. Source e-mail address
3. Destination e-mail address

Now the source IP can make problems because large mail services use multiple IP addresses (possibly from complete different IP ranges) to re-send blocked e-mails.

Question

Why is it at all relevant to consider the source IP address? Why not just use source and destination e-mail address as the key to identify a given e-mail (sender-receiver link)?

Why not instead using the subject to more uniquely identify a specific e-mail?

Reasoning

Even after doing quite some thinking about what kind of problems could arise when just ignore the source IP I didn't find any reason where the source IP could be relevant.

• When the same IP sends two times from the same source to the same destination e-mail address (and wait the required time), the e-mail is delivered
• When two different IPs send from the same source to the same destination e-mail address, the e-mail also should be delivered (e.g. large mail services)
• Some greylisting solutions allow for a subnet mask for the source IP. But this is very unsharp and does not accommodate for all situations - especially not for ultra-large mail services with MTAs standing in completely different subnets.
• What about a legitimate mail-sender who sends 2 different e-mails within the "try later time period" to the same destination e-mail address the first time?
• Using the tripplet: Source and destination e-mail address and subject should theoretically more accurately treat each individual e-mail with the greylisting - even when coming from the same sender to the same receipient.

But my main question is: Why at all include the source IP in the tripplet? (The chance that 2 different external entities will send with the same source e-mail address to the same destination e-mail address seems extremely unlikely to me)

I"m a bit confused about the activity in my mail server logs (addresses and destination redacted for privacy):

Nov  1 21:00:03 mail postfix/smtp[745742]: Trusted TLS connection established to mx.example.com[192.0.2.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  1 21:00:10 mail postfix/smtp[745742]: 0C1551DC073: to=<[email protected]>, relay=mx.example.com[192.0.2.1]:25, delay=7.3, delays=0.01/0.01/0.42/6.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7E42A921A9A25)
Nov  1 21:00:11 mail postfix/smtp[745829]: Trusted TLS connection established to mx.example.com[192.0.2.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  1 21:00:18 mail postfix/smtp[745829]: 903371DC08B: host mx.example.com[192.0.2.1] said: 451 4.7.1 Greylisting in action, please come back later (in reply to end of DATA command)
Nov  1 21:00:18 mail postfix/smtp[745829]: Trusted TLS connection established to mx.example.net[192.0.2.2]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  1 21:00:25 mail postfix/smtp[745829]: 903371DC08B: to=<[email protected]>, relay=mx.example.net[192.0.2.2]:25, delay=16, delays=0.01/1.4/7.7/7.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BB99F922EC625)

It appears postfix got a greylist response on the second mail to the domain in question but then immediately re-attempted delivery to a different MX record ip (@21:00:18)? Am I misunderstanding what's going on here?

All settings are more or less default with these exceptions:

minimal_backoff_time = 180s
maximal_backoff_time = 3h

I want to make sure we are respecting the recipient provider's response but it doesn't appear that postfix waited 180 seconds before reattempting delivery as I would have expected.

I inherited admin duties of a postfix server despite having no postfix experience. It's running a service called sqlgrey that is causing all emails from google.com to be greylisted for 30 minutes. I have added *.google.com to /etc/sqlgrey/clients_fqdn_whitelist.local but I am not sure how to force sqlgrey to reload its whitelist. The documentation shows how to kill sqlgrey and how to start it as a daemon, but I don't know if that is safe or whether sqlgrey needs to be started as a specific user, etc. Any ideas?

The postgrey manual sais:

--auto-whitelist-clients=N whitelist host after first successful delivery N is the minimal count of mails before a client is whitelisted (turned on by default with value 5) specify N=0 to disable.

As I understand, this would for example automatically whitelist gmail.com completely, whenever I get 5 emails from different gmail users. Isn't that dangerous?, because there are a lot of spammers sending from that host.

I have been using Sendmail together with milter-greylist for many years at several sites.

milter-greylist has support for defining greylisting rules based on GeoIP database lookups. This is very convenient for companies who do not do business internationally. Almost all spam is sent from foreign IP addresses. It does not matter if legitimate (ham) e-mail from foreign addresses is slightly delayed. Local e-mail must arrive without delays, thus greylisting is skipped for a couple of country codes. Also if SPF record matches or the IP is on a whitelist the greylisting is skipped. This is very simple to implement in greylist.conf with the milter hook in sendmail.cf. It is also good for the mail server's resources because most spam is dropped before it ever arrives on the server and thus the system load caused by spamassassin and/or dspam based filtering solutions further down the delivery path is much lower.

Now to the real question:

How can I implement similar (i.e. GeoIP based) greylisting with Exim?

I have a new responsibility to take care of yet another mail server which happens to run Exim and receives a high volume of spam. I do not feel like re-implementing their e-mail delivery system from scratch but I definitely need to do something about the load caused by their spam volumes. Unfortunately Exim does not seem to have milter interface. Also I was unable to locate greylisting solutions with GeoIP support for Exim. I am a complete noob with Exim (I can do everything with sendmail.cf and sendmail m4 macros).

I would be happy if implementing this feature was possible by using just exim configuration file syntax. In that case I would take the effort of learning it and possibly starting to use exim at other sites as well.