Greylisting problems

Hey,

what is bothering me a lot is that Greylisting is not working. That feature does help with Spam but it is not helpful when the mails arrive sometimes half-a-day or even 4 days later. Also, when any mail goes through, exactly that constellation of sender and recipient should get listed in a database and the next mail should just go through. That also does not work!

Sophos Support told me that they are reworking the mail module completely. I saw a lot of changes in 17.1 GA regarding the mail module but it does not look like they rewrote it. And now with v17.1.2 there are no major changes in the mail module again and nothing about Greylisting can be seen in the changelog. I really hope that Sophos is about to do something in that direction!

Anyone else having problems with Greylisting?

  • In reply to Stuart James:

    V17.5 beta is released.

    Did you file a bug report for this? 

  • Using v17.5 and still greylisting is causing a lot of delay from the same known sender.

    With SG UTM I don't get this delay.

    So why greylisting in SG is better than XG?

  • In reply to AhmedMaher:

    Thanks for the update. So I'm not going to test greylisting again in 17.5. Still waiting for a fixed greylisting feature...

  • In reply to Jelle:

    Just came across this, almost 5 months later...

    Sophos help says: "Select Use greylisting if you want the firewall to temporarily reject inbound emails from IP addresses of unknown email servers. Legitimate servers retry sending the rejected emails at regular intervals and the firewall accepts these mails, greylisting the sender’s IP address for a specific period."

    So I wonder what are "unknown email servers" in this context. From my testing and as written in this thread every email server is unknown again and again as there is no database in XG which remembers successful resenders.

    Has there been any update on this somewhere?

  • In reply to Charmacas:

    Hey,

    I have an update. After the update to 17.5 I activated it again at a customer who is very sensitive about delayed mails and until now I did not hear anything from him. So I suppose that the main problem may be solved with the new mail engine.

    But nonetheless you all should vote for "Soft Greylisting":

  • In reply to Charmacas:

    Well, at least the sender gets greylisted every time again. Just checked with 17.5.4-1

  • In reply to Jelle:

    And at the same time I see emails which are not greylisted, the first attempt just passes...

    can you give an explanation of how greylisting currently works in XG?

  • In reply to Jelle:

    Jelle
    can you give an explanation of how greylisting currently works in XG?

    I can.


    It doesn't.

  • In reply to Jelle:

    Hi  

    The current behavior of greylisting as you mentioned is outlined in the SFOS help.

    • Select Use greylisting if you want the firewall to temporarily reject inbound emails from IP addresses of unknown email servers. Legitimate servers retry sending the rejected emails at regular intervals and the firewall accepts these mails, greylisting the sender’s IP address for a specific period.

    After enabling the Greylisting feature, the Sophos XG Firewall first rejects all emails from unknown senders with SMTP status code 421 and sends a response to the sender mail server with "Your email could not be delivered. Please try again later." If the sender is legitimate, the sending mail server will keep that rejected email in its delivery queue for the next send attempt.

    The XG Firewall will then wait for the re-delivery of the same email by the sender mail server. Since the sender is legitimate, the sender mail server will re-send the same email which the XG Firewall will recognize. The XG Firewall will then accept the email and keep the sender mail server's IP address in the trusted mail server list.

    Regards,

  • In reply to FloSupport:

    Hi  

    So there IS a trusted mail server list? This is not in the documentation. Is it persistent or will entries be deleted after some time?

    If a mail server sending spam mails is on the trusted mail server list, will these mails still undergo other checks like SPF or RBL?

  • In reply to Jelle:

    Hi  

    The XG flushes the sender server IP from the trusted list after a month or a week of inactivity, whichever comes first. Yes, the XG still performs the normal checks for incoming mail, as the trusted list only affects greylisting.

    Hope that helps!

    Regards,

  • In reply to FloSupport:

    Hi all,

    I reactivated greylisting now that SFOS 17.5.4-1 is installed. So far I'm quite happy with it as it works until now without any issues. I don't know which changes have been made but it improved a lot. The first time I tried with an older firmware before 17.5 it was a mess. Still the soft greylisting option would be helpful.

    Thanks for the explanations.

  • In reply to FloSupport:

    Where is this "Trusted Mail Server List"? Is there a way to view this list to make sure the MTA is trusting legit email servers? I'd like to verify this feature works before I go whitelisting domains we do business with on a consistent basis. Just enabled greylisting last night. So far I am happy with how well it is working, minus the delays incurred for using. A functioning Trusted Mail Server List should help with those delays I would assume.

    Thanks,

    Andrew Kletke

  • There is a big issue with greylisting in XG, which renders the feature pretty much useless. In most cases, we even end up completely disabling it.

    We've noticed that big relay networks like Office 365, Trend Micro, Gmail etc. use different IP addresses for the retransmit, thus greylisting blocks the mails over and over again. (screenshot)


    The big flaw is that you can only configure exceptions on host objects and not:

    - Network objects

    - IP range objects

    - FQDN objects like *.outbound.protection.outlook.com

    That would at least help to disable greylisting specifically for legit networks rather than deactivating the feature completely.
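The two technical points in this thread, FloSupport's description of IP-keyed greylisting with a trusted list flushed after a month or a week of inactivity, and the last post's observation that relays retrying from a different IP get greylisted again, can be seen in a small model. This is a constructed example added here, not XG's code; the network-object exception list is a hypothetical of the feature the last poster asks for, and all IPs and timings are made up.

```python
import ipaddress
from dataclasses import dataclass, field

RETRY_CODE = 421               # temporary reject the thread says XG returns on first contact
ACCEPT_CODE = 250
INACTIVITY_LIMIT = 7 * 86400   # "a week of inactivity"
ABSOLUTE_LIMIT = 30 * 86400    # "a month", whichever comes first

@dataclass
class Greylister:
    """Constructed model of IP-keyed greylisting; not XG's implementation."""
    pending: set = field(default_factory=set)       # IPs told to retry, awaiting re-delivery
    trusted: dict = field(default_factory=dict)     # ip -> [first_trusted, last_seen]
    exceptions: list = field(default_factory=list)  # hypothetical network-object exceptions

    def _expire(self, now):
        # Flush trusted entries after a month, or after a week without mail, whichever comes first.
        for ip, (first, last) in list(self.trusted.items()):
            if now - first >= ABSOLUTE_LIMIT or now - last >= INACTIVITY_LIMIT:
                del self.trusted[ip]

    def decide(self, ip, now):
        """SMTP code for a connection from `ip` at time `now` (seconds)."""
        self._expire(now)
        if any(ipaddress.ip_address(ip) in net for net in self.exceptions):
            return ACCEPT_CODE                      # exempted network: never greylisted
        if ip in self.trusted:
            self.trusted[ip][1] = now               # refresh the inactivity timer
            return ACCEPT_CODE
        if ip in self.pending:                      # the awaited retry from the same IP
            self.pending.discard(ip)
            self.trusted[ip] = [now, now]
            return ACCEPT_CODE
        self.pending.add(ip)                        # unknown server: ask it to try later
        return RETRY_CODE

def simulate():
    """Constructed scenario: a fixed-IP sender, then a relay that retries from rotating IPs."""
    g = Greylister()
    # first contact, retry an hour later, mail 5 days on, then silence until day 13 (inactivity expiry)
    fixed = [g.decide("198.51.100.10", t) for t in (0, 3600, 5 * 86400, 13 * 86400)]
    relay = Greylister()
    relay_ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    rotating = [relay.decide(ip, i * 600) for i, ip in enumerate(relay_ips)]  # each retry is "new"
    relay.exceptions.append(ipaddress.ip_network("203.0.113.0/24"))          # the wished-for fix
    exempted = relay.decide("203.0.113.4", 1800)
    return {"fixed": fixed, "rotating": rotating, "exempted": exempted}

if __name__ == "__main__":
    print(simulate())
```

The `fixed` sender is accepted on its retry and stays trusted while it keeps sending, but is greylisted again once it has been quiet for more than a week; the rotating relay never gets through until its whole network is exempted.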