Greylisting issues in XG v18

I am trying greylisting again now that I have v18 installed. Kind of working, but ...

In the mail log I have noticed that there are up to 6 emails rejected in a row over 2-3 minutes for the same email message / sender before one 5-15 minutes later finally gets through.

10-20 minute delay is not a problem for most emails, except MFA requests and password resets. Annoying!

Turning it off again unless someone can tell me why the IP database isn’t registering and allowing it more quickly.

Running XG 18 as a Hyper-V software appliance.



This thread was automatically locked due to age.
  • Hi  

    Greylisting will prevent spam by rejecting a message the first time. It is presented to Sophos XG Firewall by notifying the sending server that it is currently busy. When the message is re-transmitted by the sending server, Sophos XG Firewall will recognize the combination of IP, sender e-mail address and receiver e-mail address and accept the mail.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Thanks, yes I understand that.

    But it is rejecting the same email attempt up to 6 times BEFORE it then finally lets it through. Not after the first rejection - creating an extra time delay.

    Is there a time delay written into the logic, or does it just take a few minutes to register in a database before it is able to recognize the email as a previous attempt?

    For example here is a redacted one from the mail log.

    2020-03-02 20:05:57 | Delivered | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 106 KB
    2020-03-02 20:02:42 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes
    2020-03-02 20:02:21 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes
    2020-03-02 20:01:40 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes
    2020-03-02 20:01:17 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes
    2020-03-02 20:00:59 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes
    2020-03-02 20:00:45 | Rejected | 010001709a79d2fb-283 ... | me@aa.bbbbb.net | Reset Your Password | 0 Bytes

  • Hi  

    This data set is checked against the SMTP proxy's internal database; if the data set has not been seen before, a record is created in the database along with a special timestamp describing it. This data set causes the email to be rejected for a period of five minutes. After that time the data set is known to the proxy and the message will be accepted when it is sent again. Note that the data set will expire after 30 days if it is not updated within this period.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Awesome, thanks for your reply.

    Don't think the 5 minute delay is mentioned in any descriptions of greylisting - they all just say after the first.

    But with that helpful knowledge of the functionality I will enable it again, as it does get rid of a lot of spam!
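The greylisting behaviour described in the support reply above (triplet lookup, five-minute rejection window, 30-day expiry), replayed against the attempt times from the mail log in this thread. This is an added example, not Sophos code and not part of any post; the class and function names, the IP and the addresses are constructed, and the rule that only accepted deliveries refresh a record is an assumption.

```python
from datetime import datetime, timedelta

# Timings as stated in the support reply; all names here are hypothetical.
REJECT_WINDOW = timedelta(minutes=5)  # a new triplet is rejected for five minutes
RECORD_TTL = timedelta(days=30)       # a record expires if not updated for 30 days


class Greylist:
    def __init__(self):
        self._db = {}  # (ip, sender, recipient) -> [first_seen, last_updated]

    def check(self, ip, sender, recipient, now):
        """Return 'Rejected' or 'Delivered' for one delivery attempt."""
        key = (ip, sender, recipient)
        rec = self._db.get(key)
        if rec is not None and now - rec[1] > RECORD_TTL:
            rec = None                  # stale record: treat the triplet as new
        if rec is None:
            self._db[key] = [now, now]  # first sighting starts the clock
            return "Rejected"
        if now - rec[0] < REJECT_WINDOW:
            return "Rejected"           # retries inside the window are still refused
        rec[1] = now                    # assumption: accepted mail refreshes the record
        return "Delivered"


# Attempt times copied from the mail log in the thread (oldest first).
ATTEMPTS = [
    "2020-03-02 20:00:45", "2020-03-02 20:00:59", "2020-03-02 20:01:17",
    "2020-03-02 20:01:40", "2020-03-02 20:02:21", "2020-03-02 20:02:42",
    "2020-03-02 20:05:57",
]


def replay(attempts, ip="192.0.2.25", sender="noreply@example.com",
           recipient="user@example.org"):
    """Feed the attempts of one constructed triplet through a fresh greylist."""
    gl = Greylist()
    results = []
    for ts in attempts:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        results.append((ts, gl.check(ip, sender, recipient, now)))
    return results


if __name__ == "__main__":
    for ts, verdict in replay(ATTEMPTS):
        print(ts, verdict)
```

The six retries between 20:00:45 and 20:02:42 all fall inside the five-minute window that started at the first attempt, so only the 20:05:57 retry is accepted.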

  • Hi  

    Thank you for your feedback, I will forward this to the concerned team.

    Please reach out to us for further assistance.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support