This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why do I want Greylisting? Why does the UTM Greylist everything not rejected?

I am fully aware of what Greylisting is, but I am asking myself why would I want to use it and MOST IMPORTANTLY does the Sophos UTM SMTP Proxy use it by default or is it due to something I failed to setup correctly on the UTM or even another problem like Sender Verification failing and triggering Greylisting as a slow alternate method of sender verification??? While a great idea in principle, it caused at least a 7 minute delay in delivery to valid recipients and is not something I think I should have to live with as a default action.

I can bypass Greylisting by unchecking it in the profile since I am using profiles for more granularity. As an alternative, I can add all valid recipients to an exception rule Skipping: Greylisting FOR these recipient addresses. Can someone suggest a better way?

My question is: Is Greylisting everything a default action for all mail handled by the SMTP proxy or is there something that needs to be configured in the UTM to keep it from happening?

Finally, what is the consequence of disabling it?

Any help appreciated.


This thread was automatically locked due to age.
Parents
  • Bruce, same question as vilic - when's the last time you ran a test (I realize that there's no statistic kept concerning the number of greylisted emails that weren't resent).

    I think the greylisting triad is sender/sending-IP/recipient.  After a successful delivery, the result is kept in what you have called a whitelist for a week (I think) after the last successful delivery.

    I haven't had anyone using greylisting for years since I saw no change in blocking percentages after de-selecting it experimentally in two sites.  Maybe I didn't do a good enough test and Bruce will explain.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Bruce, same question as vilic - when's the last time you ran a test (I realize that there's no statistic kept concerning the number of greylisted emails that weren't resent).

    I think the greylisting triad is sender/sending-IP/recipient.  After a successful delivery, the result is kept in what you have called a whitelist for a week (I think) after the last successful delivery.

    I haven't had anyone using greylisting for years since I saw no change in blocking percentages after de-selecting it experimentally in two sites.  Maybe I didn't do a good enough test and Bruce will explain.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Nothing to explain, really...  I'm not saying we're catching a LOT of spam with Greylisting, but several a day (especially ones carrying 0-day payloads) is enough for me to enable it.  I don't see a negative (a real one) with having it enabled.  To each his own.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • After a successful delivery, the result is kept in what you have called a whitelist for a week (I think) after the last successful delivery.

    Bob, I spoke with someone at Astaro / Sophos a few years ago, and they said then that Greylisting's retained memory of previous senders had been enhanced to a year. And though I haven't specifically tested, in my experience, I believe that to be correct.

    The only time I hear from a client about delays that I can pin on Greylisting, it's always about the initial receipt of emails from a new sender.  So, in other words, not very frequent at all.

    Incidentally, wouldn't the corollary of a Greylist "whitelist" would be to add the sender to an exception list?
  • ...Greylisting's retained memory of previous senders had been enhanced to a year...

    From the exim.conf file
    Maintainer: Micha Lenk 
    
    Maybe Micha can clue us in[[:D]]

    GREYLIST_RETRY_HOST_CLEANUP = ${lookup pgsql{DELETE FROM greylist_retry_hosts \
                                  WHERE (($tod_epoch - stamp) > (60*60*24*30))}{1}{1}}
    seems like its 30 days

    I haven't used greylisting since way back when we were still using spamassassin as our spam engine[[:D]] I mostly rely on country blocking now but that can be difficult to implement in certain environments.
  • Bruce, a new thread in the German Forum got me to thinking about this conversation over four years ago, so I did some more research and testing.  They all speak English and it's easier for me to respond in English.  I posted the following there:

    I haven't recommend greylisting for years, but others whom I respect do, so I'm experimenting with it again.  I saw a 2018 study where roughly 2/3 of greylisted emails were finally delivered, with 1/3 not retried - one assumes those were from spammers.  One of my clients that uses greylisting saw only 56% retried successfully so far in June.

    I had thought that the SMTP Proxy used only the triad of sending IP, sender and recipient, but I realize now that it also uses the subject.  This means that greylisting occurs after DATA, so that's after rejections for RBL, rDNS/HELO, local Blacklists, Recipient verification and SPF.  I also see ctasd reports 'unknown' in the line above the greylisted message, so we know that the temporary rejection occurs after the anti-spam tests that would result in rejection have been passed.  The advantage is that malware scans, which are expensive, are skipped unless the message is resent and accepted.

    There are situations where Exceptions for greylisting should be made such as addresses to which orders are sent where there's a cut-off time.  Also, mailing services like Constant Contact will use a different IP virtually every time a greylisted email is resent. 

    I would appreciate your comments/corrections here or on the German thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA