Greylist priority - can custom filters take precedence?
  •  
McIrish

I'd like to start using the Greylist, but I want to make sure I set up a filter to prevent certain traffic from being touched by the greylist. I know I can use a whitelist, but some of our clients don't host their own mail, so I want to make sure they get through, without opening up everything from a catch-all server like Google etc.
If I could whitelist the domain name and not the IP address of the mail server, that would be best.
Any thoughts on this?
  •  
McIrish

To make this simpler, does anyone know the order in which the filters are applied? I figure if the custom rules are before the greylist filter, then I should be OK adding domains to the custom rules to bypass greylist filtering.
  •  
zebby

I've asked my reseller the very same question this week...

I'm told that the order is: Greylist > Blacklists > Spam Assassin > Custom Rules

No mention of where Caller ID and SPF checks fit in though.
  •  
McIrish

That's too bad. My idea obviously won't work. Thanks for the info. I wish that kind of technical information was all in one place. The manual is too brief.
  •  
freakinvibe

Greylisting, Blacklisting, Spam Repellent and SPF must be the first checks to happen as they are done before the actual mail body is received (or rejected).

Only if these tests are passed, the body of the mail is received and the other tests (SpamAssassin, Bayes, Auto-Whitelist, Custom Rules) can be done as they act on the header/body of the mail.

So the only way to prevent certain mails from being greylist checked is to add the sending mail servers' IP address to the "Do not apply greylisting on connections from" list, which you can set on the Greylisting tab.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Lukas Petrlik (Kerio)

McIrish wrote on Tue, 28 May 2013 17:29
If I could whitelist the domain name and not the IP address of the mail server, that would be best.
Greylisting cannot whitelist domain names of the senders as the domain could be spoofed. The only whitelist applying to Greylisting is in the Greylisting settings (Spam Filter -> Greylisting / Greylisting configuration -> Do not apply greylisting on connection from).

BTW, the order of checks before the message gets accepted by the SMTP server is: SPF, blacklists, Caller ID, Greylisting.

Best regards,
--
Lukas Petrlik
  •  
McIrish

Thank you everyone for the info. Now that I understand it better, I realize my idea was kind of a bad one.
I'm finding the Greylisting feature to be working well in stopping some problem spam we had been getting. We still get some that I have trouble blocking but we are doing pretty well now.
  •  
Lyle M

I'm confused as to why greylisting cannot be overridden by a custom rule. Although the entire message isn't downloaded, the "from" info is available. Here's the debug log for a greylist lookup:

[26/Aug/2013 12:41:18][4808130560] {greylist} Greylisting: testing mail from "bailey@soctti.com" to "moderator<_at_>ourhost.com" sent by 198.74.122.9.
[26/Aug/2013 12:41:18][4808130560] {greylist} Greylisting: Kerio Connect sent "GREYL 198.74.122.9 5biA19SF3tb2YNboT82RxQ==" over TLS.
[26/Aug/2013 12:41:18][4808130560] {greylist} Greylisting: service responded "210 Delay" over TLS.
[26/Aug/2013 12:41:18][4808130560] {greylist} Greylisting is delaying mail, query finished in 91 ms with result "DELAY".
[26/Aug/2013 12:41:18][4808130560] {greylist} Greylisting rejected mail after DATA: 450 4.7.1 Please try again later


Certainly, from addresses can be spoofed, but some users simply don't care and want to ensure they get everything from their customers. Frankly, I'd want the contents of a user's address book to be honored at this level. So, user moderator@ourhost.com has bailey<_at_>soctti.com in their address book, and they've opted to allow all email from people in their AB, there's enough info available to simply deliver the message to that user (and only that user). This would be great to offset blacklist entries as well. (all optionally of course)

I'm sure the processing overhead would increase. But it would be worth it in our scenario. Especially as it would keep my dept from having to add so many custom rules.
  •  
Matt S

To be honest I've found the greylist to be a complete waste of time. Because it's hosted by Kerio it has a far larger pool of allowed IPs and seems to let stuff through that a locally hosted greylist would probably stop.

None of our problem spam has been stopped by turning it on.
  •  
Pavel Dobry (Kerio)

Matt S wrote on Mon, 24 March 2014 09:40
To be honest I've found the greylist to be a complete waste of time. Because it's hosted by Kerio it has a far larger pool of allowed IPs and seems to let stuff through that a locally hosted greylist would probably stop.


Do you have any debug log for proving this assumption?
  •  
Matt S

Switching on the greylist didn't make a noticeable difference to the quantity of spam we were seeing, or how much ends up hitting the other spam filters. A quick look through the greylisting debug log shows spam from IPs that are passed first time and are not otherwise listed in our mail log for the past few months.

However, thinking about it logically, as I should have done in the first place, this doesn't make any difference because a properly configured server would just retry the message and would get through a local greylist on retry.

What this does tell me is currently most of the spam we're receiving is coming from servers that retry as they should and therefore the greylist technique is ineffective.
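
The behaviour discussed in this thread, sketched as a generic local greylist (an added example, not part of any post and not Kerio's code or its hosted greylisting service). The class and function names, the 300-second delay and the sample addresses are assumptions; it shows that the exemption is decided on the connecting IP only, and that a host which retries after the delay is accepted.

```python
import ipaddress


class Greylist:
    """Generic local greylist keyed on (IP, sender, recipient). Hypothetical model."""

    def __init__(self, exempt_networks, min_delay=300):
        self.exempt = [ipaddress.ip_network(n) for n in exempt_networks]
        self.min_delay = min_delay   # seconds a new triplet must wait (assumed value)
        self.first_seen = {}         # triplet -> time of its first attempt

    def check(self, ip, mail_from, rcpt_to, now):
        """Decide at envelope time, before any header or body is received."""
        addr = ipaddress.ip_address(ip)
        # The exemption list is matched against the connecting IP only.
        # MAIL FROM is attacker-controlled text, so it is never used to bypass.
        if any(addr in net for net in self.exempt):
            return "250 exempt"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.setdefault(key, now)
        if now - seen >= self.min_delay:
            return "250 accepted"    # the sender queued the message and retried
        return "450 4.7.1 Please try again later"


def simulate():
    # Constructed sample: documentation IP ranges and example domains.
    gl = Greylist(exempt_networks=["192.0.2.0/24"], min_delay=300)
    sender, rcpt = "ann@client.example", "bob@ourhost.example"
    return {
        # The client's mail provider is on the exemption list: no delay.
        "exempt_ip": gl.check("192.0.2.25", sender, rcpt, now=0),
        # An unknown host using the same sender address is still deferred.
        "unknown_first": gl.check("203.0.113.7", sender, rcpt, now=0),
        # Retrying before the delay has elapsed is deferred again.
        "unknown_early": gl.check("203.0.113.7", sender, rcpt, now=60),
        # A host that retries after the delay passes, whatever it is sending.
        "unknown_retry": gl.check("203.0.113.7", sender, rcpt, now=900),
    }


if __name__ == "__main__":
    for case, reply in simulate().items():
        print(f"{case:14} {reply}")
```
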