[SA-exim] Greylisting doesn't work anymore
Peter Thomassen
2007-05-10 20:21:31 UTC
Hi.

For some reason, greylisting doesn't work anymore for some time now.

I noticed in the rejectlog that the same e-mail (the same sender, recipient,
server) has been rejected several times in many cases. To find the reason, I
checked /var/spool/sa-exim/tuplets/ and found that this directory is empty
and last modified in February, even though the server processes several
thousand mails a day. (I now disabled the feature by setting SAtempreject to
some huge value. This lets more spam in, but I can't help it at present.)

I think that the tuplet saving doesn't work for some reason, so that e-mail is
unknown again at later tries and therefore to be temporarily rejected. The
tuplet directory belongs to nobody:Debian-exim, the mode is 771. Exim runs as
root:Debian-exim, so I can't see any problem related to the mode.

Marc proposed setting the tuplet directory to 777 which didn't help.

Marc also proposed to add some debug code in the Perl module, which is
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm, I think.
Unfortunately, I only know Perl from reading it a bit, but I tried to add

open (TEST, ">/tmp/debug");
print TEST time."\n";
close TEST;

to the beginning of the greylisting subroutine. I think this should create
a /tmp/debug file, which wasn't the case.

I don't know what to do. Do you have any ideas?

Thanks!
--
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • ***@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879
Marc MERLIN
2007-05-10 20:37:32 UTC
Post by Peter Thomassen
> Hi.
> For some reason, greylisting doesn't work anymore for some time now.
> I noticed in the rejectlog that the same e-mail (the same sender, recipient,
> server) has been rejected several times in many cases. To find the reason, I
> checked /var/spool/sa-exim/tuplets/ and found that this directory is empty
> and last modified in February, even though the server processes several
> thousand mails a day. (I now disabled the feature by setting SAtempreject to
> some huge value. This lets more spam in, but I can't help it at present.)
> I think that the tuplet saving doesn't work for some reason, so that e-mail is
> unknown again at later tries and therefore to be temporarily rejected. The
> tuplet directory belongs to nobody:Debian-exim, the mode is 771. Exim runs as
> root:Debian-exim, so I can't see any problem related to the mode.
> Marc proposed setting the tuplet directory to 777 which didn't help.
> Marc also proposed to add some debug code in the Perl module, which is
> /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm, I think.
> Unfortunately, I only know Perl from reading it a bit, but I tried to add
> open (TEST, ">/tmp/debug");
> print TEST time."\n";
> close TEST;
> to the beginning of the greylisting subroutine. I think this should create
> a /tmp/debug file, which wasn't the case.

Ah, that would explain it then, likely Greylisting.pm is not being run.

Did you change/break your SA config? Is the Greylisting module still being
called in your SA config?

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Peter Thomassen
2007-05-10 20:49:52 UTC
Post by Marc MERLIN
> Post by Peter Thomassen
>> Marc also proposed to add some debug code in the Perl module, which is
>> /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm, I think.
>> Unfortunately, I only know Perl from reading it a bit, but I tried to add
>> open (TEST, ">/tmp/debug");
>> print TEST time."\n";
>> close TEST;
>> to the beginning of the greylisting subroutine. I think this should
>> create a /tmp/debug file, which wasn't the case.
> Ah, that would explain it then, likely Greylisting.pm is not being run.
> Did you change/break your SA config? Is the Greylisting module still being
> called in your SA config?

I think if the SA config were broken, there would occur some other error, or
SpamAssassin wouldn't work at all. So I assume the config is not broken.

It contains the following lines:

# greylistsecs: how long you greylist a tuplet because whitelisting it
# greylistnullfrom: set to 1 to also greylist mail with a null env from
# greylistfourthbyte: keep the 4 bytes of the connecting host instead of 3
loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
header GREYLIST_ISWHITE eval:greylisting("(
'dir' => '/var/spool/sa-exim/tuplets';
'method' => 'dir';
'greylistsecs' => '1800';
dontgreylistthreshold' => 12000000;
'connectiphdr' => 'X-SA-Exim-Connect-IP';
'envfromhdr' => 'X-SA-Exim-Mail-From';
'rcpttohdr' => 'X-SA-Exim-Rcpt-To';
'greylistnullfrom' => 1;
'greylistfourthbyte' => 0 )")
describe GREYLIST_ISWHITE The incoming server has been whitelisted for this recipient and sender
score GREYLIST_ISWHITE -1.5
# Run SpamAssassin last, after all other rules.
# (lets us not greylist a host that is sending spam, otherwise this rule might
# set a sufficiently negative score that the next spam would be allowed in)
priority GREYLIST_ISWHITE 99999

Looks like the module is still called. Or is there something wrong?

Thank you.
--
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • ***@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879
Peter Thomassen
2007-05-10 20:53:55 UTC
Post by Peter Thomassen
> GREYLIST_ISWHITE eval:greylisting("(
> 'dir' => '/var/spool/sa-exim/tuplets';
> 'method' => 'dir';
> 'greylistsecs' => '1800';
> dontgreylistthreshold' => 12000000;
  ^ Of course, here also is an ' (it is in the file).
--
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • ***@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879
Marc MERLIN
2007-05-10 21:02:13 UTC
Post by Peter Thomassen
> Post by Peter Thomassen
>> GREYLIST_ISWHITE eval:greylisting("(
>> 'dir' => '/var/spool/sa-exim/tuplets';
>> 'method' => 'dir';
>> 'greylistsecs' => '1800';
>> dontgreylistthreshold' => 12000000;
>  ^ Of course, here also is an ' (it is in the file).

Ok, try this:
1) Check your syslog for possible error messages from spamd
2) ls -lu against your Greylisting.pm and see if the date changes
   or not after you restart SA and receive mails
3) spamassassin -D -t < /tmp/some_email
   check the debug output for 'dbg: GREYLISTING:'

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Peter Thomassen
2007-05-10 21:24:32 UTC
Post by Marc MERLIN
> 1) Check your syslog for possible error messages from spamd

No error messages (I check time intervals when the server received mail
without greylisting or rejected mail with greylisting).

Post by Marc MERLIN
> 2) ls -lu against your Greylisting.pm and see if the date changes
> or not after you restart SA and receive mails

It is Jan 29, 23:46 and doesn't change. I don't know what I did at this date.

Post by Marc MERLIN
> 3) spamassassin -D -t < /tmp/some_email
> check the debug output for 'dbg: GREYLISTING:'

I did: spamassassin | grep -i greylist

[19457] dbg: plugin: loading Greylisting from /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
[19457] dbg: plugin: registered Greylisting=HASH(0x8fe5634)
[19457] dbg: GREYLISTING: called function
[19457] dbg: GREYLISTING: running greylisting on <***@nsi-robo.tmag.de>, since score is too low (0.55) and you configured greylisting to greylist anything under 12000000
[19457] warn: Couldn't get Rcpt To header X-SA-Exim-Rcpt-To for message <***@nsi-robo.tmag.de>, skipping greylisting call

After looking around for X-SA-Exim-Rcpt-To, I found that SAmaxrcptlistlength
must not be 0 when using greylisting, but it was 0. On Jan 28, there was an
upgrade (compare the date above); I think it came with a new config file, and
I didn't change that line back. My fault, sorry.

Everything now works again. Thank you! Your support is great. :-))
--
      Peter Thomassen • Steigerwaldstr. 4 • 97076 Würzburg • Germany
         http://www.peter-thomassen.de/ • ***@peter-thomassen.de
               fon +49-931-2705351 • mobil +49-176-63159879
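
The root cause found in this thread (greylisting configured with 'rcpttohdr' while SAmaxrcptlistlength is 0, so the plugin skips its work without any error) can be checked after each package upgrade. The script below is an added example, not part of the original posts or of sa-exim. It assumes the sa-exim config uses "Key: value" lines, treats an unset option like 0, takes both config paths as arguments, and runs on constructed sample files.

```shell
#!/bin/sh
# Added example: check that sa-exim will emit the recipient header that the
# Greylisting plugin is configured to read. Paths are passed in by the caller.

# Print the last uncommented value of a "Key: value" option (layout assumed).
saexim_option() {  # $1 = option name, $2 = sa-exim config file
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# 0 = greylisting can run, 1 = it will be silently skipped,
# 2 = the SpamAssassin config does not set 'rcpttohdr' (greylisting not in use).
check_greylist_prereq() {  # $1 = sa-exim config, $2 = SpamAssassin config
    grep -v '^[[:space:]]*#' "$2" | grep -q "'rcpttohdr'" || return 2
    len=$(saexim_option SAmaxrcptlistlength "$1")
    case "$len" in
        ''|*[!0-9]*) return 1 ;;  # unset or non-numeric: treated like 0 (assumption)
    esac
    [ "$len" -gt 0 ] || return 1
    return 0
}

# 0 if `spamassassin -D` output on stdin shows the plugin skipping its work.
greylist_skipped() {
    grep -q "warn: Couldn't get Rcpt To header .* skipping greylisting call"
}

# Constructed sample files; the values 8000 and 9.0 are illustrative only.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# after upgrade' 'SAtempreject: 9.0' 'SAmaxrcptlistlength: 0' > "$tmp/bad.conf"
printf '%s\n' '#SAmaxrcptlistlength: 0' 'SAmaxrcptlistlength: 8000' > "$tmp/good.conf"
printf '%s\n' "'rcpttohdr' => 'X-SA-Exim-Rcpt-To';" > "$tmp/sa.cf"
printf '%s\n' "[1] warn: Couldn't get Rcpt To header X-SA-Exim-Rcpt-To for message <constructed@example.invalid>, skipping greylisting call" > "$tmp/debug.log"

for f in bad good; do
    check_greylist_prereq "$tmp/$f.conf" "$tmp/sa.cf" && rc=0 || rc=$?
    echo "$f.conf: status $rc"
done
greylist_skipped < "$tmp/debug.log" && echo "debug log: greylisting was skipped"
```

A non-zero status from `check_greylist_prereq` on a production config is worth alerting on, since the failure otherwise shows up only as repeated temporary rejects and an empty tuplet directory.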