Greylisting for Exim
I noticed a couple of posts in the Russian language forums about greylisting, from two years ago or so. I wondered if anyone had recently tried to implement this. I've done it before on Postfix, and the postgrey package seems to do it OK. However, support for Exim doesn't seem to be as good, and many of the attempts are not current. I thought I'd check here to see if anyone had had any success, and what package they used.
Here's the greylisting.org reference page: http://www.greylisting.org/implementations/exim.php
Bley seems to be a reasonably up-to-date package, but it repeats a bit of existing blocklist functionality. https://github.com/evgeni/bley
Re: Greylisting for Exim
In case anyone else is interested, I got postgrey working, by following the instructions here.
https://github.com/schweikert/postgrey/ ... EADME.exim
Installation is simple: apt install postgrey
This sets up the daemon, and enables it with systemctl.
Next step, you need to edit /etc/default/postgrey and add --exim as an option to start the daemon, i.e.
POSTGREY_OPTS="--inet=10023 --exim "
(plus whatever other options you want to add here). Then restart with systemctl restart postgrey.service
You can check that the right command line was issued with systemctl status postgrey.service
OK, now to edit the exim config. I followed the VestaCP convention and put a line at the top of the config which lets you turn greylisting on and off easily by commenting out a single line.
GREYLIST = yes
Then go down to the ACL section. Find the section labeled acl_check_rcpt (which corresponds to acl_smtp_rcpt mentioned in the docs)
You can put this code anywhere between acl_check_rcpt and the following "accept". The higher up the list, the sooner the check is processed, so you might choose to do it before other checks or after.
Note that as per the documentation, I had to use $acl_m3 instead of $acl_m0 as m0, m1 and m2 were already in use.
```
.ifdef GREYLIST
  # Build a policy request, send it to postgrey on 127.0.0.1:10023 and
  # defer the RCPT when the reply starts with DEFER.
  defer log_message = greylisted host $sender_host_address
        set acl_m3  = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\n\n
        set acl_m3  = ${sg{${readsocket{inet:127.0.0.1:10023}{$acl_m3}{5s}{}{action=DUNNO}}}{action=}{}}
        message     = ${sg{$acl_m3}{^\\w+\\s*}{}}
        condition   = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}{true}{false}}
  # When the reply starts with PREPEND, pass on the text that follows it.
  warn  message     = ${sg{$acl_m3}{^\\w+\\s*}{}}
        condition   = ${if eq{${uc:${substr{0}{7}{$acl_m3}}}}{PREPEND}{true}{false}}
.endif
```
Also note that I had to change the socket from /var/run/postgrey to inet:127.0.0.1:10023 to match the configuration as installed by apt.
Restart with systemctl restart exim4.service
And then tail -f /var/log/exim4/mainlog to monitor your incoming mail queue.
Just to explain greylisting very quickly, the server will now reject anyone's email when they first try to connect, and will record their IP, From, and To addresses. After a short interval (300 sec), if the same IP, To, and From tries again, it will let it through (and continue to for the next month). This works because spammers never try twice, and proper email servers will retry after minutes or hours, and keep going up to 5 days.
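The exchange described in this post, modelled end to end as an added example (it is not part of the original post and not postgrey's code): the request the ACL builds, a triplet decision with the 300-second delay, and the same string handling the ACL applies to the reply. The names `Greylist`, `parse_request` and `acl_verdict`, the sample request, the reply wording and the 35-day lifetime are assumptions made for illustration.

```python
import re

DELAY = 300            # seconds a new triplet must wait (value from the post)
MAX_AGE = 35 * 86400   # assumed lifetime of a passed triplet ("the next month")

# Constructed sample request, same attribute layout as the ACL's first "set".
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
          "helo_name=mx.example.net\nclient_address=192.0.2.10\n"
          "client_name=mx.example.net\nsender=alice@example.net\n"
          "recipient=bob@example.org\n\n")


def parse_request(raw):
    """Read name=value lines up to the empty line that ends the request."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    """Hypothetical stand-in for the policy daemon's triplet database."""

    def __init__(self):
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = {}       # triplet -> time of last accepted attempt

    def decide(self, raw, now):
        a = parse_request(raw)
        key = (a["client_address"], a["sender"].lower(), a["recipient"].lower())
        if key in self.passed and now - self.passed[key] > MAX_AGE:
            del self.passed[key]          # expired: treat as a new triplet
            del self.first_seen[key]
        first = self.first_seen.setdefault(key, now)
        if key in self.passed or now - first >= DELAY:
            self.passed[key] = now
            return "action=DUNNO"
        wait = DELAY - (now - first)
        return f"action=DEFER_IF_PERMIT Greylisted, retry in {wait} seconds"


def acl_verdict(reply):
    """Apply the ACL's string handling; return (defer?, SMTP message text)."""
    stripped = reply.replace("action=", "")        # ${sg{...}{action=}{}}
    defer = stripped[:5].upper() == "DEFER"        # ${substr{0}{5}{...}}
    message = re.sub(r"^\w+\s*", "", stripped)     # ${sg{...}{^\\w+\\s*}{}}
    return defer, message
```

The request carries no attribute marking authenticated or relayed mail, so the same decision applies to every RCPT that reaches this ACL statement.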
Re: Greylisting for Exim
I have currently disabled this config, as it was greylisting my OUTGOING emails as well!! I'll post an updated version when I've figured it out. NB. Config disabled by putting a # in front of #GREYLIST = yes