How to enable greylisting on your Qmail server

Greylisting is very useful to avoid most of the incoming spam on your mail server. The Qmail packages shipped on Dotdeb have built-in MySQL-based greylisting. Here is how to enable it…

Installation

First of all, be sure to have Qmail installed from Dotdeb with a version number greater than 1.03-37.dotdeb.1.
Then, since we’ll use a MySQL backend to share the greylisting database between several servers, be sure to have MySQL installed somewhere on your boxes.

In our example, we’ll create the database (we’ll name it relaydelay) and grant access to user@host with the password “password“. You’re free to change these values to fit your needs…

CREATE DATABASE relaydelay;
GRANT ALL PRIVILEGES ON `relaydelay`.* TO 'user'@'localhost' IDENTIFIED BY 'password';

Then, we create the needed tables :

CREATE TABLE relaytofrom
(
  id              bigint          NOT NULL        auto_increment,
  relay_ip        char(16),
  mail_from       varchar(255),
  rcpt_to         varchar(255),
  block_expires   datetime        NOT NULL,
 
  record_expires  datetime        NOT NULL,
  blocked_count   bigint          default 0 NOT NULL,
  passed_count    bigint          default 0 NOT NULL,
  aborted_count   bigint          default 0 NOT NULL,
  origin_type     enum("MANUAL","AUTO") NOT NULL,
  create_time     datetime        NOT NULL,
  last_update     timestamp       NOT NULL,
 
  primary key(id),
  key(relay_ip),
  key(mail_from(20)),
  key(rcpt_to(20))
);
 
CREATE TABLE dns_name
(
  relay_ip      varchar(18)       NOT NULL,
  relay_name    varchar(255)      NOT NULL,
  last_update   timestamp         NOT NULL,
  primary key(relay_ip),
  key(relay_name(20))
);
 
CREATE TABLE mail_log
(
  id              bigint          NOT NULL        auto_increment,
  relay_ip        varchar(16)     NOT NULL,
  relay_name      varchar(255),
  dns_mismatch    bool            NOT NULL,
  mail_from       varchar(255)    NOT NULL,
  rcpt_to         varchar(255)    NOT NULL,
  rcpt_host       varchar(80)     NOT NULL,
  create_time     datetime        NOT NULL,
 
  primary key(id),
  key(relay_ip),
  key(mail_from(20)),
  key(rcpt_to(20))
);

We now have to put the appropriate settings in the /etc/init.d/qmail init script…

export MYSQLHOST="localhost"
export MYSQLUSER="user"
export MYSQLPASS="password"
export MYSQLDB="relaydelay"
export BLOCK_EXPIRE=5           # minutes until email is accepted
export RECORD_EXPIRE=600        # minutes until record expires
export RECORD_EXPIRE_GOOD=36
export LOCAL_SCAN_DEBUG=0

and in the /usr/sbin/greylisting-delete-expired :

MYSQLHOST="localhost"
MYSQLUSER="user"
MYSQLPASS="password"
MYSQLDB="relaydelay"

We can now relaunch Qmail and enable or disable the greylisting with a simple symbolic link :

/etc/init.d/qmail
ln -s /usr/bin/qmail-envelope-scanner /usr/sbin/qmail-envelope-scanner

Usage

Example wildcard whitelists for subnets :

INSERT INTO relaytofrom VALUES (0,"127.0.0.1"   ,NULL,NULL,"0000-00-00 00:00:00","9999-12-31 23:59:59",0,0,0,"MANUAL",NOW(),NOW());
INSERT INTO relaytofrom VALUES (0,"192.168"     ,NULL,NULL,"0000-00-00 00:00:00","9999-12-31 23:59:59",0,0,0,"MANUAL",NOW(),NOW());

Example wildcard whitelist entry for a recieved domain or subdomain

INSERT INTO relaytofrom VALUES (0,NULL,NULL,"sub.domain.com","0000-00-00 00:00:00","9999-12-31 23:59:59",0,0,0,"MANUAL",NOW(),NOW());

7 replies on “How to enable greylisting on your Qmail server”

Is it possible to describe ip ranges in relay_ip char(16) like 216.239.32.0/19 ?

We need to whitelist/update with IP addresses that Google Mail, Hotmail etc. uses to send mail.

With 16 char field that isn’t possible, but can we change this?

Thanks.

According to the documentation of the patch, the correct syntax is :

# Example wildcard whitelists for subnets
insert into relaytofrom values (0,”127.0.0.1″ ,NULL,NULL,”0000-00-00 00:00:00″,”9999-12-31 23:59:59″,0,0,0,”MANUAL”,NOW(),NOW());
insert into relaytofrom values (0,”192.168″ ,NULL,NULL,”0000-00-00 00:00:00″,”9999-12-31 23:59:59″,0,0,0,”MANUAL”,NOW(),NOW());

Then we’ll have to add entries for 216.239.32 up to 216.239.63 for 216.239.32.0/19.

Would be easier to just add 216.239.32.0/19, but we’ll survive.

Thanks 🙂

Sorry for the wrong comment section.

My box has been reportet to spamcop as “Misdirected bouncer”, using the dotdeb-qmail.
http://www.spamcop.net/fom-serve/cache/329.html
Does dotdeb-qmail have any of these patches applied?

@A.J. : qmail from Dotdeb includes chukuser and it’s enabled by default.

mh, so any clues why i could be reported? i am only running 3 domains. they are in rcpthosts and local.

e.g from the log:

Nov 2 11:30:26 **CHANGED** qmail: 1288693826.606898 CHKUSER accepted rcpt: from remote rcpt : found existing recipient

the user ocflhmgnpc is not a valid user and the recipient domain is local (**CHANGED**)

qmail-qstat shows me 10k messages in queue. all of them are spam-bounces.

Comments are closed.