meshnet
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 01, 2004 6:57 pm

changeip : Greylisting ?

Tue Aug 14, 2007 6:08 pm

Sam,

Can you post how you do your greylisting on the MT?

Thanks,
Richard
 
changeip
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: changeip : Greylisting ?

Tue Aug 14, 2007 6:50 pm

Oh you noticed eh : )

Populate the "greylist-mxservers" address list with your SMTP servers that accept inbound mail.

/ ip firewall mangle
# rule 1: a source already in greylist-level1 (seen within the last 3m) is returned
# here, so a retry inside the tempfail window does not refresh either list timer
add chain=prerouting action=return connection-state=new dst-port=25 \
protocol=tcp src-address-list=greylist-level1 \
dst-address-list=greylist-mxservers comment="GREYLISTING - \
Bypass certain connections" disabled=no
# rule 2: a source not in greylist-level2 (never seen, or its 8h entry expired)
# goes into greylist-level1 for 3m; the dst-nat rule below redirects level1 sources
add chain=prerouting action=add-src-to-address-list \
connection-state=new dst-port=25 protocol=tcp \
src-address-list=!greylist-level2 \
dst-address-list=greylist-mxservers \
address-list=greylist-level1 address-list-timeout=3m \
comment="GREYLISTING - Add to level1 if not in level2" \
disabled=no
# rule 3: a source in greylist-level1 goes into greylist-level2 for 8h, so that
# once its 3m level1 entry expires its retry is no longer redirected
add chain=prerouting action=add-src-to-address-list \
connection-state=new dst-port=25 protocol=tcp \
src-address-list=greylist-level1 \
dst-address-list=greylist-mxservers \
address-list=greylist-level2 address-list-timeout=8h \
comment="GREYLISTING - Add to level2" disabled=no

--> The rule below is optional; use it if you can spit out a specific string from your mail server when it tells someone they are XBL listed.

add chain=forward action=add-dst-to-address-list tcp-flags=psh \
in-interface=cip src-address=yoursmtpserver/32 src-port=25 \
protocol=tcp content=B12CAFA1-myguid-you-can-use-whatever--FE4 \
address-list=xbl address-list-timeout=15m comment="Temp XBL \
testing" disabled=no

Then ...

/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=yoursmallsmtpserverip \
to-ports=2525 dst-port=25 protocol=tcp \
src-address-list=greylist-level1 \
dst-address-list=greylist-mxservers comment="GreyListing \
\(greylist-level1 users\)" disabled=no

This is the part where it's required for you to install my custom-written SmallSMTPServer. You NAT connections to it and it basically logs them and sends them away to come back later. This way the 100-200 connections per second aren't wasted on your SMTP servers' TCP queue. If you are interested in a copy of the SmallSMTPServer let me know, I could probably clean it up enough to post.

Sidenote: I used a 3m TTL on the level1 list. If you want, make that 5-10 minutes; however, I think shorter is better. The TTL for level2 is also adjustable, however if you end up with 100,000 address-list entries just be careful.

Sam
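To make the interplay of the three mangle rules, the two list timeouts and the dst-nat rule concrete, here is an added example (not Sam's code, and not RouterOS itself) that models the address lists as two timed sets and walks one sender's connections through the rules. It assumes two RouterOS behaviours the posted config relies on: an address added by add-src-to-address-list is visible to later rules in the same pass, and action=return in a built-in chain stops further matching in that chain. The IP addresses and the timeline are constructed.

```python
"""Model of the address-list greylisting logic in the RouterOS config above.

Added example, not the poster's own code.  Two timed sets stand in for the
dynamic address lists greylist-level1 (timeout 3m) and greylist-level2
(timeout 8h).  connect() walks the three mangle rules in order and then
applies the dst-nat rule, returning whether a new inbound TCP/25 connection
from one sender IP would be redirected to the tempfail server or reach the
real MX.
"""
from dataclasses import dataclass, field

LEVEL1_TTL = 3 * 60        # address-list-timeout=3m
LEVEL2_TTL = 8 * 60 * 60   # address-list-timeout=8h


@dataclass
class Greylist:
    level1: dict = field(default_factory=dict)   # ip -> expiry (seconds)
    level2: dict = field(default_factory=dict)

    @staticmethod
    def _listed(lst, ip, now):
        """Address-list membership, dropping expired entries as RouterOS would."""
        expiry = lst.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del lst[ip]
            return False
        return True

    def connect(self, ip, now):
        """Process one new TCP/25 connection to an MX at time `now` (seconds)."""
        if self._listed(self.level1, ip, now):
            # rule 1: already in level1 -> action=return, neither timer is refreshed
            pass
        else:
            # rule 2: not in level2 -> add to level1 with a 3m timeout
            if not self._listed(self.level2, ip, now):
                self.level1[ip] = now + LEVEL1_TTL
            # rule 3: in level1 (including the entry rule 2 just made) -> level2 for 8h
            if self._listed(self.level1, ip, now):
                self.level2[ip] = now + LEVEL2_TTL
        # dst-nat rule: level1 sources are redirected to the tempfail server on :2525
        return "TEMPFAIL" if self._listed(self.level1, ip, now) else "DELIVER"


def simulate(events):
    """events: iterable of (seconds, ip); returns [(seconds, ip, outcome), ...]."""
    gl = Greylist()
    return [(t, ip, gl.connect(ip, t)) for t, ip in sorted(events)]


if __name__ == "__main__":
    # constructed timeline: one legitimate MTA that retries after 1m and 5m and
    # sends again an hour later and again after the 8h level2 entry has expired,
    # plus a one-shot spam source (constructed, documentation-range addresses)
    timeline = [(0, "203.0.113.10"), (60, "203.0.113.10"), (300, "203.0.113.10"),
                (3600, "203.0.113.10"), (LEVEL2_TTL + 60, "203.0.113.10"),
                (5, "198.51.100.7")]
    for t, ip, outcome in simulate(timeline):
        print(f"t={t:>6}s  {ip:<15} {outcome}")
```

The run shows the two edges a practitioner cares about: a retry sooner than the 3m level1 timeout is deferred again (rule 1 keeps the timers from being refreshed, but the dst-nat rule still matches), and a sender whose next message arrives more than 8h after its level2 entry was made is greylisted afresh, which is why Sam notes the level2 TTL is worth tuning.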
 
meshnet
Frequent Visitor
Topic Author

Re: changeip : Greylisting ?

Tue Aug 14, 2007 7:07 pm

Cool

I would be interested in the SmallSMTPServer. I'm having to deal with allowing SMTP AUTH through, so I've been attempting to just block limit overages right now.

What is it written in? I'd be interested in extending it to proxy SMTP AUTH connections, on top of the greylist.

Richard
 
changeip
Forum Guru

Re: changeip : Greylisting ?

Tue Aug 14, 2007 7:51 pm

It's written in vb.net 2.0. I am using the Dart.com components so that I can expand it and parse email messages, etc down the road. I can redistribute source / binary but you would need the dart license to recompile and modify for your needs. Or you can send me the code you've modified and have me recompile it : )

Here's the entire visual studio package.
http://h1x.com/SmallSmtpServer.zip

I found one customer's mail server that didn't like us hanging up on them right after EHLO, so I figured I'd at least let them tell us who they are and who they want to send to before killing them.

Greylist_After_EHLO = False
Greylist_After_RCPT = True

There is a 'user.config' file that should be created under the user's profile that will override things in the .config if you wish to do it that way.

Sam
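The SmallSMTPServer itself is not on this page, so here is an added example, written for this thread in Python rather than vb.net and not Sam's code, of the responder role it plays: it speaks just enough SMTP to get the client to EHLO or RCPT, records who they are and who they want to send to, and then answers with a 4xx temporary failure so a well-behaved MTA queues the message and retries. The two switches mirror the Greylist_After_EHLO / Greylist_After_RCPT settings quoted above; the hostname, reply texts, class names and the port 2525 listener are this example's own choices, and the client lines in the usage are constructed. The retry bookkeeping stays on the router's address lists, exactly as in the posted design; this process only defers.

```python
"""Minimal greylisting SMTP responder (added example, not the SmallSMTPServer)."""
import socketserver

GREYLIST_AFTER_EHLO = False   # mirrors the config keys in the post
GREYLIST_AFTER_RCPT = True
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"   # example's own text


class GreylistSession:
    """Line-oriented SMTP state machine.  feed(line) returns the reply lines to
    send; self.closed becomes True when the server would drop the connection."""

    def __init__(self, hostname="greylist.example",
                 after_ehlo=GREYLIST_AFTER_EHLO, after_rcpt=GREYLIST_AFTER_RCPT):
        self.hostname = hostname
        self.after_ehlo = after_ehlo
        self.after_rcpt = after_rcpt
        self.closed = False
        self.helo = None          # what the client claimed in EHLO/HELO
        self.mail_from = None     # MAIL FROM argument as sent
        self.rcpt_to = []         # RCPT TO arguments as sent

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def feed(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("EHLO", "HELO"):
            self.helo = arg
            if self.after_ehlo:               # defer as early as possible
                self.closed = True
                return [TEMPFAIL]
            return [f"250 {self.hostname}"]
        if cmd == "MAIL":
            self.mail_from = arg
            return ["250 2.1.0 OK"]
        if cmd == "RCPT":
            self.rcpt_to.append(arg)
            if self.after_rcpt:               # defer once we know the target
                self.closed = True
                return [TEMPFAIL]
            return ["250 2.1.5 OK"]
        if cmd == "DATA":                     # never accept message content
            self.closed = True
            return [TEMPFAIL]
        if cmd == "QUIT":
            self.closed = True
            return ["221 2.0.0 Bye"]
        if cmd in ("RSET", "NOOP"):
            return ["250 2.0.0 OK"]
        return ["502 5.5.2 Command not implemented"]


def converse(client_lines, **kw):
    """Drive a session with constructed client lines; returns (transcript, session).
    Feeding stops once the server closes, as it would on a real socket."""
    s = GreylistSession(**kw)
    transcript = [s.banner()]
    for line in client_lines:
        transcript.extend(s.feed(line))
        if s.closed:
            break
    return transcript, s


class GreylistHandler(socketserver.StreamRequestHandler):
    """One connection: banner, feed lines until the session closes, then log."""

    def handle(self):
        s = GreylistSession()
        self.wfile.write((s.banner() + "\r\n").encode())
        while not s.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            for reply in s.feed(raw.decode("latin-1", "replace")):
                self.wfile.write((reply + "\r\n").encode())
        print(f"greylisted {self.client_address[0]} helo={s.helo!r} "
              f"from={s.mail_from!r} rcpt={s.rcpt_to!r}")


if __name__ == "__main__":
    # constructed client exchange, run without a socket
    transcript, _ = converse(["EHLO mx.sender.example",
                              "MAIL FROM:<alice@sender.example>",
                              "RCPT TO:<bob@ours.example>"])
    print("\n".join(transcript))
    # listen on :2525, the port the dst-nat rule in the thread redirects to
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), GreylistHandler) as srv:
        srv.serve_forever()
```

The 451 with enhanced code 4.7.1 is the conventional "try again later" a retrying MTA expects; the responder deliberately never reaches DATA, so no message body is ever read from the roughly 100-200 connections per second the post mentions.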
