
Whitelisting in OS X Server (pass greylisting without disabling it)

To whitelist domains from greylisting so mails from that domain arrive instantly, enter


sudo serveradmin settings mail:postfix:add_whitelist_domain = "example.com"


and replace example.com with the domain you intend to whitelist. It seems like you can also whitelist hostnames (server.example.com) and mail users (user@example.com), but I don't know how to do that yet, using:


mail:postfix:add_whitelist_host = _empty_array


mail:postfix:whitelist_from

OS X Server, 8GB, 2,93 GHz Intel Core 2 Duo

Posted on Jul 31, 2012 8:59 AM


May 2, 2014 6:38 AM in response to TigerKR

I do not use greylisting and I recommend against it. It's a "nice idea" that *will* cause you to lose legitimate email at some point, and at the very least cause delays in delivery (at your end) that can be undesirable.


You can achieve far far far far better rejection of spam - without intentionally delaying delivery as greylisting will do - via the other very fine capabilities of Postfix. It does mean having to work in the command-line but it's extremely worthwhile to learn how to do so, and you're already doing so in your efforts with "improving" greylisting.


Also updating Spamassassin and installing Razor2 (& moreso than) Pyzor. A write-up of this is on my list of things to do.


In the meantime have a look at http://www.postfix.org/docs.html specifically the UCE/Virus section -
in particular,

http://www.mengwong.com/misc/postfix-uce-guide.txt

and
http://webcache.googleusercontent.com/search?q=cache:T2cOYcVuGucJ:https://posluns.com/guides/classes/+&cd=1&hl=en&ct=clnk&gl=usj


Give that last one a while to load (the original site seems down just now)
Change only one thing at a time, issue
postfix reload
and wait & watch the result(s).

May 4, 2014 1:33 PM in response to davidh

Oh yeah, the topicdesk stuff is great. I've been using their tutorials for years. I even donated! I had checked them out after upgrading from 10.6 Server to 10.9 Server, but I thought that I'd leave the apple defaults and see what happened (if it ain't broke, don't fix it - not that the mail server was working out of the box with my migrated users - but that's a topic for a different thread). The apple defaults are too loose for sure.


Yeah, I was bitten by using too many rbl a few years back. Now I only use zen.spamhaus.org.


I've started by implementing the topicdesk recommendations (using /Library/Server/Mail/Config/postfix instead of /etc/postfix). I think I'm going to tighten up my anti-spam configs based on the topicdesk recommendations too.


<http://downloads.topicdesk.com/docs/Updating_amavisd_new_on_OS_X_Server_10_5_Leopard.pdf>


I'm going to leave those changes for a little while to make sure that legit email can still get through. Unless you think there's something big I'm missing, please let me know.


Thanks again for your help davidh!

May 4, 2014 1:55 PM in response to TigerKR

Good stuff. I did not update amavisd on 10.9 Server, there's I suspect comparatively little gain, vs. updating to the latest spamassassin.

I'm working on a write-up of that, but don't have another 10.9 server-based mailserver on which to replicate my first run. I could spin up a VM but the extra leg-work on my own time, is not something I can spare these days 🙂

May 4, 2014 2:51 PM in response to davidh

Oh yeah, I'm not updating the software (other than apple software updates) either. I'm just using their recommendations for the amavis conf settings - lowering the bar for spam.


I'm not super pleased that I had to install macports in order to fix my freshly installed 10.9 mail server config to get it to work in the first place. The mail server wasn't starting and somewhere in the logs, it was complaining that something (I don't remember if it was a part of amavis, spamassassin, or clamav) wasn't configured. "So-and-so isn't configured, do you need to run xyz-pdq?"


And when I tried to run the configuration, a dependency was missing (gpg I think). I always wish that I wrote down every step that I took, so I could repeat the process, or to help other people.


Well, I'll be looking out for your writeups!

May 8, 2014 12:46 PM in response to TigerKR

I am using Mac OS X 10.8.5 with Server 2.2.2, but I think the same will probably apply in Mavericks. I have in the past been trying these same commands but they were not always reliable in passing on the settings to the greylisting system. So, I found out where they write by analyzing /usr/libexec/postfix/greylist.pl and now maintain these by hand. The unexpected thing is that this is not maintained in the Config directory tree but in the Data directory tree of Mail.


Go to the directory /Library/Server/Mail/Data/gldb


(gldb = greylisting database). Here, the greylisting script maintains the database of sending systems that have passed the greylisting trick. Here I have added info to two files:


whitelist_domain


and


whitelist_host


These are static data files that are read by the greylisting script.


For instance, if you want to whitelist all servers from facebook.com (because their myriad of file servers defeats the greylisting assumptions) you add a line to whitelist_domain that says facebook.com and one that says facebookmail.com. The domains to add, you can find by analyzing mail.log and look for the greylisting 'error' messages.


Some obvious entries are:


amazon.com

facebook.com

facebookmail.com

messagelabs.com
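
Added example, not part of the post above and not Apple's code: one way to carry out the mail.log analysis it describes, listing sending domains that were deferred from several different servers and are not yet in whitelist_domain. The log line format, the 450 marker and the sample lines are assumptions constructed for illustration; check them against your own mail.log.

```python
import re
from collections import defaultdict

# Assumption: greylist deferrals show up as Postfix "NOQUEUE: reject" lines with a
# 450 reply. The exact text greylist.pl produces may differ; adjust DEFER_MARK.
DEFER_MARK = "]: 450 "
CLIENT_RE = re.compile(r"NOQUEUE: reject: RCPT from ([^\[\s]+)\[([0-9A-Fa-f.:]+)\]")

def _line(host, ip, code="450 4.7.1"):
    # Builds one constructed log line (not taken from a real server).
    return (f"May  8 10:01:02 mail postfix/smtpd[311]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: {code} <bob@server.test>: Recipient address rejected")

SAMPLE_LOG = "\n".join([
    _line("out-1.mx.example.net", "192.0.2.11"),
    _line("out-2.mx.example.net", "192.0.2.12"),
    _line("out-3.mx.example.net", "192.0.2.13"),   # same sender domain, third server
    _line("mail.example.com", "198.51.100.5"),     # single server: a retry will pass
    _line("unknown", "203.0.113.9"),               # no reverse DNS, nothing to whitelist
    _line("a.example.org", "198.51.100.20"),
    _line("b.example.org", "198.51.100.21"),       # already whitelisted below
    _line("h.bad.invalid", "203.0.113.50", code="554 5.7.1"),  # hard reject, not greylisting
])

def base_domain(host):
    # Naive: keeps the last two labels, so it is wrong for suffixes like co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def candidates(log_text, whitelist, min_servers=2):
    """Return [(domain, distinct_server_count)] for deferred, non-whitelisted domains."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or DEFER_MARK not in line:
            continue
        host, ip = m.groups()
        if host == "unknown":
            continue
        servers[base_domain(host)].add(ip)
    found = [(d, len(ips)) for d, ips in servers.items()
             if d not in whitelist and len(ips) >= min_servers]
    return sorted(found, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    # In practice, read the whitelist from /Library/Server/Mail/Data/gldb/whitelist_domain.
    for domain, count in candidates(SAMPLE_LOG, {"example.org"}):
        print(f"{domain}\t{count} distinct sending servers deferred")
```

Review each candidate by hand before adding it to whitelist_domain: a whitelisted domain bypasses greylisting for every server whose hostname falls under it.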

May 8, 2014 1:56 PM in response to TigerKR

There are two kinds of whitelisting:

- Whitelisting at the postfix level. There are several ways to whitelist clients/senders and these methods are part of postfix's standard functionality and I can hardly imagine Apple could change postfix in such a way that whitelisting became impossible.

- Whitelisting as part of greylisting. This is governed by the greylist perl script. It could be that Mavericks contains a different/adapted greylisting program/script. If this is the case, one could either setup greylisting differently or adapt the script.


Does /usr/libexec/postfix/greylist.pl still exist in 10.9 and is it still used by postscript? Does /Library/Server/Mail/Data/gldb still exist and if so, what files can be found in it?
