Discussion:
[Sqlgrey-users] couple new user questions
Jonathan Nichols
2016-06-27 00:07:54 UTC
Just a couple of questions that I didn’t see covered in the archives…

I see that there’s a list of pre-whitelisted servers. Is this ever updated by the maintainers at any time? Is this something that we can/should just do manually?

If it’s recommended to just deal with it manually, what web interface is recommended these days?

My setup is pretty straightforward, but there are a couple of different domains. Manually adjusting the SQL tables would be kind of a pain.

Thanks!

jonathan
Karl O. Pinc
2016-06-27 00:21:09 UTC
On Sun, 26 Jun 2016 19:07:54 -0500
Post by Jonathan Nichols
Just a couple of questions that I didn’t see covered in the archives…
I see that there’s a list of pre-whitelisted servers.
Is this something that we can/should just do manually?
I never do. The whole point is that it adjusts itself
once it receives incoming email.


Karl <***@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
Lionel Bouton
2016-06-27 13:24:22 UTC
Hi,
Post by Jonathan Nichols
Just a couple of questions that I didn’t see covered in the archives…
I see that there’s a list of pre-whitelisted servers. Is this ever updated by the maintainers at any time?
Rarely. These pre-configured whitelists are under my direct control (the
script updating them fetches files on a web server that I maintain) and my
filter to allow new entries in is:
- they must be cases that auto-whitelisting doesn't handle efficiently,
- they must affect several users.

If this doesn't pass the first test this defeats the greylisting process
(greylisting is not whitelisting...).
If this doesn't pass the second test this might be a fluke or a
temporary situation.
Post by Jonathan Nichols
Is this something that we can/should just do manually?
You can maintain whitelists yourself by creating files with ".local"
appended to the original name. These files are under your direct control
and won't ever be overwritten by SQLgrey.
Post by Jonathan Nichols
If it’s recommended to just deal with it manually, what web interface is recommended these days?
My setup is pretty straightforward, but there are a couple of different domains. Manually adjusting the SQL tables would be kind of a pain.
You should not have to adjust anything unless your users report delayed
emails from specific domains for an extended period (several days).

If there is a problem on some origin domains you can inspect the logs to
find out what is going on with these domains and if they don't behave
well enough for SQLgrey to auto-whitelist them add entries to
/etc/sqlgrey/clients_fqdn_whitelist.local or
/etc/sqlgrey/clients_ip_whitelist.local (see the original files for the
format used). You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.

Best regards,

Lionel
Lionel Bouton
2016-06-27 14:49:59 UTC
Hi,
[...] You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.
Here is a small-time host my users have discovered somehow don't retry
and thus their e-mails don't come through, they may have fixed their
# Small L.A. Law Firm
assantilaw.com
*.assantilaw.com
For this and the following entries, is the domain name really the fqdn
of one of the sources?
I ask because the fewer entries we add, the less CPU we use. So if none
of their servers resolves to "assantilaw.com" this is superfluous.

If anyone could confirm these entries that would speed up their inclusion.

Best regards,

Lionel
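
Added example, not part of the original thread or of SQLgrey: a small Python check for the question raised above, namely which whitelist entries ever match a client FQDN you have actually observed. The matching rules (a bare name matches exactly, `*.name` matches only subdomains) are an assumption based on the entries quoted in this thread, and the observed hostnames are constructed sample data.

```python
# Added example: find whitelist entries that never match an observed client FQDN.
# Assumed matching rules (inferred from the entries quoted in this thread):
#   "name"   matches only that exact FQDN
#   "*.name" matches any FQDN ending in ".name", but not "name" itself

def parse_whitelist(text):
    """Return lower-cased entries, skipping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries

def entry_matches(entry, fqdn):
    """True if a single whitelist entry covers the given client FQDN."""
    fqdn = fqdn.lower().rstrip(".")      # tolerate a trailing root dot
    if entry.startswith("*."):
        return fqdn.endswith(entry[1:])  # entry[1:] keeps the leading dot
    return fqdn == entry

def unused_entries(entries, observed_fqdns):
    """Entries that match none of the observed FQDNs (candidates to drop)."""
    return [e for e in entries
            if not any(entry_matches(e, f) for f in observed_fqdns)]

# Constructed sample: entries as discussed in the thread.
WHITELIST = """\
# StartSSL
startssl.com
*.startssl.com
# Outlook.com
outbound.protection.outlook.com
*.outbound.protection.outlook.com
"""

# Constructed hostnames standing in for reverse-DNS names taken from your logs.
OBSERVED = [
    "mail.startssl.com",
    "mail-host1.outbound.protection.outlook.com",
    "mail-host2.outbound.protection.outlook.com.",
]

if __name__ == "__main__":
    for entry in unused_entries(parse_whitelist(WHITELIST), OBSERVED):
        print("never matched:", entry)
```
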
Lionel Bouton
2016-06-27 14:54:07 UTC
Hi again,
Post by Lionel Bouton
[...]
If there is a problem on some origin domains you can inspect the logs to
find out what is going on with these domains and if they don't behave
well enough for SQLgrey to auto-whitelist them add entries to
/etc/sqlgrey/clients_fqdn_whitelist.local or
/etc/sqlgrey/clients_ip_whitelist.local (see the original files for the
format used). You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.
One thing I forgot because it seemed obvious to me: you want to
whitelist the fqdn/ip of the very first servers trying to send emails.
So for best results you want to follow your logs back to the first mail
transfer attempt to find out the fqdn or the ip range used then.

Best regards,

Lionel
Karl O. Pinc
2016-06-27 14:55:01 UTC
[...] You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.
# StartSSL hates greylisting -- when verifying domain ownership
# via e-mail they expect you to receive an e-mailed code essentially
# immediately and will not retry without you restarting the process.
I confirm this, as of last year.
startcom.org
*.startcom.org
startssl.com
*.startssl.com
# Outlook.com users, retries do not come from the same server.
# [2016-03Mar-14]
outbound.protection.outlook.com
*.outbound.protection.outlook.com
I concur. outlook.com is a pain. They ignore RFC
recommendations, spat out several retries immediately,
and then do not retry again for 30 minutes. (This
seems to be something that the outlook software does.)



Karl <***@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
Lionel Bouton
2016-06-27 15:07:20 UTC
Hi,
Post by Karl O. Pinc
[...] You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.
# StartSSL hates greylisting -- when verifying domain ownership
# via e-mail they expect you to receive an e-mailed code essentially
# immediately and will not retry without you restarting the process.
I confirm this, as of last year.
startcom.org
*.startcom.org
startssl.com
*.startssl.com
# Outlook.com users, retries do not come from the same server.
# [2016-03Mar-14]
outbound.protection.outlook.com
*.outbound.protection.outlook.com
I concur. outlook.com is a pain. They ignore RFC
recommendations, spat out several retries immediately,
and then do not retry again for 30 minutes. (This
seems to be something that the outlook software does.)
Thanks:

*.startcom.org
*.startssl.com
*.outbound.protection.outlook.com


Added to the public whitelists in the "Requested by MTA admins" section.

If I have confirmation of the non-wildcard entries' usefulness I'll add
them too.

All users running "update_sqlgrey_config" (either by crontab or manually)
will get these new entries.

Best regards,

Lionel
Karl O. Pinc
2016-06-27 15:27:32 UTC
Sorry Lionel, I'm confirming that these should
be whitelisted. But, while I recall the below as the
correct domains, I've not examined my logs and checked.
Hi,
Post by Karl O. Pinc
[...] You are then encouraged to report them here so that I can
keep track of domains which need whitelisting to perform well.
# StartSSL hates greylisting -- when verifying domain ownership
# via e-mail they expect you to receive an e-mailed code essentially
# immediately and will not retry without you restarting the process.
I confirm this, as of last year.
startcom.org
*.startcom.org
startssl.com
*.startssl.com
# Outlook.com users, retries do not come from the same server.
# [2016-03Mar-14]
outbound.protection.outlook.com
*.outbound.protection.outlook.com
I concur. outlook.com is a pain. They ignore RFC
recommendations, spat out several retries immediately,
and then do not retry again for 30 minutes. (This
seems to be something that the outlook software does.)
*.startcom.org
*.startssl.com
*.outbound.protection.outlook.com
Added to the public whitelists in the "Requested by MTA admins" section.
If I have confirmation of the non-wildcard entries' usefulness I'll add
them too.
All users running "update_sqlgrey_config" (either by crontab or manually)
will get these new entries.
Best regards,
Lionel
Karl <***@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
