Open shoulders opened 1 month ago
I'm not sure we would want to purge those lists by default, as presumably they are based on hard-won knowledge of what domains can handle greylisting and which cannot?
I think one is Alibaba, they are old and knackered. I can post this list here for you to have a quick scan at. They are awful.
Also the list should be empty as they are not my whitelist choices.
They are all irrelevant, and the emails that are whitelisted should not be, as these are legacy emails no one uses because of spam.
https://github.com/schweikert/postgrey/blob/master/postgrey_whitelist_clients
# 2004-05-20: Linux kernel mailing-list (unique sender with letters)
vger.kernel.org
# 2004-06-02: karger.ch, no retry
karger.ch
# 2004-06-02: lilys.ch, (slow: 4 hours)
server-x001.hostpoint.ch
This feels like something the owners of the postgrey package should fix!
I understand, but I don't think it is maintained that much. One small patch 5 months ago. Even if it was updated, the upstream package should not be adding their own list, it is like DNS poisoning and is a clear security issue.
I will add to my notes (not everyone reads, though) to purge this list, but I 100% feel these lists should be empty at the point of use whether this is done upstream or by Virtualmin.
It was mentioned that you guys were looking at the spam handling system at some point in the future, maybe to remove SpamAssassin in favour of something like Rspamd, maybe at this point replace postgrey. There is also milter-greylisting (I think).
Long-term we do plan to switch to milter-greylist which hopefully has a more up-to-date list of exceptions...
Confirmed - there's recently been a big increase in phishing emails addressed to abuse@ and postmaster@ because the phishers know that those addresses are whitelisted so postfix will deliver them immediately, bypassing the time-consuming greylist delay.
Oh that does seem like something we should remove - exceptions for specific domains are fine, but email addresses in all domains seems risky!
@jcameron can I just get you to also relook at the domain list, it is completely bonkers and is also a straight security risk; apart from that, both these lists should be unpopulated.
But it is your call, I have added into my instructions to delete these as they should never have been added 😀
Just included 2 blank templates that either overwrite the ones there or remove the default config file copy command and place the blanks there instead.
If any of those domains do not have SPF or DKIM set up, I can bypass grey filtering with a simple email spoof.
Anyway I will now get off my soapbox. 😀
I suppose we could add an option when greylisting is being setup initially to clear that list. Unless there are some domains for which entries are legitimately needed?
I suppose we could add an option when greylisting is being setup initially to clear that list.
If this requires the user to select the option to clear, I am not for that.
The reason is, a new admin might not understand why he has to do that so won't bother, and secondly there should not be anything in the list.
If you know that the list needs purging you can use select all and then hit purge 😄
Unless there are some domains for which entries are legitimately needed?
As far as I am concerned, there are no valid options here. I whitelisted none of them 😄
As far as I know, the whitelist is for well known mail domains that do not retry 30 min later after getting the greylist "busy now, try again later" response intended to frustrate bulk spam senders. Because they're not running a standard mail sender e.g. Postfix, Exim, etc. Some universities, airlines, open source mailing lists, who DIY their own SMTP mail sender.
This is an issue with the package and not directly with Virtualmin
the background
Whitelisted clients and Whitelisted recipients.
Whitelisted clients is filled with lots and lots of unwanted domains to be whitelisted
Whitelisted recipients has postmaster@ and abuse@ whitelisted
the issue
proposed solution
On new Virtualmin installs, these lists should be purged of all entries
additional
milter as I think this is part of Virtualmin for mail rate limiting and has greylisting capabilities
milter-greylist
but this is just off the top of my head.
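
An audit of the two lists discussed in this thread, as an added example that is not part of the thread and is not postgrey or Virtualmin code. The function names are hypothetical, the sample text is constructed from the entries quoted above, and the classification assumes one entry per line with `#` comments and `/regex/` patterns.

```python
import re

# Constructed samples: the client entries quoted in the thread and the two
# recipient entries it names.
CLIENTS = """\
# 2004-05-20: Linux kernel mailing-list (unique sender with letters)
vger.kernel.org
# 2004-06-02: karger.ch, no retry
karger.ch
# 2004-06-02: lilys.ch, (slow: 4 hours)
server-x001.hostpoint.ch
"""
RECIPIENTS = "postmaster@\nabuse@\n"

def parse_whitelist(text):
    """Return (entry, note) pairs; note is the comment line just above the entry."""
    entries, note = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            note = None
        elif line.startswith("#"):
            note = line.lstrip("# ").strip()
        else:
            entries.append((line, note))
            note = None
    return entries

def classify(entry):
    """Assumed entry kinds: /regex/, 'local@' (any domain), full address, host."""
    if len(entry) > 1 and entry.startswith("/") and entry.endswith("/"):
        return "regex"
    if entry.endswith("@"):
        return "localpart-any-domain"
    return "address" if "@" in entry else "host"

def audit(clients_text, recipients_text):
    """List every exemption an admin should consciously accept or purge."""
    findings = []
    for entry, _ in parse_whitelist(recipients_text):
        if classify(entry) == "localpart-any-domain":
            findings.append(("recipient", entry, "skips greylisting in every domain"))
    for entry, note in parse_whitelist(clients_text):
        year = re.match(r"(\d{4})-\d{2}-\d{2}", note or "")
        age = f"exempt since {year.group(1)}" if year else "undated exemption"
        findings.append(("client", entry, age))
    return findings

if __name__ == "__main__":
    for kind, entry, reason in audit(CLIENTS, RECIPIENTS):
        print(f"{kind:9} {entry:28} {reason}")
```

To check a real install, pass the contents of the server's own client and recipient whitelist files to `audit()` in place of the constructed samples.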