Postgrey - Old insecure Greylisting Whitelists #869
Comments
I'm not sure we would want to purge those lists by default, as presumably they are based on hard-won knowledge of what domains can handle greylisting and which cannot?
I think one is Alibaba, they're old and knackered. I can post this list here for you to have a quick scan at. They are awful. Also the list should be empty as they are not my whitelist choices. They are all irrelevant and the emails that are whitelisted should not be, as these are legacy emails no one uses because of spam.
The client/domains list: https://github.com/schweikert/postgrey/blob/master/postgrey_whitelist_clients
A couple of examples, look at the dates.
This feels like something the owners of the postgrey package should fix!
I understand, but I don't think it is maintained that much. One small patch 5 months ago. Even if it was updated, the upstream package should not be adding their own list, it is like DNS poisoning and is a clear security issue. I will add to my notes (not everyone reads though) to purge this list, but I 100% feel these lists should be empty at the point of use whether this is done upstream or by Virtualmin. It was mentioned that you guys were looking at the spam handling system at some point in the future, maybe to remove
Long-term we do plan to switch to milter-greylist which hopefully had a more up-to-date list of exceptions...
Confirmed - there's recently been a big increase in phishing emails addressed to
Oh that does seem like something we should remove - exceptions for specific domains are fine, but email addresses in all domains seems risky!
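An added example (not part of the thread and not postgrey's or Virtualmin's own code) that audits a recipient whitelist for the `name@` style entries discussed above and reports which hosted domains each one exempts from greylisting. It assumes postgrey's recipient entry forms (domain, `name@`, `name@domain`, `/regexp/`) and `#` comments; the sample file, the hosted domains and all function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of a postgrey recipient whitelist file.
SAMPLE = """\
postmaster@
abuse@
lists.example.org
billing@example.com
/^noreply\\+.*@example\\.net$/
"""

def parse(text):
    """Yield entries, skipping blanks and '#' comments (assumed syntax)."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            yield entry

def kind(entry):
    if len(entry) > 2 and entry.startswith("/") and entry.endswith("/"):
        return "regexp"
    if entry.endswith("@"):
        return "any-domain"  # name@ : that local part at every domain
    return "address" if "@" in entry else "domain"

def matches(entry, rcpt):
    """True if rcpt would skip greylisting because of this entry."""
    rcpt, k = rcpt.lower(), kind(entry)
    if k == "regexp":
        return re.search(entry[1:-1], rcpt, re.I) is not None
    local, _, domain = rcpt.rpartition("@")
    base = local.split("+", 1)[0]  # name+ext@ treated like name@
    e = entry.lower()
    if k == "any-domain":
        return base == e[:-1]
    if k == "address":
        return f"{base}@{domain}" == e
    return domain == e or domain.endswith("." + e)

def audit(text, hosted_domains):
    """Map each any-domain entry to the hosted domains it exempts."""
    return {entry: [d for d in hosted_domains if matches(entry, entry + d)]
            for entry in parse(text) if kind(entry) == "any-domain"}

if __name__ == "__main__":
    for entry, doms in audit(SAMPLE, ["shop.test", "mail.test"]).items():
        print(f"{entry} exempt from greylisting on: {', '.join(doms)}")
```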
@jcameron can I just get you to also relook at the domain list, it is completely bonkers and is also a straight security risk apart from that both these lists should be unpopulated. But it is your call, I have added into my instructions to delete these as they should never have been added 😀 Just included 2 blank templates that either overwrite the ones there or remove the default config file copy command and place the blanks there instead. If any of those domains do not have SPF or DKIM set up I can bypass grey filtering with a simple email spoof. Anyway I will now get off my soapbox. 😀
I suppose we could add an option when greylisting is being set up initially to clear that list. Unless there are some domains for which entries are legitimately needed?
If this requires the user to select the option to clear, I am not for that. The reason is, a new admin might not understand why he has to do that so won't bother and secondly there should not be anything in the list. If you know that the list needs purging you can use
As far as I am concerned, there are no valid options here. I whitelisted none of them 😄
As far as I know, the whitelist is for well known mail domains that do not retry 30 min later after getting the greylist "busy now, try again later" response intended to frustrate bulk spam senders. Because they're not running a standard mail sender e.g. Postfix, Exim, etc. Some universities, airlines, open source mailing lists, who DIY their own SMTP mail sender.
This is an issue with the package and not directly with Virtualmin

the background

Whitelisted clients and Whitelisted recipients.
Whitelisted clients is filled with lots and lots of unwanted domains to be whitelisted
Whitelisted recipients has postmaster@ and abuse@ whitelisted

the issue

proposed solution

On new Virtualmin installs, these lists should be purged of all entries

additional

milter as I think this is part of Virtualmin for mail rate limiting and has greylisting capabilities
milter-greylist but this is just off the top of my head.