Postgrey (Re: impersonating Juan, a quick test)

Greg Newby gbnewby at pglaf.org
Wed Jul 17 09:33:54 PDT 2019


Sorry for my slow response. I purposely waited an extra day+ in case there are any other complaints or signs of trouble. Also, maybe you got a response back from cock.li already?

This is mostly just my response to Juan, but what's below might be of general interest for anyone who has had trouble getting messages to or from the list:

On Mon, Jul 15, 2019 at 08:07:48PM -0300, Punk wrote:
> On Mon, 15 Jul 2019 14:33:41 -0700
> Greg Newby <gbnewby at pglaf.org> wrote:
> 
> 
> > 
> > I found lots of log entries where your messages were accepted:
> > 
> > Jul 12 13:13:31 mail postgrey[2135]: action=pass, reason=triplet found, client_name=mx1.cock.li, client_address=185.10.68.5, sender=punks at tfwno.gf, recipient=cypherpunks at lists.cpunks.org
> > 
> > (185.10.68.5 is mx1.cock.li)
> > 
> > The first time a message arrives, the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" had not been seen before within postgrey's memory. So, it sends a message back to try again later.
> > And then, a few minutes later, the MTA tries again and the message is delivered.
> 
> 
> 	I see. And how often are the entries in the list of accepted senders removed? How often does postgrey 'forget' about a triplet it had validated? Every few hours? 
> 

The man page says it is 35 days.

In your experience, this means that if a message is posted (same triplet of IP, sender, recipient) it should not be greylisted unless 35 days have passed since the prior message was sent.

One thing that happens a lot with big companies is that they use a bunch of different IP addresses. That creates problems for greylisting, since the triplet is not duplicated, so keeps getting greylisted. I did not see evidence that cock.li is doing this, though: they just have two MX servers, and the addresses seem static.

> 
> 
> > > > If you have a message that doesn't seem to get posted, please forward me the message and I'll mine the logs to see what happened. There are plenty of other possibilities that might cause this, but postgrey is one that we can investigate easily enough.
> > > 
> > > 	This one took five tries. 
> > > 
> > > 	https://lists.cpunks.org/pipermail/cypherpunks/2019-July/075571.html
> > > 
> > > 	(I'm sending you a copy of the original message to your pflag.org address) 
> > 
> > And I didn't get the copy you sent me directly:
> 
> 
> 	oh so the same postgrey rules are applied to pflag.org, I see. 

Yes, it's the exact same system, with the exact same software, configuration, etc.

I can provide you a GMail-type address to contact me, if your messages aren't getting through.

> > mail.log:Jul 15 12:19:38 mail postgrey[2135]: action=greylist, reason=new, client_name=unknown, client_address=xxxx, sender=punks at tfwno.gf, recipient=gbnewby at pglaf.org
> > 
> > the MTA didn't try again! (I.e., there was not a second entry for this triplet, as of 40+ minutes later).
> 
> 
> 	got it
> 
> 
> > 
> > 
> >  *** ALSO, and this is important: I see at least three different email addresses you are using. punk@ punks@ and another. All those from punks@ went through to cypherpunks at cpunks.org: none were delayed in the past few days of logs.
> 
> 
> 	cpunks@ is my only address. cpunk@ is an address somebody else registered and used to send the two messages I mistakenly regarded as 'spoofed'. I don't know what third address you're seeing, but it's not mine. 
> 

Actually, your address is: punks at tfwno.gf (I just confirmed that is what appears in the subscriber list, and that is the address you used).

The list configuration is that emails from unknown/unsubscribed addresses are rejected (i.e., bounced: you will get a copy back).

So, if you ever send from a different address, it will not be posted. And it will be bounced back. It's possible your email client or the cock.li MTA is not getting a bounce to you... to test this, try sending to cypherpunks at lists.cpunks.org from a non-subscribed address, and then chase down the bounce.

(Of course, it will get greylisted first! Even before Mailman sees + bounces it.)

I can check the logs for the non-subscribed address, if you experiment with this and don't get a bounce.


> > Bottom line: There is some evidence that the cock.li mail transport agents are not working correctly for greylisting, at least not all of the time. If you are in communication with those folks, perhaps you could raise some concerns. You can feel free to put me in touch, if that might help.
> 
> 
> 	I'll write to them.
> 
> 
> 
> > 
> > Other Bottom Line: Make sure you use your subscribed address, punks at tfwno.gf, to send to cypherpunks at cpunks.org
> 
> 
> 	I double checked and cypherpunks at cpunks.org is the address in my address book. However I've sent a lot of messages to cypherpunks at lists.cpunks.org as well. The @lists.cpunks.org address is the one my client picks when I write a reply. I'll try sending everything to @cpunks.org  and see if that makes a difference. 
> 

Either works. The DNS MX sends it to the same server.

> > 
> > And finally, I do see messages of this form in the logs:
> > 
> > Jul  8 08:28:14 mail postfix/smtp[29664]: 38E7411C603C: host mx1.cock.li[185.10.68.5] refused to talk to me: 421 4.7.0 cock.li Error: too many connections from 65.50.255.19
> > 
> 
> 
> 	So messages from the list to subscribers @ cock.li might get lost...

Maybe. You can check the archives to confirm.

Or maybe it's only addresses that are not actually deliverable. There are dozens of throwaway addresses that were created & subscribed, and now just bounce, in the subscriber list. Those are stuck in their own twilight zone, until Mailman eventually auto-unsubscribes them. This always takes at least a week (that is the Mailman list setting), and since cpunks@ is a busy list, that can result in many dozens of retries by the MTA.

> > This seems to be from when a message to cypherpunks@ is delivered to various addresses hosted there. They have many different domains, and postfix is not smart enough to bundle them all into a single delivery. Result can be a dozen or more connections within just a second or so, which could legitimately trigger some anti-abuse response. Although, again, these should either generate a bounce, or be retried.
> 
> 
> 	I don't think I've seen that problem though. I mean I'm more or less sure I'm getting all the messages _from_ the list. 
> 

Yes - my note just above.

> > 
> > Sorry for the trouble. It seems there might be some configuration problems (and it's certainly possible that my PGLAF server is not configured quite right!), and also that both cock.li and pglaf.org servers have some relatively unforgiving configurations.
> 
> 	Thanks a lot for looking into this =)

My pleasure.

Best,
 Greg
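
Added example (not part of Greg's message or the list's tooling): a log audit in the spirit of the check described above, finding triplets that postgrey deferred and that never came back with a pass, plus sender/recipient pairs that arrive from more than one client IP. The sample lines are constructed with documentation addresses, and the function names and the 40-minute grace period are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the postgrey format quoted in the thread
# (documentation addresses and IPs; not taken from the real logs).
SAMPLE_LOG = """\
Jul 15 12:00:05 mail postgrey[2135]: action=greylist, reason=new, client_name=mx1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=list@example.org
Jul 15 12:06:41 mail postgrey[2135]: action=pass, reason=triplet found, client_name=mx1.example.net, client_address=192.0.2.10, sender=alice@example.net, recipient=list@example.org
Jul 15 12:19:38 mail postgrey[2135]: action=greylist, reason=new, client_name=unknown, client_address=198.51.100.7, sender=bob@example.com, recipient=admin@example.org
Jul 15 12:30:02 mail postgrey[2135]: action=greylist, reason=new, client_name=out1.example.com, client_address=203.0.113.1, sender=carol@example.com, recipient=list@example.org
Jul 15 12:36:10 mail postgrey[2135]: action=greylist, reason=new, client_name=out2.example.com, client_address=203.0.113.2, sender=carol@example.com, recipient=list@example.org
"""

# No leading anchor, so lines with a grep prefix such as "mail.log:" still match.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postgrey\[\d+\]: (?P<kv>action=.*)$")

def parse(log_text, year=2019):
    """Yield (timestamp, action, triplet) per postgrey line; syslog omits the year."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["kv"].split(", ") if "=" in p)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, kv["action"], (kv["client_address"], kv["sender"], kv["recipient"])

def audit(log_text, now, grace=timedelta(minutes=40)):
    """Return (never_retried, rotating): triplets deferred with no later pass,
    and sender/recipient pairs deferred from more than one client IP."""
    first_deferral, passed, ips = {}, set(), defaultdict(set)
    for ts, action, triplet in parse(log_text):
        if action == "greylist":
            first_deferral.setdefault(triplet, ts)
            ips[triplet[1:]].add(triplet[0])
        elif action == "pass":
            passed.add(triplet)
    never_retried = sorted(t for t, ts in first_deferral.items()
                           if t not in passed and now - ts >= grace)
    rotating = {pair: sorted(a) for pair, a in ips.items() if len(a) > 1}
    return never_retried, rotating

if __name__ == "__main__":
    stuck, rotating = audit(SAMPLE_LOG, now=datetime(2019, 7, 15, 13, 0, 0))
    print("no retry seen:", stuck)
    print("multiple client IPs:", rotating)
```

A triplet in the first result points at a sending MTA that did not retry after the deferral; a pair in the second is a candidate for a whitelist entry, since each new client IP starts greylisting over.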

