KBA-01898

Configuring greylisting options in SecurityGateway

This article explains how to configure SecurityGateway to use greylisting on incoming messages, how long to delay messages before they are allowed, and to exclude certain domains from being greylisted. Note that due to its controversial nature, it is disabled by default.

From the Dashboard, after logging in:

  1. Click on Security in the bottom-left corner
  2. Locate the Anti-Spam section 
  3. Click on Greylisting

You may then configure the following options:

  • Enable greylisting

    Enabling this will turn on greylisting for incoming messages, which will cause messages to be delayed from being delivered for a specified amount of time before they are allowed, and send the connecting host a non-fatal (STMP 4xx) error in the meantime. As noted above, this is disabled by default, and enabling this will cause all messages not excluded to be delayed in delivery.

  • Defer initial delivery attempt with temporary error for xx minutes

    This is the amount of time that messages will be refused for delivery; this is set to 15 minutes by default. After this amount of time has passed, the message will be allowed for delivery if another attempt to send it is made, and any further messages from that connecting IP address, sender address, and recipient address (saved together as a 'triplet'), will be allowed with no further delay.

  • Expire unused greylisting database records after xx days

    This is how long triplet entries in SecurityGateway's database exist before they are removed if no messages are sent with matching information during that time. Any messages sent after they have expired will be subjected to another delay, as stated above. By default, this is set to 10 days.

  • Ignore IP address when greylisting (use only MAIL & RCPT values)

    Enabling this will cause SecurityGateway to not record the connecting IP address of messages that are delayed due to greylisting, and instead use the sending and receiving email address. This is useful for messages sent from domains with multiple outgoing servers. This is disabled by default.

  • Ignore IP address for connections that pass SPF processing

    Enabling this will cause SecurityGateway to not greylist connections if they pass a SPF (Sender Policy Framework) check, which by default is performed before greylisting is done. This is disabled by default.

  • Exclude messages from whitelisted senders

    If the sending email address, domain, or IP address is on the server's whitelist, or on the recipient's personal whitelist, then SecurityGateway will not greylist the message. By default, this is enabled.

  • Exclude messages from authenticated sessions

    If the connecting user authenticates their session using a username and password on the SecurityGateway server before sending the message, SecurityGateway will not greylist the message. By default, this is enabled.

  • Exclude messages from domain mail servers

    If the message is bound for a remote address, SecurityGateway will not greylist the message. If you enable this, make sure SecurityGateway can check that the sending user can be verified as valid, to avoid an open-relay situation. By default, this is disabled.

    Additional Comments

    These settings can be configured for individual domains, or for the entire server, if you so wish.