Description Michael Grandjean 2020-11-11 10:46:46 CET

# univention-app info
UCS: 4.4-6 errata796
Installed: mailserver=12.0

With "univention-postgrey" we do have an optional method for greylisting emails. 

postgrey remembers a triplet of:
- IP address of sender mailserver
- sender email address
- recipient email address

The first occurance of a triplet will be rejected, the second and all following occurances will be allowed.

Unfortunately larger email providers seem to use multiple "mail-out" servers and choose one of these randomly when re-sending an email that was rejected beforehand. Because of this, the IP address of the sending mailserver is different each time and counts as a new triplet, so the email will be rejected again.

As an example:
Nov 10 08:32:16 1   212.227.17.20 mout.gmx.net foobar@gmx.de sekretariat@schulen.example.org
Nov 10 08:37:18 1   212.227.17.22 mout.gmx.net foobar@gmx.de sekretariat@schulen.example.org
Nov 10 08:44:51 1   212.227.17.21 mout.gmx.net foobar@gmx.de sekretariat@schulen.example.org

-> GMX tried to send this email three times, but it got rejected every single time, because the IP of "mout.gmx.net" changed.

Workaround:
ucr set mail/postfix/greylisting/lookup=subnet

This will use the whole subnet (/24?) of the IP address of the mailserver for the triplet. 
We should make this the default.