Table of Contents
Welcome to the hermes wiki!
A few bits of information I found useful
Hermes logic (from src/Utils.cpp)
decide whether a triplet should be greylisted or not basically it follows this diagram:
+------------------------------------------+ | |yes | whitelisted?(IP or TO or DOMAIN or HOST) |----> don't greylist | | +------------------------------------------+ | | no | v +----------------------------------+ | |yes | blacklisted? (IP or FROM) |----> greylist | | +----------------------------------+ | | no | v +----------------------------------+ | |yes | greylisted? (triplet) |----> greylist | | +----------------------------------+ | | no | v don't greylist
The sqlitedb
Hermes only ever writes to the greylist table. All other tables are for the user to fine tune Hermes's behaviour.
For example, to allow all mail destined for your local example.com domain to pass through Hermes unhindered:
sudo sqlite3 /var/hermes/greylisting.db SQLite version 3.9.2 2015-11-02 18:31:45 Enter ".help" for usage hints. sqlite> .tables allowed_domains_per_ip blacklisted_tos whitelisted_ips blacklisted_froms greylist whitelisted_tos blacklisted_ips whitelisted_domains blacklisted_todomains whitelisted_hostnames sqlite> insert into whitelisted_domains values ('example.com'); sqlite> select domain from whitelisted_domains; example.com
Sqlitedb tables explained (taken from the Hermes mailinglist)
All the whitelisted* and blacklisted* tables have only one field that is the value that you want to blacklist or whitelist. The tables hold values for the following:
-
whitelisted_ips: List of IPs that can send you email without going through greylisting.
-
whitelisted_hostnames: List of remote hostnames that can send you email without being greylisted. The hostname is retrieved by Hermes from the reverse resolution of the IP. It basically allows you to whitelist big chunks of machines that you want to whitelist and that have a common domain. It will allow partial matches, so for example adding an entry for ".google.com" will whitelist all machines that send email for google. notice the dot before the domain, without it you would be allowing all domains ending in google.com to send you mail, so, for example, I could register spamgoogle.com and send you spam without going through greylisting.
-
whitelisted_tos: List of local email accounts that you don't want greylisting for. I use it for whitelisting specific accounts that need to receive email. For example alerts at domain.com. It can also be used if you receive an inordinate amount of spam on a particutar email address that has no account, and you don't want to bother greylisting it. It will be passed to your SMTP server (or the next part of your Mail Transport chain) for dropping (550: Invalid recipient)
-
whitelisted_domains: List of local domains that you don't want greylisting for I use it regularly for customers that complain about the email delay, usually because they receive email from many non-repeating different sources.
-
blacklisted_ips: IPs of hosts you want to blacklist. Keep in mind that we will ALWAYS return a temporary error, so if you later change your mind about the blacklist you will receive all the email that was previously rejected (if they are not very old, of course).
-
blacklisted_froms: Remote email accounts you don't want to receive mail from. The same caveat as on blacklisted_ips applies.
-
blacklisted_tos: Local email accounts that never receive mail and will always have their incoming mail greylisted.
There is no way to whitelist a specific "from" address, as that would mean that any spammer guessing it (not that difficult) could easily send you spam. Still, almost the same functionality can be achieved with whitelisted_hostnames and whitelisted_ips.
Greylist options explained:
# greylisting options. # initial expiry time. # when email is first recorded, it will expire after this time (in minutes). initial_expiry = 240 # initial period of time (in minutes) during which a retry on the spammer's side will FAIL. initial_blacklist = 5 # once we have whitelisted a triplet, how long it stays whitelisted (in days). # 36 is a magic number, is the maximum days between a day and the same day next month whitelist_expiry = 36
The above options can be translated as follows:
- Hermes will greylist an email based on IP address of sender, RCPT TO: and MAIL FROM:
- That triplet will be greylisted for 4 hours.
- If the triplet is seen within 5 minutes of initial connection, it will be greylisted again.
- If the triplet is seen again after 5 minutes of initial connection, it will pass unhindered, and will subsequently pass unhindered for the next 36 days.
Stats Submission (from src/hermes.cpp)
s.connect("stats.hermes-project.com",11125);
Hermes connects to remote host stats.hermes-project.com on port 11125, so make sure your proxy/firewall allows for that if you want Stats submission to work.
Blacklisting IP ranges (from 1.4 release notes)
To blacklist 192.168.1.0/24:
sqlite> insert into blacklisted_ips values ('192.168.1.');