July 14, 2009

Plesk Grey Listing Problems

I recently debugged a mail delivery issue between a Plesk 9.2 server running Qmail and 3rd party ‘sending’ servers. In short, Qmail was not accepting email and was issuing a ” 451 qq trouble in home directory (#4.3.0) (in reply to end of DATA command)” error. Mail was then being diverted to a backup mx server (running Postfix) and being held until the Qmail server eventually accepted mail or the postqueue was forced.

The following is the receive error from the Plesk 9.2 server, running Qmail:

Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-vvIjta/executable'
Jul 14 09:44:50 vh greylisting filter[20738]: Starting greylisting filter...Jul 14 09:44:50 vh qmail-queue-handlers[20737]: handlers_stderr: DEFER
Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: DEFER during call '/usr/local/psa/handlers/info/05-grey-vvIjta/executable' handler
Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: stop callhandlers from dir '/usr/local/psa/handlers/before-queue/global'

The backup MX server would list:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
35412AE80F9     1252 Mon Jul 13 21:41:04  [email protected]
(host vh.myserver.net[51.52.53.54] said: 451 qq trouble in home directory (#4.3.0) (in reply to end of DATA command))
[email protected]

As the undeliverable error on mail being sent to the Plesk server.

After much research and testing, it became apparent that Plesk’s grey listing was incorrectly flagging the sending server as a spam source and was applying Grey Listing parameters to the inbound messages.

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again and the email is accepted. If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and cannot afford the time delay to retry.

Whilst grey listing is a logical spam counter measure, it can cause major problems when a backup mail server is attempting to relay mail to a primary (or lower preferenced) server for a specific mail domain.

In our environment, the best solution was to disable Grey Listing completely as we already have a perimeter spam filtering solution in place.

This command will disable Plesk’s built in grey listing:

# /usr/local/psa/bin/grey_listing --update-server -status off

A detailed outline of Plesk’s Grey Listing implementation (grey_listing) can be found here.

Please Note: If you are utilizing Plesk’s build in spam filtering options, do not disable grey_listing. Instead, adjust expire and penalty options to better suit your configuration and, if n/usr/local/psa/bin/grey_listingecessary, white list mail from your backup MX server. See the Plesk technical documentation for specific configuration.