I've migrated to a new CentOS 7 server, and mail is flowing, but I'm getting a bunch of spam and it seems greylist is not working as well...

now the greylist daemon is running:

61768 ? Ss 0:00 /usr/sbin/postgrey --unix=/var/spool/postfix/postgrey/socket --pidfile=/var/run/postgrey.pid --group=postgrey --user=postgrey --greylist-text=Greylisted for %s seconds --daemonize --delay=6

but I see NO 'Greylisting in effect' messages in maillog (and there were these on the old server). conclusion: it's not talking to postfix or amavis...

postfix main.cf:
--snip--
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client b.barracudacentral.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_security_level = may
--snip--

but it seems clear that greylisting is not being used at all. how can I check to see if the socket is working?

and in another tutorial it said to add
check_policy_service unix:/var/spool/postfix/postgrey/socket
to the end of the smtpd_recipient_restrictions - which I've done and am experimenting with currently!

any thoughts?
cdb.
Check if postgrey is listening on the right port with:

netstat -tap | grep 10023

and check if you enabled greylisting for the mailbox in mailbox settings, as greylisting is not global in recent ISPConfig versions; it is turned on and off per mailbox.
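An added example, not part of the original thread: a listening port only shows that something is bound there, so this Python script goes one step further and sends a single Postfix policy-delegation request to an endpoint written the way main.cf writes it (unix:PATH or inet:HOST:PORT), returning the action the policy server answers with. The function names and the probe addresses are made up for illustration.

```python
import socket
import sys

def build_request(client_ip, sender, recipient):
    """Serialise one policy request: name=value lines ended by an empty line."""
    attrs = [("request", "smtpd_access_policy"), ("protocol_state", "RCPT"),
             ("protocol_name", "ESMTP"), ("client_address", client_ip),
             ("client_name", "unknown"), ("sender", sender),
             ("recipient", recipient)]
    return "".join(f"{k}={v}\n" for k, v in attrs).encode() + b"\n"

def open_endpoint(endpoint, timeout=5.0):
    """Connect to 'unix:PATH' or 'inet:HOST:PORT', as written in main.cf."""
    kind, _, rest = endpoint.partition(":")
    if kind == "unix":
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(rest)
        return sock
    if kind == "inet":
        host, _, port = rest.rpartition(":")
        return socket.create_connection((host, int(port)), timeout=timeout)
    raise ValueError(f"unsupported endpoint: {endpoint}")

def query(sock, request):
    """Send one request and return the text after 'action=' in the reply."""
    sock.sendall(request)
    reply = b""
    while not reply.endswith(b"\n\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("policy server sent no action= line")

def probe(endpoint):
    """Return the policy action, or 'unreachable: ...' if nothing answers there."""
    # Constructed probe triplet (documentation address and example domains).
    request = build_request("192.0.2.10", "probe@example.org", "postmaster@example.net")
    try:
        with open_endpoint(endpoint) as sock:
            return query(sock, request)
    except OSError as exc:
        return f"unreachable: {exc}"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))  # e.g. inet:127.0.0.1:10023
```

Run it with the same endpoint string that follows check_policy_service in main.cf. An "unreachable" result means Postfix cannot reach the daemon there either, and a probe that does get through is recorded by postgrey like any other triplet.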
netstat -tap shows nothing listening on port 10023, but greylist is running. anything else maybe blocking?

greylisting WAS not checked on my mailbox, but the system IS greylisting now: when I added
check_policy_service unix:/var/spool/postfix/postgrey/socket
to the end of the smtpd_recipient_restrictions, it seems things are getting greylisted now.

does this then now greylist universally? I saw some greylisting activity before I checked it on my mailbox.
confirmed - in /etc/sysconfig/postgrey the options line is only:

POSTGREY_OPTS="--delay=60"

I changed to

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

and

systemctl restart postgrey

and now:

tcp 0 0 localhost:10023 0.0.0.0:* LISTEN 50753/postgrey.pid

can I remove the socket entry from main.cf?
actually I changed the socket text to:

check_policy_service inet:127.0.0.1:10023

and all seems to work properly! any new techniques to fight spam? it's only getting worse!
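An added example, not from the thread: the mismatch found above (postgrey started with --unix=..., main.cf pointing at inet:127.0.0.1:10023) can be checked mechanically by comparing every check_policy_service target in main.cf with postgrey's --unix/--inet options. The function names are made up, the sample inputs are constructed from the values quoted in the thread, and /var/spool/postfix as the Postfix queue directory is an assumption.

```python
import re
import shlex

def _norm(endpoint, base=None):
    """Normalise an endpoint so equivalent spellings compare equal."""
    kind, _, rest = endpoint.partition(":")
    if kind == "unix" and base and not rest.startswith("/"):
        rest = f"{base}/{rest}"  # relative path, resolved against base
    if kind == "inet":
        host, sep, port = rest.rpartition(":")
        host = host if sep else "localhost"  # postgrey accepts --inet=[HOST:]PORT
        rest = f"{'127.0.0.1' if host == 'localhost' else host}:{port}"
    return f"{kind}:{rest}"

def postfix_policy_endpoints(main_cf, queue_dir="/var/spool/postfix"):
    """Every check_policy_service target, in any parameter or restriction class.
    Postfix resolves relative unix: paths against its queue directory
    (queue_dir default here is an assumption)."""
    lines = [l for l in main_cf.splitlines() if not l.lstrip().startswith("#")]
    targets = re.findall(r"check_policy_service\s+([^\s,]+)", "\n".join(lines))
    return {_norm(t, queue_dir) for t in targets}

def postgrey_endpoints(command_line):
    """Endpoints postgrey was told to listen on (its --unix= / --inet= options)."""
    found = set()
    for arg in shlex.split(command_line):
        for opt, kind in (("--unix=", "unix"), ("--inet=", "inet")):
            if arg.startswith(opt):
                found.add(_norm(f"{kind}:{arg[len(opt):]}"))
    return found

def unserved(main_cf, command_line):
    """Endpoints Postfix will query that postgrey is not listening on."""
    return sorted(postfix_policy_endpoints(main_cf) - postgrey_endpoints(command_line))

# Constructed sample input, using the values quoted in the thread.
MAIN_CF = """\
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
BEFORE = "/usr/sbin/postgrey --unix=/var/spool/postfix/postgrey/socket --delay=60"
AFTER = "/usr/sbin/postgrey --inet=127.0.0.1:10023 --delay=60"

if __name__ == "__main__":
    print("before:", unserved(MAIN_CF, BEFORE))
    print("after: ", unserved(MAIN_CF, AFTER))
```

A non-empty result lists the endpoints Postfix is configured to ask but where postgrey is not listening.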
another cutie issue from migration - I reinstalled pyzor, razor and dcc. bayes is there but seems not working. but I have set ALL messages to be tagged, but quite a few get no X-Spam header (even though > -999 should get them tagged!)

for example, a message:
--snip--
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id A38B91000F91CE; Wed, 30 May 2018 13:49:05 -0400 (EDT)
Authentication-Results: ns9.cdbsystems.com (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=mandalaresearch.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= mandalaresearch.com; h=content-type:content-type:mime-version :x-mailer:message-id:reply-to:from:from:date:date:subject :subject; s=default; t=1527702540; x=1529516941; bh=lAfOBN0nhYHc Qtp4VS+rwqpN4k8nS4u6LHfzEVSyNUE=; b=WNaFBTJtGF0Xa9euwiF2k4cDkF33 4vNOwDulgONsUsHOigd9Foxa9DL/UOtMO89OUxrnTj7mUAsajccusd8X68iI7IAo RGWCNnwrT+lidQgqOrmCb+ZXLjeWzyfUs5fX84E1JUAKrsQZkQ2QwnNzTrXWSQks J4+18Kf+Bh6xyE8=
X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bTdzirzzdq4N; Wed, 30 May 2018 13:49:00 -0400 (EDT)
Received: by ns9.cdbsystems.com (Postfix, from userid 5030) id DA3D6100156544; Wed, 30 May 2018 13:49:00 -0400 (EDT)
To: [email protected], [email protected]
--snip--

see, it has NO X-Spam header. but /etc/amavisd/amavisd.conf contains:
--snip--
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 20; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 100; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 100; # spam level beyond which a DSN is not sent
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
--snip--

so it SHOULD add spam info headers to all emails, right?? but the one above got no spam header, though it did say scanned by amavisd.

from another message:
--snip--
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id BF97410014B959 for <[email protected]>; Wed, 30 May 2018 14:15:58 -0400 (EDT)
X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
X-Spam-Flag: YES
X-Spam-Score: 13.017
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.017 tagged_above=1 required=4 tests=[DCC_CHECK=4, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, KAM_HTMLNOISE=1, KAM_SOMETLD_ARE_BAD_TLD=5, MIME_HTML_ONLY=1.105, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.724, RDNS_NONE=1.274, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ns9.cdbsystems.com (amavisd-new); dkim=pass (1024-bit key) header.d=besthtmltech.stream; domainkeys=pass (1024-bit key) [email protected] header.d=besthtmltech.stream
Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iTRXvqVefra0 for <[email protected]>; Wed, 30 May 2018 14:15:57 -0400 (EDT)
Received: from mail.besthtmltech.stream (unknown [172.93.195.122]) by ns9.cdbsystems.com (Postfix) with ESMTP id 8E88E10014B958 for <[email protected]>; Wed, 30 May 2018 14:15:57 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=besthtmltech.stream; h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; [email protected]; bh=3QqyeePf4f3RL01ebAv4ZmIc5LM=; b=dYwkHNwMqCfr2uAWNedXAdxVYdfWdIhHSf13424G6USoNQztf1IdEkHOJEgSNjpYXxnfZnfkHi94 JHfOnKdptR/R6eNfO0NaBg07yrD6cD6eljdLRf3Vva2M056JmcIT6/x2jxr2A3d//6eVZRAXtMnT 6S+PFcM8MUDMDDqtMjE=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=besthtmltech.stream; b=FHrJJsLWRAtGQmMAjnQpi2F7bIvQCnfrZacB0uDGqn19pblxUkV4A3v+I6ciakaBQuTCK6KXwRo4 pp6Rg7Aa7UObrQk5uisEYehhRgLk4Rc+kvCbHBVJ/YPAbUUPHg13XH9VT70CbDz3uJu1XRY5uYbP +ya/5W1ckINcxMc2IvE=;
Received: by mail.besthtmltech.stream id h1s36g0001g8 for <[email protected]>; Wed, 30 May 2018 16:11:31 -0400 (envelope-from <[email protected]>)
Date: Wed, 30 May 2018 16:11:31 -0400
From: "Keto Masters" <[email protected]>
To: <[email protected]>
Subject: ***SPAM***How to Get Abs
--snip--

this second message (almost same time) DOES get headers - and is marked as spam. what gives? how do I find out why headers are not added to the top one (which is probably also spam)?

thanks
cdb.
Ensure that you select a spam policy for the domain and not just for the mailbox. In case that you receive an email through an alias of a mailbox and not the exact mailbox address, the policy that you selected for the domain will get applied.
That makes ENTIRELY too much sense!! lol. sure would be nice (suggestion) if ispconfig might have either a 'global' function (set spam policy for all these selected boxes) OR an anomalous scan ('box XXX has policy set but domain yyy does not!'). then I don't tear as much of my hair out!

all anti-spam appears to be working (when it's applied) - apart from bayes - I'm not seeing any messages being added to the database. probably something is broken along the way!
hmm spoke too soon. made sure all boxes and domains had 'Normal' policy set, and then this came in:
--snip--
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1]) by ns9.cdbsystems.com (Postfix) with ESMTP id 2347D1008D66CF for <[email protected]>; Wed, 30 May 2018 14:53:59 -0400 (EDT)
X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
Authentication-Results: ns9.cdbsystems.com (amavisd-new); dkim=pass (1024-bit key) header.d=tiranbro.com; domainkeys=pass (1024-bit key) [email protected] header.d=tiranbro.com
Received: from ns9.cdbsystems.com ([127.0.0.1]) by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0CMmLui9NGAK for <[email protected]>; Wed, 30 May 2018 14:53:57 -0400 (EDT)
X-Greylist: delayed 49903 seconds by postgrey-1.34 at ns9.cdbsystems.com; Wed, 30 May 2018 14:53:57 EDT
Received: from mail8.tiranbro.com (mail8.tiranbro.com [46.161.42.5]) by ns9.cdbsystems.com (Postfix) with ESMTPS id 1FA07100096173 for <[email protected]>; Wed, 30 May 2018 14:53:56 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=tiranbro.com; h=Date:Subject:Message-ID:From:To:MIME-Version:Content-Type; [email protected]; bh=Gev+X3m1Qd2Qta0mmuQcR8yk6Zo=; b=kNyH0RbTXIuaD3oz66vwHXxJMEwCpVJ0VzGKHrkoIw48iFwLFgm6t3fz6FuAITbToRANHUZg8GCs lf94k0GE7LWHdCHPjDIuhOc3qgVHmaqqSlxkNJC89yQjKiBk3zihKlRXVTIru4iaa+rHbGXHgZG3 7GI/eVVbVX7eLN75+dk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=tiranbro.com; b=jDF7D50OLxSxUTrkR7j/DHwgz42e3YWQeRfL/00pLLtIqf6/uYU1khzE45PpIkCatuTaS+f2eOXh EcEdbZRsdEnKoamE48DwE+0u/imTNe61UIG1cE13JGQGJ3y+2TxRRmTEzLlyQhxR4mwcsidLdy+E +0ImmMZ/S97gBk06Rjo=;
Date: Wed, 30 May 2018 20:53:55 +0200
Subject: Regarding a career?
Message-ID: <[email protected]>
From: Charla Berke =?UTF-8?B?wqA=?= <[email protected]>
To: [email protected]
--snip--

this was directly to [email protected] and both mailbox and domain have spam policy 'normal'.

any other ideas?
You can try to set the debug log level higher in amavisd.conf and then restart amavisd, this should result in very detailed information in the maillog about which policy is selected by amavis for a given email. Btw. You might want to edit your last post and obfuscate your email address, public forum pages are frequently scanned by spam senders to grab email addresses.
one more question about greylisting -- and ispconfig whitelist. does a whitelisted email address (not under postfix, under ispconfig's whitelist) get delayed? or does it pass straight through?