greylisting?

Paul R. Ganci ganci at nurdog.com
Sun Apr 16 16:57:16 IST 2006


shuttlebox wrote:

>But you can't control how quick they will try to resend. Even if you
>set it to 1 second most MTAs will wait a lot longer to retry, like 15
>minutes, and many users complain about that. Of course you can
>whitelist but only after having complaints. I try to make it smoother
>by checking the logs for the top domains we get mail from and put them
>in the whitelist right from the start.
I have been using DCC to successfully greylist for nearly two years now. 
My experience has been that if anything many Email servers do not obey 
the RFCs and will try to resend a message immediately. When that doesn't 
work they will continue to resend more slowly until, on average, I do 
not seem to experience more than a 5-10 minute delay, which is a 
combination of the sending server's resend methodology and my greylist 
temporary reject interval.

It must be emphasized that this delay is only experienced on the first 
incoming message with a unique tuple of sender address, recipient 
address and sending server IP address. Any subsequent message with an 
identical tuple of a previously accepted message will be delivered with 
no delay. I have my server set up so that the automatic whitelist remains 
effective for 6 months before the greylist process has to be done again. 
The reality was that within 2 weeks to a month of running the greylister 
the majority of my subscribers had no issues with their incoming 
messages, in particular from those people who regularly send Email as 
they were automatically whitelisted.

Of bigger concern is that there are RFC-ignorant servers out there. 
These servers will do things like modify the headers on resend (e.g. 
change the msgid) so that the resent message appears to be different and 
never gets accepted by the greylister. Or they will not resend at all on 
a temporary 45x reject. Or they have a server farm and so they cycle IPs 
which of course changes the tuple. In these cases it can take days for a 
message to be accepted (or ultimately rejected). I have found these 
cases to be more troublesome as users may not find out a message was 
rejected for such a long time if they find out at all. And messages will 
continue to be rejected from those servers until something is done to 
correct the problem.

DCC provides controls to handle these cases. There is also a list of RFC 
broken servers which I used to seed my whitelist. Over the course of two 
years I have had to augment this list, but now everything pretty much 
runs smoothly with no complaints on a system which has 400 users and 
deals with ~10000 emails a day. Admittedly the first two weeks or so 
were difficult, but now it pretty much runs itself. I don't remember 
the last time I even had to add a whitelist entry.

-- 
Paul (ganci at nurdog.com)
