OT: Sendmail REJECT or DISCARD preference

Koopmann, Jan-Peter jan-peter at koopmann.eu
Tue Apr 1 07:48:47 IST 2008


this will probably be my last comment to this as well since it really
makes no sense any more. If (!) I understood Peters setup correctly -
which due to some later comments is only a 90% fact - I totally agree
with Matt, Glenn, Stephen etc. 

> Well I guess that it all comes down to what works best for you,  I
> being on this list because we can all share stuff together and some
> really good stuff comes up quite alot....

Good to here. But if your setup under any circumstances produces
backscatter (and I am pretty sure there are joe-job attacks that your
scenario will not DISCARD) it is not only your problem and your network
anymore. However, since no backscatter will ever reach my clients or my
mailserver I do not really care about that so much personally. So yes:
Please continue whatever you are doing.

> ~For me I like very much *not* to know about what my clients do with
> their email servers which are all not MailScanners of any kind.   I
> like
> very much to filter their email very effectively, without having to
> even
> go to their site or configure any of their servers.

All of us agree to this point. And all solutions we presented fulfill
this requirement 100%. And most of us here are not talking about small
mail installations with a few thousand mails per day. I am pretty sure
that Julians implementations scale far higher than that. And Stephen is
actually living from a mail-filtering product that is doing exactly what
you want and doing it so efficiently that even a very small box can
filter millions of mails per day and do that for thousand of domains and
backend servers.

> For the avoidance of doubt my clients are the ones who pay my
> this way works supremely well for me and those clients.

I still think some of the magic of your implementation did not reach us.
What if I send a mail to one of your clients and do get the address
wrong? I am not a spammer. I would expect to receive a valid NDR for

- Is the message going to be discarded? If yes: by whom?
- If being rejected: By whom?
- Who/what is making the decision whether to accept, reject, discard,
deliver the message (coming from a valid sender going to an invalid
recipient) based on what?
- Is my mail then finally going to your (not the client's) postmaster
mailbox? If so, bare in mind that this is very unexpected behavior and
in some countries even on the verge of being illegal. If you rejected at
the correct level I would receive a NDR and the only person having to
deal with it is the person who made the mistake in the first place: I.
Not your clients, not you.

In your explanation (which I am honestly looking forward to) please
humor me and assume that there is no such thing as a reliable list of
spammers (neither IP nor address based), since as Stephen pointed out,
there is none. IPs keep changing every few days, even if you block all
dial-in networks. Addresses of spammers are fluctuating as well and in
many cases are perfectly valid due to spoofing. So how do you make that

> There might be one day where I might want to use a REJECT, but 3
> million+ messages a month and I still haven't found a use for it yet
> over a discard.

See my example above. And please try to answer to some of the points
others made. If you accept a mail that you later have to discard/reject
you are either wasting your mailscanner resources, lose information (or
send it to someones postmaster box where it does not belong) or produce

> Things get messy real quick with this type of volume of mail,
> especially
> when you don't hold any mailboxes on any of your own machines.  

That is completely irrelevant. If you do a smart recipient verification
with caching (using postfix, milter-ahead, exim, barricade mx) this will
cost you very little. Even millions of mails a day will not bring this
particular system down. A really DDossy joe-job might influence your
system but from what I understand it will do so much more in your
current setup. You only gain. And no: You do not need to know anything
about the client's system. That is the beauty. Even if you encounter a
dumb smarthost: Some implementation (exim for sure) will discover this
and interpret the answer so that it will not ask that smarthost (let's
call it proxy!) again since it would make no sense.

>> It actually doesn't. Work better, that is:-). But I'm pretty certain 
>> I'll bnever convince you of that...;-).
>> And the beuty of the call-ahead... is that you needn't care onewhit 
>> about smarthosts or anything. Because when that host accept the mail,

>> you are out of the DSN-loop... it is their problem;-).

>>you are out of the DSN-loop... it is their problem;-).

>--I'm their postmaster--- remember---  my clients don't want it to be
"their problem"..

If they accept the mail (for whatever reason): How is it not their
problem? The only point where the actual decision whether the recipient
is correct or not can be determined is the final host with the mailboxes
on it (this does not mean that the front-end MX could not automatically
learn valid/invalid recipients and do the rejection where it should take
place which is at the earliest possible time/position): The client's
machine. Every installation I know (and I have seen quite a few) is
capable of rejecting invalid recipients. Even Exchange 5.5 with proper
tools is. And besides the obvious case of a deliberate spam-trap there
is absolutely no point whatsoever in accepting mail for nonexistent
recipients on the final machines since this will most definitely result
in wasting of resources (theirs and ours). Even if you - with yet to be
described magic - manage to discard all their unnecessary NDRs: They
have to send it. Now if this is a small client with a small box and I
would start a joe-job with about a million mails to them, this would
really mean trouble for their MTA and their connectivity. :-)

Therefore: Either their system is setup correctly and only accepts mails
for valid recipients or they are doing something wrong. If you are their
smarthost for outgoing mails as well I would demand that their system
only accepts mails for valid recipients. Otherwise you have a totally
unnecessary problem on your machine. We are not talking about rocket
science. In most MTAs we are talking about either the default
configuration or very few very well documented config-lines. In Exchange
we are talking about two checkboxes (if I remember correctly)  that need
to be checked. If they fail to do this it is their problem.

And yes: You have every right to do it differently and create problems
you would not have with other solutions. As long as it stays your
problem I am totally fine with that. And thanks to Stephen (and his
crew) I could not care less about backscatter... :-)

Kind regards,

More information about the MailScanner mailing list