Re: [exim] Greylisting - how do you implement?

Pàgina inicial
Aquest missatge és part del següent fil:
M+++\l'arbre de fils complet ordenat per data
MMMMMMar Matthias Darin en <-
MMMJohann Spies en ->
Delete this message
Reply to this message
Autor: Mike Cardwell
Data:  
A: exim-users
Assumpte: Re: [exim] Greylisting - how do you implement?
Mar Matthias Darin wrote:

>> Any drawbacks?
> There is only one major drawback that I'm aware of - delayed mail. The best
> approach I have found is to keep the time that a message is gray listed very
> low and keep a good sized cache to mitigate the delay for well behaving
> systems. Also, a whitelist is a way to skip the process altogether for
> trusted systems.

I agree. I keep mine as low as 3 minutes, with a cache of 60 days. I
also don't greylist email coming over SSL encrypted connections. It is
also a good idea to have a dynamically generated whitelist for mail sent
from your server. If someone sends an email to a remote address 'a' from
your server, why would you greylist an email that originates from
address 'a' on the way back?

I also have a $sender_host_name whitelist file which I don't bother
apply greylisting to as I *know* they're real mail servers, containing
lots of entries like *.hotmail.com, *.yahoo.com, *.google.com,
*.lastminute.com, *.paypal.com etc etc.

It's also a good idea to apply the greylisting to a /24 rather than an
individual IP address. I noticed facebook emails weren't getting through
to my server as they retry from different IPs a couple of times and then
give up. First thing I did when I noticed this was update the whitelist
with: *.tfbnw.net

This is a personal preference, but I don't apply greylisting to
ip+sender+recipient in the rcpt acl like most, but I apply it in the
data acl, and I apply it to /24+sender+${md5:$message_body}. I then do a
control=fakedefer and have a router which stores the greylisted message
locally in a cache that is purged every few days, and which blackholes
the message if it's already been stored but not passed the 3 minute
retry time. This is so I can quickly grab a copy of an email that hasn't
passed greylisting, if I need to.

Oh. One other thing I do. I greylist null senders also but artificially
set the sender address to nullsender@remoteip. I have a different min
retry time for these emails, of 30 minutes. This doesn't mess with
peoples sender callouts as sender callouts don't reach the data phase.
This is the same reason I perform sender callouts in the predata acl
rather than earlier in the transaction. (On the extremely rare occasions
sender callouts are performed)

Mike


Aquest missatge es va enviar a les següents llistes de correu:
Exim-users
Informació sobre la llista de correu | Missatges propers		<-Re: [exim] Greylisting - using Exim new features - ratelimit with noupdateRe: [exim] Greylisting - using Exim new features - ratelimit withnoupdate->
Tahini and Hummus and Cumin Development Archives administrat per cumin AdminsLurker (versió 2.3)