Re: [exim] Greylisting - how do you implement?

Etusivu
Poista viesti
Vastaa
Lähettäjä: Mike Cardwell
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] Greylisting - how do you implement?
Mar Matthias Darin wrote:

>> Any drawbacks?
> There is only one major drawback that I'm aware of - delayed mail. The best
> approach I have found is to keep the time that a message is gray listed very
> low and keep a good sized cache to mitigate the delay for well behaving
> systems. Also, a whitelist is a way to skip the process altogether for
> trusted systems.


I agree. I keep mine as low as 3 minutes, with a cache of 60 days. I
also don't greylist email coming over SSL encrypted connections. It is
also a good idea to have a dynamically generated whitelist for mail sent
from your server. If someone sends an email to a remote address 'a' from
your server, why would you greylist an email that originates from
address 'a' on the way back?

I also have a $sender_host_name whitelist file which I don't bother
apply greylisting to as I *know* they're real mail servers, containing
lots of entries like *.hotmail.com, *.yahoo.com, *.google.com,
*.lastminute.com, *.paypal.com etc etc.

It's also a good idea to apply the greylisting to a /24 rather than an
individual IP address. I noticed facebook emails weren't getting through
to my server as they retry from different IPs a couple of times and then
give up. First thing I did when I noticed this was update the whitelist
with: *.tfbnw.net

This is a personal preference, but I don't apply greylisting to
ip+sender+recipient in the rcpt acl like most, but I apply it in the
data acl, and I apply it to /24+sender+${md5:$message_body}. I then do a
control=fakedefer and have a router which stores the greylisted message
locally in a cache that is purged every few days, and which blackholes
the message if it's already been stored but not passed the 3 minute
retry time. This is so I can quickly grab a copy of an email that hasn't
passed greylisting, if I need to.

Oh. One other thing I do. I greylist null senders also but artificially
set the sender address to nullsender@remoteip. I have a different min
retry time for these emails, of 30 minutes. This doesn't mess with
peoples sender callouts as sender callouts don't reach the data phase.
This is the same reason I perform sender callouts in the predata acl
rather than earlier in the transaction. (On the extremely rare occasions
sender callouts are performed)

Mike