Re: [exim] Greylisting - using Exim new features - ratelimit…

Author: Marc Perkel
Date:  
To: Ian Eiloart
CC: exim-users
Subject: Re: [exim] Greylisting - using Exim new features - ratelimit with noupdate


Ian Eiloart wrote:
>
>
> --On 11 July 2007 09:29:44 +0100 Philip Hazel <ph10@???>
> wrote:
>
>> On Tue, 10 Jul 2007, Marc Perkel wrote:
>>
>>> OK - if the second message were from a different IP then it would also
>>> have to try twice.
>>
>> Well, there are certain configurations where it won't. At least, not in
>> the order that you require.
>>
>>> Tell me about this virtual server feature with shared data. What
>>> feature
>>> is that?
>>
>> The feature is the ability to select which IP you send from when your
>> box has more than one. The Exim option is the "interface" option in the
>> smtp transport, and also the helo_data option, which allows you to
>> change HELO data.
>
> There's another configuration that might lead to a similar problem.
>
> We have four physical hosts, with different IP addresses, but serving
> email for the same set of domains.
>
> Currently, the hosts don't share their retry databases, but we're
> considering doing that.
>
> Even though they don't share retry databases, we have an IP failover
> mechanism which can move an IP address from one host to another in
> less than a second. In that case, the IP address that moves
> effectively picks up the retry hints from the new server. Now, there
> are conceivable configurations that would fall foul of Marc's scheme,
> where the virtual server that's moved apparently tries to go straight
> to his secondary. Admittedly, failover doesn't happen often, so this
> event would be rare.


I'm using a different failover system. I have a main server on the low
mx and several backup servers on the next highest mx.

dummy0.junkemailfilter.com - 10 - semi-dead IP
mx.junkemailfilter.com - 20 - main server
mx.junkemailfilter.net - 30 - multiple backup servers
mx.junkemailfilter.org - 40 - several IP where I log connect attempts
dummy1.junkemailfilter.com - 50 - several IP where I log connect attempts

I am still testing this. And what I have now works with my unique setup.
As I develop this I hope to have something more generic. The dummy IPs
are also on the main server so if it goes down email still works but
without some of the greylisting features. Except for what I call poor
man's greylisting which is:

mx1.example.com - dead ip
mx2.example.com - mail server
mx3.example.com - dead ip

The above does as good a job as a fancy greylisting system without the
delays and with no complex software to install. The only real advantage
I'm adding right now is if I get multiple hits on the high mx IPs and no
low hits I add it to my public blacklist, which has grown to 140,000 IP
addresses.
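A small detection script, added here as an illustration and not part of the thread or of Marc's own setup: it assumes a constructed log format for the connection-attempt listeners and applies the rule described above (several hits on the high MXs, none on the low ones) to pick the source IPs that would go on the blacklist.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not Exim's own log format):
# "<timestamp> mx=<hostname> pref=<MX preference> client=<source IP>"
LINE_RE = re.compile(r"mx=(?P<mx>\S+)\s+pref=(?P<pref>\d+)\s+client=(?P<ip>[\d.]+)")

# MX preferences from the post: 10/20 are the "low" MXs a well-behaved MTA
# tries first; 40/50 are the logging-only "high" MXs that nothing should
# need unless the lower ones failed. 30 (the backups) counts as neither.
LOW_MX_MAX = 20
HIGH_MX_MIN = 40

# Constructed sample connections (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2007-07-11T09:00:01 mx=dummy1.junkemailfilter.com pref=50 client=192.0.2.10
2007-07-11T09:00:02 mx=mx.junkemailfilter.org pref=40 client=192.0.2.10
2007-07-11T09:00:05 mx=mx.junkemailfilter.com pref=20 client=198.51.100.7
2007-07-11T09:00:09 mx=dummy1.junkemailfilter.com pref=50 client=192.0.2.10
2007-07-11T09:00:12 mx=mx.junkemailfilter.org pref=40 client=203.0.113.5
2007-07-11T09:00:20 mx=dummy1.junkemailfilter.com pref=50 client=192.0.2.77
2007-07-11T09:00:21 mx=mx.junkemailfilter.org pref=40 client=192.0.2.77
2007-07-11T09:00:45 mx=mx.junkemailfilter.com pref=20 client=192.0.2.77
"""

def parse_log(text):
    """Yield (preference, client_ip) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group("pref")), m.group("ip")

def tally(events):
    """Count high-MX and low-MX connection attempts per client IP."""
    counts = defaultdict(lambda: {"high": 0, "low": 0})
    for pref, ip in events:
        if pref >= HIGH_MX_MIN:
            counts[ip]["high"] += 1
        elif pref <= LOW_MX_MAX:
            counts[ip]["low"] += 1
    return counts

def blacklist_candidates(text, min_high_hits=2):
    """IPs with at least min_high_hits high-MX attempts and no low-MX attempt.

    An IP that ever reached a low MX is excluded, so a legitimate MTA that
    fell through to the high MXs during an outage is never listed."""
    counts = tally(parse_log(text))
    return sorted(ip for ip, c in counts.items()
                  if c["high"] >= min_high_hits and c["low"] == 0)

if __name__ == "__main__":
    print(blacklist_candidates(SAMPLE_LOG))  # ['192.0.2.10']
```

The threshold and the low/high split are the knobs to tune: a host that hits a high MX only once, or that also reaches the main server, stays off the list.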