On Monday, 17 March 2008, Chad Leigh -- Shire.Net LLC wrote:
> my mail server mail.shire.net (currently 4.51) is a secondary MX for
> another customer of mine who has his own smtp server running (which I
> also run for him) which is mail.object.com. mail.object.com does
> greylisting with the Marc Merlin spamassassin greylist stuff.
>
> Once in a while the following happens:
>
> incoming mail goes to mail.object.com and is deferred with a 451 due
> to greylisting
> incoming mail is retried to secondary MX, mail.shire.net, which
> accepts it and tries to deliver it. mail.object.com defers it due to
> greylisting with a 451
>
> mail.shire.net never tries again due to the "retry not reached"
> condition. It seems enough real crap comes through or something that
> the retry time is never reached due to it constantly being "reset"
> from real rejections of real crap. Does that make sense?
Hmmm. Since SA-Exim defers after end of DATA, Exim doesn't tie the retry
record to any specific address, only to the host. Yes, I think that makes
sense. Exim should probably handle deferrals after DATA on a per-message
level. I saw that was mentioned in another thread.
What can you do about it? First, secondary MXes should generally be at least
as strict as the primary MX when deciding what to accept. Otherwise they are
going to swallow all the junk, try to deliver it (helping the spammers) and
send backscatter bounces. Spammers like to target secondaries, knowing that
they often have worse or no anti-spam measures installed. So it seems that
you should do something in that area.
Second, the primary MX should recognise its secondary MXes and not greylist
them.
Third, you could add a retry rule specifically for 45x errors after DATA, with
an even shorter retry time.
--
Magnus Holmgren holmgren@???
(No Cc of list mail needed, thanks)
"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans