Hi
On Mar 20, 2008, at 3:43 PM, Magnus Holmgren wrote:
> On Monday, 17 March 2008, Chad Leigh -- Shire.Net LLC wrote:
>> my mail server mail.shire.net (currently 4.51) is a secondary MX for
>> another customer of mine who has his own smtp server running (which I
>> also run for him) which is mail.object.com. mail.object.com does
>> greylisting with the Marc Merlin spamassassin greylist stuff.
>>
>> Once in a while the following happens:
>>
>> incoming mail goes to mail.object.com and is deferred with a 451 due
>> to greylisting
>> incoming mail is retried to secondary MX, mail.shire.net, which
>> accepts it and tries to deliver it. mail.object.com defers it due to
>> greylisting with a 451
>>
>> mail.shire.net never tries again due to the "retry not reached"
>> condition. It seems enough real crap comes through or something that
>> the retry time is never reached due to it constantly being "reset"
>> from real rejections of real crap. Does that make sense?
>
> Hmmm. Since SA-Exim defers after end of DATA, Exim doesn't tie the retry
> record to any specific address, only to the host. Yes, I think that makes
> sense. Exim should probably handle deferrals after DATA on a per-message
> level. I saw that was mentioned in another thread.
>
> What can you do about it? First, secondary MXes should generally be at least
> as strict as the primary MX when deciding what to accept. Otherwise they are
> going to swallow all the junk, try to deliver it (helping the spammers) and
> send backscatter bounces.
In general, yes, and the config is as strict. Most of the config is
actually identical since I run both servers. The problem is that they
do not share SpamAssassin rules and databases, and since this is tied
to SA it is possible for one to accept it and not the other...
> Spammers like to target secondaries, knowing that they often have worse or
> no anti-spam measures installed. So it seems that you should do something
> in that area.
In this case I do not see what I can do in that regard.
>
>
> Second, the primary MX should recognise its secondary MXes and not greylist
> them.
Not in this case, as that would allow the spammers to target the
secondary and escape the greylist, and since I cannot guarantee that SA
will be the same "strictness" on each due to different learn
databases, etc., it opens up a hole. The SA configs started out the
same on both, but the user on the primary has whitelisted a bunch of
people and the Bayesian DBs are different.
>
>
> Third, you could add a retry rule specifically for 45x errors after DATA, with
> an even shorter retry time.
>
I actually added a 1m retry for all errors for now, just as a test.
I should probably just make it for the 45x errors. <doing it now>
Ok, I set the 45x receipt retry to be 14 and all others to be 29 min
for this domain. We'll see if that helps for now.
Thanks
Chad
> --
> Magnus Holmgren holmgren@???
> (No Cc of list mail needed, thanks)
>
> "Exim is better at being younger, whereas sendmail is better for
> Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
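What Magnus's third suggestion looks like in an Exim retry section, as an added illustration rather than configuration posted in the thread. It assumes the `data_45x` error type is available in the Exim version in use, uses `object.com` as the domain pattern because Chad applied the rule "for this domain", and the two-day overall timeouts are invented for illustration; only the 14 and 29 minute intervals come from the thread.

```conf
# Added example, not from the exim-users thread. Retry rules for a domain
# whose primary MX greylists with a 45x after DATA. The domain and the 2d
# timeouts are assumptions; the 14m and 29m intervals are the values Chad
# reports setting.
#
# Exim tries retry rules in order and uses the first match, so the narrow
# data_45x rule must precede the catch-all for the same domain.
begin retry

# 45x received after the DATA command (how SA-Exim signals a greylist
# deferral): retry every 14 minutes, give up after two days.
object.com      data_45x    F,2d,14m

# Any other temporary error for this domain: retry every 29 minutes.
object.com      *           F,2d,29m

# Default rule for all other domains (the stock rule from Exim's sample
# configuration): 15 min for 2 h, then geometric backoff, then 6 h for 4 d.
*               *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
```

To confirm which rule a given failure would select before relying on it, Exim's retry-rule test option can be run as `exim -brt object.com data_45x`; it prints the matching rule (or reports that none matches) without touching the retry database. The caveat from Magnus's reply still applies: because the deferral arrives after DATA, the retry record is keyed on the host, so a real 4xx from the same host for an unrelated message resets the same retry clock that the shortened interval is trying to keep short.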