Re: [exim] Issues with greylisting - NEW IMPLEMENTATION

Author: Richard Clayton
Date:
To: Alain Williams
CC: exim-users
Subject: Re: [exim] Issues with greylisting - NEW IMPLEMENTATION
In message <20100128155532.GD542@???>, Alain Williams
<addw@???> writes

>Notes for discussion:
>
>* It stores sending-domain & IP address of sender.


I've seen combining the IP address with sending (or receiving) domain
work very badly indeed with ISP smarthosts (ie the machines that
millions of customers use...)

What happens is that the sending machine tries one email, which is then
greylisted. The sending machine then marks the destination as
unresponsive -- but eventually gets around to trying again. However, a
different email is at the front of the queue, with a different customer
domain and so that is also greylisted. The sending machine then marks
the destination as unresponsive -- but eventually gets around to trying
again. However, a different email is at the front of the queue...

... rinse and repeat until 4xx has been seen far too often, and all
queued email is then marked undeliverable and returned to the senders.

I don't understand why you feel that the property "will try again after
a 4xx response" would not be associated solely with the IP address ??

If your concern is dynamic IP addresses (and you might do better to
subscribe to a service that allows you to block those wholesale) then
just age your database entries a bit more aggressively.

Configuring Exim to have the retry behaviour mentioned above is left as
an exercise for the reader [hint: install it!] -- albeit it might be
helpful to tweak it not to work quite that way (so as to deal with
excitable greylist algebras).

Note also that the bad effect discussed above is often hidden on Exim
systems because an attempt will be made to deliver any new emails
whatever the retry state and if one of them works then all the contents
of the queue will be promptly retried... but when queues build up then
nothing gets retried for hours and then aggressive aging of greylist
entries will seriously hurt you!

... recipients can of course improve matters considerably by not
applying greylisting to the major sources of incoming email (ie: all the
reputable local ISPs).

-- 
richard                                                   Richard Clayton


Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
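
The failure mode described in this message, as a small simulation added here (it is not part of the original post and is not Exim code). It compares a greylist keyed on IP plus sender domain with one keyed on IP alone, for one smarthost queue. The retry interval, give-up threshold, TTL values, sample domains and the rule that a 4xx defers the whole queue with a different message leading next time are simplifying assumptions.

```python
from collections import deque

def simulate(domains, key_on_domain, retry_interval=30, min_delay=5,
             ttl=24 * 60, give_up_after=8, ip="192.0.2.10"):
    """Return (delivered, bounced) for one smarthost queue. Times in minutes."""
    first_seen = {}          # greylist key -> time the key was first seen
    queue = deque(domains)   # one queued message per customer sender domain
    delivered = failures = now = 0
    while queue:
        # One retry run for the destination: messages are tried from the
        # front, and the first 4xx ends the run and defers everything.
        while queue:
            key = (ip, queue[0]) if key_on_domain else (ip,)
            seen = first_seen.get(key)
            if seen is not None and now - seen > ttl:
                seen = None                  # entry aged out of the database
            if seen is None:
                first_seen[key] = now        # first sight: start the clock
            if seen is not None and now - seen >= min_delay:
                queue.popleft()              # 2xx: sender has proved it retries
                delivered += 1
                failures = 0
            else:
                queue.rotate(-1)             # 4xx: another message leads next run
                failures += 1
                break
        if failures >= give_up_after:
            return delivered, len(queue)     # remainder returned to senders
        now += retry_interval
    return delivered, 0

# Constructed sample input: 20 customers of one ISP smarthost.
MANY = [f"customer{i}.example" for i in range(20)]
FEW = MANY[:5]

def scenarios():
    return {
        "ip+domain, 20 domains": simulate(MANY, key_on_domain=True),
        "ip only, 20 domains": simulate(MANY, key_on_domain=False),
        "ip+domain, 5 domains": simulate(FEW, key_on_domain=True),
        "ip+domain, 5 domains, ttl=60": simulate(FEW, key_on_domain=True, ttl=60),
        "ip only, 5 domains, ttl=60": simulate(FEW, key_on_domain=False, ttl=60),
    }

if __name__ == "__main__":
    for name, (ok, bounced) in scenarios().items():
        print(f"{name:32s} delivered={ok:2d} bounced={bounced:2d}")
```

With the IP-plus-domain key, delivery only succeeds when the queue holds fewer distinct domains than the sender's give-up threshold and the greylist entries outlive a full pass through the queue; the IP-only key clears the queue on the second run in every case.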