[exim] How to solve the problem with multiple sender IPs and…

Author: Vincent C. Immler
Date:  
To: exim-users
Subject: [exim] How to solve the problem with multiple sender IPs and (selective) greylisting?!
Hello exim-users,

I would like to discuss the following idea:
Usually a greylisting triplet consists of:
(IP address of the connecting host || Envelope sender address || Envelope recipient address)
Once a message passes the greylisting, it is assumed that this (sender+host) can be "trusted" for a specific recipient. But with multiple sender IPs for the same sender address, the same sender will be greylisted again when sending from a different IP (e.g. Google).

As far as I know, there is no solution for that problem.

What about this:
deny    spf = fail
deny    spf = softfail
deny    spf = err_perm
defer   spf = err_temp
...
# now we only have to deal with spf = pass or none
...
greylisting (on condition X) using quadruple: (IP address of the connecting host || Envelope sender address || Envelope recipient address || SPF entry)
Whereas the SPF entry could be something like: ${lookup dnsdb{>: txt=$sender_address_domain}}, or even better, give exim a new $spf_stored_record variable that stores the content of the txt/spf record after the check is done. (A more advanced lookup would be better too. Additionally, one should be able to look up spf records, not just txt! http://www.exim.org/lurker/message/20090715.100550.553ea233.en.html)


That way, we can ask:
"If spf=none, do lookup as usual", otherwise add to database ...
"If SPF/TXT record of new message is already in greylist database and passed it once with sender-address-from-db=new-message-sender-address, we accept", otherwise add to database ...

Because we denied failed spf checks earlier, we can be sure that the spf entries in our database are genuine. Using the above method, we reward senders that publish spf records and treat others just as usual.

Probably, the gain is very small and the loss in performance does not justify it. (Perhaps it makes sense if we have a very selective greylisting and small greylisting database.)

Just an idea ...

Cheers,
Vincent

PS: I assume a greylisting setup like this one, not a separate greylisting daemon: http://wiki.exim.org/FastGrayListMiniTutorial
PPS: The referenced wiki entry does not implement greylisting as it is intended. It stores _only_ the sender's domain instead of the complete sender's address. Additionally, multiple IPs are not possible. IMHO this is not what most greylisting people want!
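
The decision logic proposed in the message above, modelled in Python as an added example (not part of the original post and not Exim configuration). The class and function names, the 300-second delay, and the sample addresses and SPF records are constructed for illustration; the match is assumed to be keyed on envelope sender plus the published record text, as the post's acceptance rule states.

```python
from dataclasses import dataclass, field

DELAY = 300  # seconds a new triplet must wait before retry is accepted (assumed value)

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> first attempt time
    passed_spf: set = field(default_factory=set)    # (sender, spf_record) pairs that passed once

    def check(self, ip, sender, rcpt, spf_result, spf_record, now):
        # SPF gate from the post: only "pass" and "none" reach greylisting.
        if spf_result in ("fail", "softfail", "err_perm"):
            return "deny"
        if spf_result == "err_temp":
            return "defer"
        # spf=pass and this sender already passed with the same record text:
        # accept even though the connecting IP is new.
        if spf_result == "pass" and (sender, spf_record) in self.passed_spf:
            return "accept"
        # Otherwise fall back to classic triplet greylisting.
        key = (ip, sender, rcpt)
        start = self.first_seen.setdefault(key, now)
        if now - start < DELAY:
            return "defer"
        if spf_result == "pass":
            self.passed_spf.add((sender, spf_record))
        return "accept"

def demo():
    g = Greylist()
    rec = "v=spf1 include:_spf.example.net ~all"  # constructed SPF record
    a = ("192.0.2.10", "alice@example.net", "bob@example.org")  # constructed triplet
    out = [g.check(*a, "pass", rec, 0),      # first attempt: greylisted
           g.check(*a, "pass", rec, 600)]    # retry after delay: accepted, record stored
    # Same sender and record, different outbound IP: accepted without delay.
    out.append(g.check("192.0.2.99", a[1], a[2], "pass", rec, 700))
    # Same sender, different record text: treated as unknown again.
    out.append(g.check("198.51.100.5", a[1], a[2], "pass",
                       "v=spf1 ip4:198.51.100.0/24 -all", 800))
    # No SPF published: plain triplet behaviour.
    out.append(g.check("203.0.113.7", "carol@example.com", a[2], "none", "", 900))
    # Softfail never reaches the greylist.
    out.append(g.check("203.0.113.7", "carol@example.com", a[2], "softfail", "", 900))
    return out

if __name__ == "__main__":
    print(demo())
```

The model compares the record text verbatim, so a change made behind an `include:` mechanism would not alter the stored key.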