greylisting and dynamic host IPs, was: Default MTA for Fedora 7

David Woodhouse dwmw2 at infradead.org
Mon Feb 5 16:10:18 UTC 2007


On Mon, 2007-02-05 at 15:54 +0100, Nils Philippsen wrote:
> Note that you should probably only pass at greylisting if an IP is not
> from one of the "known" ranges of dynamic IPs.

Well, as with everything else it's a trade-off. If you receive mail from
the same IP address again, you don't know whether it's actually the same
host or not. Do you delay it just in case, or do you accept it? That's a
local policy decision.

These days, people tend to hold on to "dynamic" IP addresses for quite a
long time, so I think it's probably worth avoiding greylisting for known
resenders even in dynamic ranges. I make no special case for dynamic IP
addresses.

Actually, one thing which came up in conversation elsewhere quite
recently was the idea that we should use a {HELO, IP} tuple to keep
track of 'known resenders' instead of _just_ the IP address. That tends
to mean that a new host taking over a dynamic IP address will tend not
to get the benefit of the historical "known resender" status of that IP.
It actually came up in the context of NAT -- it means that you can
record _one_ host behind NAT as a 'known resender' but not necessarily
grant the same status to the host of compromised Windows machines which
may reside behind the same NAT box.

You could also expire known resender status for dynamic ranges (or
indeed _all_ ranges), if they don't send you mail for a period of time.

There's a whole bunch of things you might want to do, and they're all
fairly simple variations on the basic implementation. That's one of the
reasons why an open-coded implementation in a capable MTA is preferable,
in my opinion, to a more opaque 'plugin' to something less flexible.

-- 
dwmw2
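The {HELO, IP} "known resender" tracking with expiry that the message describes, written out as an added example (not code from the original post or from any MTA); the class name, the 5-minute retry delay and the 30-day resender TTL are assumptions.

```python
import time


class Greylister:
    """Greylisting keyed on a {HELO, IP} tuple rather than on IP alone.

    A host that retries a deferred delivery after `delay` seconds becomes a
    "known resender" and skips greylisting until it has been silent for
    `resender_ttl` seconds. Because the key includes HELO, a second host that
    later takes over the same IP (dynamic range or NAT) does not inherit the
    first host's status. The numeric defaults are assumptions.
    """

    def __init__(self, delay=300, resender_ttl=30 * 86400, now=time.time):
        self.delay = delay
        self.resender_ttl = resender_ttl
        self.now = now                # injectable clock, for testing
        self.pending = {}             # (helo, ip, sender, rcpt) -> first seen
        self.known = {}               # (helo, ip) -> last seen

    def check(self, helo, ip, sender, rcpt):
        """Return "accept" or "defer" for one SMTP delivery attempt."""
        now = self.now()
        key = (helo, ip)
        last = self.known.get(key)
        if last is not None:
            if now - last <= self.resender_ttl:
                self.known[key] = now          # refresh on every delivery
                return "accept"
            del self.known[key]                # silent too long: start over
        attempt = (helo, ip, sender, rcpt)
        first = self.pending.get(attempt)
        if first is None:
            self.pending[attempt] = now        # first contact: ask for retry
            return "defer"
        if now - first < self.delay:
            return "defer"                     # retried too soon
        del self.pending[attempt]
        self.known[key] = now                  # passed greylisting
        return "accept"


if __name__ == "__main__":
    g = Greylister()
    print(g.check("mta.example", "192.0.2.10", "a@x.example", "b@y.example"))
```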
