OT: milter-greylist before rbls?

Paul Howarth paul at city-fan.org
Sun Aug 21 17:35:59 UTC 2005


On Sun, 2005-08-21 at 06:47 -0700, Mike McMullen wrote:
> ----- Original Message ----- 
> From: "Paul Howarth" <paul at city-fan.org>
> To: "For users of Fedora Core releases" <fedora-list at redhat.com>
> Sent: Sunday, August 21, 2005 2:20 AM
> Subject: Re: OT: milter-greylist before rbls?
> 
> 
> >> Maybe I spoke too soon on this working. I added the delay_checks (actually uncommented it)
> >> in the sendmail.mc file. I then ran make on it. Saw that sendmail.cf was indeed created. I then
> >> restarted my MailScanner and saw greylisting happening first. However, I am still seeing
> >> 553 reject messages. If I go back and grep through the maillog on the IP or server name
> >> I don't see any greylisting entry.
> >>
> >> What am I missing here?
> >
> > The greylisting is presumably handling tuples of (sender, recipient,
> > source-IP). So the milter can't do the TEMPFAIL until RCPT TO: time. The
> > delay_checks feature also delays DNSBL checks until RCPT TO: time.
> > However, since the DNSBL checks are configured directly into sendmail's
> > configuration file, they're going to happen before the milter "sees" the
> > recipient address.
> >
> > Just curious; why would you want this the other way around anyway?
> >
> > Paul.
> > -- 
> 
> My impression of how greylisting works (in general) is that everything is rejected temporarily.
> Those sites that resend after X period of time are whitelisted for Y period of time. The resend should then
> get the battery of tests I have set up after that; DNSBLs, MailScanner, ClamAV, SpamAssassin etc.
> 
> The reason I want greylisting to work first is to eliminate those zombie machines that attempt to
> send zillions of emails. Typically they get a reject and just move on. That way load is cut down
> on my system.

I doubt that the ordering of greylisting and DNSBLs makes much
difference load-wise. Both are fairly fast operations that don't involve
reaching the DATA phase of the SMTP transaction. Unless perhaps you've
got a slow network connection, so the DNS lookups take a long time.

If you're determined to have the greylisting take place first, you might
consider running the dnsbl milter from
http://www.five-ten-sg.com/dnsbl.html, which would enable you to remove
the DNSBLs from the sendmail configuration file and have them tested
later on in a milter. You can specify the order of milters any way you
like.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
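As an added illustration of the greylisting behaviour discussed in this thread (not code from the thread or from milter-greylist itself): a minimal model of a (sender, recipient, source-IP) tuple greylist that can only decide at RCPT TO time, temp-fails first contact, whitelists a tuple that retries after X seconds for Y seconds, and never lets through a zombie that sends once and moves on. The X and Y values and the SMTP reply strings are assumptions.

```python
from dataclasses import dataclass, field

# Assumed reply strings; real milters return a status code and the MTA formats the reply.
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_retry: float = 300.0             # X: seconds a sender must wait before retrying (assumed)
    whitelist_ttl: float = 36 * 3600.0   # Y: seconds a proven tuple stays whitelisted (assumed)
    pending: dict = field(default_factory=dict)    # tuple -> time of first attempt
    whitelist: dict = field(default_factory=dict)  # tuple -> expiry time

    def at_rcpt_to(self, sender: str, recipient: str, source_ip: str, now: float) -> str:
        """Decision point: the tuple needs the recipient, so nothing can be
        decided at connect or MAIL FROM time (hence delay_checks in sendmail)."""
        key = (sender.lower(), recipient.lower(), source_ip)
        expiry = self.whitelist.get(key)
        if expiry is not None and now < expiry:
            self.whitelist[key] = now + self.whitelist_ttl   # refresh on use
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now                          # first contact: temp-fail
            return TEMPFAIL
        if now - first_seen < self.min_retry:
            return TEMPFAIL                                  # retried too early, keep waiting
        del self.pending[key]                                # proper retry: whitelist for Y
        self.whitelist[key] = now + self.whitelist_ttl
        return ACCEPT


def simulate() -> dict:
    """Constructed traffic: a zombie that never retries and a real MTA that
    retries after 15 minutes, then sends again within the whitelist period."""
    gl = Greylist()
    out = {}
    out["zombie"] = gl.at_rcpt_to("spam@example.net", "me@example.org", "203.0.113.9", 0.0)
    out["mta_first"] = gl.at_rcpt_to("bob@example.com", "me@example.org", "198.51.100.4", 0.0)
    out["mta_early"] = gl.at_rcpt_to("bob@example.com", "me@example.org", "198.51.100.4", 60.0)
    out["mta_retry"] = gl.at_rcpt_to("bob@example.com", "me@example.org", "198.51.100.4", 900.0)
    out["mta_later"] = gl.at_rcpt_to("bob@example.com", "me@example.org", "198.51.100.4", 3600.0)
    out["zombie_pending"] = ("spam@example.net", "me@example.org", "203.0.113.9") in gl.pending
    return out


if __name__ == "__main__":
    for step, reply in simulate().items():
        print(f"{step:15} {reply}")
```

Only the accepted retry reaches the DATA phase, which is where MailScanner, ClamAV and SpamAssassin do their (much more expensive) work.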