Email ???

James Wilkinson fedora at aprilcottage.co.uk
Tue May 1 12:20:33 UTC 2007


Tony Nelson wrote:
> Well, don't forget that greylisting will delay each new legitimate mail
> sender by a while (maybe a few hours), requires maintaining whitelists for
> the server farms of large email providers (AOL, etc.) or email from them
> may take much more than 4 hours to get through, and the mail must be
> handled twice by your server rather than just once.

Ed Greshko wrote:
> You are incorrect on several counts.
> 
> 1.  The time to delay is configurable in a good greylist milter.  Mine is
> set to 15 minutes since this is pretty much the default retry interval of
> most MTAs.

Really? The standard says
   The sender MUST delay retrying a particular destination after one
   attempt has failed.  In general, the retry interval SHOULD be at
   least 30 minutes;
(RFC 2821 section 4.5.4.1)

Calling half an hour "a while" seems reasonable to me...

I'd argue that your first sentence is misleading, too -- the delay is a
result of the configuration of both sending and receiving MTAs.

> 2.  No whitelist maintaining is needed.  The sending system either tries
> again or it doesn't.  If it is a legitimate sender, it will retry.  Also,
> when a sender/system is allowed it will be cached.  So, even if you have
> multiple servers from AOL, etc. they will eventually be cached.

Tony's calling it a "whitelist" may be misleading.

But you are missing a detail here, and confusing "sending system",
"computer", and "IP address". For major providers, the sending system
may involve lots of computers, with lots of IP addresses. Retries may
come from any of those computers -- this is perfectly legitimate under
SMTP. So it may take a while (especially if they use an "exponential
back-off") before the same server retries the same e-mail. With enough
sending IP addresses, it's possible that the e-mail might never be
retried from the same IP address.

There are two ways around this -- either you can (as Tony said) maintain
a list of senders which use this sort of system, or hope that the
senders put their sending MTAs in no more than a few /24 subnets. You
then get the greylist to consider that one sending attempt from
127.36.5.1[1] and a retry from 127.36.5.2 is Good Enough.

> 3.  The email itself will only be handled once.  When a server to be delayed
> first contacts your server the milter will check the cache with the initial
> information supplied and simply close the connection and not allow the DATA
> portion to be sent.

This is true, but possibly not the best response to Tony's post. The
*real* point is that although the server has to "think about" the
message twice, the first time takes up nearly no bandwidth and nearly no
processor time.

But you're missing another point -- the more people use greylisting, the
less reliable it becomes (because spammers start retrying on any error).
If Tony and I choose not to use greylisting, that makes it more usable
for you!

James.

[1] Yes, I know there's a slight problem with that IP address!

-- 
E-mail:     james@ | For every complex problem, there is a solution that is
aprilcottage.co.uk | simple, neat, and wrong.
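The /24 workaround James describes above (treat a retry from 127.36.5.2 as a retry of the attempt from 127.36.5.1), together with the configurable delay Ed mentions, in a small simulation. This is an added example, not code from the post or from any real greylist milter; the class and function names, the 15-minute default, and the three-host "farm" on 198.51.100.0/24 (a documentation range, not the post's 127.36.5.x) are all assumptions made for illustration.

```python
"""Greylisting with sender-network aggregation (added example, hypothetical code).

A greylist keys on the triplet (sending host, envelope sender, recipient).
The first attempt is deferred with a temporary SMTP failure before DATA; a
retry after `min_delay` is accepted and the triplet is cached.  `prefix`
lets the list treat any host in the same network (24 for a /24) as the same
"sending system", which is what makes multi-host provider farms pass.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: float = 15 * 60   # seconds before a retry is accepted (assumed default: 15 min)
    prefix: int = 24             # aggregate sending IPs by this prefix length; 32 = exact host
    seen: dict = field(default_factory=dict)    # triplet key -> time of first attempt
    passed: dict = field(default_factory=dict)  # triplet key -> time the retry was accepted

    def _key(self, ip, sender, rcpt):
        # Collapse the client address to its /prefix network so that a retry
        # from a sibling host in the same subnet matches the original attempt.
        net = ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'defer' for one delivery attempt at time `now` (seconds)."""
        key = self._key(ip, sender, rcpt)
        if key in self.passed:
            return "accept"            # cached: already proved it retries
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now       # first sight: defer, record the time
            return "defer"
        if now - first < self.min_delay:
            return "defer"             # retried too soon, keep deferring
        self.passed[key] = now         # legitimate retry: accept and cache
        return "accept"


def simulate_farm(gl, hosts, sender, rcpt, attempt_times):
    """Deliver one message from a rotating farm: attempt i comes from hosts[i % n].

    Returns the time at which the message was finally accepted, or None if
    every attempt was deferred (the "never retried from the same IP" case).
    """
    for i, t in enumerate(attempt_times):
        ip = hosts[i % len(hosts)]
        if gl.check(ip, sender, rcpt, t) == "accept":
            return t
    return None


# Constructed sample: three outbound hosts in one /24, retrying at 0s, 10min, 30min.
FARM = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
ATTEMPTS = [0, 600, 1800]


def compare_policies():
    """Same farm and schedule under /24 aggregation versus exact-host matching."""
    by_subnet = simulate_farm(Greylist(prefix=24), FARM, "a@example.org", "b@example.net", ATTEMPTS)
    by_host = simulate_farm(Greylist(prefix=32), FARM, "a@example.org", "b@example.net", ATTEMPTS)
    return by_subnet, by_host


if __name__ == "__main__":
    subnet, host = compare_policies()
    print(f"/24 aggregation accepted at t={subnet}s; exact-host matching accepted at t={host}")
```

With `prefix=24` the attempt at 600s is still deferred (under the 15-minute delay) and the one at 1800s, from a third host, is accepted; with `prefix=32` each attempt arrives from a host the list has never seen, so the message is deferred every time. Widening the prefix trades that failure mode for a little less precision, which is why the choice sits with the receiving MTA's configuration.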