From: Anthony Howe
Date: 2005-05-02 04:08:13 -0400
Subject: Re: new feature request
More information..: http://www.milter.info/#Support
Taylor, Grant wrote:

>> Our server (LOCALMX) is mx for our own dialup clients and a few
>> other networks. Dialup clients are whitelisted in access.db because
>> they are local. Let's say a dialup client (MISTERX) sends an email
>> through our server to a server outside our network (EXTERNMX). This
>> EXTERNMX has a mailfilter like milter-sender installed. EXTERNMX's
>> milter-sender will now try to connect to LOCALMX in order to check
>> if MISTERX exists on LOCALMX. However LOCALMX rejects the recipient
>> address saying "Greylisting activated". Which causes EXTERNMX's
>> milter-sender to give an error, and mail is stalled in the

> When "...EXTERNMX's milter-sender will now try to connect to LOCALMX
> in order to check if MISTERX exists on LOCALMX..." what email address
> is EXTERNMX using in the "MAIL FROM:" command? As I understand it
> milter-sender uses the null return path email address of "<>" which
> is to be accepted by ALL MXs to be RFC compliant. I don't know if
> milter-gris is possibly handling this improperly, if the server that
> is doing the call back (EXTERNMX) to LOCALMX is attempting to send
> with an email address other than null reverse path, or if something
> else is messing with things. I'd say that it's time to either turn
> up logging or start a traffic dump to look at the SMTP conversation.

In milter-gris, treating the null address <> specially was not
warranted. Some spammers use MAIL FROM:<> to send spam or for address
harvesting. milter-gris grey lists everything, especially if you use MAIL
as part of the grey list key. Grey listing the null address is not
wrong, since real DSN messages will be queued and arrive a little later
instead of sooner. However it will affect call-back schemes like
milter-sender and cause some delays, which are also not wrong, just less

Based on this I've just added a new option, -n, to not grey list the

However, auto white listing just the RCPT as a future sender of a reply
would certainly be a worthwhile enhancement, but in the case of
call-backs it's problematic. You would have to auto white list the IPs of
all the MXes of each RCPT domain in the off chance that they perform a

Now consider the following example:

Assume that AOL used call-backs (will never happen as a call-back
probably doesn't scale to AOL's size). They use 4 MX entries and
multihome each MX. See dig output below. That's at least another DNS
lookup and 18 machines to white list just for one RCPT. If your
localuser sends to several people at once (consider an MLM), then you're
doing a lot of extra work to white list the remote MX.

White listing MX machines by domain name doesn't work either, because
too many machines do not correctly specify a reverse DNS entry, so you
need to work with the IP address.

What you really want to do here, is white list the null address from SPF
machines. BUT lots of spammers use SPF records, so this would be no
better than the new -n option.

root@mx# dig aol.com mx
; <<>> DiG 9.2.3 <<>> aol.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 18
;; QUESTION SECTION:
;aol.com. IN MX
;; ANSWER SECTION:
aol.com. 3600 IN MX 15 mailin-03.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-04.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-01.mx.aol.com.
aol.com. 3600 IN MX 15 mailin-02.mx.aol.com.
;; AUTHORITY SECTION:
aol.com. 3600 IN NS dns-01.ns.aol.com.
aol.com. 3600 IN NS dns-02.ns.aol.com.
aol.com. 3600 IN NS dns-06.ns.aol.com.
aol.com. 3600 IN NS dns-07.ns.aol.com.
;; ADDITIONAL SECTION:
mailin-01.mx.aol.com. 300 IN A 126.96.36.199
mailin-01.mx.aol.com. 300 IN A 188.8.131.52
mailin-01.mx.aol.com. 300 IN A 184.108.40.206
mailin-01.mx.aol.com. 300 IN A 220.127.116.11
mailin-01.mx.aol.com. 300 IN A 18.104.22.168
mailin-02.mx.aol.com. 300 IN A 22.214.171.124
mailin-02.mx.aol.com. 300 IN A 126.96.36.199
mailin-02.mx.aol.com. 300 IN A 188.8.131.52
mailin-02.mx.aol.com. 300 IN A 184.108.40.206
mailin-03.mx.aol.com. 300 IN A 220.127.116.11
mailin-03.mx.aol.com. 300 IN A 18.104.22.168
mailin-03.mx.aol.com. 300 IN A 22.214.171.124
mailin-03.mx.aol.com. 300 IN A 126.96.36.199
mailin-04.mx.aol.com. 300 IN A 188.8.131.52
mailin-04.mx.aol.com. 300 IN A 184.108.40.206
mailin-04.mx.aol.com. 300 IN A 220.127.116.11
mailin-04.mx.aol.com. 300 IN A 18.104.22.168
dns-01.ns.aol.com. 3600 IN A 22.214.171.124
;; Query time: 112 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Mon May 2 09:52:18 2005
;; MSG SIZE rcvd: 507
Anthony C Howe +33 6 11 89 73 78
7116561 AIM: Sir Wumpus
"held in my arms / his sun washed face / eyes closed" - Anthony
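
Added example, not part of the original message and not milter-gris code: a toy Python model of the grey list decision discussed above, showing the call-back probe being deferred by default and accepted once the null sender is exempted. The key tuple (client IP, MAIL, RCPT), the 300-second delay, the 451 reply code, the addresses, and the reading of -n as "do not grey list MAIL FROM:<>" are assumptions.

```python
# Added example: toy grey list model, not milter-gris source code.
from dataclasses import dataclass, field

BLOCK_SECONDS = 300  # assumed retry delay; the post gives no value


@dataclass
class Greylist:
    skip_null_sender: bool = False  # assumed semantics of the -n option
    use_mail_in_key: bool = True    # "if you use MAIL as part of the grey list key"
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Reply given at RCPT TO; mail_from == "" stands for MAIL FROM:<>."""
        if self.skip_null_sender and mail_from == "":
            return "250 ok (null sender not grey listed)"
        sender = mail_from if self.use_mail_in_key else None
        seen = self.first_seen.setdefault((client_ip, sender, rcpt_to), now)
        if now - seen < BLOCK_SECONDS:
            return "451 Greylisting activated"
        return "250 ok"


def callback_probe(greylist, externmx_ip, original_sender, now):
    """Sender call-back as described in the thread: MAIL FROM:<>, RCPT TO:<sender>."""
    return greylist.check(externmx_ip, "", original_sender, now)


def demo():
    # Constructed addresses (RFC 5737 / example domains), not taken from the thread.
    externmx, spammer = "192.0.2.25", "203.0.113.66"
    misterx = "misterx@localmx.example"
    out = {}
    default = Greylist()
    out["default_first"] = callback_probe(default, externmx, misterx, now=0)
    out["default_retry"] = callback_probe(default, externmx, misterx, now=BLOCK_SECONDS)
    with_n = Greylist(skip_null_sender=True)
    out["n_callback"] = callback_probe(with_n, externmx, misterx, now=0)
    # The cost: anyone else using MAIL FROM:<> skips the grey list as well.
    out["n_null_spam"] = with_n.check(spammer, "", misterx, now=0)
    out["n_normal"] = with_n.check(spammer, "bulk@sender.example", misterx, now=0)
    return out


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name:14} {reply}")
```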