[milters] Archive


Article: 565
From: Anthony Howe
Date: 2005-05-20 10:53:07 -0400
Subject: Re: Problem (mis-configuration?) with Milter-Sender


Taylor, Grant wrote:
>> If you want to play with GreyListRejectCount, you have to adjust
>> your GreyListBlockTime too, but given the above situation I noted
>> from badly configured yet legitimate mail servers, it's almost
>> impossible to get it right. Set GreyListRejectCount=0.
> 
> 
> I have attempted to disable GreyListRejectCount and all of its
> associated counterparts without disabling the grey list period.
> However it looks like the number of "rejected, too many recent
> retries" has dropped significantly but is still happening.  I have
> attached my milter-sender.cf in hopes that you will see something
> that I have missed.  If you can offer any more help I would greatly
> appreciate it.

The error should NOT appear if GreyListRejectCount=0. You did remember 
to restart the milter? The code in two places looks like this. I don't 
cache the error message text.


if (0 < greyListRejectCount.value
    && greyListRejectCount.value < greyEntry.count) {
    rc = setReply(
        data, 550, "5.7.1",
        "from <%s> via [%s] rejected, too many recent retries",
        data->work.mail->address.string, data->client_addr
    );

    /* Avoid caching two different entries. */
    goto error1;
}


BUT if a previously "rejected, too many recent retries" was downgraded 
in the cache to a rejection, then you might continue to see rejects with 
another message until it expired from the cache. However, you've set 
CacheRejectTTL=0, which should purge those entries on the next 
CacheGcFrequency interval.

> CacheGcFrequency=3600 #   cache garbage collection frequency

Lower this to like 10 or 20 for half a day or simply throw out the cache 
and start with a fresh one (stop, remove cache, start). This is most 
likely the problem. The cache is not GC'd on a restart (hmmm, something 
to consider).

I don't know what your server load is on this machine, but 3600 might be 
a little high for a small to moderate load. For an ISP this might be 
suitable.  Remember, garbage collection happens after N client 
connections. On my server I doubt I would see 3600 connections in 36 
hours, while an ISP or a large business might see this in 30 minutes.

> CacheGreyListTTL=0 #   cache time-to-live in seconds for grey-list
> temporary entries, 0 = disable

Setting this to zero disables grey-listing entirely.

> CacheRejectTTL=0 #   cache time-to-live in seconds for rejected
> senders, 0 = disable

> GreyListBlockTime=0 #   grey list block time in seconds, must be less
> than CacheGreyListTTL

I'd recommend this be set to something non-zero. At least 60s. I would 
not put it past a spammer to connect once, get tempfailed, and try again 
immediately in an attempt to foil grey-listing.

> GreyListRejectCount=0 #   reject too many attempts during the grey
> list block time, 0 = disable

Setting this to zero is all you need to disable the reject counter and
its error message.

> SkipAuthenticatedSender=0 #   skip the milter if the sender
> successfully authenticated themselves

Huh? Not related to grey-listing but odd to see it disabled.


-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

in the mist of night / by the silent sea / a siren calls - Anthony
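
Added example (not part of the original message and not milter-sender's own code): a simplified model of how the block time and reject count discussed above interact for one sender. All names (grey_cfg, grey_entry, grey_check, grey_replay) and the sample retry times are hypothetical and constructed for illustration; the cache and its TTL handling are reduced to a single in-memory entry.

```c
#include <stdio.h>

/* Hypothetical names modelled on the options in the message above. */
typedef struct { long block_time, reject_count, greylist_ttl; } grey_cfg;
typedef struct { int seen; long first_seen, count; } grey_entry;
enum { GREY_ACCEPT = 250, GREY_TEMPFAIL = 450, GREY_REJECT = 550 };

/* Reply class for one delivery attempt by a sender tuple at time `now`. */
int grey_check(const grey_cfg *cfg, grey_entry *e, long now)
{
    if (cfg->greylist_ttl == 0)
        return GREY_ACCEPT;                 /* grey-listing disabled */
    if (!e->seen || now - e->first_seen > cfg->greylist_ttl) {
        e->seen = 1;                        /* new or expired entry */
        e->first_seen = now;
        e->count = 1;
        return GREY_TEMPFAIL;               /* first attempt always waits */
    }
    if (now - e->first_seen >= cfg->block_time)
        return GREY_ACCEPT;                 /* retried after the block time */
    e->count++;
    /* Same shape as the test quoted in the message: 0 disables it. */
    if (0 < cfg->reject_count && cfg->reject_count < e->count)
        return GREY_REJECT;
    return GREY_TEMPFAIL;
}

/* Replay n attempt times against a fresh entry; return the last reply. */
int grey_replay(long block_time, long reject_count, const long *t, int n)
{
    grey_cfg cfg = { block_time, reject_count, 86400 };
    grey_entry e = { 0, 0, 0 };
    int rc = 0;
    for (int i = 0; i < n; i++)
        rc = grey_check(&cfg, &e, t[i]);
    return rc;
}

/* Constructed samples: a server retrying every 60s, and an instant retry. */
static const long retries[] = { 1000, 1060, 1120, 1600 };
static const long instant[] = { 1000, 1001 };

int main(void)
{
    printf("block=600 count=2, 3 tries: %d\n", grey_replay(600, 2, retries, 3));
    printf("block=600 count=0, 4 tries: %d\n", grey_replay(600, 0, retries, 4));
    printf("block=0   count=0, 2 tries: %d\n", grey_replay(0, 0, instant, 2));
    return 0;
}
```

With a non-zero reject count, the legitimate server that retries every 60 seconds is rejected before the 600-second block time ends; with a zero block time, an immediate second attempt is accepted.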
