[milters] Archive

Lists Index Date Thread Search

Article: 1401
From: Dan Mahoney, System Admin
Date: 2007-01-18 16:45:31 -0500
Subject: Re: Enabling milter-gris for only a single domain?

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

On Thu, 18 Jan 2007, Mike Horwath wrote:

> On Fri, Jan 19, 2007 at 12:32:26AM +1100, Richard McLean wrote:
>> We have considered doing the same, but on the trial servers we
>> enabled greylisting on for all we were finding too many servers that
>> didn't play well with it (because they function poorly, not because
>> there's anything wrong with greylisting itself) that we had to
>> abandon doing it that way. Anthony, if it helps to know, I'm allow
>> very interested in being able to implement milter-gris in the same
>> way as Dan.
>
> What servers don't play nicely?

I've heard reports of AOL and Ebay, for starters.

> BUT!
>
> I only use 10 second greylisting timeouts for reconnection.

I don't understand this.  The timeout you use does not affect how often a 
sending mail server will retry.  There's nothing in the protocol (although 
some milters specify it as the error message -- this is for humans, not 
mail servers to read) that specifies allowing the receiver to specify a 
retry delay.

On a fairly default BSD system sendmail runs as -bd -q30m, which means 
even though you only reject for ten seconds, that email's not coming for 
another 30.

This is analagous (both in theory and in how often you'd be surprised it's 
true) to taking a TEN MINUTE shower (with a note on your door) when you've 
had to be home ALL DAY waiting for a repair person, because you don't 
figure they'll show up in that ten minute period.  You (the receiver) have 
no real control over when they'll try again (if at all).

I've recently discovered http://hcpnet.free.fr/milter-greylist/ which has 
(in my mind) a few advantages over milter-gris

1) It lets you use DNSRBLs as one of the definitions for if you should 
greylist, which means "sure, go ahead, use every high-collateral-damage 
blacklist you like (spews comes to mind).

2) It's actually in FreeBSD's ports (Snert's stuff isn't).

3) There's no complicated builds (I've found building Snert milters to be 
a pain because of berkeleyDB version conflicts which have forced me to 
have to recompile my stock sendmail).

4) As above, it allows one to only greylist a few domains (I'm doing three 
out of several hundred.  It can also tailor that based on a regex.

It also claims the ability to check SPF as a feature.  I don't understand 
what this means, since SPF is not and never was intended to be a mail 
accreditation system (like habeas or the other sender-guarantee systems).

However, there's at least one major disadvantage: The DB format it uses is 
a flat text file, and it keeps its whole DB in main memory.  This could 
potentially make it a pig (hence my logic in only doing a few domains -- 
those which have been overunning my spamd).

I may speak to the author about adding a link against BDB, although the 
FAQ says he might be considering SQLITE.

-Dan

--

"Little tramp sits in her room all day, sewing dolls!  Children
misbehaving in the basement, and one in the walls, doing his business God
knows where!  You children will be the death of me, *sniff*."

'Mommy', The People Under The Stairs


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Lists Index Date Thread Search