From: Mike Horwath
Date: 2007-01-20 16:02:23 -0500
Subject: Re: Enabling milter-gris for only a single domain?

On Thu, Jan 18, 2007 at 04:45:31PM -0500, Dan Mahoney, System Admin wrote:
> On Thu, 18 Jan 2007, Mike Horwath wrote:
> > On Fri, Jan 19, 2007 at 12:32:26AM +1100, Richard McLean wrote:
> >> We have considered doing the same, but on the trial servers where we
> >> enabled greylisting for all, we were finding too many servers that
> >> didn't play well with it (because they function poorly, not because
> >> there's anything wrong with greylisting itself) that we had to
> >> abandon doing it that way. Anthony, if it helps to know, I'm also
> >> very interested in being able to implement milter-gris in the same
> >> way as Dan.
> >
> > What servers don't play nicely?
> I've heard reports of AOL and Ebay, for starters.

Most greylisting servers have listings for servers that should be
whitelisted through.

http://greylisting.org/ is your friend and has info with links to
decent whitelist/bypass IPs for dealing with far more than AOL and
Ebay (and Amazon, Southwest Airlines, securityfocus.org, etc).

> > BUT!
> >
> > I only use 10-second greylisting timeouts for reconnection.
> I don't understand this.  The timeout you use does not affect how
> often a sending mail server will retry.  There's nothing in the
> protocol (although some milters specify it as the error message --
> this is for humans, not mail servers to read) that specifies
> allowing the receiver to specify a retry delay.

Right, but there are a ton of servers that retry at 30s or
thereabouts, or a minute.  Most dorky greylisting systems only talk in
'minutes' - which seems kind of silly.

But I am in the minority with that thought.

> On a fairly default BSD system sendmail runs as -bd -q30m, which
> means even though you only reject for ten seconds, that email's not
> coming for another 30.

Uhuh, and has *nothing* to do with what I said.

Are you just trying to have an argument?  I am not interested, today,
in one.

> I've recently discovered http://hcpnet.free.fr/milter-greylist/ which has 
> (in my mind) a few advantages over milter-gris
> 1) It lets you use DNSRBLs as one of the definitions for if you
> should greylist, which means "sure, go ahead, use every
> high-collateral-damage blacklist you like (spews comes to mind).

A very very interesting approach.  We are looking at doing the same
thing with a copy of sqlgrey for Postfix and moving down the path of
only doing greylisting for servers on DNSBLs (and still using the
whitelist portion just in case).

> 2) It's actually in FreeBSD's ports (Snert's stuff isn't).

The Snert stuff is not necessarily 'free' ;)

> 3) There's no complicated builds (I've found building Snert milters
> to be a pain because of berkeleyDB version conflicts which have
> forced me to have to recompile my stock sendmail).

Well, so far, the Snert milters I am using work great under Postfix,
perhaps it is time to move on from sendmail...

> 4) As above, it allows one to only greylist a few domains (I'm doing
> three out of several hundred.  It can also tailor that based on a
> regex.

sqlgrey has a full opt-in/opt-out mechanism in place.  No hackery.

And as a super special bonus, you can use one MySQL/PostgreSQL
database to share amongst your cluster (if you have one).

> However, there's at least one major disadvantage: The DB format it uses is
> a flat text file, and it keeps its whole DB in main memory.  This could
> potentially make it a pig (hence my logic in only doing a few domains --
> those which have been overrunning my spamd).

Or cut over to Postfix, use sqlgrey, and don't worry about it.

I have over 1000 domains running with this kind of config.

> I may speak to the author about adding a link against BDB, although
> the FAQ says he might be considering SQLITE.

Ick, but just my opinion as my needs are vastly different.

Mike Horwath, reachable via drechsau@Geeks.ORG
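The policy the thread argues about, as an added example in Python that is not part of the original mail thread and is not code from milter-gris, milter-greylist or sqlgrey. It models one greylisting decision engine keyed on the usual (client IP, sender, recipient) triplet with the pieces discussed above: a whitelist bypass, per-recipient-domain opt-in, greylisting only for clients on a DNSBL, and a configurable minimum delay. The DNSBL is simulated with an in-memory set (a real deployment would query a zone such as a Spamhaus list over DNS), the IP ranges and addresses are constructed from the RFC 5737 documentation blocks, and `first_accept_time` models a sender that retries on its own fixed queue interval, which is the point Dan makes about `sendmail -bd -q30m`: the receiver's 10-second delay only sets the earliest retry it will accept, not when the sender actually comes back.

```python
"""Toy greylisting policy engine (added example, not the thread's software)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GreylistPolicy:
    """Decide accept/defer for one SMTP delivery attempt.

    Order of checks: whitelist -> recipient domain opted in? -> client on
    DNSBL? -> triplet state. Only clients that survive all three gates are
    greylisted at all ("greylist only what a DNSBL dislikes").
    """
    min_delay: int = 10                       # seconds before a retry is accepted
    whitelist: list = field(default_factory=list)       # CIDR strings, never greylisted
    opt_in_domains: set = field(default_factory=set)    # recipient domains that want greylisting
    dnsbl_listed: set = field(default_factory=set)      # SIMULATED DNSBL: set of listed IPs
    _seen: dict = field(default_factory=dict, init=False)   # triplet -> first-seen time
    _passed: set = field(default_factory=set, init=False)   # triplets that completed a retry

    def _whitelisted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.whitelist)

    def decide(self, client_ip, sender, rcpt, now):
        """Return ("accept", reason) or ("defer", reason) for an attempt at time `now` (seconds)."""
        if self._whitelisted(client_ip):
            return ("accept", "client IP whitelisted")
        domain = rcpt.rpartition("@")[2].lower()
        if domain not in self.opt_in_domains:
            return ("accept", "recipient domain not opted in to greylisting")
        # Real code would do a reversed-octet DNS query against the DNSBL zone here.
        if client_ip not in self.dnsbl_listed:
            return ("accept", "client not on DNSBL, not greylisted")
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self._passed:
            return ("accept", "known triplet")
        first = self._seen.get(key)
        if first is None:
            self._seen[key] = now
            return ("defer", "new triplet, greylisted")
        waited = now - first
        if waited < self.min_delay:
            return ("defer", f"retry too soon ({waited}s < {self.min_delay}s)")
        self._passed.add(key)
        del self._seen[key]
        return ("accept", f"retry after {waited}s")

    def smtp_reply(self, verdict, reason):
        """Map a decision to an SMTP reply. The 'retry in N seconds' hint is for
        humans reading the bounce log; no MTA honours it, they retry on their own schedule."""
        if verdict == "accept":
            return "250 2.0.0 OK"
        return f"451 4.7.1 Greylisted, please retry in {self.min_delay} seconds ({reason})"


def first_accept_time(policy, client_ip, sender, rcpt, start, queue_interval, max_attempts=100):
    """Simulate a sender whose queue runner retries every `queue_interval` seconds
    (e.g. 1800 for sendmail -q30m). Returns the time at which the message is finally
    accepted, or None if it never is within max_attempts."""
    t = start
    for _ in range(max_attempts):
        verdict, _reason = policy.decide(client_ip, sender, rcpt, t)
        if verdict == "accept":
            return t
        t += queue_interval
    return None


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, no real hosts.
    p = GreylistPolicy(min_delay=10, whitelist=["192.0.2.0/24"],
                       opt_in_domains={"example.com"}, dnsbl_listed={"198.51.100.7"})
    for t in (0, 5, 10):
        v, r = p.decide("198.51.100.7", "spammer@x.test", "user@example.com", t)
        print(t, p.smtp_reply(v, r))
    q = GreylistPolicy(min_delay=10, opt_in_domains={"example.com"}, dnsbl_listed={"198.51.100.7"})
    print("accepted at", first_accept_time(q, "198.51.100.7", "a@x.test", "b@example.com", 0, 1800))
```

Running the simulation shows both halves of the exchange: with a 10-second delay and a sender on a 30-minute queue interval the mail lands at t=1800 regardless of the delay, while a sender that retries every 30 seconds against a five-minute delay is first accepted at t=300, so a short delay costs nothing against well-behaved senders and a long one only adds latency.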

