From: Mike Horwath
Date: 2007-01-20 16:02:23 -0500
Subject: Re: Enabling milter-gris for only a single domain?
More information..: http://www.milter.info/#Support
On Thu, Jan 18, 2007 at 04:45:31PM -0500, Dan Mahoney, System Admin wrote:
> On Thu, 18 Jan 2007, Mike Horwath wrote:
> > On Fri, Jan 19, 2007 at 12:32:26AM +1100, Richard McLean wrote:
> >> We have considered doing the same, but on the trial servers we
> >> enabled greylisting on for all we were finding too many servers that
> >> didn't play well with it (because they function poorly, not because
> >> there's anything wrong with greylisting itself) that we had to
> >> abandon doing it that way. Anthony, if it helps to know, I'm also
> >> very interested in being able to implement milter-gris in the same
> >> way as Dan.
> > What servers don't play nicely?
> I've heard reports of AOL and Ebay, for starters.
Most greylisting servers have listings for servers that should be
http://greylisting.org/ is your friend and has info with links to
decent whitelist/bypass IPs for dealing with far more than AOL and
Ebay (and Amazon, Southwest Airlines, securityfocus.org, etc).
> > BUT!
> > I only use 10 second greylisting timeouts for reconnection.
> I don't understand this. The timeout you use does not affect how
> often a sending mail server will retry. There's nothing in the
> protocol (although some milters specify it as the error message --
> this is for humans, not mail servers to read) that specifies
> allowing the receiver to specify a retry delay.
Right, but there are a ton of servers that retry at 30s or
thereabouts, or a minute. Most dorky greylisting systems only talk in
'minutes' - which seems kind of silly.
But I am in the minority with that thought.
> On a fairly default BSD system sendmail runs as -bd -q30m, which
> means even though you only reject for ten seconds, that email's not
> coming for another 30.
Uhuh, and has *nothing* to do with what I said.
Are you just trying to have an argument? I am not interested, today,
> I've recently discovered http://hcpnet.free.fr/milter-greylist/ which has
> (in my mind) a few advantages over milter-gris
> 1) It lets you use DNSRBLs as one of the definitions for if you
> should greylist, which means "sure, go ahead, use every
> high-collateral-damage blacklist you like (spews comes to mind).
A very very interesting approach. We are looking at doing the same
thing with a copy of sqlgrey for Postfix and moving down the path of
only doing greylisting for servers on DNSBLs (and still using the
whitelist portion just in case).
> 2) It's actually in FreeBSD's ports (Snert's stuff isn't).
The Snert stuff is not necessarily 'free' ;)
> 3) There's no complicated builds (I've found building Snert milters
> to be a pain because of berkeleyDB version conflicts which have
> forced me to have to recompile my stock sendmail).
Well, so far, the Snert milters I am using work great under Postfix,
perhaps it is time to move on from sendmail...
> 4) As above, it allows one to only greylist a few domains (I'm doing
> three out of several hundred. It can also tailor that based on a
sqlgrey has a full opt-in/opt-out mechanism in place. No hackery
And as a super special bonus, you can use one MySQL/PostgreSQL
database to share amongst your cluster (if you have one).
> However, there's at least one major disadvantage: The DB format it uses is
> a flat text file, and it keeps its whole DB in main memory. This could
> potentially make it a pig (hence my logic in only doing a few domains --
> those which have been overrunning my spamd).
Or cut over to Postfix, use sqlgrey, and don't worry about it.
I have over 1000 domains running with this kind of config.
> I may speak to the author about adding a link against BDB, although
> the FAQ says he might be considering SQLITE.
Ick, but just my opinion as my needs are vastly different.
Mike Horwath, reachable via drechsau@Geeks.ORG
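The thread touches on several greylisting policy knobs: the triplet (client IP, sender, recipient) that a greylister remembers, the minimum retry delay (10 seconds in Mike's setup, "minutes" in most others), the fact that the delay only sets a lower bound while the sender's own queue schedule (sendmail's -q30m) decides when the retry actually arrives, whitelist/bypass networks for hosts that retry badly, per-domain opt-in, and greylisting only senders that are on a DNSBL. The following Python simulation is an added example written for this page; it is not code from milter-gris, milter-greylist or sqlgrey, and all class, method and parameter names, the sample addresses and the DNSBL-listed flag are constructed for illustration (a real milter would do the DNSBL lookup and persist the triplet table in BDB or SQL).

```python
"""Greylisting policy simulation (constructed example, not any milter's code).

Models the decisions discussed in the thread: triplet tracking with a minimum
retry delay, an expiry for triplets that never retry, whitelist/bypass
networks, per-recipient-domain opt-in and DNSBL-conditional greylisting.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GreylistPolicy:
    retry_delay: float = 10.0            # seconds before a retry is accepted
    record_ttl: float = 4 * 3600.0       # forget unconfirmed triplets after this
    whitelist: tuple = ()                # CIDR strings for hosts that bypass greylisting
    opt_in_domains: frozenset = frozenset()  # empty means every recipient domain is greylisted
    dnsbl_only: bool = False             # greylist only senders that are DNSBL listed
    _nets: list = field(init=False)
    _seen: dict = field(default_factory=dict, init=False)  # triplet -> record

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(cidr) for cidr in self.whitelist]

    def is_whitelisted(self, ip: str) -> bool:
        """True when the connecting host falls inside a bypass network."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)

    def decide(self, ip: str, sender: str, rcpt: str, now: float,
               dnsbl_listed: bool = False):
        """Return ("accept" | "tempfail", reason) for one delivery attempt.

        `now` is a monotonic timestamp in seconds; `dnsbl_listed` stands in
        for the result of a real DNSBL query (constructed input).
        """
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Opt-in mode: domains that did not opt in are delivered untouched.
        if self.opt_in_domains and domain not in self.opt_in_domains:
            return ("accept", "recipient domain not opted in")
        # Bypass list for hosts known to retry poorly (AOL, Ebay, ... per greylisting.org).
        if self.is_whitelisted(ip):
            return ("accept", "sender host whitelisted")
        # DNSBL-conditional mode: only suspicious senders pay the delay.
        if self.dnsbl_only and not dnsbl_listed:
            return ("accept", "sender not DNSBL listed")

        key = (ip, sender.lower(), rcpt.lower())
        rec = self._seen.get(key)
        expired = rec is not None and not rec["confirmed"] \
            and now - rec["first"] > self.record_ttl
        if rec is None or expired:
            # First sighting (or a stale one): remember it and ask for a retry.
            self._seen[key] = {"first": now, "confirmed": False}
            return ("tempfail", f"greylisted; retry after {self.retry_delay:.0f}s")
        if rec["confirmed"]:
            return ("accept", "known triplet")
        if now - rec["first"] < self.retry_delay:
            # The delay is a lower bound; the sender's queue decides the real retry time.
            return ("tempfail", "retried too early")
        rec["confirmed"] = True
        return ("accept", "retry after delay; triplet confirmed")


def simulate(policy: GreylistPolicy, attempts):
    """Run a list of (ip, sender, rcpt, time, dnsbl_listed) attempts; return the verdicts."""
    return [policy.decide(ip, s, r, t, listed)[0] for ip, s, r, t, listed in attempts]


if __name__ == "__main__":
    # Constructed scenario: a sendmail -q30m sender retries at 1800s and is
    # accepted; a 10s floor does not make it come back any sooner.
    p = GreylistPolicy(retry_delay=10, whitelist=("192.0.2.0/24",))
    plan = [("198.51.100.7", "a@example.org", "b@example.net", 0, False),
            ("198.51.100.7", "a@example.org", "b@example.net", 1800, False)]
    print(simulate(p, plan))
```

Running the module shows a first attempt deferred and the 30-minute retry accepted; switching `dnsbl_only=True` makes clean senders skip the delay entirely, which is the milter-greylist/sqlgrey approach the thread favours.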