[CentOS] Milter-Greylist
Aleksandar Milivojevic
alex at milivojevic.org
Tue Feb 14 20:54:50 UTC 2006
Quoting Benjamin Smith <lists at benjamindsmith.com>:
> Greylisting + blacklists equals good performance, no false positives
Greylisting can have false positivies, or can introduce very long
delays. It can also have nasty side effects, esp. if other side has
brain dead MTA. So, before deploying greylisting and talking about it
as "best invention since sliced bread", couple of things to think about.
Some sites have farms of outgoing mail servers, so IP address will be
different on almost every re-delivery attempt. If greylisting is
matching IP address, sender, recipient triplet, obviosly such email
isn't going to be accepted (it will keep getting temporary failures).
This is usually solved by whitelisting domains that has such server
farms. Milter-greylist comes with such a list in default configuration
file. However, at one ocasion this resulted in one very important
email for my wife being delayed for several days (the site was not
known to milter-greylist as having outgoing mail server farm). I ended
up disabling IP address check after some time (just checking
sender-recipient pair). The effectivnes reduced slightly, but still
more than acceptable.
Email sent to multiple recipients. Depending on implementation of
greylisting used (don't remember how milter-greylist implements it), if
sender has passed greylisting only with some recipients, you'll get
people complaining that guy in cubicle next to his got this ultra high
important email, but they haven't. Of course, they will. A bit later.
But still, look at it from users perspective. They don't know
anything about greylisting and expect email to be like instant
messaging (which it is not, but they don't know that).
Delays... you can expect delays as long as one hour when email for
particular sender/recipient pair is seen by greylisting for the very
first time. Sometimes even longer (on very rare ocasions). In some
environments this might not be acceptable. When outside user sends
email to support email address with some data (while still on the
phone), he expects support person will get it in matter of seconds.
Not hours.
Some sites have several outgoing mail queues that implement backing off
strategy (to make running queue runs on large queues managable).
They'll try several delivery attempts during first couple of hours,
then move email to slower queue that tries maybe couple per day, then
move to even slower queue that runs maybe only once per day. Depending
on timeout values configured for greylisting in combinataion with your
(or their) server/network downtimes, this may make some mail not to be
delivered. I haven't seen this happen in real life, but there's
theoretical possibility.
Broken MTA software... Some real-life examples I encountered.
I had one client whose MTA would treat temporary failures like
permanent failures, no re-delivery attempts, bounce emails as
undeliverable to sender right away. Don't remember what they were
using. Solved that by whitelisting them. But you never know when you
are going to run to somebody else using same broken product.
Symantec antivirus for email gateways or something like that (not sure
if all versions of the product). There's some other products that do
this by default. It sends warning message back to sender on first
temporary failure. Users, the way they are, not reading what the
message says, either try to resend right away (and get another bounce,
since greylisting period wasn't yet reached), or start complaining that
their emails haven't made through. It's questinably broken MTA, since
there's nothing in the standards preventing MTA from doing so.
Non-technical people might even like the "feauture", being warned if
email is not delivered right-away -- the only thing it's unreliable and
can get you into making wrong conclusions (that email was delivered,
when it is still somewhere in transit).
And finally, seems some spammers are falling back to good old
exploiting of open relays. I'm seeing slight but constant increase of
those. While greylisting works wonders when other side uses
mass-mailing software, it is useless against real MTA.
In short, greylisting is "the best invention since sliced bread".
However it has some gotchas that those using it should be aware of.
And it's not 100% false positives free. More like around 99.99999%.
Enjoy using it while it is still effective.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
More information about the CentOS
mailing list