On Fri, February 13, 2015 12:52, Les Mikesell wrote:
On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Otherwise it accept junk that your primary rejects
Not exactly. If greylisting on primary is set, but on backup MX is not, still what is killed by greylisting by primary MX, almost never will come through backup MX. This is due to the same reason why greylisting is efficient: it trows off all that doesn't behave as mail server (thus never comes for re-delivery, and definitely doesn't try backup MX which real servers always do even before attempt of re-delivery).
I'm not convinced. Spam is big business and trying a 2nd MX is cheap.
Much spam/ucem is deliberately sent directly to the lower priority MX host from the outset on the assumptions that: 1.) the secondaries will be less well configured to detect SPAM to begin with; and 2.) once mail is routed though an officially recognized secondary host then the primary is less likely to treat such traffic as SPAM.
We run grey listing and amavisd (clamd/spamd) on all of our MX servers because of this practice. We also list several non-existent MX secondaries at the lowest priority to cheaply pick off the really stupid points of origin.
Yes we do get rejects for real correspondents. A notable recent victim, if such is the right word to describe a self-inflicted injury, was ibm.com. Who, in contravention of rfcs 7208 and 7372, both configured eleven MX hosts for their domain AND enabled SPF. This causes an immediate permerr with anyone checking SPF as the maximum number of MX hosts allowed with an SPF enabled domain is ten.
But, who am I to tell IBM how to configure a computer?
On the other hand, we also have large organizations who use smtp pools and with these grey-listing simply does not work. Each subsequent attempt to connect can occur from any of the IPs in that pool and the mail either never gets through or is seriously delayed. For those cases we are constrained to use white-listing.