[CentOS] Milter-Greylist

Tue Feb 14 20:54:50 UTC 2006
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Benjamin Smith <lists at benjamindsmith.com>:

> Greylisting + blacklists equals good performance, no false positives

Greylisting can have false positivies, or can introduce very long 
delays.  It can also have nasty side effects, esp. if other side has 
brain dead MTA.  So, before deploying greylisting and talking about it 
as "best invention since sliced bread", couple of things to think about.

Some sites have farms of outgoing mail servers, so IP address will be 
different on almost every re-delivery attempt.  If greylisting is 
matching IP address, sender, recipient triplet, obviosly such email 
isn't going to be accepted (it will keep getting temporary failures).  
This is usually solved by whitelisting domains that has such server 
farms.  Milter-greylist comes with such a list in default configuration 
file.  However, at one ocasion this resulted in one very important 
email for my wife being delayed for several days (the site was not 
known to milter-greylist as having outgoing mail server farm).  I ended 
up disabling IP address check after some time (just checking 
sender-recipient pair).  The effectivnes reduced slightly, but still 
more than acceptable.

Email sent to multiple recipients.  Depending on implementation of 
greylisting used (don't remember how milter-greylist implements it), if 
sender has passed greylisting only with some recipients, you'll get 
people complaining that guy in cubicle next to his got this ultra high 
important email, but they haven't.  Of course, they will.  A bit later. 
  But still, look at it from users perspective.  They don't know 
anything about greylisting and expect email to be like instant 
messaging (which it is not, but they don't know that).

Delays...  you can expect delays as long as one hour when email for 
particular sender/recipient pair is seen by greylisting for the very 
first time.  Sometimes even longer (on very rare ocasions).  In some 
environments this might not be acceptable.  When outside user sends 
email to support email address with some data (while still on the 
phone), he expects support person will get it in matter of seconds.  
Not hours.

Some sites have several outgoing mail queues that implement backing off 
strategy (to make running queue runs on large queues managable).  
They'll try several delivery attempts during first couple of hours, 
then move email to slower queue that tries maybe couple per day, then 
move to even slower queue that runs maybe only once per day.  Depending 
on timeout values configured for greylisting in combinataion with your 
(or their) server/network downtimes, this may make some mail not to be 
delivered.  I haven't seen this happen in real life, but there's 
theoretical possibility.

Broken MTA software...  Some real-life examples I encountered.

I had one client whose MTA would treat temporary failures like 
permanent failures, no re-delivery attempts, bounce emails as 
undeliverable to sender right away.  Don't remember what they were 
using.  Solved that by whitelisting them.  But you never know when you 
are going to run to somebody else using same broken product.

Symantec antivirus for email gateways or something like that (not sure 
if all versions of the product).  There's some other products that do 
this by default.  It sends warning message back to sender on first 
temporary failure.  Users, the way they are, not reading what the 
message says, either try to resend right away (and get another bounce, 
since greylisting period wasn't yet reached), or start complaining that 
their emails haven't made through.  It's questinably broken MTA, since 
there's nothing in the standards preventing MTA from doing so.  
Non-technical people might even like the "feauture", being warned if 
email is not delivered right-away -- the only thing it's unreliable and 
can get you into making wrong conclusions (that email was delivered, 
when it is still somewhere in transit).

And finally, seems some spammers are falling back to good old 
exploiting of open relays.  I'm seeing slight but constant increase of 
those.  While greylisting works wonders when other side uses 
mass-mailing software, it is useless against real MTA.

In short, greylisting is "the best invention since sliced bread".  
However it has some gotchas that those using it should be aware of.  
And it's not 100% false positives free.  More like around 99.99999%.  
Enjoy using it while it is still effective.

This message was sent using IMP, the Internet Messaging Program.