On Fri, Feb 13, 2015 at 12:32 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote: > > I stated pure observation on at least two pairs of primary - backup MX I > maintain. Still I made backup MXes with greylisting as well (they are > separately hit by same bad spammers scripts, at a rate about 10 times > smaller than primary MXes are and absolutely independently). I think that's unusual - spammers often target the secondaries as a preference on the premise that they are likely to not be as well-configured as the primary. But it has been a while since I ran one so maybe things have changed. >>> Still, it is good >>> to have the same greylisting on backup MX. And all other blows and >>> whistles. >> >> Greylisting would be kind of hard to do right. You'd have to keep the >> known-good senders in sync across the receivers. But my bigger worry >> would be a dictionary-type attack on user names as recipients if you >> don't have access to the real user list on the secondary. > > With standard backup MX based on postix (with rather trivial > configuration) you always do have list of legitimate recipients of primary > MX on the secondary MX. Doing greylisting right means you also have to keep the table of already-known senders up to date and that may be very dynamic. -- Les Mikesell lesmikesell at gmail.com