[CentOS] Centos 6 Sendmail backup MX Config

Sun Feb 15 21:39:16 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

On Fri, February 13, 2015 12:52, Les Mikesell wrote:
> On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>>>   Otherwise it accept junk that your primary rejects
>>
>> Not exactly. If greylisting on primary is set, but on backup MX
>> is not, still what is killed by greylisting by primary MX,
>> almost never will come through backup MX. This is due to the
>> same reason why greylisting is efficient: it trows off all that
>> doesn't behave as mail server (thus never comes for re-delivery,
>> and definitely doesn't try backup MX which real servers always
>> do even before attempt of re-delivery).
>
> I'm not convinced. Spam is big business and trying a 2nd MX is cheap.
>

Much spam/ucem is deliberately sent directly to the lower priority MX
host from the outset on the assumptions that: 1.) the secondaries will
be less well configured to detect SPAM to begin with; and 2.) once
mail is routed though an officially recognized secondary host then the
primary is less likely to treat such traffic as SPAM.


We run grey listing and amavisd (clamd/spamd) on all of our MX servers
because of this practice.  We also list several non-existent MX
secondaries at the lowest priority to cheaply pick off the really
stupid points of origin.

Yes we do get rejects for real correspondents.  A notable recent
victim, if such is the right word to describe a self-inflicted injury,
was ibm.com. Who, in contravention of rfcs 7208 and 7372, both
configured eleven MX hosts for their domain AND enabled SPF. This
causes an immediate permerr with anyone checking SPF as the maximum
number of MX hosts allowed with an SPF enabled domain is ten.

But, who am I to tell IBM how to configure a computer?

On the other hand, we also have large organizations who use smtp pools
and with these grey-listing simply does not work.  Each subsequent
attempt to connect can occur from any of the IPs in that pool and the
mail either never gets through or is seriously delayed.  For those
cases we are constrained to use white-listing.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3