On Oct 26, 2005, at 11:54 AM, Graham Toal wrote:

My experience is that greylisting requires at least 2 failed attempts. Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure that seems to me should pass through.


James is right, it's a design flaw of spamd that two failed attempts
are required.  This is what happens:

1) first attempt, goes to spamd, is logged.
2) second attempt, goes to spamd, is marked as good ... *BUT* it
   still went to spamd.  spamd is not an application relay, so it
   has no way of passing that currently-active second attempt through
   to the true MTA, so ...
3) third attempt, redirected to true MTA

I agree this is how things work. I disagree that this is a design flaw. Instead this is the fundamental thing that makes spamd so great at what it does. Maybe I'm a little too RFC biased, but if the standards say XYZ MUST be done, then if the sending MTA is not playing by the rules, I don't want their mail. Though I'm happy to talk and work with them to get their servers fixed. The side effect being that all those spammer zombie machines don't get a message into my servers. :)

spamd is ensuring that MTAs are following the standards. The standards say that a sending MTA must wait 30 minutes before attempting a retry, thus the default passtime for spamd is 25 minutes, which I think is a good buffer. If MTAs should retry in, say, 15 minutes, I don't know what spamd does; I've not tested that scenario. I would hope that maybe spamd would update the initial time to the most recent attempt and wait to put the IP in the whitelist pool until passtime has passed between retries.

I often see delays of either an hour or two when first getting a message via a new MTA. Which makes sense to me, and I think is tolerable. Email is not instant messaging. If it absolutely has to be there NOW, then use something else. :)

00:00 -- first connection attempted
00:30 -- second connection attempted
00:31 -- IP now whitelisted

I've found that some MTAs will try to make a 3rd attempt 60 minutes from the first attempt, while others seem to wait 60 minutes or more from the 2nd attempt.


-Chad
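The three-step sequence and the 00:00 / 00:30 / 00:31 timeline above can be replayed in a small model. This is an added example, not spamd's own code and not from anyone in this thread: it keeps one in-memory table keyed by client IP, uses the 25 minute default passtime quoted above, and returns the three outcomes the messages list (tempfail and log, tempfail but whitelist, pass through to the real MTA). The IP addresses and timings are constructed, and two behaviours the thread leaves open are assumptions marked in the code: entries never expire, and a retry that arrives before passtime is tempfailed without resetting the clock started by the first attempt.

```python
"""Model of the spamd greylisting sequence described in the thread.

Constructed example, not spamd's own code: one in-memory table keyed by
client IP, the 25 minute default passtime quoted in the thread, and the
three outcomes the thread lists (tempfail/log, tempfail/whitelist, pass).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSTIME = timedelta(minutes=25)  # spamd default passtime, as stated in the thread


@dataclass
class GreyEntry:
    first_seen: datetime
    last_seen: datetime
    attempts: int = 1
    whitelisted: bool = False


class Greylist:
    """Greylist decision table.

    Assumed simplifications (not taken from the thread): entries never
    expire, and a retry that arrives before passtime is tempfailed without
    resetting or extending the clock started by the first attempt.
    """

    def __init__(self, passtime: timedelta = PASSTIME) -> None:
        self.passtime = passtime
        self.entries: dict[str, GreyEntry] = {}

    def connect(self, ip: str, now: datetime) -> str:
        """Classify one SMTP connection from ip at time now.

        Returns one of:
          "greylisted"  - tempfailed by spamd and logged (first attempt, or
                          a retry that came back too soon)
          "whitelisted" - this attempt is still tempfailed by spamd (it is
                          not a relay), but ip is now whitelisted
          "pass"        - pf redirects ip straight to the real MTA
        """
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = GreyEntry(first_seen=now, last_seen=now)
            return "greylisted"
        entry.attempts += 1
        entry.last_seen = now
        if entry.whitelisted:
            return "pass"
        if now - entry.first_seen >= self.passtime:
            entry.whitelisted = True
            return "whitelisted"
        return "greylisted"

    def never_retried(self) -> list[str]:
        """IPs that connected once and gave up: the one-shot senders that
        greylisting stops, still greylisted with a single attempt."""
        return sorted(ip for ip, e in self.entries.items()
                      if not e.whitelisted and e.attempts == 1)


def simulate(attempts, passtime: timedelta = PASSTIME):
    """Replay (ip, minutes_after_start) connection attempts in time order
    and return ([(ip, minutes, outcome), ...], greylist)."""
    start = datetime(2005, 10, 26, 12, 0)  # arbitrary constructed epoch
    gl = Greylist(passtime)
    log = []
    for ip, minutes in sorted(attempts, key=lambda a: a[1]):
        outcome = gl.connect(ip, start + timedelta(minutes=minutes))
        log.append((ip, minutes, outcome))
    return log, gl


# Constructed timeline: the 00:00 / 00:30 / 00:31 sequence from the message
# for a well-behaved MTA, a sender that retries too early, and a one-shot
# sender that never comes back.
TIMELINE = [
    ("192.0.2.10", 0), ("192.0.2.10", 30), ("192.0.2.10", 31),
    ("192.0.2.20", 0), ("192.0.2.20", 15), ("192.0.2.20", 45), ("192.0.2.20", 60),
    ("192.0.2.30", 0),
]

if __name__ == "__main__":
    log, gl = simulate(TIMELINE)
    for ip, minutes, outcome in log:
        print(f"{minutes:02d}m {ip:<12} {outcome}")
    print("one-shot senders:", gl.never_retried())
```

Running it shows why a well-behaved MTA needs three connections before a message is accepted, and why a retry at 15 minutes (under this model's assumption) only costs the sender one more tempfail rather than restarting the wait. The `never_retried` list is the defender's side of the same mechanism: it is the set of clients that greylisting alone turned away.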