On 2013-05-24 05:57, Andrew Burnette wrote:
> On 05/23/2013 12:24 PM, Kristian Duus Østergaard wrote:
>> Hi,
>>
>> My smtp server is currently using identlookup and I think it is one reason
>> that I don't receive a ton of Spam.
>>
>> Unfortunately some of my users receive mails from a domain that has a very
>> short timeout and drops identlookups at the firewall, instead of rejecting
>> them. This results in no mails coming through to my users from the domain
>> in question and me getting asked how many other domains does this happen
>> from. My own approximate count indicates that only 1.6% of the failing
>> connections are from legit servers.
>>
>> So my questions are really:
>> What is your experience with identlookups?
>> Should I stop using it on my server and risk more Spam?
>> When you discover a problem with a server what do you do?
>> Do any of you have automated scripts to inform the postmaster in the other
>> end that you do have a server and it actually can respond?
>> Does courier have any filtering function for this very special scenario?
>>
>> Sorry for the long rant..
>>
>> Regards
>> Kristian Duus Østergaard
>
> Consider it an effective orthogonal version of greylisting (which often
> causes other greater problems unfortunately)?
>
> Enabled, it typically tends to hold the inbound smtp connection open ~30
> seconds before a "HELO" smtp conversation is allowed to begin. Turns out
> numerous virus/malware bots drop their tcp connection right at the 30
> second mark.
>
> (yet another reason also why port 587 is a better choice for local
> relaying end user clients/senders such they do not experience the hold
> time, entirely a different issue though and not helpful to your experience)
>
> It's very effective in reducing spam in my system, testing with either
> setting a couple years ago the effective cut rate of 2/3 or more. In
> combo with good RBL selection, I see 90% of connection attempts
> dropped/rejected/etc, and still my users receive their good mail. My
> users complained more when it was disabled, and many have been shielded
> for so long against spam they don't understand why users of other
> systems complain about spam :-)
>
> It may be possible to manipulate your firewall to respond with a bogus
> lovel affirmative ident for just the domain name of the impatient MTA.
> Just a thought, but not terribly complicated depending upon what you
> front your servers with (even a simple ufw rule might do the trick?)
> Many variables in that idea only you might be able to decide if it's
> feasible or not. In the same respect, it would be nice to have a simple
> BGP feed to block various known "bad neighborhoods" out there on the
> Internet........
>
> Good luck,
> andy

I think your take on this is closer to my own sentiments - using ident
lookups as an accepted greylisting technique and I think this is what Matus
is also doing.
As for whether or not to provide valid ident lookups my take is that all you
really need is to reject the connection. Courier will then accept the reject
and continue immediately as far as I understand/have tested.

I totally agree with Sam's and Jan's comment that ident lookups as a
verifying technique probably is a thing of the past.

As for Jan's comment on dropping instead of rejecting - I think the idea
behind dropping used to work. But for servers connected directly to the
internet I don't think it makes much sense any more as it's relatively easy
to identify all the open ports anyway.

So to sum it up - I think I'll leave my server the way it is and try to
politely tell the admin of the server that even though the specification
says SHOULD be 300 seconds it's probably a good idea not to lower it, even
if it makes your queues empty faster.

Regards
Kristian

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
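The reject-versus-drop point Kristian makes above, shown as an added example that is not from the thread and not Courier's own identlookup code: a minimal RFC 1413 (ident) client and two loopback responders, so you can see what an MTA doing an ident lookup experiences when the remote side answers, when it resets the connection (a closed port 113, or a firewall REJECT with a TCP reset) and when it silently drops the connection. The "silent drop" is simulated by a responder that accepts and never answers; the port numbers, the 25/40001 connection pair and the timeout value are constructed for the demonstration. The answering responder uses the RFC 1413 `ERROR : HIDDEN-USER` reply, which acknowledges the query without disclosing a user name.

```python
"""Minimal RFC 1413 (ident) client plus loopback responders.  Added example,
not Courier's code and not from the thread.  Everything runs on 127.0.0.1
with constructed port numbers."""
import socket
import threading
import time


def parse_ident_reply(line):
    """Parse one ident reply line of the form
    '<server-port> , <client-port> : USERID : <opsys> : <user-id>'  or
    '<server-port> , <client-port> : ERROR : <error-type>'."""
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) >= 4 and fields[1].upper() == "USERID":
        return {"ports": fields[0], "status": "USERID",
                "opsys": fields[2], "user": fields[3]}
    if len(fields) == 3 and fields[1].upper() == "ERROR":
        return {"ports": fields[0], "status": "ERROR", "error": fields[2]}
    raise ValueError("malformed ident reply: %r" % line)


def ident_query(host, ident_port, server_port, client_port, timeout):
    """Ask host's ident service who owns the connection <server_port> , <client_port>.
    Returns (outcome, reply, seconds); outcome is 'USERID', 'ERROR',
    'refused', 'timeout' or 'closed'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(("%d , %d\r\n" % (server_port, client_port)).encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n"):       # the reply is one CRLF-terminated line
                chunk = s.recv(512)
                if not chunk:                       # peer closed without answering
                    return "closed", None, time.monotonic() - start
                data += chunk
    except ConnectionRefusedError:                  # SYN answered with RST: instant failure
        return "refused", None, time.monotonic() - start
    except (socket.timeout, TimeoutError):          # nothing ever came back: full timeout burned
        return "timeout", None, time.monotonic() - start
    reply = parse_ident_reply(data.decode("ascii", errors="replace").strip())
    return reply["status"], reply, time.monotonic() - start


def start_responder(reply_template=None, hold_seconds=0.0):
    """Start a one-shot ident responder on 127.0.0.1 in a background thread and
    return its port.  reply_template is formatted with the received query
    (e.g. '{query} : ERROR : HIDDEN-USER'); None means accept and never
    answer, which to the client looks like a firewall DROP."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with listener, conn:
            if reply_template is None:
                time.sleep(hold_seconds)            # hold the connection open, say nothing
                return
            query = conn.recv(256).decode("ascii", errors="replace").strip()
            conn.sendall((reply_template.format(query=query) + "\r\n").encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port nothing listens on: connecting to it gets a TCP RST,
    the same thing a firewall REJECT with tcp-reset on port 113 produces."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def compare_outcomes(timeout=1.0):
    """Run the three scenarios and return {scenario: (outcome, seconds)}."""
    results = {}
    # 1. A host that answers (HIDDEN-USER: acknowledged, no user disclosed).
    port = start_responder("{query} : ERROR : HIDDEN-USER")
    outcome, _reply, secs = ident_query("127.0.0.1", port, 25, 40001, timeout)
    results["answered"] = (outcome, secs)
    # 2. Reject: kernel sends RST, the MTA moves on immediately.
    outcome, _reply, secs = ident_query("127.0.0.1", unused_port(), 25, 40001, timeout)
    results["rejected"] = (outcome, secs)
    # 3. Drop: the lookup hangs until the MTA's own timeout expires.
    port = start_responder(None, hold_seconds=timeout * 4)
    outcome, _reply, secs = ident_query("127.0.0.1", port, 25, 40001, timeout)
    results["dropped"] = (outcome, secs)
    return results


if __name__ == "__main__":
    for name, (outcome, secs) in compare_outcomes().items():
        print("%-9s %-8s %.2fs" % (name, outcome, secs))
```

Running it directly prints the three timings: only the dropped case costs the sending MTA its whole timeout, which is why a reset on port 113 (rather than a silent drop) lets a lookup-doing server such as Courier continue at once, and why a short ident timeout on the remote side only hurts against hosts that drop.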