On Sun, 2008-04-27 at 20:08 +0100, Chris Wilson wrote:
> > You don't seem to be bypassing the greylist for hosts which are known to
> > resend mail. So you're delaying a lot of mail for no benefit. Once a
> > given host is observed to queue and retry, you know that there's no
> > point in greylisting mail from that host again.
>
> That's the point of the GREYLIST_TEST, does it not work? There should be
> an entry in the database for each host which passed greylisting (i.e.
> retried the message more than 10 minutes after first contact) which lasts
> for 28 days.

Sorry, yes. I missed that. It does look reasonable, now I look again.

> Also, I think there can be a point in delaying some mail from a public IP
> which has been seen to pass greylisting, if the source domain is
> different, as the machine may suddenly start to relay spam or another
> internal server with the same public IP may suddenly become a spam source.

This is true -- and is actually why I started using a tuple of
$sender_helo_name and $sender_host_address for the resenders database,
instead of just $sender_host_address.

> > You seem to defer the message in the case where MySQL goes AWOL, rather
> > than accepting it. That's an interesting decision, since it will quite
> > possibly lead to messages being deferred for ever.
>
> OK, I'll fix that, thanks. (It hasn't caused a problem for me yet, but
> better safe than sorry).

Yeah, I don't think it ever bit me either, but it's worth thinking about.

> > You also seem to be greylisting mail even when it isn't at all
> > suspicious. Some prefer only to greylist mail which looks dodgy, rather
> > than just a blanket delay on _everything_. Obviously, you do it in the
> > DATA ACL for that, so you can actually see the message.
>
> At the moment I don't have any system-wide spam filter that I could run in
> the data ACL. And spammers have a habit of changing their messages to get
> around such filters.

Filters for 'suspicious mail worth greylisting' can be a _lot_ wider than
filters for rejecting or filing into a spam folder. For example, criteria I
use to trigger greylisting include "Is HTML", "Re: in Subject: header but no
References:", "Host with no rDNS", etc. I also use "has more than 0.0
SpamAssassin points".

> In my case, the number of new domains and hosts seen
> sending mail is quite small, so it works for me (on a small domain).
>
> > (Also, rejecting for SPF fail is particularly 'brave'. I'd recommend
> > googling for 'sender address forgery' and reading the first link that
> > Google shows up.)
>
> Surely I can't be the only person rejecting messages where the sender has
> explicitly put "-all" in their SPF record, and the SPF check fails? At
> least it's useful for allowing people to say that certain domains never
> send mail, or that their users don't use mailing lists or forwarders? (if
> nothing else)

If the record is _just_ "-all" then that's fair enough -- and that can be
done with a dnsdb lookup. But unless I misread your ACL, you'll also be
rejecting mail based on even the idiotic SPF records which list a few
'genuine' hosts followed by -all, with the fundamental misunderstanding of
SMTP that that entails.

--
dwmw2
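As an added example, not code from the thread or from either poster's Exim ACL: a small Python model of the policy the exchange above settles on, i.e. a resenders table keyed on the (HELO name, host address) tuple that bypasses the delay for 28 days once a host has retried more than 10 minutes after first contact, fail-open when the database is unreachable, and a check that a domain's SPF record is nothing but "-all". The class and function names, the seconds-based clock and the sample addresses are assumptions of this example.

```python
# Added illustration, not code from the thread or from either poster's Exim ACL.
# Names, the seconds-based clock and the sample values are assumptions.

GREYLIST_DELAY = 10 * 60            # retry must arrive more than 10 min after first contact
RESENDER_TTL = 28 * 24 * 60 * 60    # a host that passed greylisting is trusted for 28 days


class Greylist:
    """In-memory stand-in for the MySQL tables; timestamps are Unix seconds."""

    def __init__(self):
        self.first_seen = {}   # (helo, ip, sender, recipient) -> first contact time
        self.resenders = {}    # (helo, ip) -> time that host passed greylisting
        self.db_up = True      # set False to simulate MySQL going AWOL

    def check(self, helo, ip, sender, recipient, now):
        """Return 'accept' or 'defer' for one delivery attempt at time `now`."""
        if not self.db_up:
            # Fail open: a dead database must not leave mail deferred for ever.
            return "accept"
        host = (helo, ip)   # the $sender_helo_name / $sender_host_address tuple
        passed = self.resenders.get(host)
        if passed is not None and now - passed < RESENDER_TTL:
            return "accept"   # known resender: skip the delay (the GREYLIST_TEST)
        triplet = (helo, ip, sender, recipient)
        first = self.first_seen.setdefault(triplet, now)
        if now - first > GREYLIST_DELAY:
            self.resenders[host] = now   # it queued and retried: remember the host
            return "accept"
        return "defer"


def spf_is_bare_minus_all(txt_records):
    """True only when the domain's SPF record is exactly 'v=spf1 -all'.

    A record that lists some hosts and then '-all' does not qualify, so a
    policy built on this test rejects only the 'this domain never sends
    mail' case, not the partial-list records the reply above objects to.
    """
    spf = [r.split() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return len(spf) == 1 and [t.lower() for t in spf[0]] == ["v=spf1", "-all"]
```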
