I don't like greylisting..
Blog Category:
Earlier today when I was configuring my brothers new laptop, I decided to send him a test message. I sent the message to his motd.be email account (which is currently forwarded to his kuleuven address) so I knew it would be delayed by the greylisting which is currently enabled on this server. But after more than half an hour the message still hadn't arrived. Maybe I messed up the postfix config of motd.be? Lets check..
The configuration was OK, the message was still queued. It just had a run of bad luck:
- The message was sent through an outbound relay which has two IP addresses which it uses in a loadbalancing fasion. Greylisting delayed the (me, brother, IP1) tripple but at the time it would accept the message, the outbound relay used its second IP which started the greylisting all over.
- The initial retry time of these relays was set to a little over 25 minutes (ouch).
- When the message arrived on the motd.be server, it was forwarded to kuleuven which uses greylisting as well.
- After 16minutes my server retried and the message got delivered.
So the message was delayed 25*2+16 minutes. A little over an hour for a simple test message! Thats it, no more greylisting on this server ;)
About Me
My name is Bart Jansens.
I work as a network and security consultant and spend some of my spare time in the background of open source projects, working on system administration and security tasks.
Comments
Serge van Ginde...
Sat, 02/10/2007 - 22:09
Permalink
Greylisting
The problem is obviously with the destination mail servers: greylisting data should be shared when MX hosts use round robin.
So the issue is with this particular setup, not greylisting in general.
You might want to also check http://frank.be/articles/2006/12/26/selectief-greylisten-voor-mailservers for interesting info
Bart
Sun, 02/11/2007 - 12:10
Permalink
The destination mail servers
The destination mail servers have no way of knowing that the two IPs of the sending mailserver are related, they are in entirely different subnets. It is true however that when you have multiple MX records, those should share their data.
This was just a rather extreme example of how long mails can be delayed (though it could be even worse).
I remember selective greylisting, it is actually what I was working on since yesterday. The difference being that I'm using policyd-weight+postgrey instead of marbl. I also included some simple checks from http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
Now all that is left is tweaking all these variables..
Add new comment