Re: greylisting on debian.org?

On Mon, 10 Jul 2006, Henrique de Moraes Holschuh wrote:
> > Is there a way of doing this which doesn't require you to know in
> > advance the setup of remote networks and such?  Does it scale?
> Yes.  The most absurd way is to consider every non-stolen, valid for the
> public Internet IPv4 netblock as belonging to a single IP superset, and
> flushing the graylisted database often (but mind your outgoing email retry
> policy!).
> Another is to 

Argh. I must have deleted part of the message by mistyping in vim and didn't
notice it before sending. Sorry about that.

Another way to avoid problems with clusters is to assume certain common
setup patterns for server farms, like a cheap netmask match.  This does, in
a way, "require you to know in advance the setup of remote networks", in the
sense that you need to know the common patterns that will be used.   At
least now you are dealing with patterns, and not specific instances.

It is not as bad as it sounds.  Small clusters of less than five machines
are not supposed to be an issue (you will graylist-approve the entire
cluster before the retry limit is over for reasonable retry policies).

Large clusters are almost always made of a number of islands of nodes with
IPs close to each other, and graylist-approving different islands will also
work if you don't manage to match all islands as a single set.

Scaling is obviously a problem if you have many incoming SMTP hosts, as the
graylisting knowledge should be shared among all of them.  Other scaling
issues depend on how you calculate the IP sets, but for IP distance like the
above example, it is practically the same as for dumb graylisting.

  Henrique Holschuh
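
The "cheap netmask match" described in the message above, as an added example that is not part of the original e-mail: a greylist keyed on the client's network instead of its exact IP, run against a constructed retry sequence from a server farm. The class and function names, the /24 prefix, the /64 for IPv6 and the 300-second delay are assumptions made for illustration.

```python
import ipaddress

class Greylist:
    """Greylist keyed on (client network, sender, recipient)."""

    def __init__(self, prefix_len=24, min_delay=300):
        self.prefix_len = prefix_len   # 32 = exact-IP ("dumb") greylisting
        self.min_delay = min_delay     # seconds a new key must wait (assumed value)
        self.first_seen = {}           # key -> time of first delivery attempt

    def _key(self, client_ip, sender, rcpt):
        addr = ipaddress.ip_address(client_ip)
        # Matching IPv6 clients on /64 is an assumption of this example.
        plen = self.prefix_len if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), sender, rcpt)

    def check(self, client_ip, sender, rcpt, now):
        """Return 'accept' or 'defer' for an attempt at time `now` (seconds)."""
        key = self._key(client_ip, sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.min_delay else "defer"

def simulate(prefix_len, attempts):
    """Replay (time, client_ip) attempts for one message; return each verdict."""
    gl = Greylist(prefix_len=prefix_len)
    return [gl.check(ip, "a@example.org", "b@example.net", t)
            for t, ip in attempts]

# Constructed sample: one message retried every 10 minutes by different
# nodes of a farm made of two "islands" of neighbouring addresses.
FARM_ATTEMPTS = [
    (0,    "192.0.2.10"),
    (600,  "192.0.2.11"),
    (1200, "192.0.2.12"),
    (1800, "198.51.100.7"),
    (2400, "198.51.100.8"),
]

if __name__ == "__main__":
    print("exact IP :", simulate(32, FARM_ATTEMPTS))
    print("/24 match:", simulate(24, FARM_ATTEMPTS))
```

With exact-IP keys every node is treated as a new client and deferred; with the /24 key the second attempt from the first island is accepted, and the second island is approved independently on its own second attempt.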

