Re: greylisting on debian.org?

To: debian-devel@lists.debian.org
Subject: Re: greylisting on debian.org?
From: Stephen Gran <sgran@debian.org>
Date: Mon, 10 Jul 2006 17:41:20 +0100
Message-id: <[🔎] 20060710164120.GA26641@www.lobefin.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] u1hr70ugwcp.fsf@kempis.becket.net>
References: <[🔎] 44ABBC63.70709@lonien.de> <[🔎] 20060705144552.GC14984@piper.madduck.net> <[🔎] u1hodvzig6m.fsf@kempis.becket.net> <[🔎] 20060709133920.GB15503@piper.madduck.net> <[🔎] u1hr70ugwcp.fsf@kempis.becket.net>

This one time, at band camp, Thomas Bushnell BSG said:
> martin f krafft <madduck@debian.org> writes:
> 
> > Anyway, I'll be interested to hear a summary of their arguments, as
> > Christian Perrier requested. I find it hard to imagine how properly
> > configured greylisting should cause any problems.
> 
> It's a violation of the standard.  It is especially problematic,
> because it is a violation against the spirit of being liberal in what
> you accept, and conservative in what you require.

Sadly, those days may be coming to an end.

> It assumes, for example, that the remote MTA will use the same IP
> address each time it sends the message. If the remote MTA is a big
> server farm, with a lot of different hosts that could be processing
> the mail, what is your strategy for preventing essentially infinite
> delay?

I use a greylist implementation that autowhitelists after a configurable
number of successful retries for a tuple.  Assuming you mean places like
yahoo or aol, the essentially infinite delay you speak of has never been
an issue so far.  They all end up whitelisted after a while, and then
mail from them proceeds without delay.  Assuming the number of users
debian has, it shouldn't take very long to record hits for all of their
outbound servers.
 
> Another problem is with hosts that do not accept a message from an MTA
> unless that MTA is willing to accept replies.  This is a common spam
> prevention measure.  The graylisting host cannot then send mail to
> such sites until they've been whitelisted, because when they try the
> reverse connection out, it always gets a 4xx error.  I've been bitten
> by this one before.

That is an odd implementation of sender callouts designed by someone who
doesn't understand SMTP, and is not really an issue for the conversation
at hand.  Normal sender callouts, which route the message to the public
MX, have their pros and cons, but it's not under discussion at the
moment.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- greylisting on debian.org?
  - From: Wolfgang Lonien <wolfgang@lonien.de>
- Re: greylisting on debian.org?
  - From: martin f krafft <madduck@debian.org>
- Re: greylisting on debian.org?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: greylisting on debian.org?
  - From: martin f krafft <madduck@debian.org>
- Re: greylisting on debian.org?
  - From: Thomas Bushnell BSG <tb@becket.net>

Prev by Date: Re: greylisting on debian.org?
Next by Date: Re: greylisting on debian.org?
Previous by thread: Re: greylisting on debian.org?
Next by thread: Re: greylisting on debian.org?
Index(es):
- Date
- Thread