Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] Re: Some features for future releases...

2008-01-22 by Benoit Branciard

Michael Menge wrote:
> Quoting ondrej_v0 <ondrej_v0@...>:
> 
>> But speaking about the documentation - it should be stated there what
>> actually blacklisting means. Does it mean that instead of 451
>> temperror the sender receives 550 harderror?
> 
> Yes blacklisting is a 5xx harderror. But we don't use it in milter-greylist

Yes you can use blacklisting in milter-greylist (at least 4.0):

acl blacklist addr aa.bb.cc.dd msg "I don't like you"

> We had some problems with spf, as
> 
> 1. there are more spammers that have spf records than regular users

The "good way" is to combine greylisting, SPF and "reputation", by means 
of DNSRBLs and DNSWLs. Milter-greylist 4.0 can do that:

- whitelist "local" clients (those who are expected to use your SMTP 
server anyway)
- whitelist "known good" clients who are listed in DNSWLs or 
locally-crafted whitelist (including ISP server farms which do not pass 
greylisting)
- blacklist "unwanted" clients with DNSRBL (DUL and otherwise dynamic 
ISP clients)
- "heavy" greylist (long delay) "suspicious" clients (those listed in 
exploits DNSRBL lists, or whose DNS name matches a locally-defined 
regexp list)
- whitelist SPF-pass clients (except those who have a fake "+all" record)
- "light" greylist (short delay) all other clients

You can also blacklist SPF-fail clients, and heavy greylist SPF-softfail 
clients, catching a few % more spam, but exposing yourself to blocking 
legitimate but badly configured mail (non SRS-compliant forwarding...).

The idea is that only unknown clients should hit the last-resort 
greylist ACL.

In that order, MX validity and MX-as-SPF (poor man's SPF) tests would be 
great to help reduce the hit rate of this last-resort ACL.

> 2. forwarding breaks spf for some forwarders, and I have found no easy way
>    for our users to whitelist the forwarding mailserver as they normally
>    don't know the IP

Forwarders should use SRS. But if you combine with DNS whitelists, 
chances are forwarders are already whitelisted.

-- 
This message has been checked by MailScanner
for viruses and spam, and nothing
suspicious was found.
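
The ACL ordering listed in the message above, modelled as an added Python example (not part of the original message and not milter-greylist code). It assumes first-match-wins evaluation; the `Client` fields, the `SUSPICIOUS_RDNS` patterns and the `strict` switch for the optional SPF-fail/softfail rules are hypothetical names chosen for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical local regexp list for dynamic-looking reverse DNS names (constructed).
SUSPICIOUS_RDNS = [re.compile(p) for p in
                   (r"\b(dyn|dsl|dhcp|pool)\b", r"\d+[-.]\d+[-.]\d+[-.]\d+")]

@dataclass
class Client:
    local: bool = False      # expected to use this SMTP server anyway
    dnswl: bool = False      # listed in a DNSWL or a locally crafted whitelist
    dul: bool = False        # listed in a DUL / dynamic-ISP DNSRBL
    exploits: bool = False   # listed in an exploits DNSRBL
    rdns: str = ""           # reverse DNS name of the connecting host
    spf: str = "none"        # SPF result: pass / fail / softfail / none
    spf_record: str = ""     # SPF TXT record of the sender domain

def has_plus_all(record):
    # "+all" (or bare "all", since "+" is the default qualifier) authorises every host.
    return any(term.lower() in ("+all", "all") for term in record.split())

def decide(c, strict=False):
    """Return (action, reason); rules are tried in order and the first match wins."""
    suspicious = c.exploits or any(r.search(c.rdns) for r in SUSPICIOUS_RDNS)
    rules = [
        (c.local, "whitelist", "local client"),
        (c.dnswl, "whitelist", "known good (DNSWL or local list)"),
        (c.dul, "blacklist", "dynamic client (DNSRBL)"),
        (suspicious, "greylist-heavy", "suspicious client"),
        (c.spf == "pass" and not has_plus_all(c.spf_record), "whitelist", "SPF pass"),
        # Optional stricter rules from the message; they can hit forwarded mail without SRS.
        (strict and c.spf == "fail", "blacklist", "SPF fail"),
        (strict and c.spf == "softfail", "greylist-heavy", "SPF softfail"),
    ]
    for matched, action, reason in rules:
        if matched:
            return action, reason
    return "greylist-light", "unknown client (last-resort ACL)"

if __name__ == "__main__":
    # Constructed sample clients.
    samples = {
        "dynamic host with valid SPF": Client(dul=True, spf="pass", spf_record="v=spf1 mx -all"),
        "SPF pass via +all": Client(rdns="mail.example.org", spf="pass", spf_record="v=spf1 +all"),
        "forwarder on a DNSWL": Client(dnswl=True, spf="fail"),
    }
    for name, client in samples.items():
        print(name, "->", decide(client, strict=True))
```
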
