manu@... wrote:
> Oliver Fromme <olli@...> wrote:
>
>> Can milter-greylist be interfaced with hashcash? (*)
>> I would like to whitelist (i.e. not delay) mails that
>> contain a valid hashcash header line.
>
> That could only fit in a DATA stage ACL, so you will not be able to
> avoid greylisting decided at RCPT stage.
>

It's things like this that make you wish SMTP had a "HEADER" phase.. but it doesn't, and there's nothing that can be done now to change that. Oh well, hindsight on protocol design is always 20/20, right?

As a further clarification to Oliver, when it comes to greylisting you're pretty much limited to information that can be obtained from 4 sources: the connection itself (i.e.: source IP address), and the following commands: HELO, RCPT TO: and MAIL FROM:, and various DNS lookups or other operations based on the data obtained from those 4 sources.

Any other aspect of the message all comes as one big lump in the DATA phase, and milter-greylist can only respond to such things after it has all been transferred.

While that might not sound so bad, attempting to greylist at the end of the DATA stage is self-DoSing. Every time a server tries to deliver a message, the whole message will have to be transferred before a 450 can be issued. Then when it retries, the whole message will be transferred before it can be 450'ed again.. Repeat as many times as it takes until the greylist timeout expires, and you could have just blown a lot of bandwidth transferring the same message hundreds or in case of a misbehaving server even tens of thousands of times before actually accepting it. Multiply that by a few hundred or thousand messages that are currently being greylisted and you'll raise your mailserver's bandwidth needs to really absurd levels. (i.e.: could you handle a sustained 10000-fold increase in mailserver bandwidth usage?)
Message
Re: [milter-greylist] Hashcach support?
2008-05-28 by Matt Kettler
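
The bandwidth argument in the message above, as a small model added here (it is not part of the original post and not milter-greylist code). The 200-byte envelope cost, the addresses, the message size and the retry intervals are constructed assumptions.

```python
# Added example: a constructed model of greylisting cost per SMTP stage.
from dataclasses import dataclass, field

ENVELOPE_BYTES = 200  # assumed cost of the HELO / MAIL FROM / RCPT TO exchange


@dataclass
class Greylist:
    delay: int                                   # seconds a new triplet must wait
    first_seen: dict = field(default_factory=dict)

    def check(self, triplet, now):
        """Accept (True) once the triplet is at least `delay` seconds old."""
        first = self.first_seen.setdefault(triplet, now)
        return now - first >= self.delay


def simulate(stage, msg_bytes, retry_interval, delay):
    """Deliver one message through a greylist applied at `stage`.

    stage is "RCPT" (450 sent before the body) or "DATA" (450 sent after
    the whole body has arrived). Returns (attempts, bytes_received).
    """
    if stage not in ("RCPT", "DATA"):
        raise ValueError("stage must be 'RCPT' or 'DATA'")
    gl = Greylist(delay)
    # Constructed triplet: (source IP, envelope sender, envelope recipient).
    triplet = ("192.0.2.10", "sender@example.org", "rcpt@example.net")
    now = attempts = received = 0
    while True:
        attempts += 1
        received += ENVELOPE_BYTES
        if stage == "DATA":
            received += msg_bytes          # body is transferred before the verdict
        if gl.check(triplet, now):
            if stage == "RCPT":
                received += msg_bytes      # body is transferred only once accepted
            return attempts, received
        now += retry_interval              # sender got a 450 and retries later


if __name__ == "__main__":
    # 100 kB message, 30 minute greylist delay; polite vs. misbehaving sender.
    for label, interval in (("retry every 60 s", 60), ("retry every 1 s", 1)):
        for stage in ("RCPT", "DATA"):
            attempts, received = simulate(stage, 100_000, interval, 1800)
            print(f"{label:17} {stage}: {attempts} attempts, {received} bytes")
```
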