Milter-greylist

On 2014-02-28 16:59, Bruncsak, Attila wrote:
> On the other hand it isn't very expensive to have
> the milter-greylist always hooked in
> and at the top of the RACL and DACL list
> to have a whitelist statement
> with the appropriate condition.

In fact, it is expensive :) Not too much, but still: we
now use p0f fingerprinting, and the daemon was configured
to exclude the LAN subnets. Presence of "p0fsock" keyword
in greylist.conf currently causes the p0f client to request
the information from the daemon, regardless of presence of
any p0f ACLs. This causes delays while the milter retries
the requests for the case that p0f might come up with a
result a bit later than the first query (per my recent
patch, I'm not sure if Manu integrated it into the common
repository).

Also, if we choose to tempfail or reject in case of milter
unavailability, this is okay for messages incoming from the
internet, but not okay for generation of messages from the
LAN (some hardware monitoring etc. submits mails to the
same relays as mailhosts).

So skipping the milter for LAN sources altogether would be
preferred for at least a couple of good reasons :) And the
LAN for this case might be defined as the hosts allowed to
relay per sendmail's access database configuration. Gotta
read up on macros, I guess...

//Jim