Yahoo Groups archive

Milter-greylist

"max" setting for the number of ACL's in greylist.conf?

2006-08-30 by Michael Osten

Is there a "max" setting for the number of ACL's in greylist.conf?  I  
run a very busy site and we currently have over 6k whitelist ACL's.   
I am seeing ACL's be ignored that are close to the bottom of the list.
--
Michael Osten

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by Emmanuel Dreyfus

On Wed, Aug 30, 2006 at 09:15:09AM -0500, Michael Osten wrote:
> Is there a "max" setting for the number of ACL's in greylist.conf?  I  
> run a very busy site and we currently have over 6k whitelist ACL's.   
> I am seeing ACL's be ignored that are close to the bottom of the list.

There is no hardwired limit.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by eclark

At the risk of sounding stupid, if you have 6000 exceptions to your greylist, 
it does not seem to me that greylisting is really in your best interests. We 
get something on the order of 2 million messages a day for a paltry 2000 
users, and have only 32 rules total, which includes our internal 
whitelisting. What kind of rules are you using to pad out your acls that 
large?
On Wednesday 30 August 2006 10:33 am, Emmanuel Dreyfus wrote:
> On Wed, Aug 30, 2006 at 09:15:09AM -0500, Michael Osten wrote:
> > Is there a "max" setting for the number of ACL's in greylist.conf?  I
> > run a very busy site and we currently have over 6k whitelist ACL's.
> > I am seeing ACL's be ignored that are close to the bottom of the list.
>
> There is no hardwired limit.

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by Emmanuel Dreyfus

On Wed, Aug 30, 2006 at 10:40:51AM -0400, eclark wrote:
> At the risk of sounding stupid, if you have 6000 exceptions to your greylist, 
> it does not seem to me that greylisting is really in your best interests. We 
> get something on the order of 2 million messages a day for a paltry 2000 
> users, and have only 32 rules total, which includes our internal 
> whitelisting. What kind of rules are you using to pad out your acls that 
> large?

My greylist.conf has 2500 lines. I have 3 levels of filtering, with 
various delays and DNSRBL usage. The config file contains the list of 
users for each of the levels.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by eclark

How much mail are you processing? From what we have seen using this, even half 
as many rules (and use of dnsrbl at all) would have taken the greylist down 
within minutes (please refer to max children issue submitted this month). 
That's us running at 2250 messages a second, so maybe our environment isn't a 
very realistic comparison.
On Wednesday 30 August 2006 10:48 am, Emmanuel Dreyfus wrote:
> My greylist.conf has 2500 lines. I have 3 levels of filtering, with
> various delays and DNSRBL usage.

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by Michael Osten

On Aug 30, 2006, at 9:40 AM, eclark wrote:

> At the risk of sounding stupid, if you have 6000 exceptions to your  
> greylist,
> it does not seem to me that greylisting is really in your best  
> interests. We
> get something on the order of 2 million messages a day for a paltry  
> 2000
> users, and have only 32 rules total, which includes our internal
> whitelisting. What kind of rules are you using to pad out your acls  
> that
> large?
>
> On Wednesday 30 August 2006 10:33 am, Emmanuel Dreyfus wrote:
>> On Wed, Aug 30, 2006 at 09:15:09AM -0500, Michael Osten wrote:
>>> Is there a "max" setting for the number of ACL's in  
>>> greylist.conf?  I
>>> run a very busy site and we currently have over 6k whitelist ACL's.
>>> I am seeing ACL's be ignored that are close to the bottom of the  
>>> list.
>>
>> There is no hardwired limit.

In excess of 8+ million messages a day.  The problem with greylisting  
for us is that there are large amounts of broken MTA's out there  
(groupwise, misconfigured Postfix, Postini, yahoo groups) that we  
really can't just not take mail from (because they do not respect  
temp errors).
--
Michael Osten

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by Michael Osten

On Aug 30, 2006, at 9:56 AM, eclark wrote:

> How much mail are you processing? From what we have seen using  
> this, even half
> as many rules (and use of dnsrbl at all) would have taken the  
> greylist down
> within minutes (please refer to max children issue submitted this  
> month).
> That's us running at 2250 messages a second, so maybe our  
> environment isn't a
> very realistic comparison.


We're not doing 2250 messages a second :).  We also use commercial  
and internal RBL's.
--
Michael Osten

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by manu@netbsd.org

eclark <eclark@...> wrote:

> How much mail are you processing? From what we have seen using this, even half
> as many rules (and use of dnsrbl at all) would have taken the greylist down
> within minutes (please refer to max children issue submitted this month).
> That's us running at 2250 messages a second, so maybe our environment isn't a
> very realistic comparison.

Yes, you have many more messages per second than I do. However, the big
ACL just means that you need enough CPU power to walk the ACL. And you
can share the load by having multiple MX. 

But it seems your problem is more a thread limit from the OS than CPU
being too slow. That's OS specific, and that's why I could not answer. I
guess the only answer I have is that sharing the load on multiple MX
will solve your problem.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] "max" setting for the number of ACL's in greylist.conf?

2006-08-30 by manu@netbsd.org

Michael Osten <mosten@...> wrote:

> In excess of 8+ million messages a day.  The problem with greylisting
> for us is that there are large amounts of broken MTA's out there  
> (groupwise, misconfigured Postfix, Postini, yahoo groups) that we  
> really can't just not take mail from (because they do not respect  
> temp errors).

Maybe it's time to use a DNSRBL of broken MTAs that are legitimate
senders? Such a source could be used as a whitelist source. Does it
already exist, or should we start doing it?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
