Stuart Henderson wrote:
>
> They are broken then... Workaround: use different mailer instances on
> different IP addresses for incoming and outgoing mail (this is often a
> good idea anyway).

This workaround only works if the checker connects to your MX, not to the host sending the mail. I know they are somewhat broken, but there is no point in contacting the sender domain server if you want to check for an open relay, as the From header is more than likely a fake.

Also, MS Exchange servers don't like 4xx errors at DATA time and may forbid the mail from being delivered until the Exchange instance is restarted. I know this is also a bug in Exchange, but many people use it.

>> As a secondary effect, sender callouts made from a remote server will
>> also be accepted
>
> that's exactly why it changed from rejecting at rcpt to: stage.
> http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/libexec/spamd/spamd.c#rev1.85
>

Yes, but that means callouts that should not succeed will (at least the first time). I know no scheme is perfect, so the point is it could be handy to have a flag to determine when the mail should be greylisted and let people choose.