On 2007/05/22 15:50, Renaud Allard wrote:
> Stuart Henderson wrote:
> > 
> > They are broken then... Workaround: use different mailer instances on
> > different IP addresses for incoming and outgoing mail (this is often a
> > good idea anyway).
> 
> This workaround only works if the checker connects to your MX, not to
> the host sending the mail. I know they are somewhat broken but there is
> no point in contacting the sender domain server if you want to check for
> an openrelay as the from header is more than likely a fake.

You wouldn't need spamd on the address of a send-only instance.
(if mail's only submitted on 587/465 or from known address ranges, it
could just RST port 25 to the rest of the world).

> Also, MS exchange servers don't like 4xx errors at DATA time and may
> forbid the mail from being delivered until the exchange instance is
> restarted. I know this is also a bug in Exchange, but many people use it.

Yeuch... I didn't know about that. Found it here (needs user-agent:
googlebot) - http://www.windowsitpro.com/Article/ArticleID/95332/95332.html

   When Exchange 2003 sends a message to a server using greylisting,
   it gets back a 4xx "try again later" code. Instead of waiting a
   reasonable interval, Exchange tries again after only a few
   seconds. This attempt generally fails too, and Exchange doesn't
   try again.

   ... The message isn't delivered, and it doesn't appear in any
   queues.  Exchange won't try to redeliver it again until you
   restart the SMTP service. The message just disappears, except
   from the sender's Sent Items folder.

> > that's exactly why it changed from rejecting at rcpt to: stage.
> > http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/libexec/spamd/spamd.c#rev1.85
> 
> Yes, but that means callouts that should not succeed will (at least the
> first time).

Unless you teach spamd the valid usernames, the alternative is to have
*no* callout succeeding unless the sender is already grey/whitelisted.

Either way, that doesn't help the MSexchange problem, and callout is
broken by design anyway (DoS problem); it's not worth burning extra cpu
cycles to help people who continue to use it.

> I know no scheme is perfect, so the point is it could be handy to have a
> flag to determine when the mail should be greylisted and let people choose.

How about: --i-dont-want-to-receive-mail-from-people-using-exchange-2003
and --i-dont-want-to-receive-mail-from-people-using-callout-verification

I think a better solution would be for *more* people to use greylisting
implementations which do this, so that more MSexchange users will either
bother Microsoft to fix their bug, or script 'net stop smtpsvc;net start
smtpsvc' to run a few times a day so they can send mail to others too.

You can always revert r1.85 manually and recompile if you need...
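Added illustration, not part of the thread: a constructed Python model of the two greylisting policies discussed above (tempfail at RCPT TO versus tempfail at DATA, the r1.85 change), run against three clients: a sender-address callout that QUITs after RCPT TO, a compliant MTA that retries after the grey window, and an Exchange-2003-style client that retries a few seconds later and then gives up. The window length, addresses and class names are assumptions, not spamd's.

```python
from dataclasses import dataclass, field

GREY_WINDOW = 300  # seconds before a tempfailed tuple is whitelisted (assumed, not spamd's value)


@dataclass
class Greylister:
    """Constructed model of greylisting; reject_at selects the stage that returns 451."""
    reject_at: str = "DATA"                     # "RCPT" (pre-r1.85 behaviour) or "DATA"
    grey: dict = field(default_factory=dict)    # (ip, sender, rcpt) -> first-seen time
    white: set = field(default_factory=set)

    def _tempfail(self, key, now):
        # First sight of a tuple: record it and tempfail. Retries inside the window
        # are tempfailed again; a retry after the window whitelists the tuple.
        if key in self.white:
            return False
        first = self.grey.setdefault(key, now)
        if now - first < GREY_WINDOW:
            return True
        self.white.add(key)
        del self.grey[key]
        return False

    def session(self, ip, sender, rcpt, send_data, now):
        """One SMTP session; returns the reply code to the last command the client sent."""
        key = (ip, sender, rcpt)
        if self.reject_at == "RCPT" and self._tempfail(key, now):
            return 451                      # tempfailed at RCPT TO
        if not send_data:
            return 250                      # callout: QUITs after RCPT, never reaches DATA
        if self.reject_at == "DATA" and self._tempfail(key, now):
            return 451                      # tempfailed after DATA
        return 250                          # message accepted


def compare_clients(mode):
    """Three client behaviours against one greylisting mode; all inputs are constructed."""
    src, mail, rcpt = "192.0.2.10", "alice@example.org", "bob@example.net"
    # Sender callout: HELO, MAIL FROM, RCPT TO, QUIT. Only its RCPT reply matters.
    callout = Greylister(mode).session(src, mail, rcpt, False, 0)
    # Compliant MTA: first delivery attempt, then a retry after the grey window.
    g = Greylister(mode)
    compliant = (g.session(src, mail, rcpt, True, 0),
                 g.session(src, mail, rcpt, True, GREY_WINDOW + 60))
    # Exchange-2003-style client: retries after a few seconds, then never again.
    g = Greylister(mode)
    impatient = (g.session(src, mail, rcpt, True, 0),
                 g.session(src, mail, rcpt, True, 5))
    return {"callout": callout, "compliant": compliant, "impatient": impatient}
```

With DATA-stage rejection the callout gets 250 at RCPT TO and so "succeeds", which is Renaud's objection; in both modes the impatient client is tempfailed twice and the message is never delivered, which is the Exchange problem neither mode fixes.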
