Bob Beck wrote: > >> just deduced from trial and error. Also greylisting should happen at >> RCPT TO, and probably not at DATA as there are some widely used MTAs >> that are buggy and choke when a 4xx error is sent in the DATA phase. > > I've been running this at DATA for months, and not seen any > issues with it. > > anyone here got hard evidence of such bugs - please show > me. Or is this just uninformed speculation?
I got issues with both Mdaemon (multiple versions treating 4xx errors at DATA as permanent errors) and with 3 servers running MS exchange 2003 (hiding messages from the queue and not retrying them until the service was restarted). I must admit it is quite hard to prove it as it is very hard to notice, especially in the MS case as mails are not shown anymore in the queue and exchange is not known for having some kind of useful logs. Also, it is not always easy to get someone on the other side of the phone and ask them to do some tests on their server when you are not managing it and while they think *you* have problems, not them as they don't have anything in their queue. If you really wish some hard proof, I will have to install an MS exchange server, although, as I said, exchange hides the mail in the queue and doesn't log the failure, so I don't know what you would be able to see. I manage about 30 mail servers, all using greylisting for years (not OpenBSD spamd, but a version running in the MTA). But as I greylist at RCPT TO, I only noticed the problem it when clamav did go down and the server was producing a 4xx error at DATA when it should have scanned the mail. Also, as an idea, I found it quite useful to whitelist only with a triplet (from, to, IP), and not just the IP. Why? Because some people are behind a firewall which allows them to go out with the same IP as their mail server (yes, IPs are expensive in Europe), so windows spamware is going out with the same IP than their mailserver and so bypasses the filter. [demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
