DevHeads.net

Greylisting?

I  was just taking a look through my postfix configuration and noticed
that I have a "check_policy_service" for postgrey a greylisting service.

I greylisting still considered worthwhile or should I drop it?

TIA

John A

Comments

Re: Greylisting?

By John at 03/13/2018 - 08:15

Thanks.

On 2018-03-11 10:39 PM, john wrote:

Re: Greylisting?

By LuKreme at 03/12/2018 - 07:40

On 2018-03-11 (20:39 MDT), john < ... at klam dot ca> wrote:
It is not worthwhile because two many mailers will use different servers to send mail, which will hit the greylist all over again. This means a lot of maintenance for those (and we're talking mailers like google, amazon, PayPal, fleabay, etc).

Also, there is very little upside.

I used it years ago and found it too burdensome.

Re: Greylisting?

By LuKreme at 03/12/2018 - 07:43

On 2018-03-12 (06:40 MDT), "@lbutlr" < ... at kreme dot com> wrote:
One other thing, some (idiot) companies, especially banks, will only sent an email once and treat any temporary failure as a rejection/bounce.

Re: Greylisting?

By allenc at 03/12/2018 - 04:59

Late last year I tried the Postscreen "deep protocol tests" as a
primitive form of greylisting; It was a high-maintenance exercise for
minimal benefit and I have since stopped using it.

Google and the like, use a different mail server for each connect
attempt. You need an actively maintained whitelist to bypass the
grey-list process.

Also, (in my case) I was plagued by Ukrainian spamming mail servers;
they just retried and got through.

The experiment DID stop a few zombies, but not many.

Allen C

On 12/03/18 02:39, john wrote:

Re: Greylisting?

By dev rob0 at 03/12/2018 - 09:03

On Mon, Mar 12, 2018 at 09:59:27AM +0000, Allen Coates wrote:
Postfix 2.11+ (which is to say, all supported versions of Postfix at
this time) supports DNS whitelists via
postscreen_dnsbl_whitelist_threshold, and this is a very good and
low-maintenance solution to that problem. Large senders such as
Google are all listed at dnswl.org. What few smaller senders you
encounter typically retry from the same IP address.

We get the potential benefit of greylisting without much pain.

Of course. The only potential benefit of greylisting a real MTA is
that DNSBLs might have listed a spamming one by the time it retries
delivery.

Every little bit helps, in such a hostile protocol as SMTP.

Re: Greylisting?

By Matus UHLAR - f... at 03/12/2018 - 06:12

On 12.03.18 09:59, Allen Coates wrote:
I use postscreen's pre-220 tests as primitive form of greylisting.
I have removed the former (real) greylisting when switching to postscreen.

I didn't want to risk remporaty rejection that must happen with deep
protocol tests and any problems resulting from that.

while it's of course advisable to use whitelists for caces like google and
hotmail, it's usually not necessary with pre-220 tests.

you will of course need whitelisting when communicating with other broken
server, but that applies to any type of mail rejection or spam detection.

this (and the above) applies to all types of greylistings.
they are designed to get rid of spambots, not of spam sent through real mail
servers.