Greylisting?

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Greylisting?

John Allen
I  was just taking a look through my postfix configuration and noticed
that I have a "check_policy_service" for postgrey a greylisting service.

I greylisting still considered worthwhile or should I drop it?

TIA

John A


Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

allenc
Late last year I tried the Postscreen "deep protocol tests" as a
primitive form of greylisting; It was a high-maintenance exercise for
minimal benefit and I have since stopped using it.

Google and the like, use a different mail server for each connect
attempt.  You need an actively maintained whitelist to bypass the
grey-list process.

Also, (in my case) I was plagued by Ukrainian spamming mail servers;
they just retried and got through.

The experiment DID stop a few zombies, but not many.

Allen C



On 12/03/18 02:39, john wrote:

> I  was just taking a look through my postfix configuration and noticed
> that I have a "check_policy_service" for postgrey a greylisting service.
>
> I greylisting still considered worthwhile or should I drop it?
>
> TIA
>
> John A
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

Matus UHLAR - fantomas
>The experiment DID stop a few zombies, but not many.
>On 12/03/18 02:39, john wrote:
>> I  was just taking a look through my postfix configuration and noticed
>> that I have a "check_policy_service" for postgrey a greylisting service.
>>
>> I greylisting still considered worthwhile or should I drop it?

On 12.03.18 09:59, Allen Coates wrote:
>Late last year I tried the Postscreen "deep protocol tests" as a
>primitive form of greylisting; It was a high-maintenance exercise for
>minimal benefit and I have since stopped using it.

I use postscreen's pre-220 tests as primitive form of greylisting.
I have removed the former (real) greylisting when switching to postscreen.

I didn't want to risk remporaty rejection that must happen with deep
protocol tests and any problems resulting from that.

>Google and the like, use a different mail server for each connect
>attempt.  You need an actively maintained whitelist to bypass the
>grey-list process.

while it's of course advisable to use whitelists for caces like google and
hotmail, it's usually not necessary with pre-220 tests.

you will of course need whitelisting when communicating with other broken
server, but that applies to any type of mail rejection or spam detection.

>Also, (in my case) I was plagued by Ukrainian spamming mail servers;
>they just retried and got through.

this (and the above) applies to all types of greylistings.
they are designed to get rid of spambots, not of spam sent through real mail
servers.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

@lbutlr
In reply to this post by John Allen
On 2018-03-11 (20:39 MDT), john <[hidden email]> wrote:
>
> I greylisting still considered worthwhile or should I drop it?

It is not worthwhile because two many mailers will use different servers to send mail, which will hit the greylist all over again. This means a lot of maintenance for those (and we're talking mailers like google, amazon, PayPal, fleabay, etc).

Also, there is very little upside.

I used it years ago and found it too burdensome.

--
Man is born free, but is everywhere in chains.
Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

@lbutlr
On 2018-03-12 (06:40 MDT), "@lbutlr" <[hidden email]> wrote:
>
> It is not worthwhile because two many mailers will use different servers to send mail, which will hit the greylist all over again. This means a lot of maintenance for those (and we're talking mailers like google, amazon, PayPal, fleabay, etc).

One other thing, some (idiot) companies, especially banks, will only sent an email once and treat any temporary failure as a rejection/bounce.

--
Women like silent men, they think they're listening.

Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

/dev/rob0
In reply to this post by allenc
On Mon, Mar 12, 2018 at 09:59:27AM +0000, Allen Coates wrote:
> Late last year I tried the Postscreen "deep protocol tests" as a
> primitive form of greylisting; It was a high-maintenance exercise
> for minimal benefit and I have since stopped using it.
>
> Google and the like, use a different mail server for each connect
> attempt.  You need an actively maintained whitelist to bypass the
> grey-list process.

Postfix 2.11+ (which is to say, all supported versions of Postfix at
this time) supports DNS whitelists via
postscreen_dnsbl_whitelist_threshold, and this is a very good and
low-maintenance solution to that problem.  Large senders such as
Google are all listed at dnswl.org.  What few smaller senders you
encounter typically retry from the same IP address.

We get the potential benefit of greylisting without much pain.

> Also, (in my case) I was plagued by Ukrainian spamming mail
> servers; they just retried and got through.

Of course.  The only potential benefit of greylisting a real MTA is
that DNSBLs might have listed a spamming one by the time it retries
delivery.

> The experiment DID stop a few zombies, but not many.

Every little bit helps, in such a hostile protocol as SMTP.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Reply | Threaded
Open this post in threaded view
|

Re: Greylisting?

John Allen
In reply to this post by John Allen
Thanks.


On 2018-03-11 10:39 PM, john wrote:

> I  was just taking a look through my postfix configuration and noticed
> that I have a "check_policy_service" for postgrey a greylisting service.
>
> I greylisting still considered worthwhile or should I drop it?
>
> TIA
>
> John A
>
>