greylisting generates error email?

classic Classic list List threaded Threaded
28 messages Options
12
Reply | Threaded
Open this post in threaded view
|

greylisting generates error email?

Grant-4
A few people have told me they received an email error message after emailing me.  I'm trying to get a copy of one of the error emails, but I can't imagine what would cause that besides possibly my greylisting.  Has greylisting been known to lead to email error messages being sent to senders in some instances?

How is greylisting set up in postfix now?  I know I used to use postgrey but then I remember some sort of change.  I can see that I have postgrey installed but the service is not running.  I checked main.cf and master.cf but I can't figure out how it's implemented now.

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

James Griffin-2
!-- On Wed 14.Aug'13 at 11:23:11 BST, Grant ([hidden email]), wrote:

> A few people have told me they received an email error message after
> emailing me.  I'm trying to get a copy of one of the error emails, but I
> can't imagine what would cause that besides possibly my greylisting.  Has
> greylisting been known to lead to email error messages being sent to
> senders in some instances?
>
> How is greylisting set up in postfix now?  I know I used to use postgrey
> but then I remember some sort of change.  I can see that I have postgrey
> installed but the service is not running.  I checked main.cf and
> master.cfbut I can't figure out how it's implemented now.
>
> - Grant

I would imagine the log file and your configuration settings (postconf
-n) would yield some useful information.

--


James Griffin: jmz at kontrol.kode5.net

A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Noel Jones-2
In reply to this post by Grant-4
On 8/14/2013 5:23 AM, Grant wrote:
> A few people have told me they received an email error message after
> emailing me.  I'm trying to get a copy of one of the error emails,
> but I can't imagine what would cause that besides possibly my
> greylisting.  Has greylisting been known to lead to email error
> messages being sent to senders in some instances?

The sender may receive an error if their server has an unusual
setup. Such servers must be whitelisted in your greylist software.

Of course, there are a number of other errors the sender might get
that have nothing to do with greylisting.

You really need to see the error before you start trying to fix things.

One place to start is search your mail log for errors relating to
the sender's email address and/or their server.


>
> How is greylisting set up in postfix now?  I know I used to use
> postgrey but then I remember some sort of change.  I can see that I
> have postgrey installed but the service is not running.  I checked
> main.cf <http://main.cf> and master.cf <http://master.cf> but I
> can't figure out how it's implemented now.

Postfix has no "default" greylist, and there are several that are in
widespread use.  Look in your "postconf -n" for a
check_policy_service entry, then find that service in master.cf. Or
some folks use a milter defined in smtpd_milters for greylisting.

If you need more help, you'll need to provide "postconf -n" output,
master.cf contents, and any associated log entries.

http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

/dev/rob0
In reply to this post by Grant-4
On Wed, Aug 14, 2013 at 03:23:11AM -0700, Grant wrote:
> A few people have told me they received an email error message
> after emailing me.  I'm trying to get a copy of one of the error
> emails, but I can't imagine what would cause that besides possibly
> my greylisting.  Has greylisting been known to lead to email error
> messages being sent to senders in some instances?

In Postfix, see delay_warning_time: "To enable this feature, specify
a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit)."

delay_warning_time is disabled by default, but might cause the
confusion you are describing. Sendmail and other MTAs have similar
features. I think Sendmail's might be enabled by default at 4 hours.

http://www.postfix.org/postconf.5.html#delay_warning_time

It's not unheard of for greylisting to cause delays in excess of 4
hours, especially for senders from large providers like Gmail. Gmail
hands off deferred mail to an outbound farm which always tries from
different IP addresses, thus meaning more delay with each unknown IP
address.

> How is greylisting set up in postfix now?

I won't repeat the other replies you got about policy services, but
I'll mention that postscreen(8) can provide most of the pain and
benefits of greylisting, by enabling the after-220 ("deep protocol")
tests.

http://www.postfix.org/POSTSCREEN_README.html
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
In reply to this post by Noel Jones-2
>> A few people have told me they received an email error message after
>> emailing me.  I'm trying to get a copy of one of the error emails,
>> but I can't imagine what would cause that besides possibly my
>> greylisting.  Has greylisting been known to lead to email error
>> messages being sent to senders in some instances?
>
> The sender may receive an error if their server has an unusual
> setup. Such servers must be whitelisted in your greylist software.

The last sender who told me about the error message was on a
comcast.net address.  I found this which describes the same problem
with greylisting and comcast addresses but the solution turned out to
be fixing the MX record:

https://discussions.apple.com/thread/3030480?start=0&tstart=0

My DNS is hosted by my domain name registrar and the MX record looks
like this (but with my real domain):

Host Name: example.com
Mailserver Host Name: example.com
Mail Type: MX
MX Pref: 10
TTL: 1800

Does it look OK?

> One place to start is search your mail log for errors relating to
> the sender's email address and/or their server.

I grep'ed my mail logs for the email address in question and I don't
see anything that looks like an error.

>> How is greylisting set up in postfix now?  I know I used to use
>> postgrey but then I remember some sort of change.  I can see that I
>> have postgrey installed but the service is not running.  I checked
>> main.cf <http://main.cf> and master.cf <http://master.cf> but I
>> can't figure out how it's implemented now.
>
> Postfix has no "default" greylist, and there are several that are in
> widespread use.  Look in your "postconf -n" for a
> check_policy_service entry, then find that service in master.cf. Or
> some folks use a milter defined in smtpd_milters for greylisting.

It turns out I'm using postscreen with deep protocol checks:

smtp      inet  n       -       n       -       1       postscreen

postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
In reply to this post by /dev/rob0
>> A few people have told me they received an email error message
>> after emailing me.  I'm trying to get a copy of one of the error
>> emails, but I can't imagine what would cause that besides possibly
>> my greylisting.  Has greylisting been known to lead to email error
>> messages being sent to senders in some instances?
>
> delay_warning_time is disabled by default, but might cause the
> confusion you are describing. Sendmail and other MTAs have similar
> features. I think Sendmail's might be enabled by default at 4 hours.
>
> http://www.postfix.org/postconf.5.html#delay_warning_time

I checked but that directive doesn't appear in my config.

> It's not unheard of for greylisting to cause delays in excess of 4
> hours, especially for senders from large providers like Gmail. Gmail
> hands off deferred mail to an outbound farm which always tries from
> different IP addresses, thus meaning more delay with each unknown IP
> address.
>
>> How is greylisting set up in postfix now?
>
> I won't repeat the other replies you got about policy services, but
> I'll mention that postscreen(8) can provide most of the pain and
> benefits of greylisting, by enabling the after-220 ("deep protocol")
> tests.

You were right, I'm using postscreen and deep protocol checks.

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Charles Marcus
On 2013-08-14 11:24 AM, Grant [hidden email] wrote:
You were right, I'm using postscreen and deep protocol checks.

Turn them off (did you read the warnings associated with enabling them?)...

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Noel Jones-2
In reply to this post by Grant-4
On 8/14/2013 10:21 AM, Grant wrote:

>>> A few people have told me they received an email error message after
>>> emailing me.  I'm trying to get a copy of one of the error emails,
>>> but I can't imagine what would cause that besides possibly my
>>> greylisting.  Has greylisting been known to lead to email error
>>> messages being sent to senders in some instances?
>>
>> The sender may receive an error if their server has an unusual
>> setup. Such servers must be whitelisted in your greylist software.
>
> The last sender who told me about the error message was on a
> comcast.net address.  I found this which describes the same problem
> with greylisting and comcast addresses but the solution turned out to
> be fixing the MX record:
>
> https://discussions.apple.com/thread/3030480?start=0&tstart=0

Nothing described in that posting indicates a problem with the MX
record. Either the poster didn't describe the problem he found and
fixed, or didn't understand the problem (the rDNS problem that was
described is not a problem for receiving mail, but might affect
sending).

Comcast (nor any major provider) should be greylisted.  Any
reasonable greylist software should have a setting to whitelist
well-known mail servers.

>
> My DNS is hosted by my domain name registrar and the MX record looks
> like this (but with my real domain):
>
> Host Name: example.com
> Mailserver Host Name: example.com
> Mail Type: MX
> MX Pref: 10
> TTL: 1800
>
> Does it look OK?

Yes, this is fine, and not the source of any problems.


> It turns out I'm using postscreen with deep protocol checks:

Postscreen will defer one mail once every 30 days per unique client IP.

If that's not acceptable, turn off postscreen deep protocol checks
or whitelist known good servers (from domain SPF records?) in the
postscreen access list.


Postfix 2.11 (currently in development snapshots) includes a
wonderful feature to bypass postscreen tests for clients listed in
dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
tests.


  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
>>>> A few people have told me they received an email error message after
>>>> emailing me.  I'm trying to get a copy of one of the error emails,
>>>> but I can't imagine what would cause that besides possibly my
>>>> greylisting.  Has greylisting been known to lead to email error
>>>> messages being sent to senders in some instances?
>>>
>>> The sender may receive an error if their server has an unusual
>>> setup. Such servers must be whitelisted in your greylist software.
>>
>> The last sender who told me about the error message was on a
>> comcast.net address.
>
> Comcast (nor any major provider) should be greylisted.  Any
> reasonable greylist software should have a setting to whitelist
> well-known mail servers.

So I'm sure I understand, well-known mail servers should be whitelisted?

>> It turns out I'm using postscreen with deep protocol checks:
>
> Postscreen will defer one mail once every 30 days per unique client IP.
>
> If that's not acceptable, turn off postscreen deep protocol checks
> or whitelist known good servers (from domain SPF records?) in the
> postscreen access list.

The deep protocol checks have eliminated most of the spam from my
inbox so I'd like to keep them in place.

> Postfix 2.11 (currently in development snapshots) includes a
> wonderful feature to bypass postscreen tests for clients listed in
> dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
> tests.

I'm actually using postfix-2.11_pre20130710.  Can you point me in the
right direction for setting up the DNS whitelist interaction?  Should
that (for example) prevent comcast.net users from receiving 450 error
email notices?

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Noel Jones-2
On 8/15/2013 2:30 AM, Grant wrote:

>>>>> A few people have told me they received an email error message after
>>>>> emailing me.  I'm trying to get a copy of one of the error emails,
>>>>> but I can't imagine what would cause that besides possibly my
>>>>> greylisting.  Has greylisting been known to lead to email error
>>>>> messages being sent to senders in some instances?
>>>>
>>>> The sender may receive an error if their server has an unusual
>>>> setup. Such servers must be whitelisted in your greylist software.
>>>
>>> The last sender who told me about the error message was on a
>>> comcast.net address.
>>
>> Comcast (nor any major provider) should be greylisted.  Any
>> reasonable greylist software should have a setting to whitelist
>> well-known mail servers.
>
> So I'm sure I understand, well-known mail servers should be whitelisted?

well-known mail servers should be whitelisted in greylist software.
 You can ignore this with postscreen and postfix 2.11+.


>> Postfix 2.11 (currently in development snapshots) includes a
>> wonderful feature to bypass postscreen tests for clients listed in
>> dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
>> tests.
>
> I'm actually using postfix-2.11_pre20130710.  Can you point me in the
> right direction for setting up the DNS whitelist interaction?  Should
> that (for example) prevent comcast.net users from receiving 450 error
> email notices?

Excellent!

Use a dns white list with a negative score in the
postscreen_dnsbl_sites, and set a negative value for
postscreen_dnsbl_whitelist_threshold.  Simple example:
# main.cf
postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1

See the RELEASE_NOTES and POSTSCREEN_README for details.


  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

@lbutlr
In reply to this post by Grant-4

On 15 Aug 2013, at 01:30 , Grant <[hidden email]> wrote:

>>>>> A few people have told me they received an email error message after
>>>>> emailing me.  I'm trying to get a copy of one of the error emails,
>>>>> but I can't imagine what would cause that besides possibly my
>>>>> greylisting.  Has greylisting been known to lead to email error
>>>>> messages being sent to senders in some instances?
>>>>
>>>> The sender may receive an error if their server has an unusual
>>>> setup. Such servers must be whitelisted in your greylist software.
>>>
>>> The last sender who told me about the error message was on a
>>> comcast.net address.
>>
>> Comcast (nor any major provider) should be greylisted.  Any
>> reasonable greylist software should have a setting to whitelist
>> well-known mail servers.
>
> So I'm sure I understand, well-known mail servers should be whitelisted?

No known mailer should ever hit your greylist. Think about it, what is the greylist food? It's not to stop Google or comcast sending you mail. You know those are legitimate mailers and they will retry, so what are you accomplishing?

You use a greylist (though I recommend you don't) so try to stem the flow of botnets sending spam. They don't come back and retry, so greylisting is effective.


>>> It turns out I'm using postscreen with deep protocol checks:
>>
>> Postscreen will defer one mail once every 30 days per unique client IP.
>>
>> If that's not acceptable, turn off postscreen deep protocol checks
>> or whitelist known good servers (from domain SPF records?) in the
>> postscreen access list.
>
> The deep protocol checks have eliminated most of the spam from my
> inbox so I'd like to keep them in place.

Yes, but the key up there is "per unique IP". So, let's say that google has 4,000 mail servers. You could potentially hit all of them. If you are a low-traffic site, you will be deferring google mail all the time, and that may not be good because let's say you need an email and it comes from machine 1, and is retried by machine 211 and then retried by machine 3855. And you defer it every time.

>
>> Postfix 2.11 (currently in development snapshots) includes a
>> wonderful feature to bypass postscreen tests for clients listed in
>> dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
>> tests.

And there was much rejoicing. \O/


--
I WILL NOT SCREAM FOR ICE CREAM Bart chalkboard Ep. AABF03

Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
In reply to this post by Noel Jones-2
>>> Postfix 2.11 (currently in development snapshots) includes a
>>> wonderful feature to bypass postscreen tests for clients listed in
>>> dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
>>> tests.
>>
>> I'm actually using postfix-2.11_pre20130710.  Can you point me in the
>> right direction for setting up the DNS whitelist interaction?  Should
>> that (for example) prevent comcast.net users from receiving 450 error
>> email notices?
>
> Excellent!
>
> Use a dns white list with a negative score in the
> postscreen_dnsbl_sites, and set a negative value for
> postscreen_dnsbl_whitelist_threshold.  Simple example:
> # main.cf
> postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
> postscreen_dnsbl_whitelist_threshold = -1

I've added the following to main.cf:

postscreen_dnsbl_sites = list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1

Thank you for your help!

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
In reply to this post by @lbutlr
>> So I'm sure I understand, well-known mail servers should be whitelisted?
>
> No known mailer should ever hit your greylist. Think about it, what is the greylist food? It's not to stop Google or comcast sending you mail. You know those are legitimate mailers and they will retry, so what are you accomplishing?

That makes perfect sense.

> You use a greylist (though I recommend you don't) so try to stem the flow of botnets sending spam. They don't come back and retry, so greylisting is effective.

You don't recommend it for the reason you state below?

>> The deep protocol checks have eliminated most of the spam from my
>> inbox so I'd like to keep them in place.
>
> Yes, but the key up there is "per unique IP". So, let's say that google has 4,000 mail servers. You could potentially hit all of them. If you are a low-traffic site, you will be deferring google mail all the time, and that may not be good because let's say you need an email and it comes from machine 1, and is retried by machine 211 and then retried by machine 3855. And you defer it every time.
>>
>>> Postfix 2.11 (currently in development snapshots) includes a
>>> wonderful feature to bypass postscreen tests for clients listed in
>>> dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
>>> tests.
>
> And there was much rejoicing. \O/

If I understand correctly, this will completely eliminate the problem
you described above?

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Noel Jones-2
In reply to this post by Grant-4
On 8/16/2013 1:29 AM, Grant wrote:

>> Use a dns white list with a negative score in the
>> postscreen_dnsbl_sites, and set a negative value for
>> postscreen_dnsbl_whitelist_threshold.  Simple example:
>> # main.cf
>> postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
>> postscreen_dnsbl_whitelist_threshold = -1
>
> I've added the following to main.cf:
>
> postscreen_dnsbl_sites = list.dnswl.org*-1
> postscreen_dnsbl_whitelist_threshold = -1
>
> Thank you for your help!
>
> - Grant
>


Yes, that should whitelist known good sites from deep inspection,
certainly all the big mailers such as google, yahoo, comcast, etc.

However, I wonder why you don't have any dns blacklists such as
zen.spamhaus.org defined there.  The ability of postscreen to reject
known bad sites without using precious smtpd processes is one of its
key features.


  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
>>> Use a dns white list with a negative score in the
>>> postscreen_dnsbl_sites, and set a negative value for
>>> postscreen_dnsbl_whitelist_threshold.  Simple example:
>>> # main.cf
>>> postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
>>> postscreen_dnsbl_whitelist_threshold = -1
>>
>> I've added the following to main.cf:
>>
>> postscreen_dnsbl_sites = list.dnswl.org*-1
>> postscreen_dnsbl_whitelist_threshold = -1
>>
>> Thank you for your help!
>
> Yes, that should whitelist known good sites from deep inspection,
> certainly all the big mailers such as google, yahoo, comcast, etc.
>
> However, I wonder why you don't have any dns blacklists such as
> zen.spamhaus.org defined there.  The ability of postscreen to reject
> known bad sites without using precious smtpd processes is one of its
> key features.

I would just rather have a false negative than a false positive.  I
get a pretty small amount of spam at this point so I don't think
reducing it further is worth increasing the chances of a false
positive.

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Charles Marcus
On 2013-08-16 9:13 AM, Grant [hidden email] wrote:
Yes, that should whitelist known good sites from deep inspection,
certainly all the big mailers such as google, yahoo, comcast, etc.

However, I wonder why you don't have any dns blacklists such as
zen.spamhaus.org defined there.  The ability of postscreen to reject
known bad sites without using precious smtpd processes is one of its
key features.
I would just rather have a false negative than a false positive.  I
get a pretty small amount of spam at this point so I don't think
reducing it further is worth increasing the chances of a false
positive.

From what (little) I know about how postscreen works, rejecting the known bad sites doesn't really have any (substantive) chance of false positives, but it provides much more than just protection from spam - it protects you from the botnets/zombies hammering your server needlessly.

But, your system, your rules... ;)

--

Best regards,

Charles
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
> Yes, that should whitelist known good sites from deep inspection,
> certainly all the big mailers such as google, yahoo, comcast, etc.
>
> However, I wonder why you don't have any dns blacklists such as
> zen.spamhaus.org defined there.  The ability of postscreen to reject
> known bad sites without using precious smtpd processes is one of its
> key features.
>
> I would just rather have a false negative than a false positive.  I
> get a pretty small amount of spam at this point so I don't think
> reducing it further is worth increasing the chances of a false
> positive.
>
>
> From what (little) I know about how postscreen works, rejecting the known
> bad sites doesn't really have any (substantive) chance of false positives,
> but it provides much more than just protection from spam - it protects you
> from the botnets/zombies hammering your server needlessly.

Do you mean there aren't any legitimate servers listed in
zen.spamhaus.org?  When I switched servers a while back, the new IP I
received was listed on several blacklists and it was a hassle to get
them removed.

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

/dev/rob0
[attribution of quotes reconstructed]
On Sat, Aug 17, 2013 at 12:54:44AM -0700, Grant wrote:
Noel:
> > However, I wonder why you don't have any dns blacklists such
> > as zen.spamhaus.org defined there.  The ability of postscreen
> > to reject known bad sites without using precious smtpd
> > processes is one of its key features.
Grant:
> > I would just rather have a false negative than a false positive.  
> > I get a pretty small amount of spam at this point so I don't
> > think reducing it further is worth increasing the chances of a
> > false positive.
Charles:
> > From what (little) I know about how postscreen works, rejecting
> > the known bad sites doesn't really have any (substantive) chance
> > of false positives, but it provides much more than just
> > protection from spam - it protects you from the botnets/zombies
> > hammering your server needlessly.
>
> Do you mean there aren't any legitimate servers listed in
> zen.spamhaus.org?

Zen is a composite list, and indeed it is intended to be safe for
widespread use.

SBL (Spamhaus Block List) lists IP addresses which are known to be
under the control of spammers.

XBL (Exploits Block List) lists IP addresses which are actively
spewing bot spam. Legitimate servers are occasionally listed in XBL,
because they meet that condition. Some short time after they stop
their abuse, they are delisted. Typically this is less than a day.

PBL (Policy Block List) lists IP addresses which, according to the
netblock owners, should not normally be sending legitimate email.
Exceptions can be made for hosts with custom PTR upon request. Many
colocation providers submit their networks for PBL, but removal is
easy.

> When I switched servers a while back, the new IP
> I received was listed on several blacklists and it was a hassle
> to get them removed.

Far better that you go through that step than the Internet be exposed
to more spam. Anyway, did you notice how bad your deliverability was
during the time of your PBL listing? That's how it is. Lots of
Internet sites use Zen for blocking.

There is safety in numbers. Any Zen-listed site which is wanting to
deliver mail to you is also having problems getting mail to the rest
of the Internet. They simply must address the problem[s] that caused
the listing.

All that said, to address a point from Charles above, sure, it is
possible for an over-eager person to make a postscreen which will
block non-spam. Here's my example postscreen configuration which is
intended to be safe and reasonable for most uses:
        http://rob0.nodns4.us/postscreen.html
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

Grant-4
> [attribution of quotes reconstructed]
> On Sat, Aug 17, 2013 at 12:54:44AM -0700, Grant wrote:
> Noel:
>> > However, I wonder why you don't have any dns blacklists such
>> > as zen.spamhaus.org defined there.  The ability of postscreen
>> > to reject known bad sites without using precious smtpd
>> > processes is one of its key features.
> Grant:
>> > I would just rather have a false negative than a false positive.
>> > I get a pretty small amount of spam at this point so I don't
>> > think reducing it further is worth increasing the chances of a
>> > false positive.
> Charles:
>> > From what (little) I know about how postscreen works, rejecting
>> > the known bad sites doesn't really have any (substantive) chance
>> > of false positives, but it provides much more than just
>> > protection from spam - it protects you from the botnets/zombies
>> > hammering your server needlessly.
>>
>> Do you mean there aren't any legitimate servers listed in
>> zen.spamhaus.org?
>
> Zen is a composite list, and indeed it is intended to be safe for
> widespread use.
>
> SBL (Spamhaus Block List) lists IP addresses which are known to be
> under the control of spammers.
>
> XBL (Exploits Block List) lists IP addresses which are actively
> spewing bot spam. Legitimate servers are occasionally listed in XBL,
> because they meet that condition. Some short time after they stop
> their abuse, they are delisted. Typically this is less than a day.
>
> PBL (Policy Block List) lists IP addresses which, according to the
> netblock owners, should not normally be sending legitimate email.
> Exceptions can be made for hosts with custom PTR upon request. Many
> colocation providers submit their networks for PBL, but removal is
> easy.
>
>> When I switched servers a while back, the new IP
>> I received was listed on several blacklists and it was a hassle
>> to get them removed.
>
> Far better that you go through that step than the Internet be exposed
> to more spam.

I agree, but the fact is that not everyone will go through that step.

> All that said, to address a point from Charles above, sure, it is
> possible for an over-eager person to make a postscreen which will
> block non-spam. Here's my example postscreen configuration which is
> intended to be safe and reasonable for most uses:
>         http://rob0.nodns4.us/postscreen.html

Do you use that config on a commercial mail server?  I don't mean to
say that you shouldn't, I'm just wondering if you do.  In a commercial
environment, the penalty for a false positive is a customer unable to
reach the company behind the server which just isn't tolerable.

- Grant
Reply | Threaded
Open this post in threaded view
|

Re: greylisting generates error email?

lists@rhsoft.net


Am 17.08.2013 19:39, schrieb Grant:
> Do you use that config on a commercial mail server?  I don't mean to
> say that you shouldn't, I'm just wondering if you do.  In a commercial
> environment, the penalty for a false positive is a customer unable to
> reach the company behind the server which just isn't tolerable

there is *no way* to have never ever false positivies

and without spam protection someone deletes your message
within the 500 spam mails each day as collateral damagae

in case of a false positive: the sender get a bounce from his mailserver
in case of deleted: it was silently dropped

chosse one.....
12