[Greylist-users] Does Greylisting *always* work?

martin dempsey mjd at digitaleveryware.com
Mon Jun 23 16:14:21 PDT 2003

>From the description of greylisting Evan Harris says:

"The best part is that since we never permanently fail a message delivery, as 
long as the delivering MTA's are well behaved, we should never cause a 
legitimate mail to bounce. There should never be a false positive!"

Thats one of the reasons I implemented greylisting. And I think its pretty 
much true, but is is *always* true? Can an MTA that follows all the relevant 
RFCs fail when talking to a server implementing greylisting? I think so. 

One problem is that greylisting returns a "temporary failure" to the 
originating server. Now, we mean this particular message has a temporary 
failure, but as far as the server knows it could be the greylisting server is 
having a temporary failure for all messages.

If you have a busy "normal" email server that sends a new message from 
potentially a different user to to a different user every 20 minutes, each 
new message will get "temp failed" since its new and the one hour clock 
starts. However, from the point of view of the originating server every 
twenty minutes they contact the greylisting server and a message is "temp 
failed". If the server includes logic that says "don't bother running the 
queue for a server that reported a failure less than 30 minutes ago", then 
since the grelisting server always has failed less than twenty minutes ago, 
the originating server may decide not to bother processing the queue of 
previously failed messages (that would now be ok).  Or it might be past the 
four hour window by the time it retries a previously tried message.

In this case, although the originating server is following all RFCs, all 
messages to the greylisting server may fail. Can this happen? Has anyone seen 
it? I may have an example but I'm not sure if this is the problem yet.

If it is a problem, is there an easy way around it? It seems likely to happen 
soon after starting a greylisting server since when starting the database is 
empty and most messages are "new" and get failed for an hour.


More information about the Greylist-users mailing list