[Greylist-users] Does Greylisting *always* work?

[Evan Harris]

> One problem is that greylisting returns a "temporary failure" to the
> originating server. Now, we mean this particular message has a temporary
> failure, but as far as the server knows it could be the greylisting server is
> having a temporary failure for all messages.

Different error codes mean different classes of failure.  Some mean things
like "mailbox full", while others could be construed to be a "server-wide"
failure.  I've tried to pick the "best" error code to return, and there was
some trial and error.  One of the ones I tried early on caused problems with
AOL.

The ones I'm using in the example code now seem to work well, but the best I
can do is point you at the RFC's for picking the code you want to use.

> In this case, although the originating server is following all RFCs, all
> messages to the greylisting server may fail. Can this happen? Has anyone seen
> it? I may have an example but I'm not sure if this is the problem yet.

Theoretically, a server that never retries a message may still be RFC
compliant, since (from my reading of it) retries are suggested, but not
required.  But practically all servers realize that the net isn't a perfect
place, and retries are sometimes necessary.  Greylisting takes advantage of
that fact.  And that's why I qualified my statement with "well behaved",
since in my opinion, a mailer that doesn't retry isn't well behaved, though
it may be RFC compliant.

Are there mailers out there that will have problems?  Probably.  Are they
significant enough to invalidate the use of greylisting?  Not in my opinion.

> If it is a problem, is there an easy way around it? It seems likely to happen
> soon after starting a greylisting server since when starting the database is
> empty and most messages are "new" and get failed for an hour.

If this is a problem for you, there is a simple workaround.  Change the code
so that it never tempfails, just populates the database.  After letting it
run for a few weeks, most of the legit associations will have been learned
(along with a lot of spam ones, but hopefully they won't cause too much
trouble), then switch over to a normal run mode.  You'll miss most of the
pain of the initial learning phase, but still get most of the benefits.

Evan