[Greylist-users] question about multiple mx
Evan Harris
eharris at puremagic.com
Wed Jan 28 08:41:04 PST 2004
The situation you describe doesn't have a solution. If there are real
mailservers that will accept and forward a significant portion of your mail,
and you don't have control of them and can't put greylisting on them also,
then you won't see any real benefit from greylisting.
The same problem exists even for mail servers that don't forward for a whole
domain. Even individual users who have outside email accounts (at a
different domain) that forward to a domain with greylisting, since the
forwarding server will retry until the mail gets through, greylisting will
not prevent any of the spam coming through that forwarding server from being
delivered.
Evan
On Wed, 28 Jan 2004, Ricardo Kirkner wrote:
> Hi:
>
> What happens when you have multiple MX for a domain (for example if you
> have several levels of backup relays)?
>
> Assume the following scenario:
>
> a.domain.com IN MX mx1.domain.com
> a.domain.com IN MX relay1.otherdomain.com
> a.domain.com IN MX relay2.anotherdomain.com
>
> you have greylisting installed in mx1.domain.com only, because you don't
> have controll over the relays.
>
> When you send a new mail to the a.domain.com domain, the greylisting
> machine tempfails that mail, so the mailer tries the next MX in the list
> (i.e. relay1.otherdomain.com) which accepts the mail.
>
> Then, the relay1.otherdomain.com machine delivers the mail to the
> mx1.domain.com machine which will go through since we are being
> delivered from a known relay.
>
> So, now I have an open relay for spammers to go. That's not pretty.
>
> How can I prevent this? I need to have those relays as a backup measure,
> but I cannot afford to turn them into open relays for spammers.
>
> BTW, if I don't whitelist those relays, it is only a matter of time for
> them to get whitelisted automatically, since they will retry until the
> greylisting filter lets them through, so not whitelisting my relays is
> not a solution here.
>
> I hope that someone can answer this for me
>
> With regards
>
> Ricardo Kirkner
>
>
More information about the Greylist-users
mailing list