Greylisting

Greylisting is located under the Security dialog at: Security » Security Settings » Other » Greylisting.

Greylisting is a spam-fighting technique that exploits the fact that SMTP servers retry delivery of any message that receives a temporary (i.e. "try again later") error code. Using this technique, when a message arrives from a non-whitelisted or otherwise previously unknown sender, its sender, recipient, and sending server's IP address are logged and the message is refused by Greylisting during the SMTP session with a temporary error code. Furthermore, for a designated period of time (say, 15 minutes) any further delivery attempts for that same combination will also be temporarily refused. Because spammers typically do not retry when a message is refused, greylisting can significantly reduce the amount of spam your users receive. Even if a spammer does retry later, it is possible that by that time the source will have been identified and other spam-fighting options (such as DNS Black Lists) will successfully block it.

It is important to note, however, that this technique deliberately delays "good" email along with the "bad". Legitimate messages should still be delivered later, after the greylisting period has expired, but you have no way of knowing how long a sending server will wait before making further delivery attempts. Purposely refusing a message with a temporary error code could delay it by as little as a few minutes or by as much as an entire day.

There are several traditional problems and negative side-effects associated with greylisting, and the Greylisting screen contains a number of options designed to deal with them.

First, some sending domains use a pool of mail servers to send outbound mail. Since a different mail server could be used for each delivery attempt, each attempt would be treated as a new connection to the greylisting engine. This could multiply the length of time it would take to get past Greylisting because each of those attempts would be greylisted as if they were separate messages instead of retries of a previous message. By utilizing an SPF lookup option, this problem can be solved for sending domains who publish their SPF data. Furthermore, there is an option to ignore the IP of the sending mail server completely. Using this option lowers the efficiency of greylisting, but it does completely solve the server pool problem.

Second, greylisting traditionally entails a large database since each incoming connection must be tracked. MDaemon minimizes the need to track connections by placing the Greylisting feature nearly last in the SMTP processing sequence. This allows all of MDaemon's other options to refuse a message prior to reaching the greylisting stage. As a result, the size of the greylisting data file is greatly reduced, and since it is memory resident there is little practical performance impact.

Finally, several options are available to minimize the impact of greylisting on "good" messages. First, messages sent to mailing lists can be excluded. Next, Greylisting has its own white list file on which you can designate IP addresses, senders, and recipients that you wish to be exempt from greylisting. Finally, Greylisting contains an option for using each account's private address book files as a white list database. So, mail to a user from someone in that user's address book can be excluded from greylisting.

For more information about greylisting in general, visit Evan Harris' site at:

Greylisting

Enable greylisting

Click this option to enable the Greylisting feature within MDaemon.

...but only for Gateway domains

Click this check box if you only wish to greylist messages destined for gateway domains.

White list

This button opens the Greylisting white list on which you can designate senders, recipients, and IP addresses that will be exempt from greylisting.

Defer initial delivery attempt with 451 for this many minutes

Designate the number of minutes for which a delivery attempt will be greylisted after the initial attempt. During that period of time, any subsequent delivery attempts by the same server/sender/recipient combination (i.e. "greylisting triplet") will be refused with another temporary error code. After the greylist period has elapsed, no further greylisting delays will be implemented on that triplet unless its Greylisting database record expires.

Expire unused greylisting database records after this many days

After the initial greylisting period has elapsed for a given greylisting triplet, no further messages matching that triplet will be delayed by Greylisting. However, if no message matching that triplet is received for the number of days designated in this option, its Greylisting database record will expire. A subsequent attempt by that triplet will cause a new Greylisting record to be created, and it will have to go through the initial greylisting period again.

Advanced

Click this button to open the Greylisting database, which you can use to review or edit your greylisting triplets.

SMTP response (leave blank for default)

If you provide a custom string of text in this space then MDaemon will return the SMTP response, "451 <your custom text>" rather than the default "451 Greylisting enabled, try again in X minutes." This is useful, for example, if you wish to provide a string that contains a URL to a description of greylisting.

Don't include IP address when greylisting (use only MAIL & RCPT values)

Click this check box if you do not wish to use the sending server's IP address as one of the greylisting parameters, so that only the MAIL FROM and RCPT TO values identify a record. This solves the potential problem caused by server pools, but it reduces Greylisting's efficiency, since any server can then retry on behalf of a sender/recipient pair that has already passed.

Don't greylist subsequent connections which pass SPF processing

When this option is enabled, if an incoming message matches a triplet's sender and recipient but not its sending server, and SPF processing determines that the sending server is a valid alternate to the one recorded in the triplet, the message is treated as a subsequent delivery attempt for that triplet rather than as a new connection requiring a new Greylisting record. This only helps for sending domains that publish SPF data.
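The following is an added example, not MDaemon's own code, that models the behaviour described for the triplet, the 451 defer window, record expiry, the "don't include IP address" option, the white list, and the SPF alternate-server option, so the interactions can be stepped through offline. Time is passed in explicitly as seconds, the `spf_hosts` table is a hypothetical stand-in for a real SPF lookup, and all addresses and IPs are constructed sample values.

```python
"""Toy greylisting engine (added example; not MDaemon's code).

Models the options described on this page: the 451 defer window on a
server/sender/recipient triplet, expiry of unused records, dropping the
IP from the triplet, the white list, and the SPF "valid alternate
server" option.  Time is passed in explicitly (seconds) so the
behaviour can be stepped through without a clock or a network.
"""
from dataclasses import dataclass, field
from math import ceil


@dataclass
class Record:
    first_seen: float   # time of the first attempt for this triplet
    last_seen: float    # time of the most recent attempt (drives expiry)


@dataclass
class Config:
    defer_minutes: int = 15     # "Defer initial delivery attempt with 451 for this many minutes"
    expire_days: int = 10       # "Expire unused greylisting database records after this many days"
    include_ip: bool = True     # False = "Don't include IP address when greylisting"
    use_spf: bool = False       # "Don't greylist subsequent connections which pass SPF processing"
    whitelist: set = field(default_factory=set)   # IPs, senders or recipients exempt from greylisting
    # Hypothetical stand-in for an SPF lookup: sending domain -> IPs its SPF record authorises.
    spf_hosts: dict = field(default_factory=dict)


class Greylister:
    def __init__(self, cfg):
        self.cfg = cfg
        self.db = {}   # triplet -> Record; this is the "greylisting database"

    def _triplet(self, ip, sender, rcpt):
        """Build the database key; the IP is dropped when include_ip is off."""
        return (ip if self.cfg.include_ip else None, sender.lower(), rcpt.lower())

    def _spf_match(self, ip, sender, rcpt):
        """SPF option: find an existing triplet for the same sender/recipient whose
        server and this one are both authorised by the sender domain's SPF data."""
        domain = sender.rsplit("@", 1)[-1].lower()
        allowed = self.cfg.spf_hosts.get(domain, set())
        if ip not in allowed:
            return None
        for key in self.db:
            if key[1:] == (sender.lower(), rcpt.lower()) and key[0] in allowed:
                return key
        return None

    def check(self, ip, sender, rcpt, now):
        """Decide one SMTP delivery attempt made at time `now` (seconds).
        Returns (accepted, smtp_response)."""
        cfg = self.cfg
        if ip in cfg.whitelist or sender.lower() in cfg.whitelist or rcpt.lower() in cfg.whitelist:
            return True, "250 OK (white listed)"

        key = self._triplet(ip, sender, rcpt)
        rec = self.db.get(key)
        if rec is None and cfg.use_spf and cfg.include_ip:
            alt = self._spf_match(ip, sender, rcpt)
            if alt is not None:
                key, rec = alt, self.db[alt]     # treat as a retry of the known triplet

        # Expire a record that has not been touched for expire_days.
        if rec is not None and now - rec.last_seen > cfg.expire_days * 86400:
            del self.db[key]
            rec = None

        if rec is None:
            # Unknown triplet: log it and refuse with a temporary error code.
            self.db[key] = Record(first_seen=now, last_seen=now)
            return False, f"451 Greylisting enabled, try again in {cfg.defer_minutes} minutes"

        rec.last_seen = now
        remaining = cfg.defer_minutes * 60 - (now - rec.first_seen)
        if remaining > 0:
            # Still inside the defer window: refuse again, reporting the time left.
            return False, f"451 Greylisting enabled, try again in {ceil(remaining / 60)} minutes"
        return True, "250 OK"


if __name__ == "__main__":
    MIN = 60
    g = Greylister(Config())
    for t in (0, 5 * MIN, 15 * MIN):
        print(t // MIN, "min:", g.check("203.0.113.5", "alice@example.com", "bob@example.net", t))
```

Running the block walks one triplet through the first refusal, a retry inside the window, and the accepted retry once fifteen minutes have passed; the server-pool case is reproduced by retrying from a second IP, which is a new triplet unless `include_ip` is off or the SPF option recognises both IPs as the sending domain's servers.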

Don't greylist mail from senders in local address books

Click this option if you wish to exempt a message from greylisting when its sender is listed in the recipient's address book.

Don't greylist messages to mailing lists

Click this check box if you wish to exempt mailing list messages from greylisting.

Don't greylist mail sent over authenticated sessions

Use this option if you wish all messages coming in over an authenticated session to be exempt from greylisting.

Don't greylist mail from trusted IPs

Use this option if you wish all messages coming from trusted IP addresses to be exempt from greylisting.