[Mimedefang] Re: Justifying greylisting to management

[Jan Pieter Cornet]

On Sun, Feb 26, 2006 at 10:29:43PM +0200, Yizhar Hurwitz wrote:
> I would like to share a specific issue that I had with greylisting at 
> the sender side:
> 
> I manage [...] MS Exchange 2003.
> Some of the recipients that my customers send emails to, are using some 
> sort of greylisting (I didn't check which method exactly).
[only half coherent description of problem]
> However - the bottom line was the important emails (important for both 
> sender and recipient) where delayed for more then 1 week, without any 
> notification to sender nor recipient!

That sounds like an enormous bug in the setup on the exchange side.

> I haven't asked MS [...]
> 
> * I assume that this is not a single specific issue but does/will 
> probably affect customers in other similar scenarios.

I doubt it. To be blunt - it sounds like an incompetently managed
Exchange server. Sure, some issue like this are likely to be present in
more than one location - dumb admins are everywhere, and not only behind
winders machines. But that's the whole point. We detect spammers in
basically two ways - by their breaking of RFCs, and by the content
of their message. Greylisting falls in the first category.

So, if you're stupid enough to do the Exchange equivalent of running
sendmail without a queue runner, then, yes, mail to greylisted hosts
will not arrive, ever, and you'll be classified a "spammer" by the
greylisting system.

Now I'm not too fond of Exchange, but I do know a little bit about
MS Exchange, and I am positive that a properly configured exchange
server has no trouble dealing with a greylisting mailserver.

Now, all exchange experts I've spoken to, agree that one of the cardinal
mistakes you can make in setting up an exchange server is letting it talk
directly to the internet at large - you should always put it behind a
sendmail(or other unix MTA) box that does the actual mail receiving and
transmitting into the whole bad world for it. (However, those deeply
inundated with M$ will only very reluctantly admit this). It looks like
in your situation you made at least this setup error.

> * My point is that you should also take into account that greylisting 
> might cause more severe problems and not only delays of few minutes,
> and this should be added to the "cons" count against greylisting.

I'd say that counts as one of the "cons" of incompetence :) Temporary
failures do happen, occasionally, independent of greylisting. If your
setup cannot handle that, then you have a problem.

> * You can say: "that's a problem of the sending server, not mine (the 
> recipient side)".

Indeed it is. The whole world will not compensate for the inadequacies
of a small group of incompetent administrators. Not anymore - the
internet is moving away from that view very fast. We tried it, and it
worked pretty well in the old days, but it stopped working when some
particularly anti-social individuals found out it was sooo easy to abuse
this implicit trust you got everywhere.

> But your customers (end users and management) might argue about 
> important emails lost or delayed for days.

That happens too without greylisting...
 
> The issue I have described should be counted as one of the "cons" against 
> it.

I'd rather chalk it up as "FUD", because that is the exact sentiment
in your message.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinately to allow verification of the logs.   !!