cPanel/Exim dealing with other servers that implement greylisting

[ichthus]

We have a local university that is implementing greylisting on their mailservers, and many of my users send mail through my cPanel enabled server. Many of these emails never get there and bounce back after about 5 days because exim isnt configured to send mail to servers that have this technique implemented. The "workaround" they suggest is to send the same copy of the email twice one time, and then it will work from then on. But only this sender/recipient combination is added to the whitelist, so you would have to do it for EVERY email address that you want to send to. I find this unacceptable.

Believe me, I am not a proponent of greylisting.... I think spammers could just get around it with that simple workaround if they wanted. But, other people in the world swear by it and are using it... so can we make our mail servers work with it?

Thanks-
Kevin

[AndyReed]

We have a local university that is implementing greylisting on their mailservers, and many of my users send mail through my cPanel enabled server. Many of these emails never get there and bounce back after about 5 days because exim isnt configured to send mail to servers that have this technique implemented. The "workaround" they suggest is to send the same copy of the email twice one time, and then it will work from then on.

The best work around this issue is the university putting your IPs or domain names in their whitelist. For more information, read http://projects.puremagic.com/greyli...hitepaper.html

[ichthus]

I'll try that, but what if there were 50 servers out there that implemented greylisting? Would I have to go to each and every one and request my server IP to be added to their whitelist?

[ichthus]

Also, their site says if the server was properly configured to meet "internet standards", then their servers would accept the mail no problem.
http://www.ietf.org/rfc/rfc2821.txt

[AndyReed]

I'll try that, but what if there were 50 servers out there that implemented greylisting? Would I have to go to each and every one and request my server IP to be added to their whitelist?

I guess, unless otherwise :-)
Allow me to ask you this, Is rDNS implemented on your server? make sure your server is properly configured, secured and up-to-date.

[chirpy]

Also, their site says if the server was properly configured to meet "internet standards", then their servers would accept the mail no problem.
http://www.ietf.org/rfc/rfc2821.txt

They always say that and it is rubbish. Greylisting may be great in theory, but it in practice it breaks the proper delivery, especially if it's not setup correctly. I positively hate the concept of denying delivery of email and expecting the sending server to try again - it's a dishonest way to run an MTA, IMHO There are much better ways of dealing with spam issues.

Unless the recipient fixes how they're doing things or is wiliing to investigate there's little you can do since the problem is entirely at their end, not yours.

BTW, what greylisting proponenets don't emphasise when they refer to the RFC that controls SMTP traffic, is that the word SHOULD has special meaning. If an RFC says MUST then an MTA must do as instructed. However, when an MTA receives an error from a remote server (which is what greylisting does):

451 Requested action aborted: error in processing

Then an MTA should try again. But in RFC parlance, that means it doesn't have to. If it doesn't retry it is still completely correctly adhering to the RFC. So the fault for delivery failure lies completely with the server that is greylisting. Indeed, the fact that exim does retry simply shows that their greylisting setup is broken.

[brianoz]

My understanding of greylisting was that the email was only refused the first time that email address is seen. Surely, when Exim retries, you'd expect the email to go through. Do you know why the email is not getting through the second time? There's no doubt Exim would be retrying.

Based on this I suspect their implementation of greylisting is broken. I think a lot of people out there are using it, and you'd never know as it's completely transparent.