[RndTbl] mail server help

Trevor Cordes trevor at tecnopolis.ca
Thu Aug 17 03:22:54 CDT 2017

I just started getting some weirdness with some email sent to my mail 
servers.  Greylisting "come back later" (451) messages are being 
interpreted (it appears) by remote MTAs as a 5xx level error, meaning they 
immediately abort send attempts and bounce the email!  I have never seen 
this before.

I've seen it from two separate remote MTAs so far, but from reports I'm 
getting in, it's happening on more.

Here's what I get from umce3cip03.ad.umanitoba.ca:

Remote Server returned '554 5.0.0 <[] #5.0.0 smtp; 5.1.0 - 
Unknown address error 550-'<foobar at tecnopolis.ca>... 451 4.7.1 Greylisting 
in action, please come back later' (delivery attempts: 0)>'

On my server sendmail log I see:

Aug 16 08:43:15 pog sendmail[14379]: v7GDhFav014379: Milter: 
to=<foobar at tecnopolis.ca>, reject=451 4.7.1 Greylisting in action, please 
come back later

So umce3cip03.ad.umanitoba.ca appears to be taking my 451 and turning it 
into a 500/554/510 permanent error.

I also see this from yahoomail, but that's a different situation because 
yahoo is always considered "broken mta" in milter-greylist and we must 
whitelist all of their servers... but, the usual/previous symptom was 
yahoo would keep retrying as normal, just with a different IP each time, 
thus never passing greylisting.  And now yahoo is doing the same thing as 
umce3cip03.ad.umanitoba.ca above (when I haven't yet whitelisted the 
particular IP that day, grrr):

Sorry, we were unable to deliver your message to the following address.
<foo at tecnopolis.ca>:
550: <foo at tecnopolis.ca>... 451 4.7.1 Greylisting in action, please 
come back later

So at least 2 MTAs, probably more, are changing 451 greylist into 5xx.  Is 
there some new massive change out there to basically take greylist MTAs as 
broken?  Is there a way to find out what MTA (or outsourced service 
provider) umce3cip03.ad.umanitoba.ca is using?  Perhaps there is just one 
brand that unilaterally decided on this action?

I can find no Google hits on any of this.  :-(

There is an easy workaround/gotcha: if people wait the greylist timeout 
(usually 2 to 20 minutes) and then resend the same to-from-ip tuple email, 
it will go through as their server will have been whitelisted in the 
interim!  But that makes it harder to troubleshoot this problem because it 
then becomes transient.

If any MUUGers have problems with MUUG mailing lists bouncing, please 
resend your email after 1 hr if it hasn't shown up yet (you can check the 
website mail list archives section) and/or please email me directly with 
your bounce email message (twice, wait 20 mins!) so I can solve this for 
both MUUG servers and my own.

If this problem is a) permanent/deliberate, and b) widespread, I think 
that spells the death of greylisting (grrrrr...) and the nearing of "spf 
strict" enabling.
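
Added example (not part of the original post): a small Python triage script for bounce diagnostics like the two quoted above. It flags bounces where a permanent 5xx status wraps a quoted 4xx reply and lists the reporting hosts; the function names and the two example.net diagnostics are constructed for illustration.

```python
import re

# A bare three-digit SMTP reply code (2xx/4xx/5xx); the lookarounds skip the
# digits of enhanced status codes such as 4.7.1.
CODE_RE = re.compile(r"(?<![\d.])([245]\d{2})(?![\d.])")

def analyze(diagnostic):
    """Classify one bounce diagnostic by its outer and embedded reply codes."""
    codes = [int(c) for c in CODE_RE.findall(diagnostic)]
    if not codes:
        return {"outer": None, "embedded_4xx": [], "verdict": "unparsed"}
    outer = codes[0]  # what the remote MTA reported to the sender
    embedded = [c for c in codes[1:] if 400 <= c < 500]  # quoted original reply
    if outer >= 500 and embedded:
        verdict = "escalated"  # permanent failure wrapping a temporary reply
    elif outer >= 500:
        verdict = "permanent"
    elif outer >= 400:
        verdict = "temporary"
    else:
        verdict = "ok"
    return {"outer": outer, "embedded_4xx": embedded, "verdict": verdict}

def escalating_hosts(bounces):
    """Return the sorted reporting hosts whose bounces turned a 4xx into a 5xx."""
    return sorted({host for host, diag in bounces
                   if analyze(diag)["verdict"] == "escalated"})

# The first two diagnostics are quoted from the post; the last two are constructed.
BOUNCES = [
    ("umce3cip03.ad.umanitoba.ca",
     "554 5.0.0 <[] #5.0.0 smtp; 5.1.0 - Unknown address error "
     "550-'<foobar at tecnopolis.ca>... 451 4.7.1 Greylisting in action, "
     "please come back later' (delivery attempts: 0)>"),
    ("yahoo (host not given in the post)",
     "550: <foo at tecnopolis.ca>... 451 4.7.1 Greylisting in action, "
     "please come back later"),
    ("mx1.example.net", "451 4.7.1 Greylisting in action, please come back later"),
    ("mx2.example.net", "550 5.1.1 <nobody at example.net>... User unknown"),
]

if __name__ == "__main__":
    for host, diag in BOUNCES:
        print(host, analyze(diag))
    print("escalating:", escalating_hosts(BOUNCES))
```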

