postgrey, for instance, whitelists hosts that have 5 successful
deliveries. In the presence of this option, you can just greylist
*everything*.

Yes and no. An increasing number of sites refuse "bounces" (that is
messages with null return-path) to some addresses that are known never
to send mail. This breaks the procedure and is reacted by other sites
by using a fixed "just-probing-***@their_domain" address, and mail to
that address doesn't incur that check (but ends up in /dev/null or
gets refused at DATA time).

This is not adequate, sorry, at least, not in my book.

I am concerned that you not use a spam-defeating technique which
blocks perfectly legitimate and standards-compliant email.

What I object to is specifically the attempt to create *new*
standards, by blocking legitimate email. There is no standard
requirement that a server farm use a small netmask or one of a set of
common patterns. If you want such a requirement, please propose one
to the IETF. You know how.

Saying "if everyone followed rule X (and heck, lots of people already
do!) my system would work perfectly" is irrelevant to me. What
matters to me is "my scheme works when everyone follows the actual
public standards for email."

Thomas

Does the second email I sent (with the missing stuff) provides the
clarification you asked for?
Read below. When you do, please remember that many of us consider that a
fully-open system which drowns us in SPAM is also broken, because you do
lose information for failure of locating it among the noise.
There is no hardcoding. Please use more exact terms. I think I understood
what you wanted to say, but whitelists are not *hardcoded*. They have never
been, they are updated in runtime. So use the proper terms next time.
What I believe you mean is that for you, a non-perfect solution for
identifying outgoing SMTP clusters is not acceptable, as it gives a non-zero
possibility of permanent delivery failure to a graylisted destination.

Well, there are solutions that are good enough in practice. If you do not
like them because they are not perfect (as in guaranteed zero fail rate),
then there is no solution I know of that will be acceptable to you.

But please remember that people operating outgoing SMTP clusters *want* to
deliver email, and that they are aware of graylisting practices and also of
the diminishing probability of sucessful delivery when the sending site has
broken DNS configuration, or is listed in popular blackists and dial-up
IP space lists.

Also, keep in mind that the Debian graylisting proposal specifically states
that graylisting is not to be applied to every single incoming connection,
but rather to those coming from broken DNS sources, and blacklisted sources,
which are extremely unlikely to be the class of sending cluster that would
break graylisting in the first place.

So you do NOT need a perfect theorical solution to get zero fail rate in
practice for the proposed graylisting scheme. You don't get any guarantees
of a zero fail rate, however.
That is a broken graylist implementation, then. It should be fixed (or
avoided at all costs). Which graylister was that one?

For graylisting, you need to verify that the sender will retry. This is not
done through verification of completed email delivery! It is done as soon
as you got enough information to identify it as the same sender and message.
If the sender will retry, you are to approve him through the graylist
regardless of any delivery taking place.
Agreed, you cannot say that. But nobody did say it. And the scenario you
experienced for Alice's failure to deliver email to Bob requires a broken
graylisting implementation that acts in a specific *wrong* way, and that was
the answer to my question.

Now, I am a bit annoyed with the "graylisting violates the RFCs" generic
statement, so I'd really appreciate if you could make it more specific.
Please explain how the idea behind graylisting ("force a host to retry a
SMTP transaction at a later time") violates RFC 2821. RFC 2821, AFAIK,
requires that the sending side deal with that scenario, and anyone who
doesn't deal with it is the one violating the RFC.

There is an issue with current graylisting implementations that *I know of*
(and I certainly am no expert in the area), in that they *will* fail to
recognize shared-queue outgoing clusters in theory, and *may* fail to do so
in practice (depends on such cluster deployments failing to match known
patterns). This has nothing to do with RFC 2821 except if you go into
subjective "in spirit" violations. Was this the violation you were talking
about when refering to graylisting?
Actually, I am ALSO arguing that these cases are probably not going to
happen in practice, now that graylisting is far more mature and widely used.

Which rfcs and where, exactly? Specific filename, version and line numbers,
as Kimball would say it.

AFAICT, the protocol allows the receiving end to temporarily reject email,
and the sending end will retry. AFAICT QUIT is allowed after RCPT TO to
abort a mail transaction - and sender verification is no different from a
normal mail transaction in the view of the receiver.

-- vbi

It was pretty clear for anyone actually reading the messages. The error is
in the "safe side", i.e. let stuff through the graylisting without delaying
it.