As user interfasys points out, you can't tell at connect time if a sender is going to authenticate or not. Which is why I recommend nolisting, which works through mx; local connections don't use mx.
Jeff
How would you recommend getting a list of external hosts? I presume you mean for every host except the server's hostname.
Note that we get similar (better? I think so) results using nolisting; it's unlikely I'd switch to a delay, but I could include it (untested) for others depending on how you'd look it up.
I just don't feel like keeping every connection from outside open for three seconds; I believe that would cause an increase in server load, while with nolisting (lowest-cost MX to a server without port 25 open) there's no extra load at all.
Jeff
I'm confused as to what nolisting has to do with anything in this case...
After a sender has passed the nolisting test by identifying the correct mail server to connect to it will still get delayed by 3 seconds, like everybody else.
If one wants to make the difference between authorized senders and the rest, I suggest creating a rule that uses +auth_relay_hosts and the port that is in use if you manage to force your user to use a different port. Works like a charm.
We use nolisting instead of a 3 second delay, not along with a 3 second delay.I'm confused as to what nolisting has to do with anything in this case...
After a sender has passed the nolisting test by identifying the correct mail server to connect to it will still get delayed by 3 seconds, like everybody else.