At 10:33 AM 7/10/04 -0600, Lucas Albers wrote:
> Just do dual-layer greylisting.
> Do a 3-minute reject on first delivery, then a longer greylisting on mail
> that is received again and after content analysis at the data phase.

Quite frankly, for the "latency sensitive" situations I was mentioning, first-shot greylisting at all, no matter how short a duration, is inapplicable.


One thing you need to realize is that no matter how short your greylist period is, you're bound by the limits of how fast the remote server will retry. Don't fool yourself into thinking that a "3 minute" greylist delays mail for only 3 minutes, it certainly does not.

I've been experimenting with front-end greylisting one of my accounts for only 1 minute and using no other greylisting on it. Most emails that get greylisted end up delaying 20-30 minutes, which is the default retry for many sendmail installs. I've had a few, however, that delayed for several hours, the highest so far being 3 hours and 20 minutes. I've also seen a few messages retry after 2 minutes. However, by and large the added delay is about 20 minutes, which is undesirable but not too bad. However, those 3-hour ones can have a significant impact on business transactions.

Admittedly email isn't exactly the best "low latency" medium, however adding extra latency isn't acceptable in all situations. Again, it all boils down to what your network needs are.

However, it is interesting that I have had that 1-minute greylisting be as effective against spam as a 1-hour greylist. The account in question has gone from 300+ spams a day to 2. Very little spam gets past it, and of the spam that does get past, it's ones that are relayed via a well-behaved server that would eventually retry enough to get past any greylist.

As a result, I don't see any point in greylisting for longer durations; it just doesn't add much useful value. Most spam is one-shot, but the spam that retries is going to retry the same way legitimate mail does. The difference in spam rates on a 1-minute vs. 3-hour greylist is nonexistent.

The only benefit of the long delay is hoping the IP will get added to DNSBLs in the meantime. To me, that's a pretty marginal benefit. Short greylists get you a lot of gravy anyway, but even those might be unacceptable in delay for certain people.
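The point made above, that the delivery delay a greylist actually imposes is set by the sending server's retry schedule rather than by the greylist window, can be checked with a small model. The following is an added example written for this page, not code from either poster: a minimal triplet-based greylist (client IP, envelope sender, envelope recipient, as implemented by tools such as postgrey) plus a simulation of a sender that retries on a fixed interval. The `Greylist` class, the `simulate()` helper, the 8-hour retry window and the sample triplet (a documentation-range IP and example.net/example.org addresses) are all assumptions constructed for the example.

```python
"""Model of greylisting delay versus the sender's retry interval.

A triplet is temporarily rejected (SMTP 450) until `min_delay` seconds have
passed since it was first seen; a retry after that is accepted and the
triplet is remembered so later mail from it passes immediately.
"""
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: int                       # seconds a new triplet must wait
    retry_window: int = 8 * 3600         # forget triplets not retried within this
    seen: dict = field(default_factory=dict)   # triplet -> first-seen time
    passed: set = field(default_factory=set)   # triplets already accepted

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for a delivery attempt at time `now` (seconds)."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"
        first = self.seen.get(key)
        # Unknown triplet, or one whose earlier attempt is too old to count:
        # record it and ask the sender to try again later.
        if first is None or now - first > self.retry_window:
            self.seen[key] = now
            return "tempfail"
        if now - first >= self.min_delay:
            self.passed.add(key)
            return "accept"
        return "tempfail"


# Constructed sample triplet (documentation IP range, example domains).
SAMPLE_TRIPLET = ("192.0.2.10", "alice@example.net", "bob@example.org")


def simulate(greylist_delay, retry_every, max_retries=20):
    """Replay a sender that retries every `retry_every` seconds against a fresh
    greylist with the given window. Return the elapsed seconds until the
    message is accepted, or None if the sender gives up first
    (max_retries=0 models a one-shot spam run that never retries)."""
    gl = Greylist(min_delay=greylist_delay)
    for attempt in range(max_retries + 1):
        t = attempt * retry_every
        if gl.check(*SAMPLE_TRIPLET, now=t) == "accept":
            return t
    return None


if __name__ == "__main__":
    # Effective delay is the first retry at or after the greylist window,
    # so a 1-minute greylist costs a full 20 minutes against a 20-minute retry.
    for window, retry in [(60, 1200), (60, 120), (3600, 1200), (3 * 3600, 1200)]:
        got = simulate(window, retry)
        print(f"greylist {window:>6}s, sender retries every {retry:>5}s -> delivered after {got}s")
    # A one-shot sender is blocked whatever the window is.
    print("one-shot sender, 1-minute greylist ->", simulate(60, 1200, max_retries=0))
```

Running the script shows a 1-minute window delivering after 1200 s against a 20-minute retry schedule (and after 120 s against a 2-minute one), a 3-hour window pushing the same sender out to 10800 s, and a one-shot sender never delivering at all regardless of the window, which is exactly the behaviour the post describes.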