Postgrey is a Postfix policy server implementing greylisting.
When Postfix receives a request to deliver a mail via SMTP, the triplet "CLIENT_IP" / "SENDER"
/ "RECIPIENT" is built. If this is the first time the triplet is seen, or if it was first
seen less than delay seconds ago (300 is the default), the mail is rejected with a temporary error.
Hopefully spammers or viruses will not try again later, even though retrying is required by the RFC.
Note that you shouldn't use the --lookup-by-host option unless you know what you are doing: a lot of
mail servers use a pool of addresses to send emails, so they can change IP every time they retry.
That's why, without this option, postgrey strips the last byte of the IP address when doing lookups
in the database.
Installation
• Create a "postgrey" user and the directory (dbdir) where the database will be put (default:
"/var/lib/postgrey").
• Write an init script to start postgrey at boot, and start it. For example:
    postgrey --inet=10023 -d
contrib/postgrey.init in the postgrey source distribution includes an LSB-compliant init script by
Adrian von Bidder for the Debian system.
• Put something like this in /etc/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        ...
        reject_unauth_destination
        check_policy_service inet:127.0.0.1:10023
• Install the provided whitelist_clients and whitelist_recipients in /etc/postgrey.
• Put in /etc/postgrey/whitelist_recipients users that do not want greylisting.
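The triplet logic from the introduction and the check_policy_service exchange configured above, as an added Python example (postgrey itself is Perl; this is not its code): a Postfix policy request is parsed, the triplet is built with the last IP byte stripped unless --lookup-by-host is in effect, and the response is DEFER_IF_PERMIT with the default greylist text until the 300-second delay has passed. The in-memory dict standing in for the dbdir database and the sample request are constructed for the example.

```python
import time

DELAY = 300   # --delay default, in seconds
# Default greylist text; %r is replaced by the recipient's mail domain
DEFAULT_TEXT = "Greylisted, see http://postgrey.schweikert.ch/help/%r.html"


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def lookup_key(client_ip, sender, recipient, lookup_by_host=False):
    """Triplet key; without --lookup-by-host the last IPv4 byte is dropped."""
    if not lookup_by_host and "." in client_ip:
        client_ip = client_ip.rsplit(".", 1)[0]
    return (client_ip, sender, recipient)


class Greylist:
    """Constructed in-memory stand-in for the dbdir database: triplet -> first-seen time."""

    def __init__(self, delay=DELAY, lookup_by_host=False):
        self.delay, self.lookup_by_host = delay, lookup_by_host
        self.first_seen = {}

    def decide(self, attrs, now):
        key = lookup_key(attrs["client_address"], attrs["sender"],
                         attrs["recipient"], self.lookup_by_host)
        first = self.first_seen.setdefault(key, now)   # first sighting starts the clock
        left = self.delay - (now - first)
        if left > 0:                                   # new triplet, or retried too early
            domain = attrs["recipient"].rpartition("@")[2]
            text = DEFAULT_TEXT.replace("%r", domain).replace("%s", str(int(left)))
            return "DEFER_IF_PERMIT " + text
        return "DUNNO"                                 # let the other restrictions decide


def handle(greylist, raw_request, now=None):
    """Wire response for one request: an action= line followed by an empty line."""
    now = time.time() if now is None else now
    return "action=%s\n\n" % greylist.decide(parse_policy_request(raw_request), now)


# Constructed sample request, in the shape Postfix sends to inet:127.0.0.1:10023
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=192.0.2.10\n"
          "sender=alice@sender.example\nrecipient=bob@example.com\n\n")
```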
Whitelists
Whitelists allow you to specify client addresses or recipient addresses for which no greylisting should
be done. By default postgrey reads the following files:
/etc/postgrey/whitelist_clients
/etc/postgrey/whitelist_clients.local
/etc/postgrey/whitelist_recipients
/etc/postgrey/whitelist_recipients.local
You can specify alternative paths with the --whitelist-x options.
Postgrey whitelists follow similar syntax rules to Postfix access tables. The following can be specified
for recipient addresses:
domain.addr
    "domain.addr" domain and subdomains.
name@
    "name@.*" and extended addresses "name+blabla@.*".
name@domain.addr
    "name@domain.addr" and extended addresses.
/regexp/
    anything that matches "regexp" (the full address is matched).
The following can be specified for client addresses:
domain.addr
    "domain.addr" domain and subdomains.
IP1.IP2.IP3.IP4
    IP address IP1.IP2.IP3.IP4. You can also leave off one number, in which case only the first
    specified numbers will be checked.
IP1.IP2.IP3.IP4/MASK
    CIDR-style network. Example: 192.168.1.0/24
/regexp/
    anything that matches "regexp" (the full address is matched).
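The recipient and client whitelist entry forms listed above, implemented as an added Python example (not postgrey's own Perl matcher): domain entries cover subdomains, name@ entries cover extended "name+blabla" addresses, truncated dotted quads compare only the numbers given, and CIDR entries use the standard library. The sample entries are constructed, not the shipped whitelist files.

```python
import ipaddress
import re


def match_recipient(pattern, address):
    """Match one whitelist_recipients entry against a full recipient address."""
    pattern, address = pattern.lower(), address.lower()
    local, _, domain = address.rpartition("@")
    if pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address) is not None   # applied to the full address
    if "@" not in pattern:                                      # domain.addr: domain and subdomains
        return domain == pattern or domain.endswith("." + pattern)
    name, _, pdomain = pattern.partition("@")
    base = local.split("+", 1)[0]                               # "name+blabla" counts as "name"
    if pdomain == "":                                           # name@ matches any domain
        return base == name
    return base == name and domain == pdomain


def match_client(pattern, client_ip, client_name=""):
    """Match one whitelist_clients entry against the client IP and its host name."""
    if pattern.startswith("/") and pattern.endswith("/"):
        regexp = pattern[1:-1]
        return any(re.search(regexp, s) is not None for s in (client_name, client_ip))
    if "/" in pattern:                                          # CIDR network, e.g. 192.168.1.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if re.fullmatch(r"[0-9.]+", pattern):                       # full or truncated dotted quad
        want = pattern.rstrip(".").split(".")
        return client_ip.split(".")[:len(want)] == want
    name, pattern = client_name.lower(), pattern.lower()        # domain.addr on the host name
    return name == pattern or name.endswith("." + pattern)


def is_whitelisted(entries, matcher, *args):
    """True if any non-blank, non-comment whitelist line matches."""
    return any(matcher(line.strip(), *args)
               for line in entries if line.strip() and not line.lstrip().startswith("#"))


# Constructed sample entries in the whitelist syntax described above
WHITELIST_RECIPIENTS = ["# no greylisting for these", "postmaster@", "abuse@",
                        "lists.example.com", "/^noreply.*@example\\.net$/"]
WHITELIST_CLIENTS = ["192.168.1.0/24", "10.0.", "mail.example.org",
                     "/^mx[0-9]+\\.bigisp\\.example$/"]
```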
Auto-whitelisting clients
With the option --auto-whitelist-clients a client IP address will be automatically whitelisted if the
following conditions are met:
• At least 5 successful attempts of delivering a mail (after greylisting was done). That number can be
changed by specifying a number after the --auto-whitelist-clients argument. Only one attempt per hour
counts.
• The client was last seen before --max-age days (35 per default).
Greylist Action
To set the action to be returned to postfix when a message fails postgrey's tests and should be deferred,
use the --greylist-action=ACTION option.
By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to check the rest of the restrictions
and defer the message only if it would otherwise be accepted. A delay action of 451 causes postfix to
always defer the message with an SMTP reply code of 451 (temp fail).
See the postfix manual page access(5) for a discussion of the actions allowed.
Greylist Text
When a message is greylisted, an error message like this will be sent at the SMTP level:
Greylisted, see http://postgrey.schweikert.ch/help/example.com.html
Usually no user should see that error message; the idea of the URL is to provide some help to system
administrators seeing that message, or to users of broken mail clients which try to send mails directly
and get a greylisting error. Note that the default help URL contains the original recipient domain
(example.com), so that domain-specific help can be presented to the user (the default page says to
contact postmaster@example.com).
You can change the text (and URL) with the --greylist-text parameter. The following special variables
will be replaced in the text:
%s How many seconds left until the greylisting is over (300).
%r Mail-domain of the recipient (example.com).
Greylist Header
When a message is greylisted, an additional header can be prepended to the header section of the mail:
X-Greylist: delayed %t seconds by postgrey-%v at %h; %d
You can change the text with the --x-greylist-header parameter. The following special variables will be
replaced in the text:
%t How many seconds the mail has been delayed due to greylisting.
%v The version of postgrey.
%d The date.
%h The host.
Privacy
The --privacy option enables the use of a SHA1 hash function to store IPs and emails in the greylisting
database. This defeats straightforward attempts to retrieve mail user behaviours from the database.
SEE ALSO
See <http://www.greylisting.org/> for a description of what greylisting is and
<http://www.postfix.org/SMTPD_POLICY_README.html> for a description of how Postfix policy servers work.