Greylisting is yet another way of keeping your mailbox from filling up with spam. A well-known spam-fighting program is SpamAssassin, which filters emails. Greylisting won't replace such software, but it acts as a powerful proactive barrier that reduces the amount of spam getting through your mail server.
Greylisting is a great way of fighting spam. The basic idea behind it is that spammers' mail servers do not respect the RFC specifications, which say that when an email could not be delivered, the sending mail server should try again later. Because they send so many emails, spammers can't afford to spend many resources on resending emails that could not be delivered, so if an email could not be delivered the first time, they won't send it again.
Based on this idea, greylisting simply rejects any untrusted mail domain with a 450 response code, which means "I can't deal with your request now, please try again later".
As spam mail servers are usually not RFC compliant, they won't try again and therefore you won't get the spam.
Postgrey is a postfix policy server implementing greylisting.
It is really easy to integrate with postfix and is really effective.
Postgrey's approach is to keep a record of the triplet CLIENT_IP / SENDER / RECIPIENT. If this is the first time the triplet is seen, or if it was first seen less than 5 minutes ago, the triplet is greylisted and the email is rejected with a temporary error. If the same triplet is seen again after 5 minutes and within 35 days, the email gets through.
Note that the 5 minutes and 35 days are default values. Later on, I will explain how to change those.
Postgrey is packaged by default on Debian/Ubuntu, so it is fairly easy to install. You simply need to run:
$ sudo apt-get install postgrey
On Debian-like systems, postgrey works out of the box. By default it is bound to the loopback interface (127.0.0.1) on port 60000, so the postgrey service is not reachable from the outside.
Now we need to tell postfix to use the postgrey policy server.
As I said earlier, it is really easy to integrate postgrey with postfix (you also need at least postfix 2.1). It all happens in /etc/postfix/main.cf. So open /etc/postfix/main.cf and make sure check_policy_service inet:127.0.0.1:60000 is added at the end of smtpd_recipient_restrictions, so you get something like:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
Note that your settings might be a bit different.
Reload postfix:
$ sudo /etc/init.d/postfix reload
and there you go, you now have a working greylisting policy. Postfix is going to start temporarily rejecting new incoming emails and you will start seeing log lines such as:
Nov 23 21:42:10 mymailserver postfix/smtpd[4256]: NOQUEUE: reject: RCPT from spammerrelay.com[xxx.xxx.xxx.xxx]: 450 <recipient@spammed.com>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/spammed.com.html); from=<sender@spammer.com> to=<recipient@spammed.com> proto=ESMTP helo=<spammerrelay.com>
From now on, the amount of spam reaching your inbox is going to be drastically reduced.
Now it is time to dig a bit deeper into postgrey for those who want to tweak it.
There are two main configuration files in /etc/postgrey: whitelist_clients and whitelist_recipients.
In whitelist_clients, you can define a list of mail servers that you do not want to greylist, either because they are hosts you trust or because greylisting them causes problems.
Client addresses can be specified as follows:
In whitelist_recipients, you can specify a list of recipients to which you do not want to apply greylisting.
Recipient addresses can be specified as follows:
Earlier on, I told you that postgrey greylists mail for 5 minutes if it is the first time the triplet client_ip/sender/recipient has been seen, or if the last time the triplet was seen was more than 35 days ago.
Well, those settings can be changed when starting the postgrey daemon. On a Debian-like system, those settings are in /etc/default/postgrey.
By default, this file contains:
POSTGREY_OPTS="--inet=127.0.0.1:60000"
Now let's imagine you want to greylist mails for 2 minutes, and allow a known triplet to bypass greylisting if it successfully went through greylisting less than 20 days ago. You will need the following settings:
POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20"
Postgrey also offers a neat feature: the ability to whitelist triplets that have successfully delivered mail 5 times (the default value) after passing greylisting, provided the client was last seen within --max-age.
The default value can be changed with --auto-whitelist-clients. Setting it to 0 disables the feature.
If you want to override that value, modify /etc/default/postgrey as above and set --auto-whitelist-clients to your needs, for instance:
POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20 --auto-whitelist-clients=10"
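To make the triplet logic, the --delay / --max-age window and the auto-whitelist threshold concrete, here is a small in-memory model of the decision postgrey makes for each RCPT TO. This is an added example written for this article, not postgrey's own code: it reads the Postfix policy delegation request format (one key=value attribute per line, an empty line ends the request), keeps the CLIENT_IP / SENDER / RECIPIENT state in a dictionary where postgrey uses a Berkeley DB, assumes the auto-whitelist counter is kept per client (matching the option name --auto-whitelist-clients), and takes the clock as a parameter so the delay and expiry paths can be exercised without waiting. The request text in the `__main__` block is constructed for the example.

```python
"""Simplified model of postgrey's greylisting decision (added example,
not postgrey's own code). Times are unix seconds passed in by the caller."""
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class Greylister:
    delay: int = 300            # --delay, seconds (postgrey default: 5 minutes)
    max_age: int = 35           # --max-age, days (postgrey default)
    auto_whitelist: int = 5     # --auto-whitelist-clients (0 disables)
    # (client_ip, sender, recipient) -> (first_seen, last_seen)
    triplets: dict = field(default_factory=dict)
    # client_ip -> number of deliveries that passed greylisting (assumed per-client)
    passes: dict = field(default_factory=dict)
    whitelisted: set = field(default_factory=set)

    def decide(self, client_ip, sender, recipient, now):
        """Return the Postfix policy action for one RCPT TO."""
        if client_ip in self.whitelisted:
            return "action=DUNNO"      # let the remaining restrictions decide
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)
        # A record not seen for more than --max-age days expires, so the
        # triplet is treated as brand new again.
        if entry is not None and now - entry[1] > self.max_age * DAY:
            entry = None
        if entry is None:
            self.triplets[key] = (now, now)
            return self._defer(self.delay)
        first_seen, _ = entry
        self.triplets[key] = (first_seen, now)
        waited = now - first_seen
        if waited < self.delay:
            return self._defer(self.delay - waited)
        # The sender retried after the delay: count it towards the client's
        # auto-whitelist threshold, then let the mail through.
        if self.auto_whitelist:
            self.passes[client_ip] = self.passes.get(client_ip, 0) + 1
            if self.passes[client_ip] >= self.auto_whitelist:
                self.whitelisted.add(client_ip)
        return "action=DUNNO"

    @staticmethod
    def _defer(seconds):
        # DEFER_IF_PERMIT makes Postfix answer 450 unless a later restriction
        # rejects outright; the text ends up in the smtpd log line.
        return f"action=DEFER_IF_PERMIT Greylisted for {int(seconds)} seconds"

    def handle(self, raw_request, now):
        """Parse one policy request and return the response, blank line included."""
        attrs = {}
        for line in raw_request.splitlines():
            if line == "":
                break
            key, _, value = line.partition("=")
            attrs[key] = value
        action = self.decide(attrs.get("client_address", ""),
                             attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
        return action + "\n\n"


if __name__ == "__main__":
    # Constructed request, as Postfix would send it over the policy socket.
    request = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "client_address=203.0.113.5\nsender=alice@example.org\n"
               "recipient=bob@example.net\n\n")
    g = Greylister()
    for t in (1000, 1100, 1400):          # first try, too-early retry, good retry
        print(t, g.handle(request, t).strip())
```

Running it prints a deferral of 300 seconds, a deferral of the remaining 200 seconds, and finally DUNNO once the retry arrives after the delay; with --max-age=20 and --delay=120 as in the settings above you would construct `Greylister(delay=120, max_age=20)`.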
Postgrey ships with a tool called postgreyreport. Using postgreyreport you can get a report of the triplets that did not pass the greylisting step (meaning that the difference between the first and last time they were seen is less than --delay=N, and therefore they might have been spam).
To get a report, you can use the following command line:
# cat /var/log/mail.log | postgreyreport \
--nosingle_line --check_sender=mx,a --show_tries \
--separate_by_subnet=":===============================================================================================\n"
This will output something like:
:===============================================================================================
unknown XXX.XXX.XXX.XXX
1 spammer1@spammer1.com user1@host1.com
1 spammer2@spammer2.com user2@host2.com
1 spammer3@spammer3.com user3@host3.com
:===============================================================================================
unknown YYY.YYY.YYY.YYY
1 spammer4@spammer4.com user4@domain1.com
:===============================================================================================
unknown ZZZ.ZZZ.ZZZ.ZZZ
1 spammer5@spammer5.com user1@host1.com
1 spammer6@spammer6.com user1@host1.com
1 spammer7@spammer7.com user2@host2.com
:===============================================================================================
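If you want to see what postgreyreport is working from, the raw material is the "Greylisted" NOQUEUE lines that Postfix writes to mail.log (the format is the one in the log line shown earlier). The following is an added example, not part of postgrey or postgreyreport: it parses those lines, groups the triplets by client IP and prints them in the same layout as the report above. Unlike postgreyreport it does not check whether a triplet later came back and passed, so it lists every greylisting rejection. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Group greylisting rejections from a Postfix mail log by client.
Added example for this article; not postgrey's or postgreyreport's code."""
import re
from collections import Counter, defaultdict

# Matches the smtpd NOQUEUE line Postfix logs when postgrey defers a recipient.
GREYLIST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 450 .*?Greylisted for "
    r"(?P<secs>\d+) seconds.*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

SEP = ":" + "=" * 95

# Constructed sample log: two clients get greylisted, one accepted message and
# one unrelated relay rejection are present to show they are ignored.
SAMPLE_LOG = """\
Nov 23 21:42:10 mx postfix/smtpd[4256]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <user1@example.net>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/example.net.html); from=<bulk@example.com> to=<user1@example.net> proto=ESMTP helo=<mail.example.com>
Nov 23 21:42:11 mx postfix/smtpd[4256]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 <user2@example.net>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/example.net.html); from=<bulk@example.com> to=<user2@example.net> proto=ESMTP helo=<mail.example.com>
Nov 23 21:50:02 mx postfix/smtpd[4301]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.4]: 450 <user1@example.net>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/example.net.html); from=<alice@example.org> to=<user1@example.net> proto=ESMTP helo=<relay.example.org>
Nov 23 21:55:40 mx postfix/smtpd[4310]: 9A1B2C3D4E: client=relay.example.org[198.51.100.4]
Nov 23 21:56:00 mx postfix/smtpd[4312]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 554 5.7.1 <user3@example.net>: Relay access denied; from=<x@example.org> to=<user3@example.net> proto=ESMTP helo=<mail.example.net>
"""


def parse_greylist_line(line):
    """Return the triplet fields of a greylisting rejection, or None."""
    m = GREYLIST_RE.search(line)
    if m is None:
        return None
    return {"host": m.group("host"), "ip": m.group("ip"),
            "sender": m.group("sender").lower(), "rcpt": m.group("rcpt").lower(),
            "secs": int(m.group("secs"))}


def summarize(log_text):
    """Map client IP -> {'host': name, 'triplets': Counter((sender, rcpt))}."""
    summary = defaultdict(lambda: {"host": "unknown", "triplets": Counter()})
    for line in log_text.splitlines():
        rec = parse_greylist_line(line)
        if rec is None:
            continue
        summary[rec["ip"]]["host"] = rec["host"]
        summary[rec["ip"]]["triplets"][(rec["sender"], rec["rcpt"])] += 1
    return dict(summary)


def format_report(summary):
    """Render the summary in the postgreyreport-like layout used above."""
    out = []
    for ip, info in sorted(summary.items()):
        out.append(SEP)
        out.append(f"{info['host']} {ip}")
        for (sender, rcpt), n in sorted(info["triplets"].items()):
            out.append(f"{n} {sender} {rcpt}")
    out.append(SEP)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

Against a real log you would read /var/log/mail.log (or a rotated copy) into `summarize`; clients that show many distinct triplets with a count of 1 and no later acceptance are the ones postgreyreport flags.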
Postgrey is really easy to install and does a pretty efficient job as soon as you enable it. The only drawback one could see is that the first email from a specific sender is going to be delayed for at least 5 minutes (or your --delay setting).
If this is an issue for you, feel free to add a list of trusted (whitelisted) sender domains to /etc/postgrey/whitelist_clients.
But anyway, if you can bear the 5 minutes, the people you exchange mail with often will soon end up in the auto-whitelisted entries and you won't suffer the delay anymore.