Debian/Ubuntu Tips and Tricks

Debuntu

Postfix and Postgrey: A proactive approach to spam filtering — page 2

Posted by chantra on November 23rd, 2006

This entry is part 2 of 2 in the series Postfix and Postgrey: A proactive approach to spam filtering

4. Tweaking up Postgrey

4.1. Postgrey Configuration files

There are two main configuration files in /etc/postgrey: whitelist_clients and whitelist_recipients.

In whitelist_clients, you define the list of mail servers that you do not want to greylist, either because they are hosts you trust or because greylisting them would be a problem.
Client addresses can be specified as follows:

  • domain.addr : the fully qualified domain name
  • WWW.XXX.YYY.ZZZ : an IP address
  • /regex/ : a regular expression

In whitelist_recipients, you specify the list of recipients to which greylisting should not be applied.
Recipient addresses can be specified as follows:

  • domain.addr : a fully qualified domain
  • name@ : every "name" user at any domain, as well as extended addresses such as name+foo@.*
  • name@domain : mail for name@domain, as well as its extended addresses
  • /regex/ : a regular expression

4.2. postgrey daemon options

Earlier on, I told you that postgrey greylists a mail for 5 minutes if it is the first time the triplet client_ip/sender/recipient has been seen, or if the last time the triplet was seen was more than 35 days ago.

Those settings can be changed when starting the postgrey daemon. On a Debian-like system, they are set in /etc/default/postgrey.

By default, this file contains:

POSTGREY_OPTS="--inet=127.0.0.1:60000"

Now let's imagine you want to greylist mails for 2 minutes and allow a known triplet to bypass greylisting if it successfully went through greylisting less than 20 days ago. You will need the following settings:

POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20"

Postgrey also offers a neat feature: it automatically whitelists a client once its triplets have successfully delivered mail 5 times (the default) after greylisting, provided the client was last seen within --max-age.
The default value can be changed with --auto-whitelist-clients; setting it to 0 disables the feature.
To override that value, modify /etc/default/postgrey as above and set --auto-whitelist-clients to your needs, for instance:

POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20 --auto-whitelist-clients=10"
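To make the interplay of --delay, --max-age and --auto-whitelist-clients concrete, here is a small Python model of the triplet decision (an added example, not postgrey's own code): it keeps state in memory, takes times as epoch seconds, and its reason strings are assumed to mirror postgrey's log wording.

```python
DAY = 86400  # --max-age is given in days


class Greylister:
    """In-memory model of the triplet logic described above; not postgrey's
    own code. Reason strings mirror postgrey's log wording (assumption)."""

    def __init__(self, delay=300, max_age=35, auto_whitelist=5):
        self.delay = delay                    # --delay, seconds
        self.max_age = max_age                # --max-age, days
        self.auto_whitelist = auto_whitelist  # --auto-whitelist-clients, 0 = off
        self.triplets = {}   # (ip, sender, rcpt) -> [first_seen, last_seen]
        self.client_ok = {}  # ip -> successful deliveries after greylisting
        self.awl = set()     # client IPs that were auto-whitelisted

    def check(self, ip, sender, rcpt, now):
        """Decide one delivery attempt at epoch time `now`: (action, reason)."""
        if ip in self.awl:
            return "pass", "client AWL"
        key = (ip, sender.lower(), rcpt.lower())
        entry = self.triplets.get(key)
        # A triplet last seen more than --max-age days ago is forgotten,
        # so the next attempt is greylisted again as if it were new.
        if entry and now - entry[1] > self.max_age * DAY:
            del self.triplets[key]
            entry = None
        if entry is None:
            self.triplets[key] = [now, now]
            return "greylist", "new"
        entry[1] = now
        # Retries arriving before --delay seconds have elapsed since the
        # first attempt are still rejected with a temporary error.
        if now - entry[0] < self.delay:
            return "greylist", "early-retry"
        # Passed: count it towards the client's automatic whitelisting.
        self.client_ok[ip] = self.client_ok.get(ip, 0) + 1
        if self.auto_whitelist and self.client_ok[ip] >= self.auto_whitelist:
            self.awl.add(ip)
        return "pass", "triplet found"


if __name__ == "__main__":
    # The settings from above: --delay=120 --max-age=20 --auto-whitelist-clients=10
    g = Greylister(delay=120, max_age=20, auto_whitelist=10)
    t = ("192.0.2.25", "alice@example.com", "bob@example.org")  # constructed
    for offset in (0, 60, 130):  # first try, too-early retry, successful retry
        print(offset, g.check(*t, now=1_000_000 + offset))
```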

5. Getting a postgrey report

Postgrey ships with a tool called postgreyreport. With it you can get a report of the triplets that did not pass the greylisting step (meaning that the difference between the first and last time they were seen is less than --delay=N, so they might have been spam).
To get a report, you can use the following command line:

# cat /var/log/mail.log | postgreyreport \
--nosingle_line --check_sender=mx,a --show_tries \
--separate_by_subnet=":===============================================================================================\n"

This will output something like:

:===============================================================================================
unknown XXX.XXX.XXX.XXX
1 spammer1@spammer1.com user1@host1.com
1 spammer2@spammer2.com user2@host2.com
1 spammer3@spammer3.com user3@host3.com
:===============================================================================================
unknown YYY.YYY.YYY.YYY
1 spammer4@spammer4.com user4@domain1.com
:===============================================================================================
unknown ZZZ.ZZZ.ZZZ.ZZZ
1 spammer5@spammer5.com user1@host1.com
1 spammer6@spammer6.com user1@host1.com
1 spammer7@spammer7.com user2@host2.com
:===============================================================================================
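As an added example (not the postgreyreport tool itself), the following Python script does the core of what the command above does, on a few constructed postgrey log lines: it keeps the triplets that never reached action=pass, counts their tries and groups them by /24 subnet. The log format follows postgrey's key=value lines; IPv4 clients are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of postgrey log lines (addresses are documentation ranges).
SAMPLE_LOG = """\
Nov 23 10:00:01 mx postgrey[4242]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=spammer1@example.net, recipient=user1@example.org
Nov 23 10:00:02 mx postgrey[4242]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.11, sender=spammer2@example.net, recipient=user1@example.org
Nov 23 10:00:03 mx postgrey[4242]: action=greylist, reason=new, client_name=mail.example.com, client_address=198.51.100.5, sender=friend@example.com, recipient=user2@example.org
Nov 23 10:00:30 mx postgrey[4242]: action=greylist, reason=early-retry, client_name=unknown, client_address=203.0.113.10, sender=spammer1@example.net, recipient=user1@example.org
Nov 23 10:06:10 mx postgrey[4242]: action=pass, reason=triplet found, delay=367, client_name=mail.example.com, client_address=198.51.100.5, sender=friend@example.com, recipient=user2@example.org
"""

LINE_RE = re.compile(r"postgrey\[\d+\]: (.*)$")


def parse_line(line):
    """Return the key=value fields of one postgrey decision line, or None
    (other postgrey messages, e.g. database cleanup notices, are skipped)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(1).split(", ") if "=" in kv)
    return fields if "action" in fields and "client_address" in fields else None


def failed_triplets(log_text):
    """(client_address, sender, recipient) -> greylisted tries, for triplets
    that never got an action=pass line (the ones postgreyreport lists)."""
    tries = defaultdict(int)
    passed = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        key = (f["client_address"], f["sender"], f["recipient"])
        if f["action"] == "pass":
            passed.add(key)
        elif f["action"] == "greylist":
            tries[key] += 1
    return {k: n for k, n in tries.items() if k not in passed}


def report_by_subnet(log_text):
    """Group failed triplets by /24 (IPv4 assumed), like --separate_by_subnet."""
    groups = defaultdict(list)
    for (ip, sender, rcpt), n in sorted(failed_triplets(log_text).items()):
        groups[ip.rsplit(".", 1)[0]].append((n, ip, sender, rcpt))
    return dict(groups)
```

On a real system, pass the contents of /var/log/mail.log to report_by_subnet() instead of SAMPLE_LOG; each row is (tries, client IP, sender, recipient).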

6. Conclusion

Postgrey is really easy to install and does a pretty efficient job as soon as you enable it. The only drawback one could see is that the first email from a specific sender is delayed for at least 5 minutes (or your --delay setting).
If this is an issue for you, feel free to add a list of trusted (whitelisted) sender domains to /etc/postgrey/whitelist_clients.
But if you can bear the 5 minutes, the people you exchange mail with often will soon end up in the auto-whitelisted entries and you won't suffer the delay anymore.

2 Responses to “Postfix and Postgrey: A proactive approach to spam filtering — page 2”

  1. I've used Postgrey but it whitelisted a spam message. With this mail log below, how can I tell Postgrey by saying "hey Postgrey, this is spam and I want this blacklisted." ?

    Oct 18 07:05:27 server1 postgrey[6283]: action=pass, reason=triplet found, delay=10948, client_name=unknown, client_address=202.125.41.250, sender=patty_foster[at]cellandeskincare.com, recipient=gp-at-graysonpeddie.com

    It seems the spammer did bother to try again. Here's the previous log:

    Oct 18 04:03:04 server1 postfix/smtpd[7031]: NOQUEUE: reject: RCPT from unknown[202.125.41.250]: 450 4.2.0 <gp-at-graysonpeddie-dot-com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/graysonpeddie.com.html; from=<patty_foster-at-cellandeskincare.com> to=<gp-at-graysonpeddie-dot-com> proto=ESMTP helo=<server.able2host.com>

    • It is a long time since I used postgrey, but if I remember correctly, postgrey does not blacklist. If a triplet is seen a given number of times, it will be whitelisted.

      You might want to add a layer of RBL; this can be very efficient.
