Postfix and Postgrey: A proactive approach to spam filtering — page 2


4. Tweaking up Postgrey

4.1. Postgrey Configuration files

There are two main configuration files in /etc/postgrey: whitelist_clients and whitelist_recipients.

In whitelist_clients, you can define a list of mail servers that you do not want to greylist, either because they are hosts that you trust or because greylisting them causes problems.

Client addresses can be specified as follows:

  • domain.addr : the fully qualified domain name
  • WWW.XXX.YYY.ZZZ : an IP address
  • /regex/ : a regular expression

In whitelist_recipients, you can specify a list of recipients for which you do not want greylisting applied.

Recipient addresses can be specified as follows:

  • domain.addr : a fully qualified domain
  • name@ : every “name” user for any domain, as well as extended addresses like name+foo@.*
  • name@domain.addr : mails for name@domain.addr as well as extended addresses
  • /regex/ : a regular expression

4.2. postgrey daemon options

Earlier on, I told you that postgrey greylists mail for 5 minutes if it is the first time a client_ip/sender/recipient triplet has been seen, or if the triplet was last seen more than 35 days ago.

Those settings can be changed when starting the postgrey daemon. On a Debian-like system, they are in /etc/default/postgrey.

By default, this file contains:

POSTGREY_OPTS="--inet=127.0.0.1:60000"

Now let’s imagine you want to greylist mails for 2 minutes, and allow a known triplet to bypass greylisting if it successfully went through greylisting less than 20 days ago. You will need the following settings:

POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20"

Postgrey also offers a neat feature: the ability to whitelist triplets that have successfully delivered mail 5 times (the default value) after greylisting was done, provided the client was last seen less than --max-age days ago.

The default value can be changed with --auto-whitelist-clients. Setting this to 0 disables the feature.

To override that value, modify /etc/default/postgrey as above and set --auto-whitelist-clients to suit your needs, for instance:

POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120 --max-age=20 --auto-whitelist-clients=10"
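
How --delay, --max-age and --auto-whitelist-clients interact can be modelled in a few lines of Python. This is an added example, not postgrey's own code (postgrey is written in Perl): GreylistModel, its storage layout and the sample traffic are constructed for illustration, and it assumes the auto-whitelist counter is kept per client IP, as the option name suggests.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class GreylistModel:
    """Simplified model of the decision described above (hypothetical names)."""
    delay: int = 300                 # --delay (seconds)
    max_age: int = 35                # --max-age (days)
    auto_whitelist_clients: int = 5  # --auto-whitelist-clients (0 disables)
    triplets: dict = field(default_factory=dict)  # triplet -> [first_seen, last_seen]
    clients: dict = field(default_factory=dict)   # client_ip -> (passed_count, last_seen)

    def _fresh(self, last_seen, now):
        return now - last_seen <= self.max_age * DAY

    def check(self, client_ip, sender, recipient, now):
        """Return 'pass' or 'defer' for one delivery attempt at epoch second `now`."""
        count, seen = self.clients.get(client_ip, (0, now))
        if not self._fresh(seen, now):
            count = 0                              # client entry expired
        n = self.auto_whitelist_clients
        if n and count >= n:
            self.clients[client_ip] = (count, now)
            return "pass"                          # auto-whitelisted client
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)
        if entry is None or not self._fresh(entry[1], now):
            self.triplets[key] = [now, now]        # unknown or expired triplet
            return "defer"
        entry[1] = now
        if now - entry[0] < self.delay:
            return "defer"                         # retried before --delay elapsed
        self.clients[client_ip] = (count + 1, now)
        return "pass"

def demo():
    # Constructed traffic. Settings follow the POSTGREY_OPTS example above,
    # except auto_whitelist_clients=2 to keep the trace short.
    g = GreylistModel(delay=120, max_age=20, auto_whitelist_clients=2)
    a = ("192.0.2.10", "alice@example.org", "bob@example.net")
    trace = [g.check(*a, now=t) for t in (0, 60, 130, 200)]
    # Same client, never-seen triplet: passes, the client is auto-whitelisted.
    trace.append(g.check("192.0.2.10", "carol@example.org", "bob@example.net", now=300))
    # Another client goes idle for 21 days after passing: greylisted again.
    b = ("198.51.100.7", "dave@example.com", "bob@example.net")
    trace += [g.check(*b, now=t) for t in (1000, 1500, 1500 + 21 * DAY)]
    return trace
```

Calling demo() returns the decision for each attempt in order, which makes it easy to see the effect of changing one option before editing /etc/default/postgrey.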

5. Getting postgrey report

Postgrey ships with a tool called postgreyreport. Using postgreyreport, you can get a report of the triplets that did not pass the greylisting step (meaning that the difference between the first and last time seen is less than --delay=N, and therefore the mail might have been spam).

To get a report, you can use the following command line:

#cat /var/log/mail.log | postgreyreport \
 --nosingle_line --check_sender=mx,a --show_tries \
 --separate_by_subnet=":===============================================================================================\n"

This will output something like:

:===============================================================================================
 unknown XXX.XXX.XXX.XXX
 1 [email protected] [email protected]
 1 [email protected] [email protected]
 1 [email protected] [email protected]
 :===============================================================================================
 unknown YYY.YYY.YYY.YYY
 1 [email protected] [email protected]
 :===============================================================================================
 unknown ZZZ.ZZZ.ZZZ.ZZZ
 1 [email protected] [email protected]
 1 [email protected] [email protected]
 1 [email protected] [email protected]
 :===============================================================================================

6. Conclusion

Postgrey is really easy to install, and it does a pretty efficient job as soon as you enable it. The only drawback one could see is that the first email from a specific sender is going to be delayed for at least 5 minutes (or your --delay setting).

If this is an issue for you, feel free to add a list of trusted (whitelisted) sender domains in /etc/postgrey/whitelist_clients.

But anyway, if you can bear the 5 minutes, the people you often exchange mail with will soon get into the auto-whitelisted entries and you won’t suffer the delay anymore.