3.4. Greylisting with postgrey

Greylisting is one of the most effective methods of getting rid of SPAM. The receiving SMTP server using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate the originating server will, after a delay, try again and, if sufficient time has elapsed, the email will be accepted. If the mail is from a spam sender, sending to many thousands of email addresses, it will probably not be retried. More info about greylisting can be found here.

Greylisting can be used with postfix by using policies and are usually written in PERL. Postgrey is also written in PERL and the connection between postfix and postgrey can be made through a local socket or through a inet socket, so the postgrey policy server can run on a different machine.

Installation of postgrey in CentOS is straightforward, it requires just a simple yum command and a very simple configuration. Since this is a non-standard package, the rpmforge reporitory should be already included into yum configuration.

CentOS postgrey installation

# yum install postgrey
Loaded plugins: downloadonly, fastestmirror, kernel-module, priorities, protectbase, versionlock
Loading mirror speeds from cached hostfile
 * epel: mirrors.adnettelecom.ro
 * rpmforge: ftp-stud.fht-esslingen.de
 * base: ftp.iasi.roedu.net
 * updates: ftp.iasi.roedu.net
 * addons: ftp.iasi.roedu.net
 * extras: ftp.iasi.roedu.net
epel                                                                                               | 3.7 kB     00:00    
rpmforge                                                                                           | 1.1 kB     00:00    
primary.xml.gz                                                                                     | 2.2 MB     00:09    
rpmforge                                                       10345/10345
base                                                                                               | 2.1 kB     00:00    
updates                                                                                            | 1.9 kB     00:00    
addons                                                                                             |  951 B     00:00    
extras                                                                                             | 2.1 kB     00:00    
3575 packages excluded due to repository priority protections
0 packages excluded due to repository protections
Reading version lock configuration
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package postgrey.noarch 0:1.33-1.el5.rf set to be updated
--> Processing Dependency: perl(BerkeleyDB) for package: postgrey
--> Processing Dependency: perl(IO::Multiplex) for package: postgrey
--> Processing Dependency: perl(Net::Server::Daemonize) for package: postgrey
--> Processing Dependency: perl(Net::Server::Multiplex) for package: postgrey
--> Processing Dependency: perl(Net::Server) for package: postgrey
--> Running transaction check
---> Package perl-IO-Multiplex.noarch 0:1.08-5.el5 set to be updated
---> Package perl-BerkeleyDB.i386 0:0.32-1.el5 set to be updated
---> Package perl-Net-Server.noarch 0:0.96-2.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
 Package                           Arch                   Version                          Repository                Size
==========================================================================================================================
Installing:
 postgrey                          noarch                 1.33-1.el5.rf                    rpmforge                  45 k
Installing for dependencies:
 perl-BerkeleyDB                   i386                   0.32-1.el5                       epel                     151 k
 perl-IO-Multiplex                 noarch                 1.08-5.el5                       epel                      20 k
 perl-Net-Server                   noarch                 0.96-2.el5                       epel                     154 k

Transaction Summary
==========================================================================================================================
Install      4 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)        

Total download size: 370 k
Is this ok [y/N]: y

Postgrey uses few configuration files:
/etc/sysconfig/postgrey : to set parameters for the postgrey process
/etc/postfix/whitelist_clients : the list the sender addresses for which greylisting will not be used, usually contains servers known to behave improperly when sending mail, eg. lack of a sending queue
/etc/postfix/whitelist_clients.local : the list of the local additions to the above list.
/etc/postfix/whitelist_recipients : the list of the local e-mail addresses for which greylisting will not be used and the e-mail will pass without being delayed.

To use postgrey on the same machine as the postfix SMTP server, it's fine to start postgrey using a socket. So, i configure postgrey with the following parameters:

/etc/sysconfig/postgrey contents

OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=300 --greylist-text='Greylisting in progress, retry after %s seconds. See http://postgrey.schweikert.ch/help/%r.html for details.'"

The parameters listed above specify where should be placed the socket, what is the duration before the first sending attempt and the time when message will be accepted and a slightly modified response message for the SMTP clients, informing them how much time to wait before retrying.

After the initial configuration, the process should be started.

Starting postgrey

# chkconfig --levels 345 postgrey on
# service postgrey start

Integrating postgrey into postfix

postfix configuration needs just a small adjustment to take postgrey into consideration. It should have a supplemental check included at 'smtpd_recipient_restrictions'

main.cf - postgrey integration

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:postgrey/socket,
    permit


And, finally, postfix configuration should be re-read:

Enabling new postfix configuration

# service postfix reload


Up: Postfix installation and configuration
Prev: Postfix TLS configuration
Next: Postfixadmin installation
Comments