10 - integrate amavisd and postgrey with postfix

I have a few words about greylisting. While this is the most effective anti-spam mechanism I have ever used, greylisting may cause headaches for systems administrators: e-mail sent from a badly configured mail server may reach well-known mail servers such as Yahoo! or GMail quickly, while messages sent to the local domain are delayed at the first delivery attempt. The delay period is not under your control, since the SMTP queue retry interval is configured on the remote server. To make things worse, some e-mail hosting companies do not use queues at all, so mail to the local domain is silently not delivered at the 'first encounter'.
Use greylisting with caution and be prepared to answer questions from local users about how e-mail is received. If you don't like this, just remove the policy check from smtpd_client_restrictions and disable automatic startup for postgrey in /etc/rc.conf. It is also possible to exempt some SMTP client addresses by adding their IP addresses as exceptions in smtpd_client_restrictions.



Edit /usr/local/etc/postfix/master.cf:
smtp      inet  n       -       n       -       300      smtpd
smtps     inet  n       -       n       -       300      smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
#    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated

# Added the amavis feed service
amavisfeed unix -      -       n     -       4  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o sender_bcc_maps=
    -o receive_override_options=no_address_mappings

# Added the post-amavisd listener
127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.1/32
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

# where to receive notifications from amavisd-new?
127.0.0.1:20025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.1/32
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o milter_default_action=accept
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

   
### Tell postfix to perform content filtering using amavisd-new's socket
# postconf -e content_filter=amavisfeed:\[127.0.0.1\]:10024
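The re-injection listener on 127.0.0.1:10025 is the part of this setup that is easy to get wrong: if it keeps a content_filter, filtered mail is handed to amavisd again (a mail loop), and if it accepts more than localhost, anyone who can reach the port can inject mail that skips the filter. The following added example (not the page's or Postfix's own code) parses master.cf service entries with their "-o" overrides and checks those invariants against a constructed excerpt modelled on the configuration above.

```python
# Added example (not the page's or Postfix's own code): parse master.cf
# service entries with their "-o" overrides and check that the post-amavisd
# re-injection listener cannot loop mail back into the filter or be reached
# from anything but localhost.
import re

# Constructed master.cf excerpt modelled on the page's configuration.
SAMPLE_MASTER_CF = """\
amavisfeed unix -      -       n     -       4  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.1/32
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
"""

def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "opts": {key: value}}}."""
    services, current = {}, None
    for line in text.rstrip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line carrying a "-o key=value" override
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                services[current]["opts"][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()  # name type private unpriv chroot wakeup maxproc command
        current = f[0]
        services[current] = {"type": f[1], "command": f[7], "opts": {}}
    return services

def check_reinjection_listener(services, name="127.0.0.1:10025"):
    """Return findings for the listener amavisd hands mail back to; [] means OK."""
    svc = services.get(name)
    if svc is None:
        return [f"{name}: listener not defined"]
    opts, findings = svc["opts"], []
    if opts.get("content_filter") != "":  # unset or non-empty: mail re-enters amavisd (loop)
        findings.append(f"{name}: content_filter must be set to the empty string")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if opts.get(key) != "permit_mynetworks,reject":
            findings.append(f"{name}: {key} should be permit_mynetworks,reject")
    if opts.get("mynetworks") != "127.0.0.1/32":  # wider than localhost lets others bypass the filter
        findings.append(f"{name}: mynetworks should be 127.0.0.1/32")
    return findings
```

Feed the real file with `parse_master_cf(open("/usr/local/etc/postfix/master.cf").read())` to check a live configuration.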


### Install greylisting service if you desire
portupgrade -Np postgrey


### You may want to tune postgrey
edit 'postgrey_flags' in /etc/rc.conf to taste. I use
postgrey_flags='--daemonize --pidfile=/var/run/postgrey.pid --inet=127.0.0.1:10023 --delay=180 --user=postgrey \
    --group=postgrey --dbdir=/var/db/postgrey \
    --whitelist-clients=/usr/local/etc/postfix/postgrey_whitelist_clients \
    --whitelist-clients=/usr/local/etc/postfix/postgrey_whitelist_clients.local \
    --greylist-text="Greylisting in action, retry after %s seconds. See http://postgrey.schweikert.ch/help/%r.html for more details."'

# Enable automatic startup for postgrey
echo 'postgrey_enable="YES"' >> /etc/rc.conf
service postgrey start



### Instruct postfix to use greylisting
Edit /usr/local/etc/postfix/main.cf and add a check_policy_service line at the end of the restriction list (smtpd_client_restrictions, or smtpd_sender_restrictions as in the example below):
smtpd_sender_restrictions =
    check_sender_access regexp:/usr/local/etc/postfix/tag_as_originating.re,
    check_banned_recipients,
    check_banned_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_sender_login_mismatch,
    reject_spf_invalid_sender,
    check_sender_access regexp:/usr/local/etc/postfix/tag_as_foreign.re,
    check_policy_service inet:127.0.0.1:10023
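What check_policy_service actually does is send a block of "name=value" lines to 127.0.0.1:10023 for every recipient and act on the "action=" reply. The following added example (not postgrey's code) models that exchange with a greylist decision using the page's --delay=180 and a client whitelist, so the first-encounter deferral described at the top of this page can be traced step by step; the whitelist entry 192.0.2.25, the in-memory triplet store and the sample request are constructed, and the whitelist is plain IP matching rather than postgrey's CIDR/regex handling.

```python
# Added example (not postgrey's code): a minimal model of the Postfix policy
# delegation protocol that check_policy_service speaks to 127.0.0.1:10023, with
# a greylist decision using the page's --delay=180 and a client whitelist.
# The whitelist entry, the in-memory triplet store and the request are constructed.
import time

DELAY = 180                          # seconds, matching --delay=180 in postgrey_flags
WHITELIST_CLIENTS = {"192.0.2.25"}   # constructed stand-in for postgrey_whitelist_clients

def parse_policy_request(raw):
    """Parse one 'name=value' per line request terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Greylister:
    def __init__(self, delay=DELAY, whitelist=WHITELIST_CLIENTS):
        self.delay, self.whitelist, self.seen = delay, whitelist, {}

    def decide(self, attrs, now):
        """Return the policy reply ('action=...') for a parsed request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO"
        client = attrs.get("client_address", "")
        if client in self.whitelist:
            return "action=DUNNO"        # whitelisted clients are never delayed
        # postgrey keys its state on the (client, sender, recipient) triplet
        triplet = (client, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        first_seen = self.seen.setdefault(triplet, now)
        remaining = self.delay - (now - first_seen)
        if remaining > 0:
            # DEFER_IF_PERMIT: temporary 4xx failure unless a later restriction rejects anyway
            return f"action=DEFER_IF_PERMIT Greylisting in action, retry after {int(remaining)} seconds"
        return "action=DUNNO"            # delay has elapsed; let the remaining restrictions decide

    def handle(self, raw, now=None):
        """Full exchange: raw request text in, reply text (terminated by an empty line) out."""
        now = time.time() if now is None else now
        return self.decide(parse_policy_request(raw), now) + "\n\n"

# Constructed request as Postfix would send it for one delivery attempt.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=203.0.113.7\n"
    "sender=alice@example.org\nrecipient=bob@example.net\n\n"
)
```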
