Greylisting
For a overview what greylisting does, have a look at www.greylisting.org/
There are several greylisting daemons for Postfix available. I stick to David Schweikert's Postgrey or to Lionel Bouton's SQLgrey in combination with it's web-interface http://www.vanheusden.com/sgwi/
Postgrey
Postgrey greylisting daemon
perldoc postgrey:
postgrey - Postfix Greylisting Policy Server
SYNOPSIS
<postgrey> [<options>...]
-h, --help display this help and exit
--version output version information and exit
-v, --verbose increase verbosity level
-u, --unix=PATH listen on unix socket PATH
-i, --inet=[HOST:]PORT listen on PORT, localhost if HOST is not specified
-d, --daemonize run in the background
--pidfile=PATH put daemon pid into this file
--user=USER run as USER (default: postgrey)
--group=GROUP run as group GROUP (default: nogroup)
--dbdir=PATH put db files in PATH (default: /var/spool/postfix/postgrey)
--delay=N greylist for N seconds (default: 300)
--max-age=N delete entries older than N days since the last time
that they have been seen (default: 35)
--retry-window=N allow only N days for the first retrial (default: 2)
append 'h' if you want to specify it in hours
--greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
--greylist-text=TXT response when a mail is greylisted
(default: Greylisted + help url, see below)
--lookup-by-subnet strip the last 8 bits from IP addresses (default)
--lookup-by-host do not strip the last 8 bits from IP addresses
--whitelist-clients=FILE default: /etc/postfix/postgrey_whitelist_clients
--whitelist-recipients=FILE default: /etc/postfix/postgrey_whitelist_recipients
--auto-whitelist-clients=N whitelist host after first successful delievery
N is the minimal count of mails before a client is
whitelisted (turned on by default with value 5)
specify N=0 to disable.
--privacy store data using one-way hash functions
--hostname=NAME set the hostname (default: `hostname`)
--exim don't reuse a socket for more than one query (exim compatible)
Note that the --whitelist-x options can be specified multiple times,
and that per default /etc/postfix/postgrey_whitelist_clients.local is
also read, so that you can put there local entries.
- create „/etc/default/postgrey“:
# # Insert startup options here # OPTIONS="--inet=localhost:10023 --daemonize --dbdir=/var/lib/postgrey --user=postgrey --pidfile=/var/run/postgrey.pid --whitelist-clients=/etc/postfix/postgrey/postgrey_whitelist_clients --whitelist-recipients=/etc/postfix/postgrey/postgrey_whitelist_recipients"
- Put something like this in /etc/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
...
reject_unauth_destination
check_policy_service inet:127.0.0.1:10023
- Copy the provided „postgrey_whitelist_clients“ and „postgrey_whitelist_recipients“ to „/etc/postfix/“.
- Put in „/etc/postfix/postgrey_whitelist_recipients“ users that do not want greylisting.
Whitelists:
Whitelists allow you to specify client addresses or recipient address, for which no greylisting should be done. Per default postgrey will read the following files:
/etc/postfix/postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients.local /etc/postfix/postgrey_whitelist_recipients
You can specify alternative paths with the whitelist options.
Postgrey whitelists follow similar syntax rules as Postfix access tables. The following can be specified for recipient addresses:
domain.addr
"domain.addr" domain and subdomains.
name@ "name@.*" and extended addresses "name+blabla@.*".
name@domain.addr
"name@domain.addr" and extended addresses.
/regexp/ anything that matches "regexp" (the full address is matched).
The following can be specified for client addresses:
domain.addr
"domain.addr" domain and subdomains.
IP1.IP2.IP3.IP4
IP address IP1.IP2.IP3.IP4. You can also leave off one number, in which case only the first specified numbers will be checked.
/regexp/ anything that matches "regexp" (the full address is matched).
Auto-whitelisting clients: With the option auto-whitelist-clients a client IP address will be automatically whitelisted if the following conditions are met:
- At least 5 successfull attempts of delivering a mail (after greylisting was done). That number can be changed by specifying a number after the auto-whitelist-clients argument. Only one attempt per hour counts.
- The client was last seen before maxage days (35 per default).
Greylist Action:
To set the action to be returned to postfix when a message fails postgreys tests and should be deferred, use the greylistaction=ACTION option.
By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to check the rest of the restrictions and defer the message only if it would otherwise be accepted. A delay action of 451 causes postfix to always defer the message with an SMTP reply code of 451 (temp fail).
See the postfix manual page access(5) for a discussion of the actions allowed.
Greylist Text:
When a message is greylisted, an error message like this will be sent at the SMTP-level:
Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/example.com.html
Usually no user should see that error message and the idea of that URL is to provide some help to system administrators seeing that message or users of broken mail clients which try to send mails directly and get a greylisting error. Note that the default help URL contains the original recipient domain (example.com), so that domainspecific help can be presented to the user (on the default page it is said to contact postmaster@example.com)
You can change the text (and URL) with the greylisttext parameter.
The following special variables will be replaced in the text:
%s How many seconds left until the greylisting is over (300). %r Maildomain of the recipient (example.com).
Privacy:
The privacy option enable the use of a SHA1 hash function to store IPs and emails in the greylisting database. This will defeat straight forward attempts to retrieve mail user behaviours.
← zurück