milter-greylist(8)                                          milter-greylist(8)

NAME
milter-greylist - grey listing filter for sendmail

SYNOPSIS
milter-greylist [-A] [-a autowhite_delay] [-c] [-D] [-d dumpfile]
[-f configfile] [-h] [-l] [-q] [-r] [-S] [-T] [-u username[:groupname]]
[-v] [-w greylist_delay] [-L cidrmask] [-M prefixlen] [-P pidfile]
-p socket

DESCRIPTION
milter-greylist is a mail filter for sendmail that implements grey
listing, a spam filtering technique proposed by Evan Harris.

Grey listing works by assuming that, unlike legitimate MTAs, spam
engines will not retry sending their junk mail after a temporary error.
The filter always temporarily rejects mail on the first attempt and
accepts it after some time has elapsed.

If spammers ever try to resend rejected messages, we can assume they
will not stay idle between the two sends. Odds are good that the spammer
will send mail to a honeypot address and get blacklisted in a
distributed blacklist before the second attempt.

Of course, the filter can be configured not to apply grey listing to
some hosts or networks. You can whitelist friendly SMTP servers, and
you should whitelist your own network; otherwise your SMTP clients will
have real trouble sending e-mail. Whitelisting localhost is also a
must.

milter-greylist works with two files. greylist.conf is the configuration
file. It holds the whitelist of addresses that will not suffer grey list
filtering. It is read once when milter-greylist starts, and it is then
automatically reloaded whenever a new message comes in and the file has
been modified. You should not send milter-greylist a kill -1, as that
will just terminate it (libmilter works that way).

See greylist.conf(5) for documentation on the file's format.

The second file is greylist.db. milter-greylist will regularly dump
its grey list database into this file, which is used on startup to
restore the previous grey list state. If the file does not exist or is
unreadable, milter-greylist will start with an empty grey list.

The default location for the grey list database and the socket for
communicating with sendmail is /var/milter-greylist/. That directory must
be owned and writable by the user id under which milter-greylist runs.

The following options are available; if present, they override their
equivalents specified in the configuration file:

-A      Normally, milter-greylist does not greylist senders that
        succeeded SMTP AUTH. This option disables that feature and causes
        authentication to be ignored. Equivalent to the noauth option
        in the configuration file.

-a autowhite_delay
        Configure auto-whitelisting. After a tuple (sender IP, sender
        e-mail, recipient e-mail) has been accepted, other identical
        tuples will get accepted for autowhite_delay. The default is
        one day. Use zero to disable auto-whitelisting. A suffix can be
        added to specify seconds (s), minutes (m), hours (h), days (d)
        or weeks (w). Without any suffix, values are treated as seconds.
        Equivalent to the autowhite option in the configuration file.

-c      Only check the configuration file and exit. Return value is 0 if
        the configuration is valid, or an error code from <sysexits.h>
        otherwise.

-D      Do not fork; run in the foreground instead. Without this flag,
        milter-greylist will become a daemon. Equivalent to the nodetach
        option in the configuration file.

-d dumpfile
        Location of the dump file. Default is
        /var/lib/milter-greylist/db/greylist.db. Equivalent to the
        dumpfile option in the configuration file.

-f configfile
        Location of the config file. Default is /etc/mail/greylist.conf.

-h      Show usage information.

-L cidrmask
        Use cidrmask as a matching mask when checking IPv4 address
        entries in the greylist. This is intended as a workaround for
        mail farms that re-emit messages from different IP addresses.
        With -L 24, the matching mask is 255.255.255.0, and all addresses
        within the same class C network are considered the same. Default
        is -L 32, which means all addresses are considered different.

-M prefixlen
        Use prefixlen as a matching mask when checking IPv6 address
        entries in the greylist. This is intended as a workaround for
        mail farms that re-emit messages from different IP addresses.
        With -M 64, the matching mask is ffff:ffff:ffff:ffff::, and all
        addresses within the same subnet are considered the same.
        Default is -M 128, which means all IPv6 addresses are considered
        different.

-l      Enable debug output in the access-list management code.

-P pidfile
        Write the daemon's PID to pidfile. Equivalent to the pidfile
        option in the configuration file.

-p socket
        Use socket as the socket used by sendmail(8) to communicate with
        milter-greylist.

-q      Quiet mode. milter-greylist will not tell SMTP clients how much
        time they have to wait before the message will be accepted.
        Equivalent to the quiet option in the configuration file.

-r      Display milter-greylist version and build environment, then
        exit.

-S      If milter-greylist was built with SPF support, then
        SPF-compliant senders bypass greylisting. This flag causes
        messages to be greylisted regardless of whether they are
        SPF-compliant or not. Equivalent to the nospf option in the
        configuration file.

-T      Enable test mode. This alters the meaning of rcpt lines in
        greylist.conf, so that only messages sent to recipient addresses
        listed there are selected for greylisting. This option and the
        rcpt lines have been deprecated in favor of ACL, so do not use
        it.

-u username[:groupname]
        Drop root privileges and switch to username (and optionally
        groupname) credentials. Make sure this user (and group) has
        write access to greylist.db. Equivalent to the user option in
        the configuration file.

-v      Enable debug output. milter-greylist will send messages (and
        debug output if it is given the -v flag) to syslogd(8) with
        facility LOG_MAIL. Equivalent to the verbose option in the
        configuration file.

-w greylist_delay
        Set the minimum delay between the first attempt and the time
        the message can be accepted. Default is 30 minutes. A suffix
        can be added to specify seconds (s), minutes (m), hours (h),
        days (d) or weeks (w). Without any suffix, values are treated
        as seconds. Equivalent to the greylist option in the
        configuration file.
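
How -w, -a, -L and -M interact is easiest to see in a small model of the accept/tempfail decision. The Python below is an added example, not milter-greylist's own code: the function and class names are hypothetical, state is kept in memory only, the auto-whitelist entry is assumed not to be renewed on a hit, and the sample addresses are constructed.

```python
import ipaddress

# Hypothetical names throughout; a model of the documented behaviour only.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_delay(text):
    """Convert '30m', '1d' or a bare number (seconds) into seconds."""
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)

def net_key(ip, cidrmask=32, prefixlen=128):
    """Mask an address as -L (IPv4) and -M (IPv6) are described."""
    bits = cidrmask if ipaddress.ip_address(ip).version == 4 else prefixlen
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

class Greylist:
    def __init__(self, greylist_delay="30m", autowhite_delay="1d",
                 cidrmask=32, prefixlen=128):
        self.delay = parse_delay(greylist_delay)       # -w
        self.autowhite = parse_delay(autowhite_delay)  # -a, 0 disables
        self.masks = (cidrmask, prefixlen)             # -L, -M
        self.pending = {}  # tuple -> time of first attempt
        self.white = {}    # tuple -> auto-whitelist expiry

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one delivery attempt."""
        key = (net_key(ip, *self.masks), sender, rcpt)
        if self.white.get(key, 0) > now:
            return "accept"
        first = self.pending.setdefault(key, now)
        if now - first < self.delay:
            return "tempfail"          # too early: temporary rejection
        del self.pending[key]
        if self.autowhite:
            self.white[key] = now + self.autowhite
        return "accept"

def demo(cidrmask):
    """Constructed sample: a mail farm retrying from a sibling address."""
    gl = Greylist(cidrmask=cidrmask)
    msg = ("a@example.org", "b@example.net")
    return [gl.check("192.0.2.17", *msg, now=0),
            gl.check("192.0.2.18", *msg, now=600),
            gl.check("192.0.2.18", *msg, now=1800),
            gl.check("192.0.2.17", *msg, now=5000)]

if __name__ == "__main__":
    print(demo(24), demo(32))
```

With a /24 mask the retry from the sibling address completes the original tuple; with the default /32 it starts a new one, so the farm's mail is delayed until a single address has waited out the full delay.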

MX SYNC
milter-greylist is now able to sync the greylist between multiple MXs.
In order to enable this feature, you need to list the peer MXs in
greylist.conf(5) like this:

        peer 192.0.2.17
        peer 192.0.2.18

When peers are configured, milter-greylist will listen on the port
defined for the mxglsync service in /etc/services (defaults to 5252),
and it will connect to peers at this port. Each time an entry is added
or deleted on one MX, it will be propagated to the others.

The protocol is quite simple: just telnet to your MX at port 5252 and
type help to see how it works. Note that connections will only be
accepted from peer MXs; even localhost will be rejected (and don't ever
add localhost as a peer for MX sync, as you will cause each entry in
the greylist to be added twice).

If an MX is down, changes to the greylist will be queued until it gets
back up again. The queue length is limited (default is 1024 entries),
and if it overflows, newer entries will be discarded.

AUTHORS
Emmanuel Dreyfus <manu@netbsd.org>

milter-greylist received many contributions from (in alphabetical
order): Aida Shinra, Adam Katz, Alexander Lobodzinski, Alexandre
Cherif, Alexey Popov, Andrew McGill, Attila Bruncsak, Benoit Branciard,
Bernhard Schneider, Bob Smith, Constantine A. Murenin, Christian
Pelissier, Cyril Guibourg, Dan Hollis, Elrond, Enrico Scholz, Eugene
Crosser, Fabien Tassin, Fredrik Pettai, Gary Aitken, Georg Horn, Gert
Doering, Greg Troxel, Guido Kerkewitz, Hajimu Umemoto, Hideki ONO, Ivan
F. Martinez, Jacques Beigbeder, Jean Benoit, Jeff Rife, Jobst
Schmalenbach, Joe Pruett, Joel Bertrand, Johann E. Klasek, Johann Klasek,
John Thiltges, Klas Heggemann, Laurence Moindrot, Lev Walkin, Manuel
Badzong, Martin Paul, Matt Kettler, Mattheu Herrb, Matthias Scheler,
Matthieu Herrb, Michael Fromme, Moritz Both, Nerijus Baliunas, Pavel
Cahyna, Per Holm, Petr Kristof, Ralf S. Engelschall, Ranko Zivojnovic,
Remy Card, Rick Adams, Rogier Maas, Romain Kang, Rudy Eschauzier,
Stephane Lentz, Thomas Scheunemann, Tim Mooney, Wolfgang Solfrank, and
Yaroslav Boychuk.

Thanks to Helmut Messerer and Thomas Pfau for their feedback on the
first releases of this software.

SEE ALSO
greylist.conf(5), sendmail(8), syslogd(8).

Evan Harris's paper:
http://projects.puremagic.com/greylisting/

milter-greylist's web site:
http://hcpnet.free.fr/milter-greylist/

May 10, 2005                                                milter-greylist(8)