POSTGREY(8)           Postgrey Policy Server for Postfix           POSTGREY(8)

NAME

       postgrey - Postfix Greylisting Policy Server

SYNOPSIS

       postgrey [options...]

        -h, --help              display this help and exit
            --version           output version information and exit
        -v, --verbose           increase verbosity level
            --syslog-facility   Syslog facility to use (default mail)
        -q, --quiet             decrease verbosity level
        -u, --unix=PATH         listen on unix socket PATH
        -i, --inet=[HOST:]PORT  listen on PORT, localhost if HOST is not specified
        -d, --daemonize         run in the background
            --pidfile=PATH      put daemon pid into this file
            --user=USER         run as USER (default: postgrey)
            --group=GROUP       run as group GROUP (default: postgrey)
            --dbdir=PATH        put db files in PATH (default: /var/spool/postfix/postgrey)
            --delay=N           greylist for N seconds (default: 300)
            --max-age=N         delete entries older than N days since the last time
                                that they have been seen (default: 35)
            --retry-window=N    allow only N days for the first retrial (default: 2)
                                append 'h' if you want to specify it in hours
            --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
            --greylist-text=TXT response when a mail is greylisted
                                (default: Greylisted + help url, see below)
            --lookup-by-subnet  strip the last 8 bits from IP addresses (default)
            --lookup-by-host    do not strip the last 8 bits from IP addresses
            --privacy           store data using one-way hash functions
            --hostname=NAME     set the hostname (default: `hostname`)
            --exim              don't reuse a socket for more than one query (exim compatible)
            --whitelist-clients=FILE     default: /etc/postfix/postgrey_whitelist_clients
            --whitelist-recipients=FILE  default: /etc/postfix/postgrey_whitelist_recipients
            --auto-whitelist-clients=N   whitelist host after first successful delivery
                                         N is the minimal count of mails before a client is
                                         whitelisted (turned on by default with value 5)
                                         specify N=0 to disable.
            --listen-queue-size=N        allow for N waiting connections to our socket

        Note that the --whitelist-x options can be specified multiple times,
        and that per default /etc/postfix/postgrey_whitelist_clients.local is
        also read, so that you can put local entries there.

DESCRIPTION

       Postgrey is a Postfix policy server implementing greylisting.

       When a request for delivery of a mail is received by Postfix via SMTP,
       the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
       first time that this triplet is seen, or if the triplet was first seen
       less than delay seconds ago (300 is the default), then the mail gets
       rejected with a temporary error. Hopefully spammers or viruses will not
       try again later, although retrying is required per RFC.

       Note that you shouldn't use the --lookup-by-host option unless you know
       what you are doing: there are a lot of mail servers that use a pool of
       addresses to send emails, so that they can change IP every time they
       try again. That's why without this option postgrey will strip the last
       byte of the IP address when doing lookups in the database.

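       The lookup behaviour described above, modelled as an added example
       (not postgrey's own code): a simplified, IPv4-only greylist in which
       the DUNNO result and the handling of --retry-window are assumptions of
       the model. It shows why a retry from another address of the same pool
       passes with --lookup-by-subnet but is deferred again with
       --lookup-by-host.

```python
import ipaddress

DELAY = 300               # --delay default (seconds)
RETRY_WINDOW = 2 * 86400  # --retry-window default (2 days, in seconds)

def lookup_key(client_ip, sender, recipient, by_subnet=True):
    """Triplet used as database key; by_subnet drops the last 8 bits of the IP."""
    if by_subnet:  # --lookup-by-subnet (default); IPv4 only in this model
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        client_ip = str(net.network_address)
    return (client_ip, sender, recipient)

class Greylist:
    def __init__(self, by_subnet=True):
        self.by_subnet = by_subnet
        self.db = {}  # triplet -> (first_seen, last_seen), epoch seconds

    def check(self, client_ip, sender, recipient, now):
        key = lookup_key(client_ip, sender, recipient, self.by_subnet)
        first, last = self.db.get(key, (now, now))
        # Model's reading of --retry-window: a first retry that arrives
        # too late restarts the clock instead of passing.
        if last - first < DELAY and now - first > RETRY_WINDOW:
            first = now
        self.db[key] = (first, now)
        if now - first < DELAY:
            return "DEFER_IF_PERMIT"  # default --greylist-action
        return "DUNNO"  # assumption: "no objection" result in this model

def pool_retry(by_subnet):
    """Constructed scenario: retry after 400 s from another address of the same /24."""
    g = Greylist(by_subnet)
    t0 = 1_000_000
    first = g.check("192.0.2.10", "a@example.org", "b@example.com", t0)
    retry = g.check("192.0.2.77", "a@example.org", "b@example.com", t0 + 400)
    return first, retry

if __name__ == "__main__":
    print("by subnet:", pool_retry(True))
    print("by host:  ", pool_retry(False))
```
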
       Installation

       ·   Create a "postgrey" user and the directory for the database,
           dbdir (default: "/var/spool/postfix/postgrey")

       ·   Write an init script that starts postgrey at boot, and start it,
           for example like this:

            postgrey --inet=10023 -d

       ·   Put something like this in /etc/main.cf:

            smtpd_recipient_restrictions =
                          permit_mynetworks
                          ...
                          reject_unauth_destination
                          check_policy_service inet:127.0.0.1:10023

       ·   Install the provided postgrey_whitelist_clients and
           postgrey_whitelist_recipients in /etc/postfix.

       ·   Put in /etc/postfix/postgrey_whitelist_recipients users that do not
           want greylisting.

       Whitelists

       Whitelists allow you to specify client addresses or recipient addresses
       for which no greylisting should be done. Per default postgrey will read
       the following files:

        /etc/postfix/postgrey_whitelist_clients
        /etc/postfix/postgrey_whitelist_clients.local
        /etc/postfix/postgrey_whitelist_recipients

       You can specify alternative paths with the --whitelist-x options.

       Postgrey whitelists follow similar syntax rules as Postfix access
       tables.  The following can be specified for recipient addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       name@     "name@.*" and extended addresses "name+blabla@.*".

       name@domain.addr
                 "name@domain.addr" and extended addresses.

       /regexp/  anything that matches "regexp" (the full address is matched).

       The following can be specified for client addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       IP1.IP2.IP3.IP4
                 IP address IP1.IP2.IP3.IP4. You can also leave off one
                 number, in which case only the first specified numbers will
                 be checked.

       IP1.IP2.IP3.IP4/MASK
                 CIDR-style network. Example: 192.168.1.0/24

       /regexp/  anything that matches "regexp" (the full address is matched).

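       An added example (not postgrey's own parser) of matching a client
       against the entry forms listed above. It assumes IPv4 clients, that
       lines starting with '#' are comments, and that regexps are tested
       against the client name; the sample entries are constructed.

```python
import ipaddress
import re

def parse_entry(line):
    """Classify one whitelist line; returns (kind, value) or None."""
    line = line.strip()
    if not line or line.startswith("#"):  # assumption: comments and blanks are skipped
        return None
    if len(line) > 2 and line.startswith("/") and line.endswith("/"):
        return ("regexp", re.compile(line[1:-1]))
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", line):
        return ("cidr", ipaddress.ip_network(line, strict=False))
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", line):
        return ("ip", line)  # full address, or a prefix with trailing numbers left off
    return ("domain", line.lower())

def client_matches(entry, client_name, client_ip):
    kind, value = entry
    if kind == "regexp":  # assumption: regexps are tested against the client name
        return value.search(client_name) is not None
    if kind == "cidr":
        return ipaddress.ip_address(client_ip) in value
    if kind == "ip":  # compare whole numbers only: "10.1" must not match "10.10.0.1"
        return client_ip == value or client_ip.startswith(value + ".")
    name = client_name.lower()  # the domain itself or a true subdomain, not a bare suffix
    return name == value or name.endswith("." + value)

def is_whitelisted(lines, client_name, client_ip):
    entries = [e for e in map(parse_entry, lines) if e]
    return any(client_matches(e, client_name, client_ip) for e in entries)

# Constructed sample whitelist, using documentation domains and address ranges.
SAMPLE = [
    "# local entries",
    "example.com",
    "10.1",
    "198.51.100.0/24",
    r"/^mx\d+\.example\.net$/",
]

if __name__ == "__main__":
    for name, ip in [("mail.example.com", "203.0.113.5"),
                     ("badexample.com", "203.0.113.5"),
                     ("unknown", "10.10.0.1"),
                     ("unknown", "198.51.100.200")]:
        print(name, ip, is_whitelisted(SAMPLE, name, ip))
```
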
       Auto-whitelisting clients

       With the option --auto-whitelist-clients a client IP address will be
       automatically whitelisted if the following conditions are met:

       ·   At least 5 successful attempts at delivering a mail (after
           greylisting was done). That number can be changed by specifying a
           number after the --auto-whitelist-clients argument. Only one
           attempt per hour counts.

       ·   The client was last seen before --max-age days (35 per default).

       Greylist Action

       To set the action to be returned to postfix when a message fails
       postgrey's tests and should be deferred, use the
       --greylist-action=ACTION option.

       By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to
       check the rest of the restrictions and defer the message only if it
       would otherwise be accepted.  A delay action of 451 causes postfix to
       always defer the message with an SMTP reply code of 451 (temp fail).

       See the postfix manual page access(5) for a discussion of the actions
       allowed.

       Greylist Text

       When a message is greylisted, an error message like this will be sent
       at the SMTP-level:

        Greylisted, see http://postgrey.schweikert.ch/help/example.com.html

       Usually no user should see that error message and the idea of that URL
       is to provide some help to system administrators seeing that message or
       users of broken mail clients which try to send mails directly and get a
       greylisting error. Note that the default help-URL contains the original
       recipient domain (example.com), so that domain-specific help can be
       presented to the user (on the default page it is said to contact
       postmaster@example.com).

       You can change the text (and URL) with the --greylist-text parameter.
       The following special variables will be replaced in the text:

       %s  How many seconds left until the greylisting is over (300).

       %r  Mail-domain of the recipient (example.com).

       Privacy

       The --privacy option enables the use of a SHA1 hash function to store
       IPs and emails in the greylisting database.  This will defeat
       straightforward attempts to retrieve mail user behaviours.

       SEE ALSO

       See <http://www.greylisting.org/> for a description of what greylisting
       is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
       description of how Postfix policy servers work.

       Copyright (c) 2004-2007 by ETH Zurich. All rights reserved.  Copyright
       (c) 2007 by Open Systems AG. All rights reserved.

LICENSE

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       675 Mass Ave, Cambridge, MA 02139, USA.

AUTHOR

       David Schweikert <david@schweikert.ch>

perl v5.10.0                      2009-07-28                       POSTGREY(8)