sqlgrey(1)            User Contributed Perl Documentation           sqlgrey(1)

NAME

       sqlgrey - Postfix Greylisting Policy Server

SYNOPSIS

       sqlgrey [options...]

        -h, --help                 display this help and exit
            --man                  display man page
            --version              output version information and exit
        -d, --daemonize            run in the background
        -p, --pidfile=FILE         write process ID to FILE
                                   (overrides 'pidfile' in configfile)
        -k, --kill                 kill a running sqlgrey
                                   (identified by 'pidfile' content)
        -f, --configfile=FILE      read config from FILE
                                   (default /etc/sqlgrey/sqlgrey.conf)
                                   expecting config_param=value lines,
                                   - spaces are ignored,
                                   - '#' is used for comments

       See the default config file at /etc/sqlgrey/sqlgrey.conf for runtime
       parameters.  If you got sqlgrey from sources, read the HOWTO file in
       the compressed archive.  If it came prepackaged, look for this file in
       the documentation tree, for example /usr/share/doc/sqlgrey-<version>/
       on most Linux distributions.

DESCRIPTION

       Sqlgrey is a Postfix policy server implementing greylisting.

       When a request for delivery of a mail is received by Postfix via SMTP,
       the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
       first time that this triplet is seen, or if the triplet was first seen
       less than reconnect-delay minutes ago (1 is the default), then the mail
       gets rejected with a temporary error. Hopefully spammers and viruses
       will not try again later, although retrying is required by the RFC.

       In order to alleviate the reconnect delay, sqlgrey uses a 2-level auto-
       white-list (AWL) system:

       •   As soon as a "CLIENT IP" / "SENDER" is accepted, it is added to an
           AWL. The couple expires when it isn't seen for more than awl-age
           days (60 is the default).

       •   If group-domain-level (2 is the default) or more "SENDER"s from
           the same domain use the same "CLIENT IP", another AWL is used,
           based on a "CLIENT IP" / "DOMAIN" couple.  This couple expires
           after awl-age days too. This AWL is meant to be used on high
           throughput sites in order to:

           •   minimize the amount of data stored in the database,

           •   minimize the amount of processing required to find an entry in
               the AWL,

           •   avoid imposing any further mail delay when a "CLIENT IP" /
               "DOMAIN" couple is known.

           It can be disabled by setting group-domain-level to 0.

       General idea:

       When an SMTP client has been accepted once, if the IP isn't dynamic,
       greylisting the IP again when it sends another e-mail is only a waste
       of time, as we already know that this IP runs an RFC-compliant MTA (at
       least as far as 4xx error code handling goes) and will get the new
       e-mail through anyway.

       In the case of mail relays, these AWLs work very well, as the same
       senders and mail domains are constantly coming through the same IP
       addresses -> the e-mails are quickly accepted on the first try.  In the
       case of individual SMTP servers, this works well if the IP is fixed
       too.  When using a floating IP address, the AWLs are defeated, but it
       should be the least common case by far.

       Why do we put the domain in the AWL and not the IP only? If we only
       stored IP addresses, polluting the AWL would be far too easy. It
       would only take one correctly configured MTA sending one e-mail from
       one IP one single time to put it in a whitelist used whatever future
       mails from this IP look like.

       With this AWL system, one single mail can only allow whitelisting of
       mails from a single sender from the same IP...
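
       The decision flow described above, as an added example (not sqlgrey's
       own code). It is a simplified in-memory model: the class and method
       names are hypothetical, dictionaries stand in for the SQL tables, and
       the sample traffic is constructed.

```python
from datetime import datetime, timedelta

class Greylist:
    """In-memory model of the triplet check and the 2-level AWL (illustrative)."""

    def __init__(self, reconnect_delay=1, awl_age=60, group_domain_level=2):
        self.reconnect_delay = timedelta(minutes=reconnect_delay)
        self.awl_age = timedelta(days=awl_age)
        self.group_domain_level = group_domain_level
        self.pending = {}      # (ip, sender, rcpt) -> first seen
        self.from_awl = {}     # (ip, sender)       -> last seen
        self.domain_awl = {}   # (ip, domain)       -> last seen

    def _hit(self, awl, key, now):
        """True if key is in awl and not expired; a hit refreshes last-seen."""
        last = awl.get(key)
        if last is None:
            return False
        if now - last > self.awl_age:
            del awl[key]                      # not seen for more than awl-age days
            return False
        awl[key] = now
        return True

    def check(self, ip, sender, rcpt, now):
        sender = sender.lower()
        domain = sender.rpartition("@")[2]
        if self._hit(self.domain_awl, (ip, domain), now):
            return "accept"
        if self._hit(self.from_awl, (ip, sender), now):
            return "accept"
        triplet = (ip, sender, rcpt.lower())
        first = self.pending.setdefault(triplet, now)
        if now - first < self.reconnect_delay:
            return "defer"                    # first sight or retry too early
        del self.pending[triplet]
        self.from_awl[(ip, sender)] = now     # level 1: CLIENT IP / SENDER
        peers = [k for k in self.from_awl
                 if k[0] == ip and k[1].rpartition("@")[2] == domain]
        if self.group_domain_level and len(peers) >= self.group_domain_level:
            for k in peers:                   # level 2: CLIENT IP / DOMAIN
                del self.from_awl[k]
            self.domain_awl[(ip, domain)] = now
        return "accept"

if __name__ == "__main__":  # constructed sample traffic
    g, t0 = Greylist(), datetime(2024, 1, 1, 12, 0)
    for m, who in [(0, "alice"), (2, "alice"), (3, "bob"), (5, "bob"), (6, "carol")]:
        print(m, who, g.check("192.0.2.10", f"{who}@example.org", "u@example.net", t0 + timedelta(minutes=m)))
```

       In the sample run, carol's first mail is accepted without delay
       because two senders of her domain were already accepted from the same
       IP; the same sender arriving from a different IP would be deferred.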

INSTALLATION

       •   Create a "sqlgrey" user. This will be the user the daemon runs as.

       •   When using a full-fledged DBMS (MySQL and PostgreSQL, not SQLite),
           create a 'sqlgrey' db user and a 'sqlgrey' database. Grant access
           to the newly created database to sqlgrey.

       •   Use the packaged init script to start sqlgrey at boot and start it
           manually.

CONFIGURATION

   General
       •   Start by adding check_policy_service after
           reject_unauth_destination in /etc/postfix/main.cf:

            smtpd_recipient_restrictions =
                          ...
                          reject_unauth_destination
                          check_policy_service inet:127.0.0.1:2501

       •   Be aware that some servers do not behave correctly: they do not
           resend mails (as required by the standard) or they use unique
           return addresses.  This is the reason why you should maintain
           whitelists for them.

           SQLgrey comes with a comprehensive whitelisting system. It can even
           be configured to fetch up-to-date whitelists from a repository. See
           the HOWTO for the details.

   Disabling greylisting for some users
       If you want to disable greylisting for some users you can configure
       Postfix like this:

       /etc/postfix/sqlgrey_recipient_access:
         i_like_spam@ee.ethz.ch                OK

       Then add a check_recipient_access in main.cf before the
       check_policy_service:

        smtpd_recipient_restrictions =
              ...
              reject_unauth_destination
              check_client_access    hash:/etc/postfix/sqlgrey_client_access
              check_recipient_access hash:/etc/postfix/sqlgrey_recipient_access
              check_policy_service inet:127.0.0.1:10023

SEE ALSO

       See <http://www.greylisting.org/> for a description of what greylisting
       is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
       description of how Postfix policy servers work.

COPYRIGHT

       Copyright (c) 2004 by Lionel Bouton.

LICENSE

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

AUTHOR

       Lionel Bouton <lionel-dev@bouton.name>

perl v5.38.0                      2023-07-22                        sqlgrey(1)