1POSTGREY(8)           Postgrey Policy Server for Postfix           POSTGREY(8)
2
3
4

NAME

6       postgrey - Postfix Greylisting Policy Server
7

SYNOPSIS

9       postgrey [options...]
10
11        -h, --help              display this help and exit
12            --version           output version information and exit
13        -v, --verbose           increase verbosity level
14            --syslog-facility   Syslog facility to use (default mail)
15        -q, --quiet             decrease verbosity level
16        -u, --unix=PATH         listen on unix socket PATH
17            --socketmode=MODE   unix socket permission (default 0666)
18        -i, --inet=[HOST:]PORT  listen on PORT, localhost if HOST is not specified
19        -d, --daemonize         run in the background
20            --pidfile=PATH      put daemon pid into this file
21            --user=USER         run as USER (default: postgrey)
22            --group=GROUP       run as group GROUP (default: postgrey)
23            --dbdir=PATH        put db files in PATH (default: /var/spool/postfix/postgrey)
24            --delay=N           greylist for N seconds (default: 300)
25            --max-age=N         delete entries older than N days since the last time
26                                that they have been seen (default: 35)
27            --retry-window=N    allow only N days for the first retrial (default: 2)
28                                append 'h' if you want to specify it in hours
29            --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
30            --greylist-text=TXT response when a mail is greylisted
31                                (default: Greylisted + help url, see below)
32            --lookup-by-subnet  strip the last N bits from IP addresses, determined by ipv4cidr and ipv6cidr (default)
33            --ipv4cidr=N        What cidr to use for the subnet on IPv4 addresses when using lookup-by-subnet (default: 24)
34            --ipv6cidr=N        What cidr to use for the subnet on IPv6 addresses when using lookup-by-subnet (default: 64)
35            --lookup-by-host    do not strip the last 8 bits from IP addresses
36            --privacy           store data using one-way hash functions
37            --hostname=NAME     set the hostname (default: `hostname`)
38            --exim              don't reuse a socket for more than one query (exim compatible)
39            --whitelist-clients=FILE     default: /etc/postfix/postgrey_whitelist_clients
40            --whitelist-recipients=FILE  default: /etc/postfix/postgrey_whitelist_recipients
41            --auto-whitelist-clients=N   whitelist host after first successful delivery
42                                         N is the minimal count of mails before a client is
43                                         whitelisted (turned on by default with value 5)
44                                         specify N=0 to disable.
45            --listen-queue-size=N        allow for N waiting connections to our socket
46            --x-greylist-header=TXT      header when a mail was delayed by greylisting
47                                         default: X-Greylist: delayed <seconds> seconds by postgrey-<version> at <server>; <date>
48
49        Note that the --whitelist-x options can be specified multiple times,
50        and that per default /etc/postfix/postgrey_whitelist_clients.local is
51        also read, so that you can put there local entries.
52

DESCRIPTION

54       Postgrey is a Postfix policy server implementing greylisting.
55
56       When a request for delivery of a mail is received by Postfix via SMTP,
57       the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
58       first time that this triplet is seen, or if the triplet was first seen
59       less than delay seconds (300 is the default), then the mail gets
60       rejected with a temporary error. Hopefully spammers or viruses will not
61       try again later, as it is however required per RFC.
62
63       Note that you shouldn't use the --lookup-by-host option unless you know
64       what you are doing: there are a lot of mail servers that use a pool of
65       addresses to send emails, so that they can change IP every time they
66       try again. That's why without this option postgrey will strip the last
67       byte of the IP address when doing lookups in the database.
68
69   Installation
70       •   Create a "postgrey" user and the directory where to put the
71           database dbdir (default: "/var/spool/postfix/postgrey")
72
73       •   Write an init script to start postgrey at boot and start it. Like
74           this for example:
75
76            postgrey --inet=10023 -d
77
78           contrib/postgrey.init in the postgrey source distribution includes
79           a LSB-compliant init script by Adrian von Bidder for the Debian
80           system.
81
82       •   Put something like this in /etc/main.cf:
83
84            smtpd_recipient_restrictions =
85                          permit_mynetworks
86                          ...
87                          reject_unauth_destination
88                          check_policy_service inet:127.0.0.1:10023
89
90       •   Install the provided postgrey_whitelist_clients and
91           postgrey_whitelist_recipients in /etc/postfix.
92
93       •   Put in /etc/postfix/postgrey_whitelist_recipients users that do not
94           want greylisting.
95
96   Whitelists
97       Whitelists allow you to specify client addresses or recipient address,
98       for which no greylisting should be done. Per default postgrey will read
99       the following files:
100
101        /etc/postfix/postgrey_whitelist_clients
102        /etc/postfix/postgrey_whitelist_clients.local
103        /etc/postfix/postgrey_whitelist_recipients
104
105       You can specify alternative paths with the --whitelist-x options.
106
107       Postgrey whitelists follow similar syntax rules as Postfix access
108       tables.  The following can be specified for recipient addresses:
109
110       domain.addr
111                 "domain.addr" domain and subdomains.
112
113       name@     "name@.*" and extended addresses "name+blabla@.*".
114
115       name@domain.addr
116                 "name@domain.addr" and extended addresses.
117
118       /regexp/  anything that matches "regexp" (the full address is matched).
119
120       The following can be specified for client addresses:
121
122       domain.addr
123                 "domain.addr" domain and subdomains.
124
125       IP1.IP2.IP3.IP4
126                 IP address IP1.IP2.IP3.IP4. You can also leave off one
127                 number, in which case only the first specified numbers will
128                 be checked.
129
130       IP1.IP2.IP3.IP4/MASK
131                 CIDR-syle network. Example: 192.168.1.0/24
132
133       /regexp/  anything that matches "regexp" (the full address is matched).
134
135   Auto-whitelisting clients
136       With the option --auto-whitelist-clients a client IP address will be
137       automatically whitelisted if the following conditions are met:
138
139       •   At least 5 successfull attempts of delivering a mail (after
140           greylisting was done). That number can be changed by specifying a
141           number after the --auto-whitelist-clients argument. Only one
142           attempt per hour counts.
143
144       •   The client was last seen before --max-age days (35 per default).
145
146   Greylist Action
147       To set the action to be returned to postfix when a message fails
148       postgrey's tests and should be deferred, use the
149       --greylist-action=ACTION option.
150
151       By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to
152       check the rest of the restrictions and defer the message only if it
153       would otherwise be accepted.  A delay action of 451 causes postfix to
154       always defer the message with an SMTP reply code of 451 (temp fail).
155
156       See the postfix manual page access(5) for a discussion of the actions
157       allowed.
158
159   Greylist Text
160       When a message is greylisted, an error message like this will be sent
161       at the SMTP-level:
162
163        Greylisted, see http://postgrey.schweikert.ch/help/example.com.html
164
165       Usually no user should see that error message and the idea of that URL
166       is to provide some help to system administrators seeing that message or
167       users of broken mail clients which try to send mails directly and get a
168       greylisting error. Note that the default help-URL contains the original
169       recipient domain (example.com), so that domain-specific help can be
170       presented to the user (on the default page it is said to contact
171       postmaster@example.com)
172
173       You can change the text (and URL) with the --greylist-text parameter.
174       The following special variables will be replaced in the text:
175
176       %s  How many seconds left until the greylisting is over (300).
177
178       %r  Mail-domain of the recipient (example.com).
179
180   Greylist Header
181       When a message is greylisted, an additional header can be prepended to
182       the header section of the mail:
183
184        X-Greylist: delayed %t seconds by postgrey-%v at %h; %d
185
186       You can change the text with the --x-greylist-header parameter. The
187       following special variables will be replaced in the text:
188
189       %t  How many seconds the mail has been delayed due to greylisting.
190
191       %v  The version of postgrey.
192
193       %d  The date.
194
195       %h  The host.
196
197   Privacy
198       The --privacy option enable the use of a SHA1 hash function to store
199       IPs and emails in the greylisting database.  This will defeat straight
200       forward attempts to retrieve mail user behaviours.
201
202   SEE ALSO
203       See <http://www.greylisting.org/> for a description of what greylisting
204       is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
205       description of how Postfix policy servers work.
206
208       Copyright (c) 2004-2007 by ETH Zurich. All rights reserved.  Copyright
209       (c) 2007 by Open Systems AG. All rights reserved.
210

LICENSE

212       This program is free software; you can redistribute it and/or modify it
213       under the terms of the GNU General Public License as published by the
214       Free Software Foundation; either version 2 of the License, or (at your
215       option) any later version.
216
217       This program is distributed in the hope that it will be useful, but
218       WITHOUT ANY WARRANTY; without even the implied warranty of
219       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
220       General Public License for more details.
221
222       You should have received a copy of the GNU General Public License along
223       with this program; if not, write to the Free Software Foundation, Inc.,
224       675 Mass Ave, Cambridge, MA 02139, USA.
225

AUTHOR

227       David Schweikert <david@schweikert.ch>
228
229
230
231Postgrey 1.37                     2023-07-21                       POSTGREY(8)
Impressum