1POSTGREY(8) Postgrey Policy Server for Postfix POSTGREY(8)
2
3
4
6 postgrey - Postfix Greylisting Policy Server
7
9 postgrey [options...]
10
11 -h, --help display this help and exit
12 --version output version information and exit
13 -v, --verbose increase verbosity level
14 --syslog-facility Syslog facility to use (default mail)
15 -q, --quiet decrease verbosity level
16 -u, --unix=PATH listen on unix socket PATH
17 --socketmode=MODE unix socket permission (default 0666)
18 -i, --inet=[HOST:]PORT listen on PORT, localhost if HOST is not specified
19 -d, --daemonize run in the background
20 --pidfile=PATH put daemon pid into this file
21 --user=USER run as USER (default: postgrey)
22 --group=GROUP run as group GROUP (default: postgrey)
23 --dbdir=PATH put db files in PATH (default: /var/spool/postfix/postgrey)
24 --delay=N greylist for N seconds (default: 300)
25 --max-age=N delete entries older than N days since the last time
26 that they have been seen (default: 35)
27 --retry-window=N allow only N days for the first retrial (default: 2)
28 append 'h' if you want to specify it in hours
29 --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
30 --greylist-text=TXT response when a mail is greylisted
31 (default: Greylisted + help url, see below)
32 --lookup-by-subnet strip the last N bits from IP addresses, determined by ipv4cidr and ipv6cidr (default)
33 --ipv4cidr=N What cidr to use for the subnet on IPv4 addresses when using lookup-by-subnet (default: 24)
34 --ipv6cidr=N What cidr to use for the subnet on IPv6 addresses when using lookup-by-subnet (default: 64)
35 --lookup-by-host do not strip the last 8 bits from IP addresses
36 --privacy store data using one-way hash functions
37 --hostname=NAME set the hostname (default: `hostname`)
38 --exim don't reuse a socket for more than one query (exim compatible)
39 --whitelist-clients=FILE default: /etc/postfix/postgrey_whitelist_clients
40 --whitelist-recipients=FILE default: /etc/postfix/postgrey_whitelist_recipients
41 --auto-whitelist-clients=N whitelist host after first successful delivery
42 N is the minimal count of mails before a client is
43 whitelisted (turned on by default with value 5)
44 specify N=0 to disable.
45 --listen-queue-size=N allow for N waiting connections to our socket
46 --x-greylist-header=TXT header when a mail was delayed by greylisting
47 default: X-Greylist: delayed <seconds> seconds by postgrey-<version> at <server>; <date>
48
49 Note that the --whitelist-x options can be specified multiple times,
50 and that per default /etc/postfix/postgrey_whitelist_clients.local is
51 also read, so that you can put there local entries.
52
54 Postgrey is a Postfix policy server implementing greylisting.
55
56 When a request for delivery of a mail is received by Postfix via SMTP,
57 the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
58 first time that this triplet is seen, or if the triplet was first seen
59 less than delay seconds (300 is the default), then the mail gets
60 rejected with a temporary error. Hopefully spammers or viruses will not
61 try again later, as it is however required per RFC.
62
63 Note that you shouldn't use the --lookup-by-host option unless you know
64 what you are doing: there are a lot of mail servers that use a pool of
65 addresses to send emails, so that they can change IP every time they
66 try again. That's why without this option postgrey will strip the last
67 byte of the IP address when doing lookups in the database.
68
69 Installation
70 • Create a "postgrey" user and the directory where to put the
71 database dbdir (default: "/var/spool/postfix/postgrey")
72
73 • Write an init script to start postgrey at boot and start it. Like
74 this for example:
75
76 postgrey --inet=10023 -d
77
78 contrib/postgrey.init in the postgrey source distribution includes
79 a LSB-compliant init script by Adrian von Bidder for the Debian
80 system.
81
82 • Put something like this in /etc/main.cf:
83
84 smtpd_recipient_restrictions =
85 permit_mynetworks
86 ...
87 reject_unauth_destination
88 check_policy_service inet:127.0.0.1:10023
89
90 • Install the provided postgrey_whitelist_clients and
91 postgrey_whitelist_recipients in /etc/postfix.
92
93 • Put in /etc/postfix/postgrey_whitelist_recipients users that do not
94 want greylisting.
95
96 Whitelists
97 Whitelists allow you to specify client addresses or recipient address,
98 for which no greylisting should be done. Per default postgrey will read
99 the following files:
100
101 /etc/postfix/postgrey_whitelist_clients
102 /etc/postfix/postgrey_whitelist_clients.local
103 /etc/postfix/postgrey_whitelist_recipients
104
105 You can specify alternative paths with the --whitelist-x options.
106
107 Postgrey whitelists follow similar syntax rules as Postfix access
108 tables. The following can be specified for recipient addresses:
109
110 domain.addr
111 "domain.addr" domain and subdomains.
112
113 name@ "name@.*" and extended addresses "name+blabla@.*".
114
115 name@domain.addr
116 "name@domain.addr" and extended addresses.
117
118 /regexp/ anything that matches "regexp" (the full address is matched).
119
120 The following can be specified for client addresses:
121
122 domain.addr
123 "domain.addr" domain and subdomains.
124
125 IP1.IP2.IP3.IP4
126 IP address IP1.IP2.IP3.IP4. You can also leave off one
127 number, in which case only the first specified numbers will
128 be checked.
129
130 IP1.IP2.IP3.IP4/MASK
131 CIDR-syle network. Example: 192.168.1.0/24
132
133 /regexp/ anything that matches "regexp" (the full address is matched).
134
135 Auto-whitelisting clients
136 With the option --auto-whitelist-clients a client IP address will be
137 automatically whitelisted if the following conditions are met:
138
139 • At least 5 successfull attempts of delivering a mail (after
140 greylisting was done). That number can be changed by specifying a
141 number after the --auto-whitelist-clients argument. Only one
142 attempt per hour counts.
143
144 • The client was last seen before --max-age days (35 per default).
145
146 Greylist Action
147 To set the action to be returned to postfix when a message fails
148 postgrey's tests and should be deferred, use the
149 --greylist-action=ACTION option.
150
151 By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to
152 check the rest of the restrictions and defer the message only if it
153 would otherwise be accepted. A delay action of 451 causes postfix to
154 always defer the message with an SMTP reply code of 451 (temp fail).
155
156 See the postfix manual page access(5) for a discussion of the actions
157 allowed.
158
159 Greylist Text
160 When a message is greylisted, an error message like this will be sent
161 at the SMTP-level:
162
163 Greylisted, see http://postgrey.schweikert.ch/help/example.com.html
164
165 Usually no user should see that error message and the idea of that URL
166 is to provide some help to system administrators seeing that message or
167 users of broken mail clients which try to send mails directly and get a
168 greylisting error. Note that the default help-URL contains the original
169 recipient domain (example.com), so that domain-specific help can be
170 presented to the user (on the default page it is said to contact
171 postmaster@example.com)
172
173 You can change the text (and URL) with the --greylist-text parameter.
174 The following special variables will be replaced in the text:
175
176 %s How many seconds left until the greylisting is over (300).
177
178 %r Mail-domain of the recipient (example.com).
179
180 Greylist Header
181 When a message is greylisted, an additional header can be prepended to
182 the header section of the mail:
183
184 X-Greylist: delayed %t seconds by postgrey-%v at %h; %d
185
186 You can change the text with the --x-greylist-header parameter. The
187 following special variables will be replaced in the text:
188
189 %t How many seconds the mail has been delayed due to greylisting.
190
191 %v The version of postgrey.
192
193 %d The date.
194
195 %h The host.
196
197 Privacy
198 The --privacy option enable the use of a SHA1 hash function to store
199 IPs and emails in the greylisting database. This will defeat straight
200 forward attempts to retrieve mail user behaviours.
201
202 SEE ALSO
203 See <http://www.greylisting.org/> for a description of what greylisting
204 is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
205 description of how Postfix policy servers work.
206
208 Copyright (c) 2004-2007 by ETH Zurich. All rights reserved. Copyright
209 (c) 2007 by Open Systems AG. All rights reserved.
210
212 This program is free software; you can redistribute it and/or modify it
213 under the terms of the GNU General Public License as published by the
214 Free Software Foundation; either version 2 of the License, or (at your
215 option) any later version.
216
217 This program is distributed in the hope that it will be useful, but
218 WITHOUT ANY WARRANTY; without even the implied warranty of
219 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
220 General Public License for more details.
221
222 You should have received a copy of the GNU General Public License along
223 with this program; if not, write to the Free Software Foundation, Inc.,
224 675 Mass Ave, Cambridge, MA 02139, USA.
225
227 David Schweikert <david@schweikert.ch>
228
229
230
231Postgrey 1.37 2023-07-21 POSTGREY(8)