POSTGREY(8)              Postgrey Policy Server for Postfix              POSTGREY(8)

NAME
       postgrey - Postfix Greylisting Policy Server

SYNOPSIS
       postgrey [options...]

       -h, --help                        display this help and exit
           --version                     output version information and exit
       -v, --verbose                     increase verbosity level

       -u, --unix=PATH                   listen on unix socket PATH
       -i, --inet=[HOST:]PORT            listen on PORT, localhost if HOST is not specified
       -d, --daemonize                   run in the background
           --pidfile=PATH                put daemon pid into this file
           --user=USER                   run as USER (default: postgrey)
           --group=GROUP                 run as group GROUP (default: postgrey)
           --dbdir=PATH                  put db files in PATH (default: /var/spool/postfix/postgrey)
           --delay=N                     greylist for N seconds (default: 300)
           --max-age=N                   delete entries older than N days since the last time
                                         that they have been seen (default: 35)
           --retry-window=N              allow only N days for the first retrial (default: 2)
                                         append 'h' if you want to specify it in hours
           --greylist-action=A           if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
           --greylist-text=TXT           response when a mail is greylisted
                                         (default: Greylisted + help url, see below)
           --lookup-by-subnet            strip the last 8 bits from IP addresses (default)
           --lookup-by-host              do not strip the last 8 bits from IP addresses
           --whitelist-clients=FILE      default: /etc/postfix/postgrey_whitelist_clients
           --whitelist-recipients=FILE   default: /etc/postfix/postgrey_whitelist_recipients
           --auto-whitelist-clients=N    whitelist host after first successful delivery
                                         N is the minimal count of mails before a client is
                                         whitelisted (turned on by default with value 5)
                                         specify N=0 to disable.
           --privacy                     store data using one-way hash functions
           --hostname=NAME               set the hostname (default: `hostname`)
           --exim                        don't reuse a socket for more than one query (exim compatible)

       Note that the --whitelist-x options can be specified multiple times,
       and that by default /etc/postfix/postgrey_whitelist_clients.local is
       also read, so that you can put local entries there.

DESCRIPTION
       Postgrey is a Postfix policy server implementing greylisting.

       When a request for delivery of a mail is received by Postfix via SMTP,
       the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
       first time that this triplet is seen, or if the triplet was first seen
       less than delay seconds ago (300 is the default), then the mail gets
       rejected with a temporary error. Hopefully spammers or viruses will not
       try again later, although retrying is required by the RFC.

       Note that you shouldn't use the --lookup-by-host option unless you know
       what you are doing: there are a lot of mail servers that use a pool of
       addresses to send emails, so that they can change IP every time they
       try again. That's why without this option postgrey will strip the last
       byte of the IP address when doing lookups in the database.
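
An added example, not part of the original manual and not postgrey's own code: a Python sketch of the triplet decision described above, showing why a retry from another address of the same sending pool passes with the default subnet lookup but is greylisted again with --lookup-by-host. The request format is that of the Postfix policy delegation protocol; the function names, the in-memory dict, the DUNNO pass answer and the sample addresses are assumptions of the example, and whitelists and --max-age expiry are left out.

```python
# Added illustration of the greylisting decision; not postgrey's own code.
DELAY = 300               # --delay default (seconds)
RETRY_WINDOW = 2 * 86400  # --retry-window default (2 days, in seconds)

# Constructed sample request in Postfix policy-delegation format.
SAMPLE = ("request=smtpd_access_policy\nclient_address=192.0.2.17\n"
          "sender=a@example.org\nrecipient=b@example.com\n\n")

def parse_request(text):
    """Parse name=value lines; the request ends at the first empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def triplet(attrs, by_subnet=True):
    """CLIENT_IP / SENDER / RECIPIENT; last byte zeroed unless lookup-by-host."""
    ip = attrs["client_address"]
    if by_subnet and ":" not in ip:  # this sketch handles IPv4 only
        ip = ip.rsplit(".", 1)[0] + ".0"
    return (ip, attrs["sender"], attrs["recipient"])

def decide(db, attrs, now, by_subnet=True):
    """Return the action for Postfix; db maps triplet -> (first_seen, last_seen)."""
    key = triplet(attrs, by_subnet)
    first, last = db.get(key, (now, now))
    never_passed = last - first < DELAY
    if never_passed and now - first > RETRY_WINDOW:
        first = now  # first retry came too late: start greylisting again
    db[key] = (first, now)
    left = DELAY - (now - first)
    if left > 0:
        return f"DEFER_IF_PERMIT Greylisted, {left} seconds left"
    return "DUNNO"  # assumption of this example: no objection, Postfix continues

def pool_retry(by_subnet):
    """First attempt from .17, retry 10 minutes later from .42 in the same pool."""
    db, first_try = {}, parse_request(SAMPLE)
    retry = dict(first_try, client_address="192.0.2.42")
    decide(db, first_try, 0, by_subnet)
    return decide(db, retry, 600, by_subnet)

if __name__ == "__main__":
    print("lookup-by-subnet:", pool_retry(True))
    print("lookup-by-host:  ", pool_retry(False))
```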

   Installation
       ·   Create a "postgrey" user and the directory where to put the
           database dbdir (default: "/var/spool/postfix/postgrey")

       ·   Write an init script to start postgrey at boot and start it. Like
           this for example:

               postgrey --inet=10023 -d

       ·   Put something like this in /etc/main.cf:

               smtpd_recipient_restrictions =
                              permit_mynetworks
                              ...
                              reject_unauth_destination
                              check_policy_service inet:127.0.0.1:10023

       ·   Install the provided postgrey_whitelist_clients and
           postgrey_whitelist_recipients in /etc/postfix.

       ·   Put in /etc/postfix/postgrey_whitelist_recipients users that do not
           want greylisting.

   Whitelists
       Whitelists allow you to specify client addresses or recipient addresses
       for which no greylisting should be done. By default postgrey will read
       the following files:

           /etc/postfix/postgrey_whitelist_clients
           /etc/postfix/postgrey_whitelist_clients.local
           /etc/postfix/postgrey_whitelist_recipients

       You can specify alternative paths with the --whitelist-x options.

       Postgrey whitelists follow similar syntax rules as Postfix access
       tables. The following can be specified for recipient addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       name@     "name@.*" and extended addresses "name+blabla@.*".

       name@domain.addr
                 "name@domain.addr" and extended addresses.

       /regexp/  anything that matches "regexp" (the full address is matched).

       The following can be specified for client addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       IP1.IP2.IP3.IP4
                 IP address IP1.IP2.IP3.IP4. You can also leave off one
                 number, in which case only the first specified numbers will
                 be checked.

       /regexp/  anything that matches "regexp" (the full address is matched).
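
An added example, not part of the original manual and not postgrey's own code: a Python matcher for the entry kinds listed above, written so that a whitelist entry exempts only what it names (domains match on label boundaries, partial IP addresses on whole numbers). The function names and sample entries are made up for the example; applying /regexp/ unanchored, testing client regexps against the client host name and comparing case-insensitively are assumptions.

```python
# Added illustration of the whitelist syntax above; not postgrey's own code.
import re

def _regexp(entry):
    """Return the pattern of a /regexp/ entry, or None for other entry kinds."""
    if len(entry) > 2 and entry[0] == "/" and entry[-1] == "/":
        return entry[1:-1]
    return None

def _in_domain(name, domain):
    """True for the domain itself and its subdomains, on a label boundary."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)

def recipient_matches(entry, rcpt):
    pattern = _regexp(entry)
    if pattern is not None:
        return re.search(pattern, rcpt) is not None  # unanchored: an assumption
    local, _, domain = rcpt.rpartition("@")
    base = local.split("+", 1)[0]            # "name+blabla" -> "name"
    if entry.endswith("@"):                  # name@
        return base.lower() == entry[:-1].lower()
    if "@" in entry:                         # name@domain.addr
        return f"{base}@{domain}".lower() == entry.lower()
    return _in_domain(domain, entry)         # domain.addr

def client_matches(entry, client_name, client_ip):
    pattern = _regexp(entry)
    if pattern is not None:                  # assumption: tested on the host name
        return re.search(pattern, client_name) is not None
    if re.fullmatch(r"\d+(\.\d+){0,3}", entry):  # full or partial IPv4 address
        parts = entry.split(".")
        return client_ip.split(".")[:len(parts)] == parts  # whole numbers only
    return _in_domain(client_name, entry)

# Constructed sample entries (documentation domains and addresses).
RECIPIENTS = ["example.com", "postmaster@", "abuse@example.net"]
CLIENTS = ["192.0.2", "mail.example.org"]

def whitelisted_recipient(rcpt):
    return any(recipient_matches(e, rcpt) for e in RECIPIENTS)

def whitelisted_client(name, ip):
    return any(client_matches(e, name, ip) for e in CLIENTS)
```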

   Auto-whitelisting clients
       With the option --auto-whitelist-clients a client IP address will be
       automatically whitelisted if the following conditions are met:

       ·   At least 5 successful attempts at delivering a mail (after
           greylisting was done). That number can be changed by specifying a
           number after the --auto-whitelist-clients argument. Only one
           attempt per hour counts.

       ·   The client was last seen less than --max-age days ago (35 by
           default).

   Greylist Action
       To set the action to be returned to postfix when a message fails
       postgrey's tests and should be deferred, use the
       --greylist-action=ACTION option.

       By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to
       check the rest of the restrictions and defer the message only if it
       would otherwise be accepted. A delay action of 451 causes postfix to
       always defer the message with an SMTP reply code of 451 (temp fail).

       See the postfix manual page access(5) for a discussion of the actions
       allowed.

   Greylist Text
       When a message is greylisted, an error message like this will be sent
       at the SMTP-level:

           Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/example.com.html

       Usually no user should see that error message, and the idea of that URL
       is to provide some help to system administrators seeing that message or
       users of broken mail clients which try to send mails directly and get a
       greylisting error. Note that the default help-URL contains the original
       recipient domain (example.com), so that domain-specific help can be
       presented to the user (on the default page it is said to contact
       postmaster@example.com).

       You can change the text (and URL) with the --greylist-text parameter.
       The following special variables will be replaced in the text:

       %s  How many seconds left until the greylisting is over (300).

       %r  Mail-domain of the recipient (example.com).

   Privacy
       The --privacy option enables the use of a SHA1 hash function to store
       IPs and emails in the greylisting database. This will defeat
       straightforward attempts to retrieve mail user behaviours.

SEE ALSO
       See <http://www.greylisting.org/> for a description of what greylisting
       is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
       description of how Postfix policy servers work.

COPYRIGHT
       Copyright (c) 2004-2006 by ETH Zurich. All rights reserved.

LICENSE
       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       675 Mass Ave, Cambridge, MA 02139, USA.

AUTHOR
       David Schweikert <dws@ee.ethz.ch>

HISTORY
       2004-05-20 ds Initial Version

perl v5.8.8                       2007-02-12                       POSTGREY(8)