POSTGREY(1)            User Contributed Perl Documentation            POSTGREY(1)

NAME
    postgrey - Postfix Greylisting Policy Server

SYNOPSIS
    postgrey [options...]

      -h, --help                    display this help and exit
      --version                     output version information and exit
      -v, --verbose                 increase verbosity level
      --syslog-facility             Syslog facility to use (default mail)
      -q, --quiet                   decrease verbosity level
      -u, --unix=PATH               listen on unix socket PATH
      --socketmode=MODE             unix socket permission (default 0666)
      -i, --inet=[HOST:]PORT        listen on PORT, localhost if HOST is not specified
      -d, --daemonize               run in the background
      --pidfile=PATH                put daemon pid into this file
      --user=USER                   run as USER (default: postgrey)
      --group=GROUP                 run as group GROUP (default: nogroup)
      --dbdir=PATH                  put db files in PATH (default: /var/spool/postfix/postgrey)
      --delay=N                     greylist for N seconds (default: 300)
      --max-age=N                   delete entries older than N days since the last time
                                    that they have been seen (default: 35)
      --retry-window=N              allow only N days for the first retrial (default: 2)
                                    append 'h' if you want to specify it in hours
      --greylist-action=A           if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
      --greylist-text=TXT           response when a mail is greylisted
                                    (default: Greylisted + help url, see below)
      --lookup-by-subnet            strip the last N bits from IP addresses, determined by
                                    ipv4cidr and ipv6cidr (default)
      --ipv4cidr=N                  what cidr to use for the subnet on IPv4 addresses when
                                    using lookup-by-subnet (default: 24)
      --ipv6cidr=N                  what cidr to use for the subnet on IPv6 addresses when
                                    using lookup-by-subnet (default: 64)
      --lookup-by-host              do not strip the last 8 bits from IP addresses
      --privacy                     store data using one-way hash functions
      --hostname=NAME               set the hostname (default: `hostname`)
      --exim                        don't reuse a socket for more than one query (exim compatible)
      --whitelist-clients=FILE      default: /etc/postfix/postgrey_whitelist_clients
      --whitelist-recipients=FILE   default: /etc/postfix/postgrey_whitelist_recipients
      --auto-whitelist-clients=N    whitelist host after first successful delivery
                                    N is the minimal count of mails before a client is
                                    whitelisted (turned on by default with value 5)
                                    specify N=0 to disable.
      --listen-queue-size=N         allow for N waiting connections to our socket
      --x-greylist-header=TXT       header when a mail was delayed by greylisting
                                    default: X-Greylist: delayed <seconds> seconds by
                                    postgrey-<version> at <server>; <date>

    Note that the --whitelist-x options can be specified multiple times,
    and that per default /etc/postfix/postgrey_whitelist_clients.local is
    also read, so that you can put local entries there.

DESCRIPTION
    Postgrey is a Postfix policy server implementing greylisting.

    When a request for delivery of a mail is received by Postfix via SMTP,
    the triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the
    first time that this triplet is seen, or if the triplet was first seen
    less than delay seconds ago (300 is the default), then the mail gets
    rejected with a temporary error. The hope is that spammers and viruses
    will not try again later, even though retrying after a temporary error
    is required by the RFC.

    Note that you shouldn't use the --lookup-by-host option unless you know
    what you are doing: many mail servers send from a pool of addresses, so
    the client IP can differ on every retry. That is why, without this
    option, postgrey strips the last byte of the IP address when doing
    lookups in the database.

  Installation
    o Create a "postgrey" user and the directory where to put the
      database dbdir (default: "/var/spool/postfix/postgrey")

    o Write an init script to start postgrey at boot and start it. Like
      this for example:

          postgrey --inet=10023 -d

      contrib/postgrey.init in the postgrey source distribution includes
      a LSB-compliant init script by Adrian von Bidder for the Debian
      system.

    o Put something like this in /etc/main.cf:

          smtpd_recipient_restrictions =
              permit_mynetworks
              ...
              reject_unauth_destination
              check_policy_service inet:127.0.0.1:10023

    o Install the provided postgrey_whitelist_clients and
      postgrey_whitelist_recipients in /etc/postfix.

    o Put in /etc/postfix/postgrey_whitelist_recipients users that do not
      want greylisting.

  Whitelists
    Whitelists allow you to specify client addresses or recipient
    addresses for which no greylisting should be done. Per default
    postgrey will read the following files:

        /etc/postfix/postgrey_whitelist_clients
        /etc/postfix/postgrey_whitelist_clients.local
        /etc/postfix/postgrey_whitelist_recipients

    You can specify alternative paths with the --whitelist-x options.

    Postgrey whitelists follow similar syntax rules as Postfix access
    tables. The following can be specified for recipient addresses:

    domain.addr
        "domain.addr" domain and subdomains.

    name@
        "name@.*" and extended addresses "name+blabla@.*".

    name@domain.addr
        "name@domain.addr" and extended addresses.

    /regexp/
        anything that matches "regexp" (the full address is matched).

    The following can be specified for client addresses:

    domain.addr
        "domain.addr" domain and subdomains.

    IP1.IP2.IP3.IP4
        IP address IP1.IP2.IP3.IP4. You can also leave off one
        number, in which case only the first specified numbers will
        be checked.

    IP1.IP2.IP3.IP4/MASK
        CIDR-style network. Example: 192.168.1.0/24

    /regexp/
        anything that matches "regexp" (the full address is matched).
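The two entry syntaxes above as a matcher, added here as an illustration and not postgrey's own code; treating '+' as the address-extension separator, matching a client on either its reverse-DNS name or its IP, and case-insensitive regexps are assumptions.

```python
import ipaddress
import re

def _local_part(addr):
    """name+ext@domain -> name: '+' extensions count as the same user, as the docs describe."""
    return addr.rsplit("@", 1)[0].split("+", 1)[0]

def _in_network(s, net):
    try:
        return ipaddress.ip_address(s) in net
    except ValueError:           # not an IP literal (e.g. a hostname)
        return False

def compile_entry(entry, kind):
    """Turn one whitelist line into a predicate over a lowercased string.
    kind is "client" or "recipient"; blank and '#' lines yield None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if len(entry) > 1 and entry[0] == entry[-1] == "/":          # /regexp/
        rx = re.compile(entry[1:-1], re.IGNORECASE)
        return lambda s: rx.fullmatch(s) is not None               # full address is matched
    entry = entry.lower()
    if kind == "client" and "/" in entry:                          # IP1.IP2.IP3.IP4/MASK
        net = ipaddress.ip_network(entry, strict=False)
        return lambda s: _in_network(s, net)
    if kind == "client" and re.fullmatch(r"\d+(\.\d+){0,3}", entry):  # possibly truncated IP
        return lambda s: s == entry or s.startswith(entry + ".")
    if kind == "recipient" and "@" in entry:                       # name@ or name@domain.addr
        local, _, domain = entry.partition("@")
        return lambda s: _local_part(s) == local and (not domain or s.endswith("@" + domain))
    # domain.addr: the domain itself and its subdomains (the recipient's domain for recipients)
    return lambda s: s == entry or s.endswith("." + entry) or s.endswith("@" + entry)

def load(lines, kind):
    """Compile a whitelist file's lines (comments and blanks are skipped)."""
    return [p for p in (compile_entry(line, kind) for line in lines) if p is not None]

def recipient_whitelisted(recipient, preds):
    return any(p(recipient.lower()) for p in preds)

def client_whitelisted(client_name, client_ip, preds):
    """Assumption: a client matches if either its reverse-DNS name or its IP matches an entry."""
    return any(p(value) for value in (client_name.lower(), client_ip) for p in preds)
```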

  Auto-whitelisting clients
    With the option --auto-whitelist-clients a client IP address will be
    automatically whitelisted if the following conditions are met:

    o At least 5 successful attempts of delivering a mail (after
      greylisting was done). That number can be changed by specifying a
      number after the --auto-whitelist-clients argument. Only one
      attempt per hour counts.

    o The client has been seen within the last --max-age days (35 per
      default).
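The two conditions above as a counter over an in-memory map keyed by the subnet-stripped client address, added as an example and not postgrey's own code; the record layout and gating the hourly rule on the time of the last counted attempt are assumptions.

```python
AUTO_WHITELIST_COUNT = 5   # --auto-whitelist-clients=N (default 5; N=0 disables)
MAX_AGE = 35 * 86400       # --max-age=N days, in seconds
HOUR = 3600

def record_success(awl, now, client):
    """Note a successful delivery (after greylisting) from `client`, the subnet-stripped
    address. awl maps client -> record; only one attempt per hour increases the count."""
    rec = awl.setdefault(client, {"count": 0, "last_counted": None, "last_seen": None})
    if rec["last_counted"] is None or now - rec["last_counted"] >= HOUR:
        rec["count"] += 1
        rec["last_counted"] = now
    rec["last_seen"] = now
    return rec["count"]

def is_auto_whitelisted(awl, now, client, threshold=AUTO_WHITELIST_COUNT):
    """Whitelisted once the count reaches the threshold and the client was seen within --max-age."""
    rec = awl.get(client)
    if threshold == 0 or rec is None:
        return False
    if now - rec["last_seen"] > MAX_AGE:
        del awl[client]                     # expired, as the --max-age cleanup would do
        return False
    return rec["count"] >= threshold

def expire(awl, now, max_age=MAX_AGE):
    """Periodic cleanup: drop entries not seen for --max-age days; returns how many were dropped."""
    stale = [c for c, r in awl.items() if now - r["last_seen"] > max_age]
    for c in stale:
        del awl[c]
    return len(stale)
```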

  Greylist Action
    To set the action to be returned to postfix when a message fails
    postgrey's tests and should be deferred, use the
    --greylist-action=ACTION option.

    By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to
    check the rest of the restrictions and defer the message only if it
    would otherwise be accepted. An action of 451 causes postfix to
    always defer the message with an SMTP reply code of 451 (temp fail).
    See the postfix manual page access(5) for a discussion of the actions
    allowed.

  Greylist Text
    When a message is greylisted, an error message like this will be sent
    at the SMTP level:

        Greylisted, see http://postgrey.schweikert.ch/help/example.com.html

    Usually no user should see that error message; the idea of the URL is
    to provide some help to system administrators who see that message,
    or to users of broken mail clients which try to send mails directly
    and get a greylisting error. Note that the default help URL contains
    the original recipient domain (example.com), so that domain-specific
    help can be presented to the user (the default page says to contact
    postmaster@example.com).

    You can change the text (and URL) with the --greylist-text parameter.
    The following special variables will be replaced in the text:

    %s  How many seconds are left until the greylisting is over (300).
    %r  Mail domain of the recipient (example.com).

  Greylist Header
    When a message is greylisted, an additional header can be prepended to
    the header section of the mail:

        X-Greylist: delayed %t seconds by postgrey-%v at %h; %d

    You can change the text with the --x-greylist-header parameter. The
    following special variables will be replaced in the text:

    %t  How many seconds the mail has been delayed due to greylisting.
    %v  The version of postgrey.
    %d  The date.
    %h  The host.

  Privacy
    The --privacy option enables the use of the SHA1 hash function to store
    IPs and email addresses in the greylisting database. This defeats
    straightforward attempts to retrieve mail user behaviour from the
    database files.
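The greylisting decision from DESCRIPTION, with the --greylist-text and --x-greylist-header substitutions and the --privacy hashing described above, written in Python as an added example rather than postgrey's own code; the database key layout, the PREPEND pass-through action, the in-memory dict standing in for the --dbdir files and the VERSION/HOST/DATE placeholders are assumptions.

```python
import hashlib
import ipaddress

DELAY = 300                 # --delay=N seconds
RETRY_WINDOW = 2 * 86400    # --retry-window=N days, in seconds
GREYLIST_TEXT = "Greylisted, see http://postgrey.schweikert.ch/help/%r.html"
HEADER_TEXT = "X-Greylist: delayed %t seconds by postgrey-%v at %h; %d"

def client_key(client_ip, ipv4cidr=24, ipv6cidr=64):
    """--lookup-by-subnet: keep only the first ipv4cidr/ipv6cidr bits of the address."""
    addr = ipaddress.ip_address(client_ip)
    bits = ipv4cidr if addr.version == 4 else ipv6cidr
    return str(ipaddress.ip_network((str(addr), bits), strict=False).network_address)

def triplet_key(client_ip, sender, recipient, privacy=False):
    """Build the CLIENT_IP / SENDER / RECIPIENT triplet. --privacy replaces each part
    by its SHA1; an unsalted hash of an IPv4 address is cheap to brute-force, so this
    hides data from casual inspection only. (Key layout is an assumption.)"""
    parts = [client_key(client_ip), sender.lower(), recipient.lower()]
    if privacy:
        parts = [hashlib.sha1(p.encode()).hexdigest() for p in parts]
    return "/".join(parts)

def expand(template, **fields):
    """Replace %s, %r, %t, %v, %h, %d as --greylist-text and --x-greylist-header describe."""
    for name, value in fields.items():
        template = template.replace("%" + name, str(value))
    return template

def decide(db, now, client_ip, sender, recipient, privacy=False,
           version="VERSION", host="mx.example.com", date="DATE"):
    """One policy decision. db maps triplet key -> time of the first attempt
    (an in-memory stand-in for the --dbdir files). Returns (action, text)."""
    key = triplet_key(client_ip, sender, recipient, privacy)
    first = db.get(key)
    if first is None or now - first > RETRY_WINDOW:
        db[key] = now          # new triplet, or the first retrial came too late: start over
        first = now
    elapsed = now - first
    if elapsed < DELAY:
        domain = recipient.rsplit("@", 1)[-1]
        return "DEFER_IF_PERMIT", expand(GREYLIST_TEXT, s=DELAY - elapsed, r=domain)
    # retrial after the delay: let the mail through and have Postfix prepend the header
    return "PREPEND", expand(HEADER_TEXT, t=elapsed, v=version, h=host, d=date)

if __name__ == "__main__":
    db = {}
    print(decide(db, 1000, "203.0.113.7", "news@example.org", "bob@example.com"))
    print(decide(db, 1400, "203.0.113.7", "news@example.org", "bob@example.com"))
```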

SEE ALSO
    See <http://www.greylisting.org/> for a description of what greylisting
    is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
    description of how Postfix policy servers work.

COPYRIGHT
    Copyright (c) 2004-2007 by ETH Zurich. All rights reserved.
    Copyright (c) 2007 by Open Systems AG. All rights reserved.

LICENSE
    This program is free software; you can redistribute it and/or modify it
    under the terms of the GNU General Public License as published by the
    Free Software Foundation; either version 2 of the License, or (at your
    option) any later version.

    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    675 Mass Ave, Cambridge, MA 02139, USA.

AUTHOR
    David Schweikert <david@schweikert.ch>

perl v5.32.0                        2015-09-01                       POSTGREY(1)