Killing that spam with greylisting using Postfix and Postgrey

[erk]

Ever heard of greylisting?

Greylisting is a powerful way of reducing spam to your mailserver. Greylisting in short means that when someone wants to deliver a mail to your mailserver it will simply reply "Please come back later". That is something all RFC compliant mailservers do and when they do come back the mail is accepted. Most spammers and spam software are not compliant and not patient enough to try again. You will be surprised to see how effective this is. Anyway, follow the links below to really learn about it. There are as always pros and cons so do your homework before you put it on a production server.

Greylisting.org
Greylisting on Wikipedia

There are several implementations of greylisting and it can be done with most any server. I will show you how to do it on a Debian Sarge with Postfix running as MTA with Postgrey.

Install Postgrey

I assume you have a working Postfix installation. Requirements for postgrey are:
- Perl >= 5.6.0
- Net::Server (Perl Module)
- IO::Multiplex (Perl Module)
- BerkeleyDB (Perl Module)
- Berkeley DB >= 4.1 (Library)

First we install the postgrey package with :

Code:

apt-get install postgrey

This will install the postgrey server on your machine. Now we might want to change some settings. The most annoying thing with greylisting is that it impose a delay on the delivery of mails. I find the 5 minute delay that is default to be a little too long so I set it to 1 minute. If you wish you can change this by editing /etc/default/postgrey. Change the default :

Code:

POSTGREY_OPTS="--inet=127.0.0.1:60000"

to

Code:

POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=60"

However I would suggest changing the defaults only after you have verified that everything works as expected.

Now start the postgrey policyserver with :

Code:

/etc/init.d/postgrey start

The Postgrey policy service should now be up and running on port 60000. Let's configure Postfix to use Postgrey.

Configure Postfix

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:60000 to the smtpd_recipient_restrictions.
It should look something like this :

Code:

smtpd_recipient_restrictions = permit_sasl_authenticated,
                       permit_mynetworks,
                       reject_unauth_destination,
                       check_policy_service inet:127.0.0.1:60000

Now all we have to do is to reload the Postfix configuration with :

Code:

postfix reload

Simple and nice. Sit back and enjoy the absence of spam

//Erk

PS. This is really not a ISPC specific HowTo but I thought I would post it here first.

[DerLobo]

Wow,

very helpfull.

Thank you very much.

Regards from Thailand,

Lobo

[DerLobo]

Quote:

I assume you have a working Postfix installation. Requirements for postgrey are:
- Perl >= 5.6.0
- Net::Server (Perl Module)
- IO::Multiplex (Perl Module)
- BerkeleyDB (Perl Module)
- Berkeley DB >= 4.1 (Library)

If not, no worry
apt-get install postgrey
will install all requirements.

[erk]

Yep, you are right, Debian apt-get will install the requirements but if you want to install for a different distro or from source tarball I thought it was prudent to point out the requirements.

//Erk

[farao]

Dear all,

After installing Postgrey last night, and verifying it actually works, I set the delay-option to 60 seconds. But then I found it delays my messages for too long.
In my headers, I see entries like:
X-Greylist: delayed 1025 seconds by postgrey-1.24 (...blah blah)

Another test gave me a 1101 second delay.
Does anyone have an idea what could be the problem?

Thanks.

[torusturtle]

Thanks erk!

[martinmuc]

Quote:

Originally Posted by farao

Dear all,

After installing Postgrey last night, and verifying it actually works, I set the delay-option to 60 seconds. But then I found it delays my messages for too long.
In my headers, I see entries like:
X-Greylist: delayed 1025 seconds by postgrey-1.24 (...blah blah)

Another test gave me a 1101 second delay.
Does anyone have an idea what could be the problem?

Thanks.

Hi, you completely misunderstood greylisting.
Please read the documentation before you use greylisting and how e-mail works. Otherwise it could happen that your server is blocking all mails.

The delay-Parameter does not define, when the e-mail should arrive your server (60 seconds). It defines that the e-mail is accepted in 60 seconds.
You have no influence when the sending e-mail server will retry to send the e-mail, after you greylisted it.
Before these 60 seconds the server will not accept the email.

I used 360 seconds, because spammers will try it in 60 seconds again :-)
There is a second parameter, how long you will accept the e-mail --retry-windows=2h
This defines that you accept the emails 2 hours after you have greylisted the email (first contact). Now the email must be incoming between the first 360 seconds and 2 hours, after 2 hours it would be greylisted again.

Hope this helps :-)


Martin

[sjau]

I set my server to 15min before it allows that... I guess for the moment that's enough delay

[farao]

@martinmuc: Thanks, this helps indeed. I kind of figured out that the sending server is the one responsible for the actual delay, since my postfix-server can't resend that mail. I just thought that mailservers would retry continuous for say two days, my bad. The time window explanation completely cleared the fog for me, I'll just give mail a day to reach me, after that, the urgency is most often gone anyway.
I'll change the settings tonight, and see what happens.
Guess I'll have to add some domains to the postgrey-whitelist as well...

What are your experiences with average delay-times?
And now that I'm asking: I want to run a mailman listservice on a subdomain, can I exclude domains from postgrey-processing? It would be nasty to first delay the original post, and then further delay the mailman-mails to recipients on the same box.
Ouch, maybe I should just stick to spamassassin and skip the greylisting.

Thanks.

[Telesat]

Martin, it should be --retry-window=2h

I won't retry Windows