Greylisting / postgrey + ISPConfig

Discussion in 'ISPConfig 3 Priority Support' started by JaapV, May 16, 2017.

  1. JaapV

    JaapV New Member HowtoForge Supporter

    I'm running ISPConfig on a mail server (part of a multi-server setup). Postgrey is running on that machine. The intention is that users can turn of greylisting for their own email address via ISPConfig, but that doesn't work: all incoming mail goes through postgrey. Additionally, it looks like postgrey doesn't read the files in /etc/postgrey/whitelist*, because whatever I change there, * still gets blocked by postgrey.

    This is what it says in /etc/postfix/
    smtpd_recipient_restrictions =
    check_recipient_access mysql:/etc/postfix/,
    check_policy_service unix:private/policy-spf,
    check_recipient_access mysql:/etc/postfix/,

    In /etc/default/postgrey it says:
    POSTGREY_OPTS="--inet=10023 --delay=60 --whitelist-recipients=/etc/postgrey/whitelist_recipients --whitelist-clients=/etc/postgrey/whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients.local --whitelist-clients=/etc/postgrey/whitelist_clients.local"
    This seems to be ignored.

    In /etc/postfix/
    user = ispconfig
    password = XXXXXXXXXX
    dbname = dbispconfig
    query = SELECT 'greylisting' FROM (SELECT greylisting, source AS email FROM mail_forwarding WHERE server_id = 3 UNION SELECT greylisting, email FROM mail_user WHERE server_id = 3) addresses WHERE'%s' AND addresses.greylisting='y'
    hosts =

    The mailserver is running Debian Wheezy with ISPConfig 3.1.3. The server has been running for a couple of years, so earlier experiments with the setup and non-fluent upgrades of ISPConfig might cause the current situation.

    Any ideas on how to I could get postfix/postgrey to listen to the per-user greylisting settings in ISPConfig? And how to get postgrey to read it's config files?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Here is the complete from a fresh installed Ubuntu system so you can compare it with yours:

    # See /usr/share/postfix/ for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = /usr/share/doc/postfix
    # See -- default to 2 on
    # fresh installs.
    compatibility_level = 2
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname =
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination =, localhost, localhost.localdomain
    relayhost =
    mynetworks = [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/
    virtual_gid_maps = mysql:/etc/postfix/
    sender_bcc_maps = proxy:mysql:/etc/postfix/
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/, reject_rbl_client, check_recipient_access mysql:/etc/postfix/
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/
    relay_domains = mysql:/etc/postfix/
    relay_recipient_maps = mysql:/etc/postfix/
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/ , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/, check_sender_access regexp:/etc/postfix/
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[]:10024
    receive_override_options = no_address_mappings
  3. JaapV

    JaapV New Member HowtoForge Supporter

    I ran a manual diff on the file.

    My version contained
    check_policy_service unix:private/policy-spf, 

    before greylisting.

    My version also contained:
    message_size_limit = 40960000
    strict_rfc821_envelopes = yes
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_tls_ask_ccert = yes
    smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    policy-spf_time_limit = 3600s
    I've taken all of these out now, just to make sure they are not causing the problem. If greylisting behaves normally, I will start adding them again.
  4. JaapV

    JaapV New Member HowtoForge Supporter

    It looks like the greylisting config files are still ignored. These two lines should solve the "" problem, but they are not read.
    Any ideas on why greylisting doesn't read it's config files?
  5. JaapV

    JaapV New Member HowtoForge Supporter

    Ok... found out what was wrong with postgrey. Greylisting did not actually restart on "service postgrey restart" or "/etc/init.d/postgrey restart". Also "start" and "stop" did not what you would expect, so changes in the configuration were never read. Killing the postgrey daemon did the trick.

    After running for about 6 hours, it looks like postgrey integration with ISPConfig is fixed, too. Reverting to the "default" seems to have helped, allthough I haven't figured out why. I will try reintegrating the features I took out.

Share This Page