Greylisting - fight Spam with Postgrey and Postfix on Debian and Ubuntu

Ever heard of greylisting?

There are numerous ways to prevent spam from reaching your inbox; the most popular is probably SpamAssassin. Greylisting will not replace spam filtering software like SA, but it serves as a powerful first hurdle for spam, reducing the amount of spam that enters the system at all. It should be seen as an addition to all the other anti-spam features of Postfix.

Apart from the obvious benefit of reducing the amount of spam in your inbox, it gives your virus scanner and SpamAssassin less work to do. Both spam filtering and virus scanning are CPU-intensive, and stopping spam at the door will potentially save you money due to reduced hardware requirements.

Greylisting in short means that when someone wants to deliver a mail to your mail server, it will simply reply "Please come back later". Coming back later is something all RFC-compliant mail servers do, and when they do come back the mail is accepted. Most spammers and spam software are not compliant and not patient enough to try again. You will be surprised to see how effective this is. Anyway, follow the links below to really learn about it. There are, as always, pros and cons, so do your homework before you put it on a production server.

Greylisting.org
Greylisting on Wikipedia

There are several implementations of greylisting, and it can be done with almost any server. I will show you how to do it on Debian with Postfix running as the MTA, using Postgrey. The steps from this guide will work for all Debian versions from Debian 3.1 (sarge) to 8 (jessie).

Install Postgrey

I assume you have a working Postfix installation.

If you use apt-get to install Postgrey the requirements will be handled automagically. However, if you install from source you will have to check it manually.

Requirements for Postgrey are:

  • Perl >= 5.6.0
  • Net::Server (Perl Module)
  • IO::Multiplex (Perl Module)
  • BerkeleyDB (Perl Module)
  • Berkeley DB >= 4.1 (Library)

I recommend installing the Postgrey package with apt.

First, we install the Postgrey package with:

apt-get -y install postgrey

This will install the Postgrey server on your machine. You might want to change some settings. The most annoying thing about greylisting is that it imposes a delay on the delivery of mail. If you find the default 5-minute delay a little too long, you can set it to 1 minute. You can change this by editing /etc/default/postgrey. Change the default:

POSTGREY_OPTS="--inet=127.0.0.1:10023"

to:

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

However, I would suggest changing the defaults only after you have verified that everything works as expected. It is also worth noting that a shorter delay will reduce the efficiency of the greylisting. Increasing the delay to an hour will be harder on spam but also harder on your users' patience. :)

Now start the Postgrey policy server with:

service postgrey start

The Postgrey policy service should now be up and running on port 10023.

Now let's configure Postfix to use Postgrey.

Configure Postfix

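The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:10023 to smtpd_recipient_restrictions. Put it after permit_sasl_authenticated and permit_mynetworks, so that your own clients are not greylisted, and after reject_unauth_destination, so that the policy server is only asked about mail your server would accept anyway. It should look something like this: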

smtpd_recipient_restrictions = permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           check_policy_service inet:127.0.0.1:10023

Now all we have to do is to reload the Postfix configuration with:

postfix reload
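
An added example, not part of the original article and not Postgrey's code: a simplified Python model of what a greylisting policy service does with the name=value requests Postfix sends over check_policy_service. The /24 grouping, the reply text and the sample addresses are assumptions of the model.

```python
# Simplified greylisting model (illustration only, not Postgrey's implementation).
DELAY = 300  # seconds; the 5-minute default delay mentioned above


def parse_request(raw):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet(attrs, by_subnet=True):
    """Key a delivery attempt on (client, sender, recipient)."""
    client = attrs["client_address"]
    if by_subnet and ":" not in client:       # assumption: group IPv4 clients per /24
        client = client.rsplit(".", 1)[0] + ".0/24"
    return (client, attrs["sender"].lower(), attrs["recipient"].lower())


def decide(raw, first_seen, now, delay=DELAY, by_subnet=True):
    """Return the policy reply for one RCPT TO and record when the triplet was first seen."""
    key = triplet(parse_request(raw), by_subnet)
    seen = first_seen.setdefault(key, now)
    if now - seen >= delay:
        return "action=DUNNO\n\n"             # no objection; later restrictions still apply
    return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"


def request(client, sender="alice@example.org", recipient="bob@example.net"):
    """Build a constructed policy request (sample data, not a captured one)."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nsender={sender}\nrecipient={recipient}\n\n")


if __name__ == "__main__":
    db = {}
    print(decide(request("192.0.2.10"), db, now=0).strip())      # first attempt: deferred
    print(decide(request("192.0.2.10"), db, now=60).strip())     # retried too early
    print(decide(request("192.0.2.77"), db, now=400).strip())    # retry after delay, same /24
    print(decide(request("198.51.100.5"), db, now=900).strip())  # other network: new triplet
```

The last call shows why a sender that retries from a different network starts the delay over again.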

Simple and nice. Sit back and enjoy the absence of spam :)

//Erk

Comments

By: Anonymous

Interesting timing. I just got done installing sqlgrey on my Sarge box.  This has more knobs to tweak than postgrey seems to, and overall should scale better.  The downside is that it's not packaged for Debian.  :-( (Just RH and Gentoo.)

 http://sourceforge.net/projects/sqlgrey/

By: Anonymous

The setup for postfix-gld is just as easy and you can manage the lists directly through mysql. Tutorial to setup postfix-gld: http://wyae.de/docs/greylisting/

By: erk

Good tutorial for postfix-gld!

There are a fairly large number of greylisting softwares and they are not very well known so I'm glad to see tips and opinions about them in the comments.

One of the deciding factors for going with Postgrey for me was actually that I did not want any SQL database server. I suppose Sqlgrey with SQLite would have been an option but I like to keep to stuff that is in Debian stable for production use.

//Erk

By: mymaestro

This howto threw me off and never worked. Turns out newer postgrey is different and/or RedHat configures it differently.

Following the CentOS howto makes everything work again.

http://wiki.centos.org/HowTos/postgrey

By: Anonymous

Yeah, the author should probably say that this guide is for Debian/Ubuntu only.

By: IzFazt

used yast2 to install on opensuse 11, had to edit /etc/sysconfig/postgrey

then commented out

#POSTGREY_CONN_OPTIONS="--unix=/var/spool/postfix/postgrey/socket"

and uncommented 

POSTGREY_CONN_OPTIONS="--inet=127.0.0.1:10031"

then changed port from default 10031 to 60000 in this line

after that it worked by restarting postgrey

By: Jay

On my box the default port was not 60000. Run `ps aux|grep postgrey` after you start it and it will show the port on the command line.

By:


I'm using postgrey 1.34 and was having issues getting postgrey working.

smtpd[7976]: warning: connect to 127.0.0.1:10023: Connection refused

 it seems postgrey now uses ipv6 as default - so change the line 

 POSTGREY_OPTS="--inet=127.0.0.1:60000"

to: 

 POSTGREY_OPTS="--inet=60000"

and everything is fine.. 

By: laurentm

Nice tutorial. Works perfectly and saved my customers from the ransomware locky !

But you have to be warned that postgrey has trouble when sender domain has multiple smtp servers (load balance), the delay can be many hours. To avoid that, you need to whitelist these domains (like gmail or yahoo).