Postfix/Greylisting

From Gentoo Wiki

Greylisting is a process in which systems attempting to connect to your server to deliver mail for the first time are treated differently to known peers, delaying their mail. If the sending mail server is standards-compliant, it will re-send the e-mail, and the server will accept it. Most spam mailers, however, don't re-send the mail, and so the spam is blocked. Servers that re-send the mail will be added to a white list, and will not be delayed in future. This means that the first e-mail from a given sender will be delayed, but subsequent ones will not be.

Installation

Greylisting for Postfix is typically implemented using the mail-filter/postgrey package, so first install that:

root #emerge --ask mail-filter/postgrey

By default postgrey listens on port 10030. This can be changed by modifying the POSTGREY_PORT variable in /etc/conf.d/postgrey.

Setup

Next, we need to start it, and set it to start automatically.

root #rc-update add postgrey default
root #/etc/init.d/postgrey start

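Now we have to tell Postfix to use it, by adding the check_policy_service inet:127.0.0.1:10023 entry to the existing smtpd_recipient_restrictions directive in your main.cf file, as follows. The port in this entry must be the one postgrey actually listens on (the POSTGREY_PORT value in /etc/conf.d/postgrey); otherwise Postfix cannot reach the policy daemon.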

FILE /etc/postfix/main.cf (Use greylist policy daemon)
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unauth_destination,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   check_policy_service inet:127.0.0.1:10023,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit
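
What happens behind the check_policy_service entry, as an added example (not code from postgrey or from the original page): Postfix sends the policy daemon a block of name=value attributes for each RCPT TO, and the daemon answers with an action. The sketch below is a simplified model that assumes a 300-second delay and keys its decision on the (client address, sender, recipient) triplet; the class and function names are hypothetical.

```python
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value for this example)

def parse_request(text):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Greylist:
    """In-memory greylist; a real daemon persists this state on disk."""

    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}   # triplet -> time of first delivery attempt
        self.passed = set()    # triplets that retried after the delay

    def decide(self, attrs):
        """Return the action line a policy service sends back to Postfix."""
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        if triplet in self.passed:
            return "action=DUNNO"          # known peer: fall through to later restrictions
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= self.delay:
            self.passed.add(triplet)       # sender retried like a compliant MTA
            return "action=DUNNO"
        return "action=DEFER_IF_PERMIT Greylisted, please retry later"

# Constructed sample request, in the format Postfix sends to a policy service.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsender=alice@example.org\n"
          "recipient=bob@example.com\n\n")

if __name__ == "__main__":
    fake_now = [0.0]                       # controllable clock for the demonstration
    gl = Greylist(clock=lambda: fake_now[0])
    req = parse_request(SAMPLE)
    for t in (0, 60, 301, 302):
        fake_now[0] = t
        print(t, gl.decide(req))
```

DUNNO lets Postfix continue with the restrictions listed after check_policy_service (here the RBL checks), so passing the greylist does not by itself accept the message.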

Deployment

Finally, tell postfix to reload its configuration for the changes to take effect.

root #/etc/init.d/postfix reload
Note
By using reload instead of restart, we are advised of any syntax errors we may have accidentally introduced and the daemon stays running under its current configuration instead of going down, which is what would happen if we used restart with a syntax error in main.cf!