Setting up Postgrey for Postfix
How greylisting works
Greylisting (also spelled graylisting) is currently the most effective way to protect your mailserver from spam. It makes use of the SMTP protocol by sending the error code "450 Currently Unavailable" to every host that tries to send mail to the mailserver for the first time. Postgrey then saves a so-called "triplet" (consisting of the host's IP, the sender address and the recipient address). A correctly implemented and well-configured mailserver will try to deliver the mail more than once (which is required by RFC). The second attempt to deliver the mail will succeed, as Postgrey now finds the existing triplet in its database. Most mailservers used by spammers do not try to deliver a mail again; they do not even interpret the error codes sent by other mailservers.
Setting up Postgrey
For this tutorial I assume you've got a running Postfix on a Debian-like system. The first thing to do is to install the postgrey Debian package. You can do this with the package manager of your choice (I will use apt-get):
ktulu:~# apt-get install postgrey
Debian will also install some Perl packages that Postgrey requires. After the install finishes, the postgrey service will listen on 127.0.0.1:60000. To determine whether the service is already running, you can do the following:
ktulu:~# netstat -t -p -l|grep 60000
If the service is not running, start it with
/etc/init.d/postgrey start
or
postgrey --inet=127.0.0.1:60000
There are two important parameters to mention here:
--delay=N Specifies how many seconds to greylist
--max-age=N Specifies how many days an entry remains in the database
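The triplet logic described under "How greylisting works", together with the --delay and --max-age settings, as a small Python model. This is an added example, not Postgrey's own code; the class and function names, the sample addresses and the 35-day max-age value are assumptions, and max-age is modelled here as time since the triplet was last seen.

```python
from dataclasses import dataclass, field

DEFER = "450"   # temporary failure: a correct sender retries later
ACCEPT = "OK"   # triplet is known and the delay has passed


@dataclass
class Greylist:
    delay: int = 300        # seconds, like --delay (5 minutes in this tutorial)
    max_age_days: int = 35  # days, like --max-age (assumed value)
    # triplet -> [first_seen, last_seen] as Unix timestamps
    db: dict = field(default_factory=dict)

    def check(self, client_ip, sender, recipient, now):
        """Return DEFER or ACCEPT for one delivery attempt at time `now`."""
        triplet = (client_ip, sender, recipient)
        entry = self.db.get(triplet)

        # Entries not seen for longer than max-age are forgotten,
        # so the next attempt is treated like a first contact.
        if entry is not None and now - entry[1] > self.max_age_days * 86400:
            del self.db[triplet]
            entry = None

        if entry is None:
            self.db[triplet] = [now, now]
            return DEFER
        entry[1] = now
        # A retry that arrives before the delay has passed is still deferred.
        return DEFER if now - entry[0] < self.delay else ACCEPT


def replay(attempts, **settings):
    """Run a list of (ip, sender, recipient, timestamp) through one Greylist."""
    greylist = Greylist(**settings)
    return [greylist.check(*attempt) for attempt in attempts]


# Constructed sample attempts: (client IP, sender, recipient, timestamp)
SAMPLE = [
    ("192.0.2.10", "alice@example.org", "bob@example.net", 0),      # first contact
    ("192.0.2.10", "alice@example.org", "bob@example.net", 60),     # retry too early
    ("192.0.2.10", "alice@example.org", "bob@example.net", 400),    # retry after delay
    ("198.51.100.7", "alice@example.org", "bob@example.net", 410),  # new client IP
    ("192.0.2.10", "alice@example.org", "bob@example.net", 400 + 36 * 86400),  # expired
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(verdict, attempt)
```

The fourth attempt shows why a sender that rotates through several outgoing IPs can be deferred more than once: each new IP forms a new triplet.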
Telling Postfix to use Postgrey
The next and last step to complete the installation is to add a short directive to the Postfix configuration. Add the following line to the smtpd_recipient_restrictions directive in main.cf (located in /etc/postfix/):
check_policy_service inet:127.0.0.1:60000
The whole line might now look like this:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:60000
Now save main.cf and reload Postfix by calling /etc/init.d/postfix reload to complete the installation. A quick look into mail.log (located in /var/log/ by default) after sending a mail to your mailserver should show that postgrey is running. The mail will be blocked the first time and delivered to your maildir after the timeout of 5 minutes has passed and the foreign mailserver has made its second attempt (see postgrey.conf to change the timeout; I recommend leaving it at 5 minutes).
