Greylisting (http://www.greylisting.org/) is a (relatively) new, resource-preserving measure against SPAM and virus mails. It raises the barrier for unwanted mails by not accepting one-shot mailings, which are common to all current virus and many SPAM injectors. It also narrows the time window for spammers before they are listed on RBLs (blacklists). Intercepting the mails early in the SMTP dialog reduces the unwanted data traffic by a few orders of magnitude.
This is a step-by-step guide on how to implement greylisting on a production Linux server (Debian 3.1 old-stable/Sarge, Debian stable/Etch or Gentoo).
Debian (Sarge/Etch):

  apt-get install postfix-gld

You will have to enable it by configuring that in the /etc/default/gld file:

  # /etc/default/gld
  ENABLED=1

Gentoo:

  emerge gld

From the source archive:

  make
  make install
# /etc/gld.conf
#-------------------------------------------
PORT=2525          # port to listen to
LOOPBACKONLY=1     # and only on 127.0.0.1
MAXCON=100         # max. connections
MINTIME=300        # 5 minutes greylisting before accepting message
LIGHTGREY=0        # do exact host match, don't accept the class C net around it
WHITELIST=0        # don't do whitelisting - we use /etc/postfix/access for that
ERRACCEPT=1        # fail gracefully: accept mail if gld hits an error (e.g. database down)
UPDATE=1           # update "last used" fields for easier maintenance
SYSLOG=1           # log to syslog
FACILITY=mail      # as MAIL facility
MESSAGE=Temporarily held back, please try again in one hour or so.
### MySQL
SQLHOST=localhost
SQLUSER=GREYUSER
SQLPASSWD=GREYPASSWORD
SQLDB=GREYDATABASE
### user, pwd and db are set to "gld" by default, better change that
### unless you've installed from Debian Sarge which installs the proper
### database along with the script installation
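To make the MINTIME and LIGHTGREY settings concrete, here is an added example (not gld's own code) of the decision a greylisting policy server takes for one Postfix policy request; the request text, the in-memory "seen" table and the 192.0.2.x addresses are constructed for the demonstration.

```python
# Added example, not gld's own code: a policy decision that mirrors the
# gld.conf values above. Postfix sends one "name=value" line per attribute
# and a blank line; the server answers "action=..." followed by a blank line.

MINTIME = 300      # seconds a triplet has to wait, as in gld.conf
LIGHTGREY = 0      # 0: exact client IP; 1: treat the whole class C net as one client
MESSAGE = "Temporarily held back, please try again in one hour or so."

# Constructed request, as smtpd(8) would send it at RCPT TO time.
SAMPLE = """request=smtpd_access_policy
protocol_state=RCPT
client_address=192.0.2.10
sender=alice@example.org
recipient=bob@example.net
"""


def parse_request(raw):
    """Turn the attribute lines of one policy request into a dict."""
    attrs = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def triplet_key(attrs, lightgrey=LIGHTGREY):
    """Greylisting key (client, sender, recipient); LIGHTGREY widens the client (IPv4 only here)."""
    client = attrs["client_address"]
    if lightgrey:
        client = ".".join(client.split(".")[:3])   # 192.0.2.10 -> 192.0.2
    return (client, attrs["sender"].lower(), attrs["recipient"].lower())


def greylist_decision(raw, seen, now, mintime=MINTIME, lightgrey=LIGHTGREY):
    """Reply for one request; 'seen' maps triplet -> time of first attempt
    (gld keeps this table in MySQL, here it is a plain dict)."""
    attrs = parse_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    key = triplet_key(attrs, lightgrey)
    first = seen.setdefault(key, now)
    if now - first < mintime:
        # 4xx temporary failure: a real MTA retries, one-shot senders give up
        return "action=DEFER_IF_PERMIT %s\n\n" % MESSAGE
    return "action=DUNNO\n\n"   # let the remaining restrictions decide
```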
Then connect to the MySQL server, create the database (with proper user permissions) and run the tables.sql script (shipped in the archive) to create the needed tables. You won't need this if you've installed from the Sarge archive, as the setup script takes care of that.
# mysql -u root -p
mysql> CREATE DATABASE GREYDATABASE;
mysql> -- gld connects locally (SQLHOST=localhost), so grant to 'localhost' only,
mysql> -- not to any host ('%'); GRANT replaces raw inserts into mysql.user/mysql.db,
mysql> -- whose column layout differs between MySQL versions
mysql> GRANT ALL ON GREYDATABASE.* TO 'GREYUSER'@'localhost' IDENTIFIED BY 'GREYPASSWORD';
mysql> FLUSH PRIVILEGES;
mysql> USE GREYDATABASE;
mysql> SOURCE tables.sql
mysql> QUIT
The gld server must be started automatically, otherwise Postfix will not accept any mail. While on Gentoo the start script already comes with the archive, we'll need to set up the scripts for Debian manually if they are not installed automatically: create /etc/init.d/gld and a symlink pointing to it at /etc/rc2.d/S19gld (*).
# /etc/init.d/gld = /etc/rc2.d/S19gld
#---------------------------------------------------
# (the file itself starts with the #!/bin/sh line)
#!/bin/sh
# gld : Postfix greylist server
# config: /etc/gld.conf

case "$1" in
  start)
        # Start daemons.
        echo -n "Starting gld: "
        gld
        echo
        exit 0
        ;;
  stop)
        # Stop daemons.
        echo -n "Stopping gld: "
        killall gld
        exit 0
        ;;
  restart)
        # Stop/Start
        $0 stop
        sleep 1
        $0 start
        ;;
  reload)
        # Reload the configuration
        killall -HUP gld
        exit 0
        ;;
  *)
        echo "Usage: gld {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0
Here is the modified Postfix setup, including SASL delivery, manual black-/whitelists and greylisting. You can simply copy and replace or add the corresponding parts in your original setup as needed. Make sure to remove (improper) leading spaces, and never leave a comment at the end of a parameter line: Postfix treats everything after the "=" as part of the value (*).
# snippet from /etc/postfix/main.cf
#---------------------------------------------------------------------
# Postfix does not support comments at the end of a parameter line (the text
# would become part of the value), so every comment here sits on a line of its own.

# these smtpd_*_restrictions are basically included in
# smtpd_recipient_restrictions, but only that can have relaying
# restriction capabilities, thus using only that one
smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =

# one clean, readable first-match list of restrictions
smtpd_recipient_restrictions =
    # allow local mail
    permit_mynetworks,
    # allow password auth
    permit_sasl_authenticated,
    # ease load on greylisting: drop wrong domains...
    reject_unauth_destination,
    # reject forged senders
    reject_non_fqdn_sender,
    # reject fake local senders
    check_sender_access hash:/etc/postfix/localdomains,
    # check black-/whitelist
    check_recipient_access hash:/etc/postfix/recv_access,
    check_client_access hash:/etc/postfix/client_access,
    # check RBLs
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client relays.ordb.org,
    # reject nonexisting domains
    reject_unknown_sender_domain,
    # reject domains without existing MX record
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    # drop unknown users BEFORE greylisting check
    reject_unlisted_recipient,
    ### THIS is the GREYLISTING activation
    check_policy_service inet:127.0.0.1:2525

# FYI: "reject_unverified_sender" is incompatible with greylisting
disable_vrfy_command = yes
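To see exactly what goes wrong with comments at the end of parameter lines, here is an added example (not from this page or from Postfix) that reads main.cf text with Postfix's logical-line rules; the two configuration fragments are constructed, and the parser is a simplified model of Postfix's own reader, not its code.

```python
# Added example, not from the page or from Postfix: applies Postfix's
# logical-line rules to main.cf text. Blank lines and lines whose first
# non-blank character is '#' are ignored; a line starting with whitespace
# continues the previous logical line; a '#' after parameter text is NOT stripped.
import re

# Constructed fragments: end-of-line comments versus comments on their own lines.
BROKEN = """smtpd_recipient_restrictions =
    permit_mynetworks, # allow local mail
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:2525 ### greylisting
"""
FIXED = """# allow local mail
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    # greylisting
    check_policy_service inet:127.0.0.1:2525
"""


def logical_lines(text):
    """Join continuation lines, dropping comment and blank lines."""
    lines = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.strip())
    return lines


def parse_main_cf(text):
    """Return {parameter: tokens}; Postfix splits values on commas/whitespace."""
    params = {}
    for logical in logical_lines(text):
        name, _, value = logical.partition("=")
        params[name.strip()] = [t for t in re.split(r"[,\s]+", value) if t]
    return params


def stray_comment_tokens(tokens):
    """Tokens from the first '#' on: Postfix reads each as a restriction name,
    warns about the unknown restriction and defers mail with a 451 server
    configuration error."""
    for idx, tok in enumerate(tokens):
        if tok.startswith("#"):
            return tokens[idx:]
    return []
```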
Before reloading Postfix, check that you have included the parts below in your /etc/postfix/recv_access and /etc/postfix/client_access files: there are some broken mail servers around that we probably do not want to greylist or blacklist by accident. Note that a PERMIT entry only skips the restrictions listed after it; since reject_unauth_destination comes earlier in smtpd_recipient_restrictions, these entries cannot turn the server into an open relay.
After editing the file, run postmap /etc/postfix/recv_access and reload Postfix (/etc/init.d/postfix reload) (*).
# /etc/postfix/recv_access
#--------------------------------------------------------
# run "postmap /etc/postfix/recv_access" after each edit
#############################################################################
##### contacting the admin(s) is always allowed
#####
##### WARNING! DANGER, Will Robinson! DANGER!
##### If you do not filter against sender address forgery your server
##### will be an open relay to all mails sent from one of these addresses!
#####
#############################################################################
postmaster@     PERMIT
hostmaster@     PERMIT
abuse@          PERMIT
##### WARNING! DANGER, Will Robinson! DANGER!
After editing the file, run postmap /etc/postfix/client_access and reload Postfix (/etc/init.d/postfix reload) (*).
# /etc/postfix/client_access
#--------------------------------------------------------
# run "postmap /etc/postfix/client_access" after each edit
#############################################################################
#############################################################################
##### Whitelist of non-greylistable servers 2004-07-21
##### http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt
#############################################################################
#############################################################################
# Southwest Airlines (unique sender, no retry)
12.5.136.141        PERMIT
12.5.136.142        PERMIT
# AOL (common pool)
64.12.136           PERMIT
64.12.137           PERMIT
64.12.138           PERMIT
152.163.225         PERMIT
205.188.156         PERMIT
# moveon.org (unique sender per attempt)
64.124.204.39       PERMIT
# collab.net (unique sender per attempt)
64.125.132.254      PERMIT
# Ebay (for time critical alerts)
66.135.209          PERMIT
66.135.197          PERMIT
# Yahoo Groups servers (common pool, no retry)
66.218.66           PERMIT
66.218.67           PERMIT
# Joker.com email forwarding server
194.245.101.88      PERMIT
# skynet.be (weird retry pattern)
195.238.2.105       PERMIT
195.238.2.124       PERMIT
195.238.3.12        PERMIT
195.238.3.13        PERMIT
# Ameritrade (no retry)
204.107.120.10      PERMIT
# SecurityFocus.com (unique sender per attempt)
205.206.231         PERMIT
# Prodigy - broken software that retries continually (no delay)
207.115.63          PERMIT
# Amazon.com
207.171.168         PERMIT
207.171.180         PERMIT
207.171.187         PERMIT
207.171.188         PERMIT
207.171.190         PERMIT
# Mysql.com (unique sender)
213.115.162.31      PERMIT
# AXKit mailing list (unique sender per attempt)
217.158.50.178      PERMIT
#############################################################################
#--------------------------------------------------
# Freshmeat does not retry either
66.35.250.168       PERMIT
# Additional Yahoogroups
66.94.237           PERMIT
195.92.246.182      PERMIT
returns.groups.yahoo.com    PERMIT
.scd.yahoo.com              PERMIT
Suggestions and corrections are welcome.
(*) - If you cut/copy/paste from this page, make sure to remove (improper) leading spaces from lines that should start in column one. Postfix configs are especially sensitive to this: a parameter line that begins with whitespace is read as a continuation of the previous line!