Greylisting is a technique that can reduce spam by temporarily refusing to accept emails. The idea is that spammers generally do not retry delivery after the first rejection, whereas properly configured mail servers keep retrying for a certain number of hours or days.
Greylisting is very easy to set up with the Postfix SMTP server and an extra package called postgrey. Documentation for Postgrey is available from here.
RPMs for Postgrey are available for Red Hat-based systems from http://dag.wieers.com/rpm/packages/postgrey/. For Debian systems, use 'apt-get install postgrey'. After you have installed it, start it with '/etc/init.d/postgrey start'. It will create a socket in /var/spool/postfix/postgrey. Check to make sure it is there, because you will need it for the next part.
After Postgrey is installed, edit /etc/postfix/main.cf. If your main.cf already has a section for 'smtpd_recipient_restrictions', add the following:
    check_policy_service unix:/var/spool/postfix/postgrey/postgrey.sock
The full smtpd_recipient_restrictions section may look something like this:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service unix:postgrey/postgrey.sock,
    permit
Notice the path to the postgrey socket is relative to /var/spool/postfix. The unix: prefix means that it's a unix domain socket. Also notice that the last rule in the restrictions is permit. You need this to let everything else through.
The default timeout for postgrey is too high for me. I set mine to only 20 seconds and I believe it does almost as well as if I set it to 15 or 30 minutes. To modify the timeout, you need to pass the --delay option to it. On Red Hat-based systems, create a file called /etc/sysconfig/postgrey and use it to override the options in /etc/init.d/postgrey. This is the default OPTIONS line:
OPTIONS="--unix=$SOCKET"
Copy and paste it into /etc/sysconfig/postgrey, but change it to modify the delay:
OPTIONS="--unix=$SOCKET --delay 20"
You can also whitelist either clients or recipients. If you want to let everything from Yahoo.com through, put 'yahoo.com' into /etc/postfix/postgrey_whitelist_clients. You can also put IP addresses or regular expressions into this file. If you have a local user who does not want greylisting, put their email address in /etc/postfix/postgrey_whitelist_recipients.
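To make the check_policy_service step concrete, here is an added sketch (not Postgrey's code and not part of the original page) of the decision a greylisting policy service makes for each request Postfix sends over the socket. The names Greylist, parse_request and SAMPLE and the sample addresses are hypothetical. It is simplified to an in-memory table keyed on the exact client IP, sender and recipient.

```python
# Added illustration of a greylisting policy decision; names are hypothetical.
import time

DELAY = 20  # seconds, matching the --delay 20 setting above
WHITELIST_RECIPIENTS = {"nogrey@example.org"}  # constructed sample address


def parse_request(text):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, delay=DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}  # triplet -> time of first delivery attempt

    def decide(self, request_text):
        """Return the reply Postfix expects: 'action=...' plus a blank line."""
        a = parse_request(request_text)
        recipient = a.get("recipient", "").lower()
        if recipient in WHITELIST_RECIPIENTS:
            return "action=DUNNO\n\n"
        triplet = (a.get("client_address"), a.get("sender", "").lower(), recipient)
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # Temporary (4xx) refusal; a real mail server queues and retries.
            return "action=DEFER_IF_PERMIT Greylisted, please retry later\n\n"
        # Delay has passed: leave the verdict to the remaining restrictions.
        return "action=DUNNO\n\n"


# Constructed sample request, in the attribute format smtpd sends to the socket.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.org\n"
    "\n"
)
```

DUNNO means "no opinion", so the message falls through to the final permit in the restrictions list. That is why the trailing permit rule is needed.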