Revision 12 as of 2016-07-29 12:48:56

Needs Expansion
This article is incomplete, and needs to be expanded.

Introduction

Greylisting is a spam-reduction technique which can be very effective. It works by temporarily delaying mail from senders the greylisting service has not seen before, and mail to recipients that, to the service's knowledge, have not received mail before.

If the sending mail server is standards-compliant, it will attempt to re-send its e-mail message after some time, and your receiving mail server will then accept it. Most spam mailers, on the other hand, do not re-send delayed messages. Thus, in theory, greylisting effectively blocks the majority of spammers.

Servers that re-send the mail will be added to a list of known clients, and will not be delayed in the future. This means that the first e-mail from a given sender will be delayed, but subsequent ones will be received right away.

Installation

Check that you have enabled the universe repository in /etc/apt/sources.list before attempting to install Postgrey. See Adding Repositories if you need info on how to do this.

Install the postgrey package and its dependencies with the following command:

sudo apt-get install postgrey

Configuration

In this guide, we assume that Postgrey is listening on port number 10023. The default port has been known to vary between versions, so you should check this in /var/log/mail.log to make sure you have the correct configuration value for Postfix.

In Ubuntu 14.04 and 16.04, enter the following command to find the relevant log line:

sudo grep postgrey /var/log/mail.log | grep -i resolved

You should see output similar to this:

Jul 29 13:40:26 mailserver postgrey[16036]: Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4

If you need Postgrey to use another port, modify the value of the "--inet" parameter in /etc/default/postgrey.

Now you are ready to instruct Postfix to use Postgrey.

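To accomplish this, either edit /etc/postfix/main.cf manually and add check_policy_service inet:127.0.0.1:10023 to the smtpd_recipient_restrictions parameter, or have the postconf command set the complete parameter for you. Note that postconf -e replaces the parameter's existing value, so include any restrictions you already rely on. Keep check_policy_service after reject_unauth_destination; the Postfix documentation warns that placing it earlier could turn your system into an open relay. The postconf approach looks like this, for example: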

sudo postconf -e 'smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023'

Finally, run the following command to reload the Postfix configuration:

sudo postfix reload
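
The port check described above can be scripted. The following is an added example, not part of the original guide: it compares the port in Postgrey's "Resolved" log line with the port given to check_policy_service, since Postfix cannot reach the policy service if the two differ. The function names and sample values are illustrative assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of Postgrey or Postfix.

# Print the port from the most recent Postgrey "Resolved" line (mail log on stdin).
postgrey_logged_port() {
    sed -n 's/.*postgrey\[[0-9]*]: Resolved .* to \[[^]]*]:\([0-9][0-9]*\),.*/\1/p' |
        tail -n 1
}

# Print the port of each "check_policy_service inet:HOST:PORT" entry in a
# smtpd_recipient_restrictions value read from stdin.
postfix_policy_ports() {
    tr ',' ' ' | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "check_policy_service" && $(i + 1) ~ /^inet:.*:[0-9]+$/) {
                n = split($(i + 1), part, ":")
                print part[n]
            }
    }'
}

# Exit status: 0 = Postfix queries the logged port, 1 = mismatch,
# 2 = one of the two values could not be determined.
check_greylist_port() {
    logged=$1
    configured=$2
    [ -n "$logged" ] && [ -n "$configured" ] || return 2
    for port in $configured; do
        [ "$port" = "$logged" ] && return 0
    done
    return 1
}

# Constructed sample input, in the formats shown in this guide.
sample_log='Jul 29 13:40:26 mailserver postgrey[16036]: Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4'
sample_restrictions='permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023'

# On a live system, feed in: sudo cat /var/log/mail.log
# and: postconf -h smtpd_recipient_restrictions
if check_greylist_port \
    "$(printf '%s\n' "$sample_log" | postgrey_logged_port)" \
    "$(printf '%s\n' "$sample_restrictions" | postfix_policy_ports)"; then
    echo "OK: Postfix queries the port Postgrey listens on"
else
    echo "CHECK: port mismatch or value not found"
fi
```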

In Use

Once Postgrey is running and in use by Postfix, entries will start to appear in /var/log/mail.log. To see the ones printed by Postfix whenever it gets told to delay a message, run:

sudo grep -i postfix/smtpd /var/log/mail.log | grep -i greylisted

Entries will look something like this:

Jul 24 16:00:57 mailserver postfix/smtpd[12524]: NOQUEUE: reject: RCPT from mail.server.com[1.2.3.4]: 450 4.2.0 <someone@somedomain.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/somedomain.com.html; from=<bounce-someone.else@anotherdomain.com> proto=ESMTP helo=<mail.server.com>

Postgrey also writes its own log entries. To see the ones it generates whenever it tells Postfix to delay a message, enter:

sudo grep -i postgrey /var/log/mail.log | grep -i action=greylist

Entries will look something like this:

Jul 24 16:00:57 mailserver postgrey[1420]: action=greylist, reason=new, client_name=mail.server.com, client_address=1.2.3.4, sender=bounce-mc.us11_12345678.998765-someone=somedomain.com@mail.server.com, recipient=someone@somedomain.com

In addition, messages that have been delayed due to greylisting will have an X-Greylist header, e.g.:

X-Greylist: delayed 1541 seconds by postgrey-1.34 at mail.server.com; Sun, 24 Jul 2016 16:26:38 CEST

The default delay - i.e. the amount of time that must pass before Postgrey will accept a retry from the greylisted client - is 300 seconds (5 minutes). To change this value, edit /etc/default/postgrey and add the --delay=N argument to POSTGREY_OPTS, where N is the desired delay in seconds.

E.g., for a 60-second delay:

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

Whitelisting

You may want to prevent certain senders (known as "clients" in Postgrey) and/or local recipients from having their mail delayed by greylisting.

Before you start gathering domain names, you should have a look at the file /etc/postgrey/whitelist_clients.

In Ubuntu and other Debian derivatives, the default version of whitelist_clients contains many domains of mail providers (e.g. Google) whose servers are known to transfer legitimate mail.

To add your own list of whitelisted clients in addition to the ones that ship with Postgrey by default, create the file /etc/postgrey/whitelist_clients.local and enter one host or domain per line.

Remember to reload your configuration so that Postgrey can pick up your changes. In Ubuntu 16.04, enter the following command:

sudo systemctl reload postgrey