
Email Server/Postgrey

Part of the Email Server documentation

Introduction

This page describes installing Postgrey, a policy daemon for Postfix. Postgrey "greylists" incoming messages before allowing Postfix to accept them. Each time a new to/from/server combination is found in an incoming message, a temporary error is sent to the sending email server. If the server waits and tries to send the message again, Postgrey will accept the message and move the to/from/server combination to a whitelist.

Dependencies

The Berkeley Database (including its headers and utilities) and a few Perl modules are needed.

# yum install db4
# yum install db4-devel
# yum install db4-utils
# ldconfig
# cpanp
> i Net::Server
> i IO::Multiplex
> i BerkeleyDB
> quit

Installation

# cd /usr/local/src
# wget http://postgrey.schweikert.ch/pub/postgrey-1.31.tar.gz
# tar zxvf postgrey-1.31.tar.gz
# cd postgrey-1.31
# cp postgrey /usr/local/sbin/
# useradd -s /bin/nologin -rmd /var/lib/postgrey/ postgrey

Configuration

You need to copy the whitelist files from the source folder into the Postfix configuration folder.

# cd /usr/local/src/postgrey-1.31
# cp postgrey_whitelist_* /etc/postfix/

To get Postfix to use the policy daemon you'll need to add the following line to /etc/postfix/main.cf. Be really careful when editing this setting: you probably want to make it the last restriction before the final "permit", so that the daemon is only consulted for mail that has already passed all of your other restrictions.

smtpd_recipient_restrictions = 
    ...,
    ...,
    check_policy_service inet:127.0.0.1:60000,
    permit

Init Script

You'll need an init script to start Postgrey. Here's one suitable for CentOS; it's chkconfig compatible and makes use of the CentOS "functions" for init scripts. It shouldn't be too difficult to adapt this to work for other distros.

Copy the init script to /etc/rc.d/init.d/postgrey and make it executable.

#!/bin/sh
#
# postgrey      Start/Stop postgrey greylist policy daemon for postfix.
#
# chkconfig: 345 71 39
# description: postgrey temporarily blocks foreign MTAs from sending emails; \
#              once they have played the game and tried to send their message \
#              a second time, they are whitelisted.
# processname: postgrey

# postgrey [<options>...]
# 
#  -h, --help              display this help and exit
#      --version           output version information and exit
#  -v, --verbose           increase verbosity level
#  -q, --quiet             decrease verbosity level
#  -u, --unix=PATH         listen on unix socket PATH
#  -i, --inet=[HOST:]PORT  listen on PORT, localhost if HOST is not specified
#  -d, --daemonize         run in the background
#      --pidfile=PATH      put daemon pid into this file
#      --user=USER         run as USER (default: postgrey)
#      --group=GROUP       run as group GROUP (default: nogroup)
#      --dbdir=PATH        put db files in PATH (default: /var/spool/postfix/postgrey)
#      --delay=N           greylist for N seconds (default: 300)
#      --max-age=N         delete entries older than N days since the last time
#                          that they have been seen (default: 35)
#      --retry-window=N    allow only N days for the first retrial (default: 2)
#                          append 'h' if you want to specify it in hours
#      --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
#      --greylist-text=TXT response when a mail is greylisted
#                          (default: Greylisted + help url, see below)
#      --lookup-by-subnet  strip the last 8 bits from IP addresses (default)
#      --lookup-by-host    do not strip the last 8 bits from IP addresses
#      --privacy           store data using one-way hash functions
#      --hostname=NAME     set the hostname (default: `hostname`)
#      --exim              don't reuse a socket for more than one query (exim compatible)
#      --whitelist-clients=FILE     default: /etc/postfix/postgrey_whitelist_clients
#      --whitelist-recipients=FILE  default: /etc/postfix/postgrey_whitelist_recipients
#      --auto-whitelist-clients=N   whitelist host after first successful delivery
#                                   N is the minimal count of mails before a client is 
#                                   whitelisted (turned on by default with value 5)
#                                   specify N=0 to disable.
#      --listen-queue-size=N        allow for N waiting connections to our socket
# 
#  Note that the --whitelist-x options can be specified multiple times,
#  and that per default /etc/postfix/postgrey_whitelist_clients.local is
#  also read, so that you can put there local entries.

# Source function library.
. /etc/init.d/functions

path="/usr/local/sbin/postgrey"
prog="$(basename ${path})"
pidfile="/var/lib/postgrey/postgrey.pid"
FLAGS="--daemonize --dbdir=/var/lib/postgrey --pidfile=$pidfile --inet=127.0.0.1:60000 --user=postgrey --group=postgrey"
RETVAL=0


start() {
	echo -n $"Starting $prog: "
	daemon $path $FLAGS
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
	return $RETVAL
}

stop() {
	echo -n $"Stopping $prog: "
	killproc -p $pidfile $path
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
	return $RETVAL
}

restart() {
  	stop
	start
}

case "$1" in
  start)
  	start
	;;
  stop)
  	stop
	;;
  restart)
  	restart
	;;
  status)
	status $path
	;;
  condrestart)
  	[ -f /var/lock/subsys/$prog ] && restart || :
	;;
  *)
	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
	exit 1
esac

exit $?

# chmod +x /etc/rc.d/init.d/postgrey

Start the service and make it start automatically at boot.

# service postgrey start
# chkconfig postgrey on
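Before relying on the check_policy_service line, it is worth confirming that the daemon actually answers on 127.0.0.1:60000. Postfix talks to it using its policy delegation protocol (attribute=value lines ending with an empty line; the reply starts with "action="). The script below is an added example, not part of the original page or of Postgrey itself; it assumes the --inet=127.0.0.1:60000 setting from the init script above and uses bash's /dev/tcp so no extra tools are needed. The client IP, sender and recipient used in the test are constructed sample values.

```bash
#!/bin/bash
# Build a Postfix smtpd access-policy request for one client/sender/recipient
# triplet. This triplet is exactly what Postgrey keys its greylist on.
build_policy_request() {
    local client_ip="$1" sender="$2" recipient="$3"
    printf 'request=smtpd_access_policy\n'
    printf 'protocol_state=RCPT\n'
    printf 'protocol_name=ESMTP\n'
    printf 'client_address=%s\n' "$client_ip"
    printf 'sender=%s\n' "$sender"
    printf 'recipient=%s\n' "$recipient"
    printf '\n'   # an empty line terminates the request
}

# Extract the action keyword (DEFER_IF_PERMIT, DUNNO, ...) from a policy reply.
# Anything after the keyword is the free-text reason shown to the sending MTA.
parse_policy_action() {
    printf '%s\n' "$1" | sed -n 's/^action=\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Send one request to the daemon and print the action it returns.
# Returns 2 if nothing is listening (daemon not started or bound elsewhere).
# Postgrey keeps the socket open for further queries, so read until the
# empty line that ends the reply instead of waiting for EOF.
policy_query() {
    local host="${POSTGREY_HOST:-127.0.0.1}" port="${POSTGREY_PORT:-60000}"
    local line reply=""
    {
        build_policy_request "$1" "$2" "$3" >&3
        while IFS= read -r line <&3 && [ -n "$line" ]; do
            reply="$reply$line"$'\n'
        done
    } 3<>"/dev/tcp/$host/$port" || return 2
    parse_policy_action "$reply"
}

# Sample usage (constructed addresses): the first query for a new triplet should
# come back DEFER_IF_PERMIT; repeating it after the --delay period should be DUNNO.
if [ "${1:-}" = "--query" ]; then
    policy_query "${2:-192.0.2.10}" "${3:-alice@example.com}" "${4:-bob@example.net}"
fi
```

A DEFER_IF_PERMIT on the first query followed by DUNNO on a repeat after the delay shows greylisting is working end to end; a return code of 2 means Postfix would also be unable to reach the daemon.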

Filesystem Permissions
