Copyright 2007 by Kim Minh Kaplan
Greyfix is the greylisting policy daemon for Postfix written by Kim Minh Kaplan. Greylisting is an anti-spam technique described by Evan Harris. Postfix is a popular mail transport agent developed by Wietse Zweitze Venema. Greyfix uses the Postfix policy mechanism to enable greylisting with Postfix.
It is recommended that you use at least version 0.3.8.
greyfix-0.3.9.tar.gz (PGP signature)
Greyfix uses GNU's build system. To install the greyfix daemon just type the following commands:
$ gzip -cd greyfix-0.3.9.tar.gz | tar xf -
$ cd greyfix-0.3.9
$ ./configure
$ make
$ su -c 'make install'
Edit Postfix's master configuration file, /etc/postfix/master.cf, and
add the following (if you are running Solaris see below):
greyfix unix - n n - - spawn user=nobody argv=/usr/local/sbin/greyfix -/ 24
Edit Postfix's main configuration file, /etc/postfix/main.cf and add
the following (not for Solaris):
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/greyfix
If there is already a smtpd_recipient_restrictions configuration line
you should edit it rather than add a new one. The important part for
greyfix is that you should add check_policy_service
unix:private/greyfix to it.
Finally, have Postfix reload its configuration with "postfix
reload".
A user reported a Corrupted DB on x64 Solaris 10 U4. If you want to help me track this, please contact me.
http://www.postfix.org/SMTPD_POLICY_README.html has some important
notes for Solaris. The important thing to note is that Solaris
UNIX-domain sockets do not work reliably. Use TCP sockets instead.
Here is what you should add to your /etc/postfix/master.cf:
127.0.0.1:9998 inet n n n - 9 spawn user=nobody argv=/usr/local/sbin/greyfix -/ 24
and to your /etc/postfix/main.cf:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:9998
127.0.0.1:9998_time_limit = 3600
greyfix [-V] [-v] [-d] [-h <Berkeley DB home directory>] [-g <greylist delay>]
[-b <bloc maximum idle>] [-p <pass maximum idle>] [-r <reject action>]
[-G <greylisted action>] [-/ <network bits>] [--dump-triplets] [--help]
-b <seconds>, --bloc-max-idle <seconds>
This determines how many seconds of life are given to a record
that is created from a new mail (ip, from, to) triplet. Note
that the window created by this setting for passing mails is
reduced by the amount set for --greylist-delay. NOTE: See
also --pass-max-idle. Defaults to 18000 (5 hours).
-d, --debug
Debug logging
-g <seconds>, --greylist-delay <seconds>
This determines how many seconds we will block inbound mail
that is from a previously unknown (ip, from, to) triplet. If
it is set to zero, incoming mail association will be learned,
but no deliveries will be tempfailed. Use a setting of zero
with caution, as it will learn spammers as well as legitimate
senders. Defaults to 3480 (58 minutes).
-h <Berkeley DB home directory>, --home <Berkeley DB home directory>
Location of the Berkeley DB environment home (the default is
autoconf's $localstatedir/greyfix, i.e. /usr/local/var/lib/greyfix).
--help
Show usage information.
-p <seconds>, --pass-max-idle <seconds>
How much life (in secs) to give to a record we are updating
from an allowed (passed) email.
The default is 36 days, which should be enough to handle
messages that may only be sent once a month, or on things like
the first monday of the month (which sometimes means 5 weeks).
Plus, we add a day for a delivery buffer.
-r <reject action>, --reject-action <reject action>
The reject action directive that will be used. See access(5)
for valid actions. The string expands %d to the number of
seconds, %p to the empty string if %d expands to 1 or "s"
otherwise, %s to " " and %% to "%".
The default is "DEFER_IF_PERMIT Greylisted by Greyfix X.Y.Z,
try again in %d second%p. See
http://www.kim-minh.com/pub/greyfix/ for more information.".
http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?r1=1.10&r2=1.11
suggests that a 451 SMTP error code is a better idea.
-G <greylisted action>, --greylisted-action <greylisted action>
The action that will be used the first time a triplet passes
greylisting. Same expansion as for --reject-action.
The default is "PREPEND X-Greyfix: Greylisted by Grefix X.Y.Z
for %d second%p. See http://www.kim-minh.com/pub/greyfix/ for
more information."
-v, --verbose
Verbose logging
-V, --version
Show version information.
-/ <nbits>, --network-prefix <nbits>
Only consider the first <nbits> bits of an IPv4 address.
Defaults to 32, i.e. the whole address is significant.
--dump-triplets
Dump the triplets database to stdout. Mostly for debugging
purposes.
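As an added illustration (not greyfix's own code), the following Python model shows what the daemon behind check_policy_service does with the options described above: it parses the Postfix policy request, masks the client address to --network-prefix bits, applies --greylist-delay, --bloc-max-idle and --pass-max-idle to a triplet table, and expands %d/%p/%s/%% in the action strings. The request text, the shortened action strings and the in-memory dictionary standing in for Berkeley DB are assumptions of the example.

```python
import ipaddress
# Constructed example: the defaults below are the values quoted in the option descriptions.
GREYLIST_DELAY = 3480        # -g: seconds an unknown triplet is tempfailed
BLOC_MAX_IDLE = 18000        # -b: lifetime of a record created by a new triplet
PASS_MAX_IDLE = 36 * 86400   # -p: lifetime of a record refreshed by a passed mail
NETWORK_PREFIX = 24          # -/: significant bits of the client IPv4 address
REJECT_ACTION = "DEFER_IF_PERMIT Greylisted, try again in %d second%p."
GREYLISTED_ACTION = "PREPEND X-Greyfix: Greylisted for %d second%p."

def expand(template, seconds):
    """Expand %d, %p, %s and %% as documented for --reject-action."""
    subst = {"d": str(seconds), "p": "" if seconds == 1 else "s", "s": " ", "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and template[i + 1:i + 2] in subst:
            out.append(subst[template[i + 1]]); i += 2
        else:
            out.append(template[i]); i += 1
    return "".join(out)

def parse_request(text):
    # Postfix policy request: attribute=value lines terminated by an empty line
    attrs = {}
    for line in text.split("\n"):
        if line == "": break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def triplet(attrs, nbits=NETWORK_PREFIX):
    # (ip, from, to) key; only the first nbits of an IPv4 address are significant
    ip = ipaddress.ip_address(attrs["client_address"])
    if ip.version == 4:   # the -/ option is documented for IPv4 only
        ip = ipaddress.ip_network(f"{ip}/{nbits}", strict=False).network_address
    return (str(ip), attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())

class Greylist:
    def __init__(self): self.db = {}   # triplet -> {"first": t, "expires": t, "passed": bool}

    def check(self, request, now):   # returns the policy reply "action=...\n\n"
        key = triplet(parse_request(request))
        rec = self.db.get(key)
        if rec is None or rec["expires"] < now:   # unknown or expired: start the clock
            self.db[key] = {"first": now, "expires": now + BLOC_MAX_IDLE, "passed": False}
            return "action=" + expand(REJECT_ACTION, GREYLIST_DELAY) + "\n\n"
        remaining = rec["first"] + GREYLIST_DELAY - now
        if remaining > 0:                         # retried too early: keep deferring
            return "action=" + expand(REJECT_ACTION, remaining) + "\n\n"
        rec["expires"] = now + PASS_MAX_IDLE      # passed: extend the record's life
        if not rec["passed"]:                     # first pass gets the greylisted action
            rec["passed"] = True
            return "action=" + expand(GREYLISTED_ACTION, now - rec["first"]) + "\n\n"
        return "action=DUNNO\n\n"
```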
GNU Autoconf's default value for $(localstatedir) is
/usr/local/var/lib, which is quite different from what most Unix
distributions use. You'll probably want to invoke configure like this:
$ ./configure --localstatedir=/var/lib
This makes Greyfix DB be located in /var/lib/greyfix. Alternatively
you can use the -h <DB home> command line option but do not forget
to create the directory and give it correct permissions so that
Greyfix can access it.
Greyfix uses syslog with facility LOG_MAIL. As such the log messages
should appear alongside Postfix's.
If you log messages with DEBUG severity you will see some messages like "DEBUG: BDB-16: db_env->remove returned: Device busy". They are not error messages and are normal when multiple greyfix daemons operate concurrently.
You should use some form of whitelisting for certain servers. A good starting point is whitelist_ip.txt.
--network-prefix unnecessary,
--network-prefix with IPv6.
Bugs are filed on Greyfix's ticket page. To report a bug, first check that it is not already present in the list. Then you can create a New Ticket.
Note that version 0.3.8 fixes important bugs. Do not use earlier versions.
would die. This would cause Postfix's smtpd to reply with an error code 500 and the email would bounce. Now Greyfix will log a warning and let the email continue.
--help and --version options, thanks to Stefan Siegel.
policy.h file.
--dump-triplets, --reject-action and --greylisted-action.
451 reject code is probably better than DEFER_IF_PERMIT.
--network-prefix.
LOG_MAIL facility.