.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "POSTGREY 8"
.TH POSTGREY 8 "2021-01-01" "perl v5.32.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
postgrey \- Postfix Greylisting Policy Server
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBpostgrey\fR [\fIoptions\fR...]
.PP
.Vb 10
\& \-h, \-\-help              display this help and exit
\&     \-\-version           output version information and exit
\& \-v, \-\-verbose           increase verbosity level
\&     \-\-syslog\-facility   Syslog facility to use (default mail)
\& \-q, \-\-quiet             decrease verbosity level
\& \-u, \-\-unix=PATH         listen on unix socket PATH
\&     \-\-socketmode=MODE   unix socket permission (default 0666)
\& \-i, \-\-inet=[HOST:]PORT  listen on PORT, localhost if HOST is not specified
\& \-d, \-\-daemonize         run in the background
\&     \-\-pidfile=PATH      put daemon pid into this file
\&     \-\-user=USER         run as USER (default: postgrey)
\&     \-\-group=GROUP       run as group GROUP (default: postgrey)
\&     \-\-dbdir=PATH        put db files in PATH (default: /var/lib/postgrey)
\&     \-\-delay=N           greylist for N seconds (default: 300)
\&     \-\-max\-age=N         delete entries older than N days since the last time
\&                         that they have been seen (default: 35)
\&     \-\-retry\-window=N    allow only N days for the first retrial (default: 2)
\&                         append \*(Aqh\*(Aq if you want to specify it in hours
\&     \-\-greylist\-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
\&     \-\-greylist\-text=TXT response when a mail is greylisted
\&                         (default: Greylisted + help url, see below)
\&     \-\-lookup\-by\-subnet  strip the last N bits from IP addresses, determined by ipv4cidr and ipv6cidr (default)
\&     \-\-ipv4cidr=N        What cidr to use for the subnet on IPv4 addresses when using lookup\-by\-subnet (default: 24)
\&     \-\-ipv6cidr=N        What cidr to use for the subnet on IPv6 addresses when using lookup\-by\-subnet (default: 64)
\&     \-\-lookup\-by\-host    do not strip the last 8 bits from IP addresses
\&     \-\-privacy           store data using one\-way hash functions
\&     \-\-hostname=NAME     set the hostname (default: \`hostname\`)
\&     \-\-exim              don\*(Aqt reuse a socket for more than one query (exim compatible)
\&     \-\-whitelist\-clients=FILE     default: /etc/postgrey/whitelist_clients
\&     \-\-whitelist\-recipients=FILE  default: /etc/postgrey/whitelist_recipients
\&     \-\-auto\-whitelist\-clients=N   whitelist host after first successful delivery
\&                                  N is the minimal count of mails before a client is
\&                                  whitelisted (turned on by default with value 5)
\&                                  specify N=0 to disable.
\&     \-\-listen\-queue\-size=N        allow for N waiting connections to our socket
\&     \-\-x\-greylist\-header=TXT      header when a mail was delayed by greylisting
\&                                  default: X\-Greylist: delayed seconds by postgrey\- at ;
\&
\& Note that the \-\-whitelist\-x options can be specified multiple times,
\& and that by default /etc/postgrey/whitelist_clients.local and
\& /etc/postgrey/whitelist_recipients.local are also read, so that you can put
\& local entries there.
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Postgrey is a Postfix policy server implementing greylisting.
.PP
When a request for delivery of a mail is received by Postfix via \s-1SMTP,\s0 the
triplet \f(CW\*(C`CLIENT_IP\*(C'\fR / \f(CW\*(C`SENDER\*(C'\fR / \f(CW\*(C`RECIPIENT\*(C'\fR is built. If it is the first
time that this triplet is seen, or if the triplet was first seen less than
\&\fIdelay\fR seconds ago (300 is the default), then the mail gets rejected with a
temporary error. Hopefully spammers or viruses will not try again later,
even though retrying is required per \s-1RFC.\s0
.PP
Note that you shouldn't use the \-\-lookup\-by\-host option unless you know what
you are doing: there are a lot of mail servers that use a pool of addresses to
send emails, so that they can change \s-1IP\s0 every time they try again. That's why
without this option postgrey will strip the last byte of the \s-1IP\s0 address when
doing lookups in the database.
.SS "Installation"
.IX Subsection "Installation"
.IP "\(bu" 4
Create a \f(CW\*(C`postgrey\*(C'\fR user and the directory in which to put the database,
\&\fIdbdir\fR (default: \f(CW\*(C`/var/lib/postgrey\*(C'\fR).
.IP "\(bu" 4
Write an init script to start postgrey at boot and start it.
Like this, for example:
.Sp
.Vb 1
\& postgrey \-\-inet=10023 \-d
.Ve
.Sp
\&\fIcontrib/postgrey.init\fR in the postgrey source distribution includes an
LSB-compliant init script by Adrian von Bidder for the Debian system.
.IP "\(bu" 4
Put something like this in /etc/main.cf:
.Sp
.Vb 5
\& smtpd_recipient_restrictions =
\&               permit_mynetworks
\&               ...
\&               reject_unauth_destination
\&               check_policy_service inet:127.0.0.1:10023
.Ve
.IP "\(bu" 4
Install the provided whitelist_clients and whitelist_recipients in /etc/postgrey.
.IP "\(bu" 4
List the users who do not want greylisting in /etc/postgrey/whitelist_recipients.
.SS "Whitelists"
.IX Subsection "Whitelists"
Whitelists allow you to specify client addresses or recipient addresses for
which no greylisting should be done. By default postgrey will read the
following files:
.PP
.Vb 4
\& /etc/postgrey/whitelist_clients
\& /etc/postgrey/whitelist_clients.local
\& /etc/postgrey/whitelist_recipients
\& /etc/postgrey/whitelist_recipients.local
.Ve
.PP
You can specify alternative paths with the \-\-whitelist\-x options.
.PP
Postgrey whitelists follow syntax rules similar to those of Postfix access
tables. The following can be specified for \fBrecipient addresses\fR:
.IP "domain.addr" 10
.IX Item "domain.addr"
\&\f(CW\*(C`domain.addr\*(C'\fR domain and subdomains.
.IP "name@" 10
.IX Item "name@"
\&\f(CW\*(C`name@.*\*(C'\fR and extended addresses \f(CW\*(C`name+blabla@.*\*(C'\fR.
.IP "name@domain.addr" 10
.IX Item "name@domain.addr"
\&\f(CW\*(C`name@domain.addr\*(C'\fR and extended addresses.
.IP "/regexp/" 10
.IX Item "/regexp/"
anything that matches \f(CW\*(C`regexp\*(C'\fR (the full address is matched).
.PP
The following can be specified for \fBclient addresses\fR:
.IP "domain.addr" 10
.IX Item "domain.addr"
\&\f(CW\*(C`domain.addr\*(C'\fR domain and subdomains.
.IP "\s-1IP1.IP2.IP3.IP4\s0" 10
.IX Item "IP1.IP2.IP3.IP4"
\&\s-1IP\s0 address \s-1IP1.IP2.IP3.IP4.\s0 You can also leave off one number, in which
case only the first specified numbers will be checked.
.IP "\s-1IP1.IP2.IP3.IP4/MASK\s0" 10
.IX Item "IP1.IP2.IP3.IP4/MASK"
CIDR-style network. Example: 192.168.1.0/24
.IP "/regexp/" 10
.IX Item "/regexp/"
anything that matches \f(CW\*(C`regexp\*(C'\fR (the full address is matched).
.SS "Auto-whitelisting clients"
.IX Subsection "Auto-whitelisting clients"
With the option \-\-auto\-whitelist\-clients a client \s-1IP\s0 address will be
automatically whitelisted if the following conditions are met:
.IP "\(bu" 4
At least 5 successful attempts of delivering a mail (after greylisting was
done). That number can be changed by specifying a number after the
\&\-\-auto\-whitelist\-clients argument. Only one attempt per hour counts.
.IP "\(bu" 4
The client was last seen less than \-\-max\-age days ago (35 by default).
.SS "Greylist Action"
.IX Subsection "Greylist Action"
To set the action to be returned to Postfix when a message fails postgrey's
tests and should be deferred, use the
\&\-\-greylist\-action=ACTION option.
.PP
By default, postgrey returns \s-1DEFER_IF_PERMIT,\s0 which causes Postfix to check
the rest of the restrictions and defer the message only if it would otherwise
be accepted. A delay action of 451 causes Postfix to always defer the message
with an \s-1SMTP\s0 reply code of 451 (temp fail).
.PP
See the Postfix manual page \fBaccess\fR\|(5) for a discussion of the actions
allowed.
.SS "Greylist Text"
.IX Subsection "Greylist Text"
When a message is greylisted, an error message like this will be sent at the
\s-1SMTP\s0 level:
.PP
.Vb 1
\& Greylisted, see http://postgrey.schweikert.ch/help/example.com.html
.Ve
.PP
Usually no user should see that error message. The idea of that \s-1URL\s0 is to
provide some help to system administrators seeing that message, or to users of
broken mail clients which try to send mails directly and get a greylisting
error. Note that the default help-URL contains the original recipient domain
(example.com), so that domain-specific help can be presented to the user (on
the default page it is said to contact postmaster@example.com).
.PP
You can change the text (and \s-1URL\s0) with the \fB\-\-greylist\-text\fR parameter. The
following special variables will be replaced in the text:
.ie n .IP "%s" 4
.el .IP "\f(CW%s\fR" 4
.IX Item "%s"
How many seconds are left until the greylisting is over (300).
.ie n .IP "%r" 4
.el .IP "\f(CW%r\fR" 4
.IX Item "%r"
Mail-domain of the recipient (example.com).
.SS "Greylist Header"
.IX Subsection "Greylist Header"
When a message is greylisted, an additional header can be prepended to the
header section of the mail:
.PP
.Vb 1
\& X\-Greylist: delayed %t seconds by postgrey\-%v at %h; %d
.Ve
.PP
You can change the text with the \fB\-\-x\-greylist\-header\fR parameter. The
following special variables will be replaced in the text:
.ie n .IP "%t" 4
.el .IP "\f(CW%t\fR" 4
.IX Item "%t"
How many seconds the mail has been delayed due to greylisting.
.ie n .IP "%v" 4
.el .IP "\f(CW%v\fR" 4
.IX Item "%v"
The version of postgrey.
.ie n .IP "%d" 4
.el .IP "\f(CW%d\fR" 4
.IX Item "%d"
The date.
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
The host.
.SS "Privacy"
.IX Subsection "Privacy"
The \-\-privacy option enables the use of a \s-1SHA1\s0 hash function to store IPs
and emails in the greylisting database. This will defeat straightforward
attempts to retrieve mail user behaviours.
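.PP
The following Python model is an added example, not postgrey's own code: it follows the triplet lookup from DESCRIPTION together with the subnet, delay, retry-window, greylist-text and \-\-privacy behaviour described on this page. The names lookup_key and check, the in-memory dict, hashing each field separately, the %r text template and DUNNO as the pass action are assumptions.

```python
import hashlib
import ipaddress

DELAY = 300                # --delay default (seconds)
RETRY_WINDOW = 2 * 86400   # --retry-window default (2 days)
CIDR = {4: 24, 6: 64}      # --ipv4cidr / --ipv6cidr defaults
# Assumed template that yields the help URL shown on the page.
GREYLIST_TEXT = "Greylisted, see http://postgrey.schweikert.ch/help/%r.html"


def lookup_key(client_ip, sender, recipient, by_subnet=True, privacy=False):
    """Build the CLIENT_IP / SENDER / RECIPIENT database key."""
    ip = ipaddress.ip_address(client_ip)
    if by_subnet:  # default; by_subnet=False models --lookup-by-host
        net = ipaddress.ip_network(f"{ip}/{CIDR[ip.version]}", strict=False)
        ip = net.network_address
    parts = [str(ip), sender, recipient]
    if privacy:  # --privacy; hashing each field separately is an assumption
        parts = [hashlib.sha1(p.encode()).hexdigest() for p in parts]
    return "/".join(parts)


def check(db, now, client_ip, sender, recipient, text=GREYLIST_TEXT, **opts):
    """Return the action for one attempt; db maps key -> [first_seen, last_seen]."""
    key = lookup_key(client_ip, sender, recipient, **opts)
    first, last = db.get(key, (None, None))
    never_passed = first is not None and last - first < DELAY
    if first is None or (never_passed and now - first > RETRY_WINDOW):
        first = now  # new triplet, or the first retry came too late
    db[key] = [first, now]
    left = DELAY - (now - first)
    if left > 0:
        domain = recipient.rpartition("@")[2]
        return "DEFER_IF_PERMIT " + text.replace("%s", str(left)).replace("%r", domain)
    return "DUNNO"  # assumed pass action: no opinion, later restrictions decide


if __name__ == "__main__":
    db = {}  # constructed attempts: same sender retrying from a pool in one /24
    for t, ip in [(0, "192.0.2.10"), (120, "192.0.2.77"), (400, "192.0.2.77")]:
        print(t, ip, check(db, t, ip, "a@example.org", "bob@example.com"))
```

With by_subnet=False (the \-\-lookup\-by\-host behaviour) the retry from 192.0.2.77 is a new triplet and is deferred again.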
.SS "\s-1SEE ALSO\s0"
.IX Subsection "SEE ALSO"
See for a description of what greylisting is and for a description of how
Postfix policy servers work.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c) 2004\-2007 by \s-1ETH\s0 Zurich. All rights reserved.
Copyright (c) 2007 by Open Systems \s-1AG.\s0 All rights reserved.
.SH "LICENSE"
.IX Header "LICENSE"
This program is free software; you can redistribute it and/or modify
it under the terms of the \s-1GNU\s0 General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.PP
This program is distributed in the hope that it will be useful,
but \s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of
\&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE.\s0 See the
\&\s-1GNU\s0 General Public License for more details.
.PP
You should have received a copy of the \s-1GNU\s0 General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, \s-1MA 02139, USA.\s0
.SH "AUTHOR"
.IX Header "AUTHOR"
David\ Schweikert\