.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "sqlgrey 1"
.TH sqlgrey 1 "2012-02-16" "perl v5.14.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
sqlgrey \- Postfix Greylisting Policy Server
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsqlgrey\fR [\fIoptions\fR...]
.PP
.Vb 10
\&  \-h, \-\-help              display this help and exit
\&  \-\-man                  display man page
\&  \-\-version              output version information and exit
\&  \-d, \-\-daemonize         run in the background
\&  \-p, \-\-pidfile=FILE      write process ID to FILE
\&                         (overrides \*(Aqpidfile\*(Aq in configfile)
\&  \-k, \-\-kill              kill a running sqlgrey
\&                         (identified by \*(Aqpidfile\*(Aq content)
\&  \-f, \-\-configfile=FILE   read config from FILE
\&                         (default /etc/sqlgrey/sqlgrey.conf)
\&                         expecting config_param=value lines,
\&                         \- spaces are ignored,
\&                         \- \*(Aq#\*(Aq is used for comments
.Ve
.PP
See the default config file at /etc/sqlgrey/sqlgrey.conf for the runtime
parameters. If you got sqlgrey from sources, read the \s-1HOWTO\s0 file in
the compressed archive. If it came prepackaged, look for this file in the
documentation tree, for example /usr/share/doc/sqlgrey\-/ on most Linux
distributions.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Sqlgrey is a Postfix policy server implementing greylisting.
.PP
When Postfix receives a request for delivery of a mail via \s-1SMTP\s0, the
triplet \f(CW\*(C`CLIENT_IP\*(C'\fR / \f(CW\*(C`SENDER\*(C'\fR /
\&\f(CW\*(C`RECIPIENT\*(C'\fR is built. If this is the first time the triplet
is seen, or if it was first seen less than \fIreconnect-delay\fR minutes ago
(1 is the default), the mail is rejected with a temporary (4xx) error. A real
\&\s-1MTA\s0 is required by the \s-1SMTP\s0 \s-1RFC\s0 to queue the mail and try
again later; the bet is that spammers and viruses will not.
.PP
In order to alleviate the reconnect delay, sqlgrey uses a 2\-level
auto-white-list (\s-1AWL\s0) system:
.IP "\(bu" 4
As soon as a \f(CW\*(C`CLIENT IP\*(C'\fR / \f(CW\*(C`SENDER\*(C'\fR couple is
accepted, it is added to an \s-1AWL\s0. The couple expires when it isn't seen
for more than \fIawl-age\fR days (60 is the default).
.IP "\(bu" 4
If \fIgroup-domain-level\fR or more \f(CW\*(C`SENDER\*(C'\fRs (2 is the
default) from the same domain use the same \f(CW\*(C`CLIENT IP\*(C'\fR,
another \s-1AWL\s0 keyed on the \f(CW\*(C`CLIENT IP\*(C'\fR /
\&\f(CW\*(C`DOMAIN\*(C'\fR couple is used. This couple expires after
\&\fIawl-age\fR days too. This \s-1AWL\s0 is meant for high-throughput sites,
in order to:
.RS 4
.IP "\(bu" 4
minimize the amount of data stored in the database,
.IP "\(bu" 4
minimize the amount of processing required to find an entry in the \s-1AWL\s0,
.IP "\(bu" 4
impose no further mail delay once a \f(CW\*(C`CLIENT IP\*(C'\fR /
\&\f(CW\*(C`DOMAIN\*(C'\fR couple is known.
.RE
.RS 4
.Sp
It can be disabled by setting \fIgroup-domain-level\fR to 0.
.RE
.PP
General idea:
.PP
Once an \s-1SMTP\s0 client has been accepted, if its \s-1IP\s0 isn't dynamic,
greylisting that \s-1IP\s0 again when it sends another e\-mail is only a waste
of time: we already know that it runs an RFC-compliant \s-1MTA\s0 (at least as
far as 4xx error handling is concerned) and will get the new e\-mail through
anyway.
.PP
For mail relays these AWLs work very well, as the same senders and mail
domains constantly come through the same \s-1IP\s0 addresses, so e\-mails are
quickly accepted on the first try. For individual \s-1SMTP\s0 servers this
works well if the \s-1IP\s0 is fixed too. A floating \s-1IP\s0 address defeats
the AWLs, but that should be by far the least common case.
.PP
Why put the domain in the \s-1AWL\s0 and not the \s-1IP\s0 only? If we stored
only \s-1IP\s0 addresses, polluting the \s-1AWL\s0 would be far too easy: one
correctly configured \s-1MTA\s0 sending one e\-mail from one \s-1IP\s0 a single
time would put that \s-1IP\s0 in a whitelist honoured for whatever future mails
come from it.
.PP
With this \s-1AWL\s0 system, a single mail can only whitelist further mails
from the same sender from the same \s-1IP\s0, and a client has to earn the
\&\f(CW\*(C`CLIENT IP\*(C'\fR / \f(CW\*(C`DOMAIN\*(C'\fR entry by getting
\&\fIgroup-domain-level\fR distinct senders of one domain through the reconnect
delay first. Keep in mind that the envelope sender is chosen by the client:
the AWLs only remove the delay for clients that have shown they retry, they
do not authenticate the sender or its domain.
.SH "INSTALLATION"
.IX Header "INSTALLATION"
.IP "\(bu" 4
Create a \f(CW\*(C`sqlgrey\*(C'\fR user. This is the unprivileged user the
daemon runs as.
.IP "\(bu" 4
When using a full-fledged \s-1RDBMS\s0 (MySQL or PostgreSQL, not SQLite),
create a 'sqlgrey' database user and a 'sqlgrey' database, and grant the new
user access to that database (it needs no other privileges).
.IP "\(bu" 4
Use the packaged init script to start sqlgrey at boot, and start it manually
the first time.
.SH "CONFIGURATION"
.IX Header "CONFIGURATION"
.SS "General"
.IX Subsection "General"
.IP "\(bu" 4
Start by adding check_policy_service after reject_unauth_destination in
/etc/postfix/main.cf:
.Sp
.Vb 4
\&  smtpd_recipient_restrictions =
\&      ...
\&      reject_unauth_destination
\&      check_policy_service inet:127.0.0.1:2501
.Ve
.Sp
The order matters: with the policy check after reject_unauth_destination,
only mail Postfix would otherwise accept is greylisted, and the daemon is not
consulted for relay attempts that are rejected anyway.
.IP "\(bu" 4
Be aware that some servers do not behave correctly: they do not resend mails
(as required by the standard), or they use a unique return address for every
attempt, so the triplet never matches and the mail stays greylisted forever.
This is why you should maintain whitelists for them.
.Sp
SQLgrey comes with a comprehensive whitelisting system. It can even be
configured to fetch up-to-date whitelists from a repository. See the
\&\s-1HOWTO\s0 for the details.
.SS "Disabling greylisting for some users"
.IX Subsection "Disabling greylisting for some users"
If you want to disable greylisting for some users you can configure Postfix
like this:
.PP
/etc/postfix/sqlgrey_recipient_access:
.PP
.Vb 1
\&  i_like_spam@ee.ethz.ch   OK
.Ve
.PP
Then add a check_recipient_access lookup in main.cf before the
check_policy_service (a check_client_access table built the same way lets
you skip greylisting for trusted client addresses):
.PP
.Vb 6
\&  smtpd_recipient_restrictions =
\&      ...
\&      reject_unauth_destination
\&      check_client_access hash:/etc/postfix/sqlgrey_client_access
\&      check_recipient_access hash:/etc/postfix/sqlgrey_recipient_access
\&      check_policy_service inet:127.0.0.1:2501
.Ve
.PP
Run postmap on each hash: table after editing it. Note that an \s-1OK\s0
result from these tables ends the restriction list for that request, so any
restriction listed after check_policy_service is skipped as well.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
See for a description of what greylisting is and for a description of how
Postfix policy servers work.
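.SH "EXAMPLE"
.IX Header "EXAMPLE"
The following Python program is an added worked example, not code from
sqlgrey itself. It models the decision described under \s-1DESCRIPTION\s0 (the
\&\f(CW\*(C`CLIENT_IP\*(C'\fR / \f(CW\*(C`SENDER\*(C'\fR / \f(CW\*(C`RECIPIENT\*(C'\fR
triplet with \fIreconnect-delay\fR, then the two AWLs with \fIawl-age\fR and
\&\fIgroup-domain-level\fR), fed by the attribute=value request that the
check_policy_service entry from \s-1CONFIGURATION\s0 makes Postfix send.
Everything else is an assumption of the example: the in-memory dicts that
stand in for the \s-1SQL\s0 tables, the exact client \s-1IP\s0 as key, the
generic \f(CW\*(C`DEFER_IF_PERMIT\*(C'\fR reply text, and the constructed sample
request.
.PP

```python
# Added example, not sqlgrey's own code: the greylisting decision from
# DESCRIPTION (triplet + reconnect-delay, then the CLIENT IP / SENDER and
# CLIENT IP / DOMAIN auto-white-lists) driven by a Postfix policy request.
# Assumptions of the example: in-memory dicts instead of the SQL tables,
# the exact client IP as key, and a generic DEFER_IF_PERMIT reply text.
from dataclasses import dataclass, field

RECONNECT_DELAY_MIN = 1   # sqlgrey default "reconnect-delay" (minutes)
AWL_AGE_DAYS = 60         # sqlgrey default "awl-age" (days)
GROUP_DOMAIN_LEVEL = 2    # sqlgrey default "group-domain-level" (0 disables)

ACCEPT_ACTION = "DUNNO"   # let the remaining smtpd restrictions decide
DEFER_ACTION = "DEFER_IF_PERMIT Greylisted, please try again later"


def parse_policy_request(raw):
    """Parse one Postfix policy request: attr=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":            # the empty line terminates the request
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def sender_domain(sender):
    """Domain part of an envelope sender ('' for the empty bounce sender)."""
    return sender.rpartition("@")[2]


@dataclass
class Greylister:
    now: float = 0.0                                # simulated clock, seconds
    connect: dict = field(default_factory=dict)     # triplet -> first seen
    from_awl: dict = field(default_factory=dict)    # (ip, sender) -> last seen
    domain_awl: dict = field(default_factory=dict)  # (ip, domain) -> last seen

    def _expire(self, awl):
        """Drop AWL entries not seen for more than awl-age days."""
        oldest = self.now - AWL_AGE_DAYS * 86400
        for key in [k for k, seen in awl.items() if seen < oldest]:
            del awl[key]

    def decide(self, attrs):
        ip = attrs["client_address"]
        sender = attrs["sender"].lower()
        rcpt = attrs["recipient"].lower()
        domain = sender_domain(sender)
        self._expire(self.from_awl)
        self._expire(self.domain_awl)
        # Level 2 AWL: this IP already got enough senders of the domain through.
        if GROUP_DOMAIN_LEVEL and (ip, domain) in self.domain_awl:
            self.domain_awl[(ip, domain)] = self.now
            return ACCEPT_ACTION
        # Level 1 AWL: this IP / sender couple was accepted before.
        if (ip, sender) in self.from_awl:
            self.from_awl[(ip, sender)] = self.now
            return ACCEPT_ACTION
        # Plain greylisting on the CLIENT_IP / SENDER / RECIPIENT triplet.
        triplet = (ip, sender, rcpt)
        first_seen = self.connect.get(triplet)
        if first_seen is None:
            self.connect[triplet] = self.now
            return DEFER_ACTION
        if self.now - first_seen < RECONNECT_DELAY_MIN * 60:
            return DEFER_ACTION   # came back too early, still greylisted
        # Retried after the delay: accept and promote the couple to the AWLs.
        del self.connect[triplet]
        self.from_awl[(ip, sender)] = self.now
        if GROUP_DOMAIN_LEVEL:
            senders = {s for (i, s) in self.from_awl
                       if i == ip and sender_domain(s) == domain}
            if len(senders) >= GROUP_DOMAIN_LEVEL:
                self.domain_awl[(ip, domain)] = self.now
        return ACCEPT_ACTION


def serve_request(greylister, raw):
    """Full round trip: request text in, 'action=...' reply text out."""
    return "action=%s\n\n" % greylister.decide(parse_policy_request(raw))


# Constructed sample of what Postfix sends at the RCPT stage (not a capture).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylister()
    print(serve_request(g, SAMPLE_REQUEST), end="")   # first contact: deferred
    g.now = 120                                       # two minutes later
    print(serve_request(g, SAMPLE_REQUEST), end="")   # retry: action=DUNNO
```

.PP
Run as is, the program defers the sample request and accepts the retry made
two minutes later. Feeding it a second sender of the same domain from the same
\&\s-1IP\s0 shows the point made above: that sender is still greylisted once,
and only after it has been accepted too does a third sender of the domain go
through on its first attempt, thanks to the \f(CW\*(C`CLIENT IP\*(C'\fR /
\&\f(CW\*(C`DOMAIN\*(C'\fR \s-1AWL\s0. A different \s-1IP\s0 gets no benefit from
either \s-1AWL\s0, and both AWLs are forgotten after \fIawl-age\fR days
without traffic.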
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c) 2004 by Lionel Bouton.
.SH "LICENSE"
.IX Header "LICENSE"
This program is free software; you can redistribute it and/or modify it
under the terms of the \s-1GNU\s0 General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
.PP
This program is distributed in the hope that it will be useful, but
\&\s-1WITHOUT\s0 \s-1ANY\s0 \s-1WARRANTY\s0; without even the implied warranty of
\&\s-1MERCHANTABILITY\s0 or \s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0. See the
\&\s-1GNU\s0 General Public License for more details.
.PP
You should have received a copy of the \s-1GNU\s0 General Public License along
with this program; if not, write to the Free Software Foundation, Inc., 59
Temple Place, Suite 330, Boston, \s-1MA\s0 02111\-1307 \s-1USA\s0
.SH "AUTHOR"
.IX Header "AUTHOR"
Lionel\ Bouton\