2012-01-04
Version 2.1 released
2012-01-01
Version 2.0 released
2011-08-30
Version 1.0 released
|
Greylisting is a simple and powerful technique for fighting spam. Most spam
is sent in bulk on a single-shot basis: the sender tries only once to deliver
the message and, if that attempt fails, does not try again. A normal SMTP
server behaves differently: after a temporary error it keeps retrying until
the message is delivered.
Greylisting exploits this difference. For every e-mail it looks at three
basic data:
- IP address of the SMTP server sending the e-mail
- e-mail address of the sender
- e-mail address of the recipient
If our SMTP server sees this triplet for the first time, the e-mail is not
accepted for delivery and the sending server is told to retry by a temporary
error (usually SMTP code 450 followed by an error message). The sending
server should wait a reasonable time and then try to send the message again.
If our server already knows the triplet, the e-mail is accepted for delivery.
Although this algorithm is often debated, with many arguments for and against
it, it works very well against spam, though of course not at 100%.
This software is a simple greylisting tool for the Postfix SMTP server.
An MD5 sum is computed from the basic data triplet and saved to a database
together with a time stamp. Based on the configured times, every e-mail is
accepted or declined. In case of any script error the e-mail is accepted,
to prevent mail loss in case of a database malfunction etc. (in other words
the tool fails open: a broken back end disables the filter rather than
losing mail).
The software is written in the Perl programming language. Data storage can
be a MySQL database or plain files. The data doesn't need any other care;
the software cleans it up by itself. The program is written for the Linux
platform, but it should work on other platforms too.
This software can be distributed and modified freely under the terms of the
GPL license.
|
Requirements (most Linux distributions already contain the proper packages,
so you probably don't need to install them manually):
In case you want to use a MySQL database as data storage, you need these as
well (also available in most Linux distributions):
Installation is simple: unpack the downloaded file; one directory containing
two files will be created (one file for the filesystem as data storage, the
other one for a database as data storage). Place one of them in any directory
on your system, so that Postfix can execute it, for example:
# tar xzf greylisting-x.y.tar.gz
# cp greylisting-x.y/<the script for your chosen storage> /usr/local/bin/greylisting.pl
# chmod 755 /usr/local/bin/greylisting.pl
(only the one script you chose goes to /usr/local/bin/greylisting.pl, not the
whole directory; the placeholder above stands for its file name)
Next, you have to set up the Postfix file master.cf (usually in /etc/postfix)
with a service entry for the script:
127.0.0.1:10027 inet  n       n       n       -       -       spawn
  user=nobody argv=/usr/local/bin/greylisting.pl
The second line must begin with whitespace, otherwise master.cf treats it as
a new service. The script runs as the user given in user= (nobody), so it
must be readable and executable by that user. Keep the service bound to
127.0.0.1 as shown: the policy protocol has no authentication, so the port
must not be reachable from other hosts.
Final settings in Postfix: at the end of the configuration directive
smtpd_recipient_restrictions in the main.cf file (usually in /etc/postfix)
you have to add check_policy_service; the final value can look like this:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10027
Put check_policy_service after the permit_* entries for your own networks and
authenticated users, so that those clients are not greylisted, and keep the
anti-relay restriction (reject_unauth_destination; on Postfix 2.10 and later
smtpd_relay_restrictions can carry it instead) in front of it, so that the
policy server is only consulted for mail Postfix would otherwise accept.
Note: After the Postfix configuration is changed, you have to make Postfix
re-read it (i.e. postfix reload).
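The following is an added example (Python, not the Perl tool's own code) that ties together the two passages above: the triplet/MD5 greylisting decision with its accept-on-error rule, and the request/reply exchange with Postfix over the check_policy_service socket. The directive values in CONFIG, the in-memory dict standing in for the file or MySQL store, the lower-casing of addresses and the use of DEFER_IF_PERMIT (which Postfix turns into a 450 reply) are assumptions.

```python
import hashlib
import sys
import time

# Assumed configuration, named after the tool's %config directives.
CONFIG = {
    "request_needed": True,
    "greylisting_delay": 300,             # seconds a new triplet is deferred
    "greylisting_lifetime": 30 * 86400,   # seconds after the last sighting a triplet stays known
    "greylisting_message": "Greylisted, try again in %d seconds",
}


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request: 'name=value' lines
    terminated by an empty line.  Values may themselves contain '=', so
    split on the first one only."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return attrs


def triplet_key(client_address, sender, recipient):
    """MD5 of the basic data triplet, the key the tool stores.  Addresses are
    lower-cased (an assumption) so that case differences in a retry do not
    make the triplet look new."""
    data = "\n".join([client_address, sender.lower(), recipient.lower()])
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class Greylist:
    """Decision logic over a store of key -> (first_seen, last_seen).  A dict
    stands in for the file or MySQL back end; `clock` is injectable for testing."""

    def __init__(self, config, clock=time.time):
        self.config = config
        self.clock = clock
        self.store = {}

    def decide(self, attrs):
        """Return the action for one parsed request."""
        if self.config["request_needed"] and attrs.get("request") != "smtpd_access_policy":
            raise ValueError("not an smtpd_access_policy request")
        key = triplet_key(attrs["client_address"], attrs["sender"], attrs["recipient"])
        now = self.clock()
        delay = self.config["greylisting_delay"]
        lifetime = self.config["greylisting_lifetime"]
        first_seen, last_seen = self.store.get(key, (None, None))
        if first_seen is None or now - last_seen > lifetime:
            # Unknown (or expired) triplet: remember it and ask for a retry.
            self.store[key] = (now, now)
            return "DEFER_IF_PERMIT " + self.config["greylisting_message"] % delay
        self.store[key] = (first_seen, now)       # refresh the lifetime
        remaining = int(first_seen + delay - now)
        if remaining > 0:
            # Known triplet, but the retry came before the delay elapsed.
            return "DEFER_IF_PERMIT " + self.config["greylisting_message"] % remaining
        return "DUNNO"   # no objection; later restrictions decide


def policy_response(greylist, raw_request):
    """Build the reply Postfix expects: 'action=...' plus an empty line.
    Any error falls open to DUNNO, mirroring the tool's accept-on-error rule."""
    try:
        action = greylist.decide(parse_policy_request(raw_request))
    except Exception:
        action = "DUNNO"
    return "action=%s\n\n" % action


def serve(instream, outstream, greylist):
    """Request/reply loop for a spawn(8) service: Postfix talks to the
    script's stdin/stdout, one request per blank-line-terminated block."""
    pending = []
    for line in instream:
        pending.append(line)
        if line.strip() == "":
            outstream.write(policy_response(greylist, "".join(pending)))
            outstream.flush()
            pending = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, Greylist(CONFIG))
```

Run by hand with request_needed in mind: feed a block of name=value lines ending in an empty line on stdin and the script answers with action=DEFER_IF_PERMIT ... on the first sighting, with the remaining wait on an early retry, and with DUNNO once the delay has elapsed. Note what the fail-open rule implies: a malformed request, a missing request= line or a broken store all produce DUNNO, so a back-end outage silently turns the filter off rather than bouncing mail.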
You configure the program simply by editing it with your favourite text
editor. The main configuration variable %config holds the configuration
directives.
Basic directives:
- request_needed - can be set to yes, 1, true or no, 0, false; when set to
yes, the line request=smtpd_access_policy must be present in the request
Postfix sends to the greylisting script (setting it to a negative value can
be useful for manual testing, when you feed a request into the script by hand)
- greylisting_delay - number of seconds during which an e-mail is declined
after the first appearance of a basic data triplet
- greylisting_lifetime - number of seconds after which the data triplet
becomes obsolete (counted from the last appearance of the triplet); choose it
long enough to cover the gap between regular mails from the same
correspondents, otherwise each of them is delayed again
- greylisting_message - message sent to the sending server when the message
is declined; the string %d is replaced by the number of seconds to wait until
the e-mail will be accepted
- log_file - name of the file the script logs to; if it is empty or the file
cannot be created, the script does not log anything - be careful, the file
must have permissions that let Postfix write to it (usually as user nobody)
Directives for a database as data storage:
- db_db - database name
- db_host - address of the database server
- db_user - database user
- db_passwd - password of the database user
- db_table_prefix - database table prefix
- db_sufix_length - length of the database table suffix
Note: The program creates and maintains the database tables by itself. A
table name is the string db_table_prefix followed by the first
db_sufix_length characters of the computed MD5. For example, with
db_table_prefix set to 'id_', db_sufix_length set to 3 and MD5
a86850deb2742ec3cb41518e26aa2d89, the table name will be 'id_a86'. The
number of created tables will not exceed 16^db_sufix_length (4096 for a
length of 3). Since db_passwd is stored in plain text inside the script,
restrict read access to the script to the user Postfix runs it as, and give
that database user only the rights it needs on its own database.
Directives for the filesystem as data storage:
- data_file - template for the file name the data is stored in
Note: The program creates the directories and files (and maintains the data)
by itself. The file name is derived from the data_file template: a normal
file name that may contain $1, $2 ... $9. Every occurrence of such a string
is replaced by the corresponding character of the computed MD5. For example,
with data_file set to '/var/greylisting/$1/$1$2.txt' and MD5
a86850deb2742ec3cb41518e26aa2d89, the file will be
'/var/greylisting/a/a8.txt'. The directory must be writable by the user
given in master.cf (usually nobody).
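As an added example (Python, not the tool's code), here is how the two naming rules above, the table name for the database back end and the $N substitution for the file back end, can be computed from the page's example digest; the helper names are mine.

```python
import re

MD5_EXAMPLE = "a86850deb2742ec3cb41518e26aa2d89"   # the page's example digest


def table_name(md5_hex, db_table_prefix, db_sufix_length):
    """Database back end: prefix + first db_sufix_length hex digits of the MD5."""
    return db_table_prefix + md5_hex[:db_sufix_length]


def table_count(db_sufix_length):
    """Upper bound on the number of tables: 16 ** db_sufix_length."""
    return 16 ** db_sufix_length


def data_path(data_file, md5_hex):
    """File back end: every $1..$9 in the template becomes the corresponding
    hex digit of the MD5 (a '$' not followed by 1-9 is left alone)."""
    return re.sub(r"\$([1-9])", lambda m: md5_hex[int(m.group(1)) - 1], data_file)


def file_count(data_file):
    """How many distinct files a template can produce: 16 per distinct $N used."""
    return 16 ** len(set(re.findall(r"\$([1-9])", data_file)))
```

Because the substituted characters are hex digits only, the resulting path can never escape the directory fixed by the template; the sharding depth (and thus the number of files or tables to clean up) is decided entirely by how many distinct $N or how long a suffix you configure.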
Whitelisting directives:
- whitelist_clients - space-separated list of IP addresses of servers from
which all e-mails are accepted
- whitelist_senders - space-separated list of sender e-mail addresses from
which all e-mails are accepted
- whitelist_recipients - space-separated list of recipient e-mail addresses
for which all e-mails are accepted
Note: Every e-mail address in the list of senders or recipients can be given
as a full address (kamil.novak@nekde.tld), as just the domain part
(@nekde.tld - all addresses in this domain match) or as just the user part
(kamil.novak@ - this user in any domain matches). The list of IP addresses
must contain plain IP addresses only. Keep in mind that the envelope sender
is not authenticated, so a spammer who knows a whitelisted sender address can
simply forge it; whitelist_clients is the safest of the three.
Examples:
'whitelist_clients' => '127.0.0.1 192.168.0.2',
'whitelist_senders' => '@kyberdigi.cz kamil@',
'whitelist_recipients' => 'kamil.novak@nekde.tld',
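An added example (Python, not the tool's code) of the matching rules above, using the page's own example values; case-insensitive comparison and treating the empty envelope sender of bounces as a non-match are assumptions the page does not spell out.

```python
def split_list(value):
    """A space-separated directive value -> list of entries."""
    return value.split()


def address_matches(entry, address):
    """True when one whitelist entry matches an e-mail address.
    Three entry forms: 'kamil.novak@nekde.tld' (exact address),
    '@nekde.tld' (any user in that domain), 'kamil.novak@' (that user in
    any domain).  Comparison is case-insensitive (assumption).  Postfix passes
    the null sender of bounces as an empty string, which matches nothing."""
    entry = entry.lower()
    address = address.lower()
    if "@" not in address:
        return False
    user, domain = address.rsplit("@", 1)
    if entry.startswith("@"):
        return domain == entry[1:]          # exact domain, no subdomains
    if entry.endswith("@"):
        return user == entry[:-1]
    return address == entry


def is_whitelisted(config, client_address, sender, recipient):
    """Apply the three directives; any hit bypasses greylisting."""
    if client_address in split_list(config["whitelist_clients"]):
        return True
    if any(address_matches(e, sender) for e in split_list(config["whitelist_senders"])):
        return True
    return any(address_matches(e, recipient)
               for e in split_list(config["whitelist_recipients"]))


# The page's own example values.
EXAMPLE_CONFIG = {
    "whitelist_clients": "127.0.0.1 192.168.0.2",
    "whitelist_senders": "@kyberdigi.cz kamil@",
    "whitelist_recipients": "kamil.novak@nekde.tld",
}
```

Two details worth checking against your own lists: '@kyberdigi.cz' matches only that exact domain, not sub.kyberdigi.cz, and a 'user@' entry matches that local part at every domain in the world, which is a wide door given that the sender is self-declared.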
IP block directives:
- prefix_default - default network prefix length
- prefix_exceptions - space-separated list of IP blocks
- prefix_default_ipv6 - default network prefix length for IPv6 addresses
- prefix_exceptions_ipv6 - space-separated list of IP blocks for IPv6 addresses
Note: Some big corporations use more than one server to send out one e-mail,
so the retry may come from a different IP address each time and the e-mail
might never get through. The solution is to use the address of the sending
network instead of the single IP address of the sender. The network block is
defined by a network prefix length: if the retrying server is always within
a 24-bit prefix, set prefix_default to 24. E-mails coming from 192.0.2.1,
192.0.2.2, ... 192.0.2.255 will then all be assigned the IP address
192.0.2.0. A list of exceptions can be defined; for example, with
prefix_default set to 24 and prefix_exceptions set to 192.0.2.32/28
192.0.2.48/29, IP addresses are assigned to servers as follows:
from 192.0.2.0 to 192.0.2.31 the IP address will be 192.0.2.0
from 192.0.2.32 to 192.0.2.47 the IP address will be 192.0.2.32
from 192.0.2.48 to 192.0.2.55 the IP address will be 192.0.2.48
from 192.0.2.56 to 192.0.2.255 the IP address will be 192.0.2.0
The wider the default block, the more hosts share one greylisting entry: with
a /24 any other host in the same block can pre-clear a sender/recipient pair,
so keep prefix_default as narrow as the retrying servers you actually see
allow.
These directives are available in version 2.0 or higher. Directives for IPv6
are available in version 2.1 or higher.
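An added example (Python, not the tool's code) implementing the assignment above for both address families, with the page's IPv4 values and a constructed IPv6 exception; the rule that the most specific matching exception wins when exceptions overlap is an assumption the page does not specify.

```python
import ipaddress

# Assumed configuration: the page's IPv4 example plus a constructed IPv6 pair.
EXAMPLE_CONFIG = {
    "prefix_default": 24,
    "prefix_exceptions": "192.0.2.32/28 192.0.2.48/29",
    "prefix_default_ipv6": 64,
    "prefix_exceptions_ipv6": "2001:db8:1::/48",
}


def parse_exceptions(value):
    """Space-separated CIDR blocks -> list of networks (host bits tolerated)."""
    return [ipaddress.ip_network(block, strict=False) for block in value.split()]


def network_address(client_address, config):
    """Replace the client's IP by the network address greylisting keys on.
    The most specific matching exception wins; otherwise the default prefix
    length of the address family applies."""
    addr = ipaddress.ip_address(client_address)
    if addr.version == 4:
        default = config["prefix_default"]
        exceptions = parse_exceptions(config["prefix_exceptions"])
    else:
        default = config["prefix_default_ipv6"]
        exceptions = parse_exceptions(config["prefix_exceptions_ipv6"])
    hits = [net for net in exceptions if addr in net]   # family mismatch never matches
    if hits:
        net = max(hits, key=lambda n: n.prefixlen)
    else:
        net = ipaddress.ip_network("%s/%d" % (addr, default), strict=False)
    return str(net.network_address)
```

The returned string is what goes into the triplet in place of client_address, so two retries from 192.0.2.1 and 192.0.2.7 hash to the same key while 192.0.2.33 (inside the /28 exception) does not.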
There are no known bugs at this moment. If you find one, please let me know at
mccohy@kyberdigi.cz.
2012-01-04
Version 2.1
- added configuration directives prefix_default_ipv6 and prefix_exceptions_ipv6
2012-01-01
Version 2.0
- added configuration directives prefix_default and prefix_exceptions
2011-08-30
Initial release 1.0
|