2012-01-04

Version 2.1 released

2012-01-01

Version 2.0 released

2011-08-30

Version 1.0 released

Greylisting is a simple and powerful technique for fighting spam. Most spam e-mails are sent in bulk and on a single-shot basis: the sender tries to send the message only once and, if that fails, does not try again. A normal SMTP server behaves differently: when an error occurs, it retries the message until it is delivered properly.

Greylisting benefits from this difference. For every e-mail it looks at three basic pieces of data:

  • IP address of SMTP server sending the e-mail
  • e-mail address of sender
  • e-mail address of recipient

If our SMTP server sees this triplet for the first time, the e-mail is not accepted for delivery and the sending server is notified with a temporary error (usually SMTP code 450 followed by an error message). The sending server should wait a reasonable time and then try to send the message again. If our server already knows the triplet, the e-mail is accepted for delivery. Although this algorithm is often discussed, with many arguments for and against it, it helps very well against receiving spam messages, though of course not 100%.

This software is a simple greylisting tool for the Postfix SMTP server. An MD5 sum is computed from the basic data triplet and saved to a database together with a time stamp. Every e-mail is accepted or declined based on the configured times. If any script error occurs, the e-mail is accepted, to prevent data loss in case of a database malfunction etc.

The software is written in the Perl programming language. Data storage can be a MySQL database or common files. The data need no other care; the software cleans them up by itself. The program is ready for the Linux platform, but it should work on other platforms too.

This software can be distributed and modified freely under the terms of the GPL license.

Requirements (most Linux distributions already contain proper packages, so you probably don't need to install them manually):

In case you want to use MySQL database as data storage, you need these (should be available in most Linux distributions too):

Installation is simple: just unpack the downloaded file. One directory containing two files will be created (one file for the filesystem as data storage, the other one for a database as data storage). Place one of them in any directory on your system where Postfix can execute it, for example:

# tar xzf greylisting-x.y.tar.gz
# mv greylisting-x.y /usr/local/bin/greylisting.pl

Next, you have to set up the Postfix file master.cf (usually in /etc/postfix):

127.0.0.1:10027 inet n n n - - spawn
  user=nobody argv=/usr/local/bin/greylisting.pl

Final settings in Postfix: at the end of the configuration directive smtpd_recipient_restrictions in the main.cf file (usually in /etc/postfix) you have to add check_policy_service. The final value can look like this:

smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10027

Note:
After the Postfix configuration is changed, you have to let Postfix re-read it (i.e. postfix reload).

You can configure the program simply by editing it (use your favourite text editor). The main configuration variable %config contains the configuration directives.

Basic directives:

  • request_needed - can be set to yes, 1, true or no, 0, false; if it is set to yes, a special line request=smtpd_access_policy must be present in the communication between Postfix and the greylisting script (setting this to a negative value can be useful for manual testing)
  • greylisting_delay - number of seconds during which an e-mail is declined after the first appearance of the basic data triplet
  • greylisting_lifetime - number of seconds after which the data triplet is obsolete (counted from the last appearance of the basic data triplet)
  • greylisting_message - message sent to the sending server when the e-mail is declined; the string %d will be replaced with the number of seconds to wait until the e-mail will be accepted
  • log_file - name of the file for log messages from the script; if this is empty or the given file cannot be created, the script will not log anything - be careful, the file has to have correct permissions so that Postfix can write into it (usually user nobody)
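The decision described above (triplet, MD5 key, delay, lifetime, accept on error) can be sketched as follows. This is an added example in Python, not the project's Perl code: the triplet separator, the two stored timestamps, the exact action strings and the sample request are assumptions; only the directive names and the Postfix policy attribute names are real.

```python
import hashlib

# Constructed values; the directive names are the ones documented on this page.
CONFIG = {
    "greylisting_delay": 300,
    "greylisting_lifetime": 86400,
    "greylisting_message": "Greylisted, please retry in %d seconds",
}

# Constructed sample of what Postfix sends to a policy service:
# name=value lines terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=kamil.novak@nekde.tld\n"
    "\n"
)

def parse_request(text):
    """Parse one policy request into a dict of attributes."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # the empty line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, store, now, cfg=CONFIG):
    """Return a Postfix action; store maps MD5 hex -> [first_seen, last_seen]."""
    try:
        # Assumption: triplet fields are joined with NUL before hashing.
        triplet = "\0".join(attrs[k] for k in ("client_address", "sender", "recipient"))
        key = hashlib.md5(triplet.encode()).hexdigest()
        rec = store.get(key)
        if rec is not None and now - rec[1] > cfg["greylisting_lifetime"]:
            rec = None  # obsolete triplet: treat it as never seen
        if rec is None:
            rec = store[key] = [now, now]
        rec[1] = now  # lifetime is counted from the last appearance
        wait = rec[0] + cfg["greylisting_delay"] - now
        if wait > 0:
            return "450 " + cfg["greylisting_message"] % wait
        return "DUNNO"  # no objection; later restrictions decide
    except Exception:
        return "DUNNO"  # any error accepts the mail, as the page describes
```

Because the service fails open, a broken or unreachable data store silently disables greylisting, so the log file is the place to notice it.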

Directives for database as data storage:

  • db_db - database name
  • db_host - address of database server
  • db_user - database user
  • db_passwd - password of database user
  • db_table_prefix - database table prefix
  • db_sufix_length - length of database table suffix

    Note:
    The program creates and maintains the database tables by itself. The table name is the string db_table_prefix followed by the first few characters (db_sufix_length of them) of the computed MD5. For example, with db_table_prefix set to 'id_', db_sufix_length set to 3 and MD5 a86850deb2742ec3cb41518e26aa2d89, the table name will be 'id_a86'. The number of created tables will not exceed 16^db_sufix_length.

Directives for filesystem as data storage:

  • data_file - template for filename where data will be stored

    Note:
    The program creates directories and files (and maintains the data) by itself. The name of the file is based on the data_file template, which is a normal file name that may contain $1, $2, ... $9. Every occurrence of such a string in the template is replaced with the corresponding character of the computed MD5. For example, with data_file set to '/var/greylisting/$1/$1$2.txt' and MD5 a86850deb2742ec3cb41518e26aa2d89, the file will be '/var/greylisting/a/a8.txt'.

Whitelisting directives:

  • whitelist_clients - space separated list of IP addresses of servers, from which all e-mails will be accepted
  • whitelist_senders - space separated list of e-mail addresses of senders, from which all e-mails will be accepted
  • whitelist_recipients - space separated list of e-mail addresses of recipients, for which all e-mails will be accepted

    Note:
    Every e-mail address in the list of senders or recipients can be given as a full e-mail address (kamil.novak@nekde.tld), as just the domain part of the address (@nekde.tld - all e-mails with this domain match) or as just the user (kamil.novak@ - this user with any domain matches). The list of IP addresses should contain only IP addresses.

    Examples:
    'whitelist_clients' => '127.0.0.1 192.168.0.2',
    'whitelist_senders' => '@kyberdigi.cz kamil@',
    'whitelist_recipients' => 'kamil.novak@nekde.tld',

IP blocks directives:

  • prefix_default - default network prefix length
  • prefix_exceptions - space separated list of IP blocks
  • prefix_default_ipv6 - default network prefix length for IPv6 addresses
  • prefix_exceptions_ipv6 - space separated list of IP blocks for IPv6 addresses

    Note:
    Some big corporations use more than one server to send out a single e-mail. Because of this, some e-mails might never come through, since the IP address of the sender can be different every time. The solution is to use the IP address of a network instead of the single IP address of the sender. The network block is defined by a network prefix length. If the sending server should always be in a network with a prefix length of 24 bits, prefix_default has to be set to 24. E-mails coming from 192.0.2.1, 192.0.2.2, ... 192.0.2.255 will then always be assigned the IP address 192.0.2.0.

    A list of exceptions can be defined, for example prefix_default can be set to 24 and prefix_exceptions can be set to 192.0.2.32/28 192.0.2.48/29, IP address will be assigned to servers as follows:
    from 192.0.2.0 to 192.0.2.31 the IP address will be 192.0.2.0
    from 192.0.2.32 to 192.0.2.47 the IP address will be 192.0.2.32
    from 192.0.2.48 to 192.0.2.55 the IP address will be 192.0.2.48
    from 192.0.2.49 to 192.0.2.255 the IP address will be 192.0.2.0

    These directives are available in version 2.0 or higher.

    Directives for IPv6 are available in version 2.1 or higher.
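The mapping from a client IP address to its network address, as described in the note above, can be sketched as follows. This is an added example in Python, not the project's Perl code: the function name, the IPv6 prefix length of 64 and the rule that the most specific exception wins are assumptions; the IPv4 values are the ones from the note.

```python
import ipaddress

# Constructed configuration; the directive names are the page's, the IPv4
# values are the page's example, the IPv6 prefix length is an assumed value.
CONFIG = {
    "prefix_default": 24,
    "prefix_exceptions": "192.0.2.32/28 192.0.2.48/29",
    "prefix_default_ipv6": 64,
    "prefix_exceptions_ipv6": "",
}

def network_for(client_address, cfg=CONFIG):
    """Return the network address that replaces the client IP in the triplet."""
    ip = ipaddress.ip_address(client_address)
    suffix = "_ipv6" if ip.version == 6 else ""
    default_len = cfg["prefix_default" + suffix]
    blocks = [ipaddress.ip_network(b)
              for b in cfg["prefix_exceptions" + suffix].split()]
    # Assumption: when exception blocks overlap, the most specific one wins.
    for block in sorted(blocks, key=lambda n: n.prefixlen, reverse=True):
        if ip in block:
            return str(block.network_address)
    # No exception matched: mask the address with the default prefix length.
    default_net = ipaddress.ip_network(f"{ip}/{default_len}", strict=False)
    return str(default_net.network_address)
```

A shorter prefix widens what one successful retry authorizes: once any host in the block has passed the delay for a sender and recipient, every other host in that block passes for the same pair.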


There are no known bugs at this moment. In case you find some, please let me know at mccohy@kyberdigi.cz.

2012-01-04

Version 2.1

  • added configuration directives prefix_default_ipv6 and prefix_exceptions_ipv6

2012-01-01

Version 2.0

  • added configuration directives prefix_default and prefix_exceptions

2011-08-30

Initial release 1.0