Debian 8 – Greylisting – fight Spam with Postgrey and Postfix on Debian

Greylisting – fight Spam with Postgrey and Postfix on Debian and Ubuntu

Ever heard of greylisting?

There are numerous ways to prevent spam from reaching your inbox, the most popular is probably SpamAssassin. Greylisting will not replace spam filtering software like SA but it will serve as a powerful first hurdle for spam thus reducing the amount of spam entering the system at all. It should rather be seen as an addition to all the other anti spam features of Postfix.

Apart from the obvious benefit of reducing the amount of spam in your inbox, it will give your virus scanner and SpamAssassing less work to do. Both spam filtering and virus scanning is a CPU intensive business and stopping spam in the door will potentially save you money due to reduced hardware requirements.

Greylisting in short means that when someone wants to deliver a mail to your mail server it will simply reply -Please come back later-?. That is something all RFC-compliant mail servers do and when they do come back the mail is accepted. Most spammers and spam software are not compliant and not patient enough to try again. You will be surprised to see how effective this is. Anyway, follow the links below to really learn about it. There are as always pros and cons so do your homework before you put it on a production server.

Greylisting.org
Greylisting on Wikipedia

There are several implementations of greylisting and it can be done with most any server. I will show you how to do it on a Debian with Postfix running as MTA with Postgrey. The steps from this guide will work for all Debian versions from Debian 3.1 (sarge) to 8 (jessie).

Install Postgrey

I assume you have a working Postfix installation.

If you use apt-get to install Postgrey the requirements will be handled automagically. However, if you install from source you will have to check it manually.

Requirements for Postgrey are:

  • Perl >= 5.6.0
  • Net::Server (Perl Module)
  • IO::Multiplex (Perl Module)
  • BerkeleyDB (Perl Module)
  • Berkeley DB >= 4.1 (Library)

I’ll recommend installing the Postgrey package with apt.

First, we install the Postgrey package with:

apt-get -y install postgrey

This will install the Postgrey server on your machine. You might want to change some settings. The most annoying thing with greylisting is that it impose a delay on the delivery of mails. If you find the 5-minute delay, that is the default, to be a little too long you can set it to 1 minute. You can change this by editing /etc/default/postgrey. Change the default:

POSTGREY_OPTS="--inet=127.0.0.1:10023"

to:

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

However, I would suggest changing the defaults only after you have verified that everything works as expected. It is also worth noticing that a shorter delay will reduce the efficiency of the greylisting. Increasing the delay to an hour will be harder on spam but also harder on your users patience. 🙂

Now start the Postgrey policy server with:

service postgrey start

The Postgrey policy service should now be up and running on port 10023.

Now let’s configure Postfix to use Postgrey.

Configure Postfix

The Postfix configuration files are located in /etc/postfix. Edit /etc/postfix/main.cf and add check_policy_service inet:127.0.0.1:10023 to the smtpd_recipient_restrictions. It should look something like this:

smtpd_recipient_restrictions = permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           check_policy_service inet:127.0.0.1:10023

Now all we have to do is to reload the Postfix configuration with:

postfix reload

Simple and nice. Sit back and enjoy the absence of spam 🙂