nav-left cat-right
cat-right

Postgrey

3.10 Postgrey

Postgrey is a charming little piece of work by David Schweikert that cut down my email spam by 90%. For real. Maybe 95%. The first time I installed it, I actually spent the better part of an entire day watching the mail logs scroll by, rejecting spam after spam. It was a beautiful sight. The theory is simple: A good portion of spammers use distributed bot networks (ie. infected Windows machines) to send out spam. By sending out a control signal, the "bot-master" can have an infected computer process and send a piece of spam. You could describe these bots as using a "pump and dump" method. They connect to a mail server, dump out a spam, and disappear into the void. With a network of thousands of machines, it's easy for a spammer to send a large number of spams very quickly without using a centralized location that can be blocked.

The way Postgrey works is that every time your server receives an incoming email connection, it says "Hey, I'm busy here. Try again later", even if it's not busy. This is a perfectly acceptable response in the gloomy world of mail protocols. Any valid email server doing the sending will simply think "Hmm, looks like Blake's server is busy. I'll queue that piece of mail and try it again in a few minutes." Here's the key point: spam bots aren't valid email servers. Most don't even wait around for a response after they've hurled their spam at you. They won't try again. In the meantime, when Yahoo's valid server comes back and says "Hey, I'm back, can you take this mail yet?", Postgrey recognizes that Yahoo tried a previous delivery, and thinks "Odds are you're not a spammer. Sure, I'll take that."

It's genius. Some spammers are adapting to this technique, but by doing so, they have to sacrifice a significant portion of their spamming resources in order to get their mail to you (they have to queue mail, wait for re-trys, etc). So it's win-win, even if you do still get the occasional spam. I'm serious when it cuts back 90% though. It's an amazing difference.

There's a downside of course, and that is that all mail deliveries are delayed, even valid ones. This means that Postgrey may not be a viable solution for a large business or one that deals with extremely time-sensitive email. If that's the case, more traditional filtering methods will have to be used. For me however, it works and it works well.

So here we go. See http://www.howtoforge.com/greylisting_postfix_postgrey for more.

3.10.1 Install Postgrey

First we configure yum to be able to work with the Dag package repository, as the postgrey packages can be found there.

  • sudo su -
  • cd /etc/yum.repos.d
  • vi Dag.repo

Paste the following and save:

#The Dag package repository where Postgrey resides, among others.
[Dag]
name=Dag APT Repository
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

Now:

  • yum check-update
  • yum install postgrey

You may have to install a GPG key for some of the Perl packages that come as dependencies.

This install happily creates the 'postgrey' user to run itself under, and once again to my delight, includes a chkconfig startup script for us in /etc/init.d/postgrey, so we can use my ever-favourite service commands to start and stop postgrey.

At this point I'll disable the Dag repository again so that yum doesn't check it every time. I'd rather just use the official repositories for most things. Do a sudo vi /etc/yum.repos.d/Dag.repo and set:

enabled=0

3.10.2 Configuring Postgrey

The service script references a source file for run-time options, located in /etc/sysconfig/postgrey. You may want to adjust the default greylisting delay of 10 minutes to something smaller. This reduces the effectiveness of greylisting, but also reduces delivery delay. Find your balance. I also tweak the default greylist text that gets logged in the mail log. Therefore, the entire contents of my /etc/sysconfig/postgrey file contains:

OPTIONS="--inet=127.0.0.1:60000 --delay=300 --greylist-text=\"Temporarily grey-listed. Try again shortly.\""

We also need to tell Postfix to consult the Postgrey service whenever it received an email. The following option set in the Postfix main configuration file /etc/postfix/main.cf will do it (note that it's only the last line that activates Postgrey, the rest are other restrictions you may or may not want):

#Activate greylisting service
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:60000

That's it! Start up Postgrey and reload Postfix's configuration file:

  • service postgrey start
  • service postfix reload

Don't forget to turn the Postgrey service on as well.

  • chkconfig postgrey on

Run a tail -f /var/log/maillog and send yourself an email. Note the rejection message that scrolls by. Send yourself another one and it'll get through instantly, as Postgrey will recognize the combination of to/from addresses and the sending email server signature. Don't despair about the first email… it'll get through soon, generally within an hour, usually less.

Suck on it, spammers.

« Prev: PostfixIndexNext: Dovecot »
  • Digg
  • del.icio.us
  • DotNetKicks
  • Slashdot
  • StumbleUpon