o As soon as a CLIENT IP / SENDER couple is accepted, it is added to an AWL. The couple expires when it isn't seen for more than awl-age days (60 is the default).
o If group-domain-level SENDERs or more (2 is the default) from the same
domain use the same CLIENT IP, another AWL is used, based on a
CLIENT IP / DOMAIN couple.
This couple expires after awl-age days too. This AWL is meant to be used
on high throughput sites in order to :
It can be disabled by setting group-domain-level to 0.
When an SMTP client has been accepted once and its IP isn't dynamic, greylisting the IP again when it sends another e-mail is only a waste of time: we already know that this IP runs an RFC-compliant MTA (at least as far as 4xx error code handling goes) and will get the new e-mail through anyway.
In the case of mail relays, these AWLs work very well as the same senders and mail domains are constantly coming through the same IP addresses -> the e-mails are quickly accepted on the first try. In the case of individual SMTP servers, this works well if the IP is fixed too. When using a floating IP address, the AWLs are defeated, but it should be the least common case by far.
Why do we put the domain in the AWL and not the IP only? If we only stored IP addresses, polluting the AWL would be far too easy. It would only take one correctly configured MTA sending one e-mail from one IP one single time to put that IP in a whitelist that would then be used whatever future mails from this IP look like.
With this AWL system, one single mail can only allow whitelisting of mails from a single sender from the same IP...
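The two AWLs described above, as an added example that is not SQLgrey's own code: a simplified in-memory Python model (SQLgrey itself keeps these couples in SQL tables). The class, method and table names are hypothetical, the addresses are constructed, and only the awl-age and group-domain-level defaults come from this page.

```python
from datetime import datetime, timedelta

def domain_of(sender):
    return sender.rsplit("@", 1)[-1].lower()

class AutoWhitelist:
    """Simplified in-memory model of the two AWLs (not SQLgrey's code)."""

    def __init__(self, awl_age=60, group_domain_level=2):  # defaults from the page
        self.max_age = timedelta(days=awl_age)
        self.group_domain_level = group_domain_level
        self.from_awl = {}    # (client_ip, sender) -> last seen
        self.domain_awl = {}  # (client_ip, domain) -> last seen

    def _fresh(self, table, key, now):
        """True if the couple exists and was seen within awl-age days."""
        seen = table.get(key)
        if seen is not None and now - seen > self.max_age:
            del table[key]  # expired: drop the couple
            return False
        return seen is not None

    def is_whitelisted(self, ip, sender, now):
        """Check both AWLs; a hit refreshes the couple's last-seen time."""
        sender = sender.lower()
        for table, key in ((self.domain_awl, (ip, domain_of(sender))),
                           (self.from_awl, (ip, sender))):
            if self._fresh(table, key, now):
                table[key] = now
                return True
        return False

    def record_accepted(self, ip, sender, now):
        """Call after a CLIENT IP / SENDER couple has passed greylisting."""
        sender = sender.lower()
        self.from_awl[(ip, sender)] = now
        if self.group_domain_level <= 0:
            return  # domain AWL disabled
        domain = domain_of(sender)
        peers = [k for k in list(self.from_awl)
                 if k[0] == ip and domain_of(k[1]) == domain
                 and self._fresh(self.from_awl, k, now)]
        if len(peers) >= self.group_domain_level:
            self.domain_awl[(ip, domain)] = now

if __name__ == "__main__":  # constructed addresses
    awl, t0 = AutoWhitelist(), datetime(2024, 1, 1)
    awl.record_accepted("192.0.2.10", "alice@example.org", t0)
    print(awl.is_whitelisted("192.0.2.10", "mallory@example.net", t0))  # other sender
```

Keying on the couple rather than on the IP alone is what keeps a single accepted mail from whitelisting every later sender on that address.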
o Create a sqlgrey user. This will be the user the daemon runs as.
o When using a full-fledged DBMS (MySQL and PostgreSQL, not SQLite), create a sqlgrey db user and a sqlgrey database. Grant access to the newly created database to sqlgrey.
o Use the packaged init script to start sqlgrey at boot and start it manually.
o Start by adding check_policy_service after reject_unauth_destination in /etc/postfix/main.cf :
smtpd_recipient_restrictions = ... reject_unauth_destination check_policy_service inet:127.0.0.1:2501
o Be aware that some servers do not behave correctly and do not resend mails (as required by the standard) or use unique return addresses. This is the reason why you should maintain whitelists for them.
SQLgrey comes with a comprehensive whitelisting system. It can even be configured to fetch up-to-date whitelists from a repository. See the HOWTO for the details.
If you want to disable greylisting for some users you can configure Postfix like this:
Then you'll add a check_recipient_access in main.cf before the check_policy_service:
See <http://www.greylisting.org/> for a description of what greylisting is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a description of how Postfix policy servers work.
Copyright (c) 2004 by Lionel Bouton.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Lionel Bouton <email@example.com>
perl v5.20.3    SQLGREY (1)    2016-04-04