{"id":2769,"date":"2018-06-12T08:32:40","date_gmt":"2018-06-12T08:32:40","guid":{"rendered":"https:\/\/tst-amo.net.ua\/blog\/?p=2769"},"modified":"2018-06-12T19:43:18","modified_gmt":"2018-06-12T19:43:18","slug":"postgrey-postfix","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=2769","title":{"rendered":"Postgrey + Postfix"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/wiki.centos.org\/HowTos\/postgrey?action=AttachFile&amp;do=get&amp;target=postgrey-en.png\" \/><\/p>\n<p>Update the ports tree:<\/p>\n<pre># portsnap fetch update<\/pre>\n<p>Install Postgrey and enable it at boot:<\/p>\n<pre># portmaster mail\/postgrey\r\n# echo 'postgrey_enable=\"YES\"' &gt;&gt; \/etc\/rc.conf<\/pre>\n<p>Start it and check its status:<\/p>\n<pre># service postgrey start\r\n# service postgrey status<\/pre>\n<p>Edit the Postfix configuration file, inserting the line highlighted below into the <span style=\"color: #ff0000;\">smtpd_recipient_restrictions<\/span> section after the <span style=\"color: #ff0000;\">reject_unauth_destination<\/span> parameter<strong>:<\/strong><\/p>\n<pre># ee \/usr\/local\/etc\/postfix\/main.cf\r\n.....\r\nsmtpd_recipient_restrictions =\r\n   check_client_access hash:\/usr\/local\/etc\/postfix\/blacklist-IP\r\n   permit_mynetworks\r\n   permit_sasl_authenticated\r\n   check_recipient_access 
hash:\/usr\/local\/etc\/postfix\/recipient-list\r\n   reject_non_fqdn_recipient\r\n   reject_unauth_destination\r\n   <span style=\"color: #ff0000;\">check_policy_service inet:127.0.0.1:10023<\/span>\r\n   reject_unknown_recipient_domain\r\n   reject_unverified_recipient\r\n   permit\r\n.....<\/pre>\n<ul>\n<li><strong>\/usr\/local\/etc\/postfix\/postgrey_whitelist_clients<\/strong>\u00a0&#8211; add trusted domains to this list. Mail from these domains will be accepted, bypassing the\u00a0<strong>Greylist<\/strong>;<\/li>\n<li><strong>\/usr\/local\/etc\/postfix\/postgrey_whitelist_recipients<\/strong>\u00a0&#8211;\u00a0e-mail addresses of users for whom the\u00a0<strong>Greylist<\/strong>\u00a0will be disabled.<\/li>\n<\/ul>\n<p class=\"rtejustify\">Restart Postfix:<\/p>\n<pre># service postfix restart<\/pre>\n<p>Send yourself a message and look for output like this in the logs:<\/p>\n<pre>...: Recipient address rejected: Greylisted, see http:\/\/postgrey.schweikert.ch\/help\/tst-amo.net.ua.html (in reply to RCPT TO command))<\/pre>\n<h4 id=\"head-78d9f739ec1f00c2e2a2d3e11fabc2b2f4bb5ce6\">Whitelisting<\/h4>\n<p 
class=\"line874\">In postgrey it's possible to whitelist senders as well as recipients. To whitelist a host, add its fully qualified domain name or its IP address to the \/etc\/postfix\/postgrey_whitelist_clients.local file, e.g.:<span id=\"line-148\" class=\"anchor\"><\/span><span id=\"line-149\" class=\"anchor\"><\/span><\/p>\n<pre>192.168.1.10\r\n<span id=\"line-151\" class=\"anchor\"><\/span>mydesktop.office.mydomain.com\r\n<span id=\"line-152\" class=\"anchor\"><\/span><\/pre>\n<p class=\"line874\">Now email received from either 192.168.1.10 or mydesktop.office.mydomain.com will not be greylisted; it will be accepted immediately (as long as it's valid and passes all Postfix rules). To whitelist a recipient instead, add the username part of their email address to the \/etc\/postfix\/postgrey_whitelist_recipients file, e.g.:<span id=\"line-154\" class=\"anchor\"><\/span><span id=\"line-155\" class=\"anchor\"><\/span><\/p>\n<pre>postmaster@\r\n<span id=\"line-157\" class=\"anchor\"><\/span>abuse@\r\n<span id=\"line-158\" class=\"anchor\"><\/span>theboss@\r\n<span id=\"line-159\" class=\"anchor\"><\/span><\/pre>\n<p class=\"line874\">Now email for any of these addresses won't be greylisted and will be accepted right away. Note that postgrey already comes with whitelist entries for postmaster and abuse.<\/p>\n<h4 id=\"head-70ed10e62fb7da94deb39a987e1e4e205c2ae2c5\">Reporting<\/h4>\n<p class=\"line874\">Postgrey includes a reporting tool called postgreyreport. It's installed by default when you install the postgrey rpm. Postgreyreport parses a maillog (read from STDIN), compares it with the postgrey db and outputs details on all &#8216;fatal&#8217; greylist entries. A host is considered &#8216;fatally&#8217; greylisted when it does not retry within 300 seconds from its first attempt at email delivery for a specific destination. 
Postgreyreport uses the complete triple as a candidate. You can tune this delay of 300 seconds using the command line option --delay; however, 300 is a good benchmark. Most mail servers will retry within 300 seconds.<span id=\"line-113\" class=\"anchor\"><\/span><span id=\"line-114\" class=\"anchor\"><\/span><\/p>\n<p class=\"line874\">Basic usage:<span id=\"line-115\" class=\"anchor\"><\/span><span id=\"line-116\" class=\"anchor\"><\/span><\/p>\n<pre>cat \/var\/log\/maillog | postgreyreport --delay=300\r\n<span id=\"line-118\" class=\"anchor\"><\/span><\/pre>\n<p class=\"line874\">Depending on how busy your server is, the report can get quite large. To get only the top 20 sources being greylisted, you can use something like this:<span id=\"line-120\" class=\"anchor\"><\/span><span id=\"line-121\" class=\"anchor\"><\/span><\/p>\n<pre>cat \/var\/log\/maillog | postgreyreport | awk '{print $1}' | sort | uniq -c | sort -nr | head -n20\r\n<span id=\"line-123\" class=\"anchor\"><\/span><\/pre>\n<p class=\"line874\">To get a list of the top 20 email addresses that the greylisted sources are sending email to:<span id=\"line-125\" class=\"anchor\"><\/span><span id=\"line-126\" class=\"anchor\"><\/span><\/p>\n<pre>cat \/var\/log\/maillog | postgreyreport | awk '{print $4}'  | sort  | uniq -c | sort -nr | head -n20\r\n<span id=\"line-128\" class=\"anchor\"><\/span><\/pre>\n<p class=\"line874\">To get a list of all options that postgreyreport supports and their functions:<span id=\"line-130\" class=\"anchor\"><\/span><span id=\"line-131\" class=\"anchor\"><\/span><\/p>\n<pre>postgreyreport -h<\/pre>\n<p><a href=\"http:\/\/muff.kiev.ua\/content\/postgrey-serye-spiski-dlya-postfix\">http:\/\/muff.kiev.ua\/content\/postgrey-serye-spiski-dlya-postfix<\/a><br \/>\n<a href=\"https:\/\/wiki.centos.org\/HowTos\/postgrey\">https:\/\/wiki.centos.org\/HowTos\/postgrey<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update the ports tree: # portsnap fetch update Install Postgrey and enable it at boot: # portmaster mail\/postgrey # echo &#8216;postgrey_enable=&#8221;YES&#8221;&#8216; &gt;&gt; \/etc\/rc.conf Start it and check its status: # service postgrey start # service postgrey status Edit the Postfix configuration file, inserting a line into the smtpd_recipient_restrictions section after the reject_unauth_destination parameter: # ee \/usr\/local\/etc\/postfix\/main.cf &#8230;.. 
smtpd_recipient_restrictions = check_client_access hash:\/usr\/local\/etc\/postfix\/blacklist-IP permit_mynetworks permit_sasl_authenticated check_recipient_access hash:\/usr\/local\/etc\/postfix\/recipient-list reject_non_fqdn_recipient reject_unauth_destination check_policy_service inet:127.0.0.1:10023 reject_unknown_recipient_domain &#8230;<\/p>\n<p><a href=\"https:\/\/tst-amo.net.ua\/blog\/?p=2769\" class=\"more-link\">Continue reading &lsquo;Postgrey + Postfix&rsquo; &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,7,122,117],"tags":[],"class_list":["post-2769","post","type-post","status-publish","format-standard","hentry","category-freebsd","category-mail","category-postgrey","category-spam"],"_links":{"self":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2769"}],"collection":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2769"}],"version-history":[{"count":6,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2769\/revisions"}],"predecessor-version":[{"id":2778,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2769\/revisions\/2778"}],"wp:attachment":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/b
log\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}