Greylisting is a technique that helps prevent spam from entering your inbox. It is related to whitelisting and blacklisting. Every time a given mailbox receives an email from an unknown contact (IP), that mail is rejected with a “try again later” message (this happens at the SMTP layer and is transparent to the end user). In the short run this means that all mail gets delayed at least until the sender tries again, but this is where spam loses out! Most spam is not sent out using RFC-compliant MTAs; the spamming software will not try again later. For more information on the workings of greylisting you could read: Greylisting.org
I’ve chosen SQLGrey as it is a good solution and it is very simple to install and operate. SQLGrey is written in Perl, which is available on every Mac, and uses MySQL for data storage, but to get it working we will need to add some mandatory Perl modules.
As not many people use Perl on a daily basis it would be good to update the CPAN installation. Execute the following command and accept all the default values:
sudo perl -MCPAN -e 'install Bundle::CPAN'
Next the MySQL module:
sudo perl -MCPAN -e 'install Bundle::DBD::mysql'
Next are the Net::Server and IO::Multiplex modules:
sudo perl -MCPAN -e 'install Net::Server'
sudo perl -MCPAN -e 'install IO::Multiplex'
When all the Perl modules are installed we are ready to create the database for SQLGrey.
Start up a mysql session and enter the following commands to create the SQLGrey database and user:
CREATE DATABASE sqlgrey;
GRANT ALL ON sqlgrey.* TO sqlgrey@localhost identified by 'sqlgreypassword';
At the first startup of SQLGrey the tables and all will be created automatically. The next step is to create a dedicated user called ‘sqlgrey’ for running the SQLGrey daemon.
sudo dscl . -create /Users/_sqlgrey
sudo dscl . -create /Users/_sqlgrey UserShell /usr/bin/false
sudo dscl . -create /Users/_sqlgrey UniqueID 103
sudo dscl . -create /Users/_sqlgrey PrimaryGroupID 27
sudo dscl . -create /Users/_sqlgrey NFSHomeDirectory /var/empty
sudo dscl . -passwd /Users/_sqlgrey ''
If you’ve downloaded SQLGrey from SourceForge, unpack it and ‘cd’ into the source directory. First we need to make some changes to the Makefile to make sure that everything gets installed in the proper directories:
INSTALL = install
ETCDIR = $(ROOTDIR)/etc
CONFDIR = $(ETCDIR)/sqlgrey
SBINDIR = $(ROOTDIR)/sbin
BINDIR = $(ROOTDIR)/bin
INITDIR = $(ETCDIR)/init.d
MANDIR = $(ROOTDIR)/share/man/man1
When you’ve changed this, run the following command (the optional -e ROOTDIR stuff makes sure that everything is installed in /usr/local as we try to do with all the other installations):
sudo make -e ROOTDIR=/usr/local install
Next you need to edit the configuration file called ‘sqlgrey.conf’ in the directory ‘/etc/sqlgrey/’. I only show you the changes that are different from the default settings:
conf_dir = /usr/local/etc/sqlgrey
user = _sqlgrey
group = _postfix
db_type = mysql
db_name = sqlgrey
db_host = localhost
db_port = default
db_user = sqlgrey
db_pass = sqlgreypassword
admin_mail = email@example.com
Next you need to create some extra files in the configuration directory for whitelist purposes:
sudo touch /usr/local/etc/sqlgrey/clients_ip_whitelist.local
sudo touch /usr/local/etc/sqlgrey/clients_fqdn_whitelist.local
To test whether everything is configured correctly, you can start SQLGrey from the command line as follows (the -f option makes sure you use the correct config file):
sudo /usr/local/sbin/sqlgrey -f /usr/local/etc/sqlgrey/sqlgrey.conf -d &
You should see some logging appear in the /var/log/mail.log file, the database tables should be created and a .pid file should appear in
If everything looks all right you can change the postfix configuration to use the greylisting option. You’ll need to edit ‘main.cf’ in ‘/usr/local/etc/postfix’: change the section with ‘smtpd_recipient_restrictions’ and add the line as shown below. Please note the difference when using DSpam:
Without DSpam:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    warn_if_reject,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    # added line:
    check_policy_service inet:127.0.0.1:2501,
    permit
With DSpam:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    warn_if_reject,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    # added line:
    check_policy_service inet:127.0.0.1:2501,
    check_client_access pcre:/usr/local/etc/postfix/dspam_filter_access
To activate the changes in postfix run the command:
sudo /usr/local/sbin/postfix reload
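To show what Postfix and the policy service on port 2501 exchange, and how the “try again later” rule from the introduction works, here is a simplified model of a greylisting decision, added as an illustration; it is not SQLGrey's code and not part of the original article. The class and function names, the 300-second delay, the sample request and the wildcard matching of whitelist entries such as *.apple.com are assumptions of this example; the request attributes and the defer_if_permit and dunno replies are those of Postfix's policy delegation protocol.

```python
import time

def parse_request(raw):
    """Parse a Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Greylist:
    """Simplified in-memory greylist (SQLGrey itself keeps its state in MySQL)."""
    def __init__(self, delay=300, fqdn_whitelist=()):
        self.delay = delay                  # assumed minimum wait before a retry is accepted
        self.first_seen = {}                # (client IP, sender, recipient) -> first attempt
        self.whitelist = [p.lower() for p in fqdn_whitelist]

    def whitelisted(self, client_name):
        name = client_name.lower()
        for pat in self.whitelist:
            # Assumed semantics: "*.apple.com" matches any host below apple.com.
            if name == pat or (pat.startswith("*.") and name.endswith(pat[1:])):
                return True
        return False

    def check(self, raw, now=None):
        """Return the policy reply Postfix expects: an action line plus an empty line."""
        now = time.time() if now is None else now
        a = parse_request(raw)
        if self.whitelisted(a.get("client_name", "")):
            return "action=dunno\n\n"
        triplet = (a.get("client_address"), a.get("sender", "").lower(),
                   a.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # Temporary (4xx) rejection: a compliant MTA queues the mail and retries.
            return "action=defer_if_permit Greylisted, please try again later\n\n"
        return "action=dunno\n\n"           # let the remaining restrictions decide

# Constructed sample request, as Postfix would send it at RCPT TO time.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nclient_name=mail.example.net\n"
          "sender=alice@example.net\nrecipient=bob@example.org\n\n")

if __name__ == "__main__":
    g = Greylist(fqdn_whitelist=["*.apple.com"])
    print(g.check(SAMPLE, now=0), g.check(SAMPLE, now=60), g.check(SAMPLE, now=600))
```

The first two attempts are deferred and the retry after the delay is passed on with dunno, which is why check_policy_service has to come after reject_unauth_destination and before the final permit.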
You can now test the complete setup by sending yourself an email using an external mail server like Gmail.
I had to add the following domains to the file clients_fqdn_whitelist.local to make sure that these domains were able to deliver their email:
*.apple.com
*.google.com
*.ebay.com