<h1>Postscreen – Greylisting in Postfix</h1>
<p>Published 2012-08-18, last modified 2017-02-22. Source: <a href="https://drfugazi.eu.org/en/postscreen-greylisting-postfix/">https://drfugazi.eu.org/en/postscreen-greylisting-postfix/</a></p>
<p>Greylisting is a well-known anti-spam technique. The idea rests on the observation that spamming hosts (zombies) do not retry: they try to send as much spam as possible in the shortest possible time, connecting to many mail servers and pushing the message out without even waiting for the server's reply. A legitimate mail server, by contrast, introduces itself, waits for the server's reply and only then starts the transaction. If it receives a temporary error (a 4xx reply) it queues the message and retries after a defined interval (for example 5 minutes). Greylisting exploits exactly this difference: the first delivery attempt from an unknown client is answered with a 4xx reply, and only a client that comes back later is let through.</p>
<p>Implementing greylisting brings tangible benefits to a mail system. Greylisting can reject well over 90% of the traffic arriving at a mail server, and it does so at the session level, which is a huge benefit for performance because no resources are spent on processing the message itself. The general rule is to reject junk as early as possible: whatever can be rejected at the session level never has to be scanned by the antivirus and anti-spam engines. The cost of greylisting is that messages from new senders arrive a few minutes late, because the sending server has to repeat the transmission. False positives are rare and usually come from a misconfigured sending server, typically one that treats a 4xx reply as permanent and never retries.</p>
<p>One widely known and widely used greylisting solution is <a href="http://postgrey.schweikert.ch/">Postgrey – Postfix Greylisting Policy Server</a> written by <a href="http://david.schweikert.ch/">David Schweikert</a>.</p>
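<p>The mechanism described above, as an added example that is not part of the original post and not Postgrey's code: a minimal triplet greylister in Python with an injected clock, replaying a legitimate MTA that retries after five minutes against a zombie that fires once and never returns. The 5-minute delay, the two TTLs, the reply texts and the addresses in the scenario are this example's own assumptions; Postgrey's real database layout and matching rules are not reproduced.</p>

```python
"""Minimal triplet greylisting, added as an example for this post (not Postgrey's code).

The first delivery attempt for an unknown (client IP, sender, recipient)
triplet gets a temporary failure; a retry after the configured delay is
accepted and the triplet is remembered. The clock is passed in explicitly so
the behaviour can be replayed deterministically.
"""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300        # seconds the client must wait before retrying (assumption: 5 minutes)
TRIPLET_TTL = 36 * 3600     # pending triplets not retried within this time are forgotten (assumption)
WHITELIST_TTL = 35 * 86400  # proven triplets stay whitelisted this long after last use (assumption)

TEMPFAIL = "450 4.2.0 Greylisted, please try again later"   # reply text is an assumption
ACCEPT = "DUNNO"   # Postfix policy action: no objection, continue with the next restriction


@dataclass
class Greylister:
    delay: int = GREYLIST_DELAY
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    whitelist: dict = field(default_factory=dict)    # triplet -> time of last accepted use

    def _expire(self, now: float) -> None:
        self.first_seen = {k: t for k, t in self.first_seen.items() if now - t < TRIPLET_TTL}
        self.whitelist = {k: t for k, t in self.whitelist.items() if now - t < WHITELIST_TTL}

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return the policy action for one RCPT TO from this client at time `now`."""
        self._expire(now)
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.whitelist:              # known good triplet: let it through
            self.whitelist[key] = now
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None:                      # never seen: record it and ask the client to retry
            self.first_seen[key] = now
            return TEMPFAIL
        if now - first < self.delay:           # retried too early: still greylisted
            return TEMPFAIL
        del self.first_seen[key]               # retried after the delay: promote to whitelist
        self.whitelist[key] = now
        return ACCEPT


def replay(events):
    """Replay (time, ip, sender, recipient) events and return the action taken for each."""
    g = Greylister()
    return [g.check(ip, frm, to, t) for t, ip, frm, to in events]


# Constructed scenario (not real traffic): a legitimate MTA that retries after
# 5 minutes versus a zombie that tries once and never comes back.
SCENARIO = [
    (0,    "203.0.113.10", "alice@example.org", "bob@mydomain.tld"),  # legit, first try
    (0,    "198.51.100.7", "x@spam.example",    "bob@mydomain.tld"),  # zombie, first and only try
    (60,   "203.0.113.10", "alice@example.org", "bob@mydomain.tld"),  # legit retried too early
    (330,  "203.0.113.10", "alice@example.org", "bob@mydomain.tld"),  # legit, after the delay
    (3600, "203.0.113.10", "alice@example.org", "bob@mydomain.tld"),  # next message, whitelisted
]

if __name__ == "__main__":
    for event, action in zip(SCENARIO, replay(SCENARIO)):
        print(f"t={event[0]:>5}s {event[1]:<14} {action}")
```

<p>The zombie's triplet is only ever seen once, so it never reaches the whitelist and is simply forgotten after <code>TRIPLET_TTL</code>; the legitimate sender pays the delay once per triplet and is accepted without delay afterwards.</p>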
<p>Postgrey is written in Perl and we used it successfully for several years. We have since switched to <a href="http://www.postfix.org/POSTSCREEN_README.html">Postscreen</a>, which has been part of Postfix since version 2.8: a single process that sits in front of the real SMTP server processes, runs cheap tests against every new client, and hands the connection to <code>smtpd</code> only once the client has passed.</p>
<p>Postscreen configuration is simple and well described in the <a href="http://www.postfix.org/POSTSCREEN_README.html">Postscreen HOWTO</a>. To enable the mechanism and watch it work, without enabling the greylisting behaviour yet, you only need to add a few lines to the Postfix configuration (<code>main.cf</code>) and modify <code>master.cf</code>: the <code>smtp</code> service on port 25 is served by <code>postscreen</code> instead of <code>smtpd</code>, <code>smtpd</code> becomes a <code>pass</code> service that receives the connections postscreen has accepted, and the <code>dnsblog</code> and <code>tlsproxy</code> helpers must be defined (postscreen uses them for DNSBL lookups and for STARTTLS). See below:</p>
<pre>
#smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
dnsblog   unix  -       -       -       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy
</pre>
<p>Create the <code>postscreen_access.cidr</code> file (networks listed there with <code>permit</code> skip every postscreen test, as do the networks in <code>mynetworks</code>) and add to <code>main.cf</code>:</p>
<pre>
postscreen_blacklist_action = ignore
postscreen_access_list =
        permit_mynetworks
        cidr:/etc/postfix/postscreen_access.cidr

postscreen_greet_action = ignore
postscreen_greet_banner = Spammers may talk now :)
</pre>
<p>(Postfix 3.6 renamed <code>postscreen_blacklist_action</code> to <code>postscreen_denylist_action</code>; check <code>postconf</code> on your version.) For testing, both actions are set to <code>ignore</code>, so there is no impact on the system yet, but if you run <code>telnet mydomain.tld 25</code> you will see a greeting like this:</p>
<pre>
Trying <ip_address>...
Connected to mydomain.tld.
Escape character is '^]'.
220-Spammers may talk now :)
</pre>
<p>And after a few seconds you receive the second line:</p>
<pre>
220 mydomain.tld ESMTP Postfix
</pre>
<p>Why after a few seconds?
That's because a legitimate server waits for that final line, whereas spammers in most cases do not wait for the server's answer and start pushing the message straight away. Postscreen calls this the pregreet test: the multi-line <code>220-</code> banner followed by a pause is the bait, and a client that sends anything before the final <code>220 mydomain.tld ESMTP Postfix</code> line has broken the SMTP protocol, which requires the client to wait for the greeting. While the action is still <code>ignore</code>, postscreen only logs such clients (look for <code>PREGREET</code> lines in the mail log), so you can measure how much traffic the test would catch before it costs anything. If you change <code>ignore</code> to <code>enforce</code> or <code>drop</code>, Postscreen starts rejecting these connections. The difference is that <code>enforce</code> lets the client finish the tests, logs the helo/sender/recipient information and rejects every delivery attempt with a 550 reply, while <code>drop</code> closes the connection immediately with a 521 reply. I recommend <code>enforce</code>, especially at the beginning, so that sender and recipient are in the logs and you can check that there are no false positives.</p>
<p>At this stage you can also enable DNSBL checks. With the settings below a client must be listed in <code>zen.spamhaus.org</code> (weight 2) and in at least one of the other lists (weight 1 each) to reach the threshold of 3 and be rejected; a client listed in all three scores 4. Each listing site counts once, no matter how many answers it returns. You can of course choose your own weights and DNSBL servers:</p>
<pre>
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
        zen.spamhaus.org*2
        bl.spamcop.net*1
        b.barracudacentral.org*1
</pre>
<p>After a Postfix restart you should see entries like these in the log. Note that <code>zen.spamhaus.org</code> answered twice (127.0.0.11 and 127.0.0.4) but its weight of 2 is counted only once, so the rank is 4 and not 6, and that the six seconds between <code>CONNECT</code> and the rank line are the greeting pause during which <code>dnsblog</code> did the lookups:</p>
<pre>
Aug 17 15:30:40 mydomain.tld postfix/postscreen[31984]: CONNECT from [41.205.39.169]:4308
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32089]: addr 41.205.39.169 listed by domain zen.spamhaus.org as 127.0.0.11
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32089]: addr 41.205.39.169 listed by domain zen.spamhaus.org as 127.0.0.4
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32088]: addr 41.205.39.169 listed by domain b.barracudacentral.org as 127.0.0.2
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32088]: addr 41.205.39.169 listed by domain bl.spamcop.net as 127.0.0.2
Aug 17 15:30:46 mydomain.tld postfix/postscreen[31984]: DNSBL rank 4 for [41.205.39.169]:4308
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: NOQUEUE: reject: RCPT from [41.205.39.169]:4308: 550 5.7.1 Service unavailable; client [41.205.39.169] blocked using zen.spamhaus.org; from=..., to=..., proto=ESMTP, helo=<cust169-39.205.41.netcabo.co.ao>
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: HANGUP after 3.2 from [41.205.39.169]:4308 in tests after SMTP handshake
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: DISCONNECT [41.205.39.169]:4308
</pre>
<p>A client that does not reach the threshold set in <code>postscreen_dnsbl_threshold</code> (here listed only by b.barracudacentral.org, rank 1) and passes the other tests is logged as <code>PASS NEW</code>, entered in postscreen's temporary whitelist and handed over to <code>smtpd</code>:</p>
<pre>
Aug 17 16:12:43 mydomain.tld postfix/postscreen[2391]: CONNECT from [173.232.32.14]:45116
Aug 17 16:12:43 mydomain.tld postfix/dnsblog[2416]: addr 173.232.32.14 listed by domain b.barracudacentral.org as 127.0.0.2
Aug 17 16:12:49 mydomain.tld postfix/postscreen[2391]: PASS NEW [173.232.32.14]:45116
Aug 17 16:22:26 mydomain.tld postfix/smtpd[2919]: connect from unknown[173.232.29.251]
Aug 17 16:22:26 mydomain.tld postfix/smtpd[2919]: 69AD180A94: client=unknown[173.232.29.251]
</pre>
<p>A client that has already been recorded as legitimate and comes back to deliver another message passes with status <code>PASS OLD</code>:</p>
<pre>
Aug 17 16:51:53 mydomain.tld postfix/postscreen[4493]: CONNECT from [213.134.151.158]:45226
Aug 17 16:51:59 mydomain.tld postfix/postscreen[4493]: PASS OLD [213.134.151.158]:45226
Aug 17 16:52:00 mydomain.tld postfix/smtpd[4496]: connect from mail.silfarm.com.pl[213.134.151.158]
Aug 17 16:52:00 mydomain.tld postfix/smtpd[4496]: 41B1780295: client=mail.silfarm.com.pl[213.134.151.158]
</pre>
<p>Postscreen also has a group of checks known as the deep protocol tests, which run after the 220 banner; a detailed description is in the <a href="http://www.postfix.org/POSTSCREEN_README.html#after_220">documentation</a>.
If a client passes these tests it is added to the temporary whitelist, but this first session is still rejected with a temporary failure (4XX) reply: the SMTP engine built into postscreen has already consumed part of the session and cannot hand it over to a real <code>smtpd</code> process in the middle of a transaction. When the client connects again it is passed to <code>smtpd</code> straight away and may deliver. This is precisely the greylisting effect of the title: a one-time delay for new clients, while zombies that never come back are never heard from again. The SMTP engine embedded in Postscreen does not implement AUTH, XCLIENT or XFORWARD (AUTH support may be added in a newer version). As long as these commands must be available on port 25 you should not enable the deep protocol tests. Good practice, however, is to serve submission on port 587 (STARTTLS) or 465 (implicit TLS), where postscreen is not involved; then <code>deep_protocol_test</code> can be enabled on port 25 without affecting your own users. To enable it, add the following directives to <code>main.cf</code>:</p>
<pre>
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes

postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes

postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
</pre>
<p>After the Postfix restart it is worthwhile, as always, to check the logs and watch whether the system behaves as expected. A description of each test is in the documentation mentioned above.</p>
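<p>To make that log check concrete, here is a small Python triage script, added here as an example and not a Postfix tool. It recomputes the DNSBL rank from the <code>dnsblog</code> lines with the weights configured above, counting each listing site once no matter how many answers it returned, and pairs the rank with postscreen's own verdict for each client address. The log lines it runs over are the ones quoted in this post; the regular expressions and the summary format are this example's own.</p>

```python
"""Triage of postscreen/dnsblog log lines, added as an example for this post (not a Postfix tool).

Recomputes the DNSBL rank with the weights from the main.cf fragment in the
post, one weight per listing site regardless of how many A records it
returned (which is why 41.205.39.169 scores 4, not 6), and records the verdict
postscreen logged for each client. The sample log is the one quoted in the post.
"""
import re
from collections import defaultdict

DNSBL_SITES = {"zen.spamhaus.org": 2, "bl.spamcop.net": 1, "b.barracudacentral.org": 1}
DNSBL_THRESHOLD = 3  # inclusive lower bound for blocking, as postscreen_dnsbl_threshold is

LISTED = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
CONNECT = re.compile(r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:\d+")
RANK = re.compile(r"postscreen\[\d+\]: DNSBL rank (\d+) for \[([^\]]+)\]:\d+")
PASSED = re.compile(r"postscreen\[\d+\]: (PASS NEW|PASS OLD) \[([^\]]+)\]:\d+")
REJECT = re.compile(r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[([^\]]+)\]:\d+: (\d{3})")
HANGUP = re.compile(r"postscreen\[\d+\]: HANGUP after \S+ from \[([^\]]+)\]:\d+")


def new_client():
    return {"listings": {}, "logged_rank": None, "verdict": None, "hangup": False}


def triage(lines):
    """Return {client_ip: summary}: deduplicated listings, recomputed rank, logged rank, verdict."""
    clients = defaultdict(new_client)
    for line in lines:
        if m := CONNECT.search(line):
            clients[m.group(1)]  # touching the defaultdict registers the client
        elif m := LISTED.search(line):
            ip, site, answer = m.groups()
            clients[ip]["listings"].setdefault(site, []).append(answer)  # keep every answer
        elif m := RANK.search(line):
            clients[m.group(2)]["logged_rank"] = int(m.group(1))
        elif m := PASSED.search(line):
            clients[m.group(2)]["verdict"] = m.group(1)
        elif m := REJECT.search(line):
            clients[m.group(1)]["verdict"] = "REJECT " + m.group(2)
        elif m := HANGUP.search(line):
            clients[m.group(1)]["hangup"] = True
    for c in clients.values():
        c["rank"] = sum(DNSBL_SITES.get(site, 0) for site in c["listings"])  # one weight per site
        c["over_threshold"] = c["rank"] >= DNSBL_THRESHOLD
    return dict(clients)


# The log lines quoted in the post (smtpd lines are ignored by the parser).
LOG = """\
Aug 17 15:30:40 mydomain.tld postfix/postscreen[31984]: CONNECT from [41.205.39.169]:4308
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32089]: addr 41.205.39.169 listed by domain zen.spamhaus.org as 127.0.0.11
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32089]: addr 41.205.39.169 listed by domain zen.spamhaus.org as 127.0.0.4
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32088]: addr 41.205.39.169 listed by domain b.barracudacentral.org as 127.0.0.2
Aug 17 15:30:40 mydomain.tld postfix/dnsblog[32088]: addr 41.205.39.169 listed by domain bl.spamcop.net as 127.0.0.2
Aug 17 15:30:46 mydomain.tld postfix/postscreen[31984]: DNSBL rank 4 for [41.205.39.169]:4308
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: NOQUEUE: reject: RCPT from [41.205.39.169]:4308: 550 5.7.1 Service unavailable; client [41.205.39.169] blocked using zen.spamhaus.org; from=..., to=..., proto=ESMTP, helo=<cust169-39.205.41.netcabo.co.ao>
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: HANGUP after 3.2 from [41.205.39.169]:4308 in tests after SMTP handshake
Aug 17 15:30:49 mydomain.tld postfix/postscreen[31984]: DISCONNECT [41.205.39.169]:4308
Aug 17 16:12:43 mydomain.tld postfix/postscreen[2391]: CONNECT from [173.232.32.14]:45116
Aug 17 16:12:43 mydomain.tld postfix/dnsblog[2416]: addr 173.232.32.14 listed by domain b.barracudacentral.org as 127.0.0.2
Aug 17 16:12:49 mydomain.tld postfix/postscreen[2391]: PASS NEW [173.232.32.14]:45116
Aug 17 16:22:26 mydomain.tld postfix/smtpd[2919]: connect from unknown[173.232.29.251]
Aug 17 16:51:53 mydomain.tld postfix/postscreen[4493]: CONNECT from [213.134.151.158]:45226
Aug 17 16:51:59 mydomain.tld postfix/postscreen[4493]: PASS OLD [213.134.151.158]:45226
Aug 17 16:52:00 mydomain.tld postfix/smtpd[4496]: connect from mail.silfarm.com.pl[213.134.151.158]
""".splitlines()

if __name__ == "__main__":
    for ip, c in triage(LOG).items():
        sites = ", ".join(f"{s}({len(a)})" for s, a in c["listings"].items()) or "-"
        print(f"{ip:<16} rank={c['rank']} logged={c['logged_rank']} "
              f"block={c['over_threshold']} verdict={c['verdict']} hangup={c['hangup']}  {sites}")
```

<p>A recomputed rank that disagrees with the <code>DNSBL rank</code> line postscreen logged is the quickest way to spot a weight or threshold in <code>main.cf</code> that differs from what you think is running.</p>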
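<p>Finally, the pregreet test and the three deep protocol tests, as an added example that is not part of the original post and not postscreen's own code: a toy screening server in Python that talks real SMTP over localhost to a polite client and to clients that misbehave in each of the ways described above. The half-second greeting pause, the reply texts and the verdict names are assumptions of this example; postscreen itself uses <code>postscreen_greet_wait</code> and its own logging, and in <code>enforce</code> mode rejects at RCPT with 550 rather than answering 250 as this toy does.</p>

```python
"""Toy postscreen-style front end, added as an example for this post (not postscreen's code).

It runs a real TCP exchange on localhost and applies the checks the post
describes: the two-line 220 banner with a pause (pregreet test) and the deep
protocol tests for pipelining, bare newlines and non-SMTP commands. The pause
length, banner and reply texts and the verdict names are this example's own
assumptions; the real implementation is postscreen(8) in Postfix.
"""
import select
import socket
import threading

GREET_PAUSE = 0.5  # seconds between "220-" and the final "220 " line (assumption)
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "VRFY", "STARTTLS"}


def screen(conn):
    """Talk SMTP to one accepted connection; return the set of tests the client failed."""
    found = set()
    try:
        conn.sendall(b"220-Spammers may talk now :)\r\n")
        if select.select([conn], [], [], GREET_PAUSE)[0]:
            found.add("PREGREET")  # client spoke before the banner was complete
        conn.sendall(b"220 mydomain.tld ESMTP Postfix\r\n")
        buf = b""
        while True:
            while b"\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return found  # client hung up
                buf += chunk
            line, buf = buf.split(b"\n", 1)
            if not line.endswith(b"\r"):
                found.add("BARE NEWLINE")  # LF that is not preceded by CR
            verb = line.rstrip(b"\r").split(b" ", 1)[0].upper().decode("ascii", "replace")
            if verb not in SMTP_VERBS:
                found.add("NON-SMTP COMMAND")  # e.g. an HTTP request aimed at port 25
            if b"\n" in buf or select.select([conn], [], [], 0)[0]:
                found.add("PIPELINING")  # next command already sent before our reply
            if verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return found
            conn.sendall(b"250 2.0.0 Ok\r\n")  # keep the client talking, decide afterwards
    except OSError:
        return found  # peer reset or timed out: keep what we found so far


def talk(port, commands, wait_for_banner=True, wait_for_replies=True):
    """Client side: a polite MTA waits for the banner and every reply; a bot does neither."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, s.makefile("rb") as f:
        if wait_for_banner:
            while (line := f.readline()) and not line.startswith(b"220 "):
                pass  # skip "220-" continuation lines
        for cmd in commands:
            s.sendall(cmd)
            if wait_for_replies:
                f.readline()


def run_session(commands, **client_flags):
    """Screen one client on an ephemeral localhost port and return the verdict set."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    verdict = {}

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        with conn:
            verdict["found"] = screen(conn)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        talk(srv.getsockname()[1], commands, **client_flags)
    finally:
        worker.join(timeout=10)
        srv.close()
    return verdict.get("found", set())


def demo():
    """Run the client behaviours discussed in the post; returns {name: failed tests}."""
    polite = [b"EHLO mail.example.org\r\n", b"MAIL FROM:<alice@example.org>\r\n", b"QUIT\r\n"]
    burst = b"EHLO x\r\nMAIL FROM:<a@b.example>\r\nRCPT TO:<c@d.example>\r\n"  # one write, three commands
    return {
        "legitimate MTA": run_session(polite),
        "spam bot": run_session(polite, wait_for_banner=False, wait_for_replies=False),
        "pipelining": run_session([burst, b"QUIT\r\n"]),
        "bare newline": run_session([b"EHLO mail.example.org\n", b"QUIT\r\n"]),
        "non-SMTP": run_session([b"GET / HTTP/1.0\r\n", b"QUIT\r\n"]),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:<16} {'PASS' if not found else ', '.join(sorted(found))}")
```

<p>The polite client passes every test because it only speaks after the final <code>220 </code> line and after each reply; the pipelining check is made before the server answers, which is exactly why a client that waits for replies can never trip it.</p>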