Based on a Debian 10 "Buster" environment.

milter-greylist

milter-greylist provides greylisting and some additional functionality. Simply applying greylisting to every connection has serious side effects, so milter-greylist can be configured to decide when greylisting is used.

Install

# apt install milter-greylist

Configuration

To run milter-greylist

Unfortunately, there is a long-standing issue: some tweaks are required to make milter-greylist work with Postfix.

The socket location in the configuration file and in the defaults file has to be changed from the example.
/etc/milter-greylist/greylist.conf

# For sendmail use the following two lines
#socket "/var/run/milter-greylist/milter-greylist.sock"   # Comment out sendmail configuration
#user "smmsp"                                             # Comment out sendmail configuration

# For Postfix uncomment the following two lines and comment out the
# sendmail ones above.
#socket "/var/run/milter-greylist/milter-greylist.sock" 660
socket "/var/spool/postfix/milter-greylist/milter-greylist.sock" 660  # Add socket location
#user "postfix"

/etc/default/milter-greylist
In addition to the SOCKET line, the service has to be enabled so that it starts.

# Change to one to enable milter-greylist
# Don't forget to edit the configuration file 
# /etc/milter-greylist/greylist.conf
ENABLED=1

# PIDFILE="/var/run/milter-greylist.pid"
SOCKET="/var/spool/postfix/milter-greylist/milter-greylist.sock"
# USER="root"

Greylisting configuration

milter-greylist has many capabilities. `man milter-greylist` describes what it does, and `man greylist.conf` gives the full explanation of the configuration.
In this case, configure /etc/milter-greylist/greylist.conf to act as follows.

  • Log to syslog
  • Localhost is whitelisted
  • Servers with "SPF pass" will be whitelisted
    • Except for "SPF self": this is milter-greylist's own SPF result. If the SPF test passes because of a bad record, for example "+all", milter-greylist reports it as "SPF self".
  • Every mail other than above will be greylisted.
  • Greylist interval time is 2 minutes

# Log milter-greylist activity to a file
#stat ">>/var/milter-greylist/greylist.log" \
#      "%T{%Y/%m/%d %T} %d [%i] %f -> %r %S (ACL %A) %Xc %Xe %Xm %Xh\n"
# Same, sent to syslog
stat "|logger -p local7.info" \
      "%T{%Y/%m/%d %T} %d [%i] %f -> %r %S (ACL %A) %Xc %Xe %Xm %Xh"

* snip *

# Your own network, which should not suffer greylisting
list "my network" addr { 127.0.0.1/8 10.0.0.0/8 192.0.2.0/24 ::1/128}    # Add IPv6

* snip *

# GeoIP: Need location to eliminate error logs (even if you don't use)
geoipdb "/usr/share/GeoIP/GeoIP.dat"

# Add global address for this server to enable "SPF self"
localaddr xxx.xxx.xxx.xxx

# Add greylist default
greylist 2m

# And here is the access list
racl whitelist list "my network"
racl greylist spf self
racl whitelist spf pass
racl greylist default

Now, milter-greylist should be ready to start.

# systemctl restart milter-greylist

Configure Postfix

Configure Postfix to use milter-greylist as one of the milters.
Add the following line to /etc/postfix/main.cf

# milter
smtpd_milters = unix:/milter-greylist/milter-greylist.sock

To connect to the milter-greylist socket, Postfix has to join the group greylist.

# adduser postfix greylist
# systemctl restart postfix
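
The socket path now appears in three files, and a mismatch between them is the usual reason Postfix cannot reach the milter. The following script is an added example, not part of the original page or of milter-greylist, that checks the three settings against each other. It assumes smtpd runs chrooted in the queue directory /var/spool/postfix, as the paths on this page imply, and that smtpd_milters is written on a single line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): consistency check for the
# three socket settings. Assumes smtpd runs chrooted in the queue directory.

# Active (uncommented) socket path in greylist.conf
conf_socket() {
    sed -n 's/^[[:space:]]*socket[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# SOCKET= value in /etc/default/milter-greylist
default_socket() {
    sed -n 's/^[[:space:]]*SOCKET=//p' "$1" | tr -d '"' | tail -n 1
}

# milter-greylist entry of smtpd_milters, mapped to the path outside the chroot
postfix_socket() {   # $1 = main.cf, $2 = Postfix queue directory
    rel=$(sed -n 's/^smtpd_milters[[:space:]]*=//p' "$1" | tr ',\t ' '\n\n\n' |
          sed -n 's/^unix://p' | grep milter-greylist | head -n 1)
    if [ -n "$rel" ]; then printf '%s/%s\n' "${2%/}" "${rel#/}"; fi
}

# Returns 0 when all settings agree, 1 on any mismatch (reasons on stdout)
check_sockets() {    # $1 greylist.conf  $2 default file  $3 main.cf  $4 queue dir
    c=$(conf_socket "$1"); d=$(default_socket "$2"); p=$(postfix_socket "$3" "$4")
    rc=0
    grep -q '^ENABLED=1' "$2" || { echo "ENABLED=1 missing in $2"; rc=1; }
    [ -n "$c" ] || { echo "no active socket line in $1"; rc=1; }
    [ "$c" = "$d" ] || { echo "SOCKET in $2 is '$d', greylist.conf has '$c'"; rc=1; }
    [ "$c" = "$p" ] || { echo "smtpd_milters resolves to '$p', greylist.conf has '$c'"; rc=1; }
    case "$c" in
        "${4%/}"/*) ;;
        *) echo "socket '$c' is outside $4, a chrooted smtpd cannot reach it"; rc=1 ;;
    esac
    return $rc
}

# Check the live files from this page when called with --live
if [ "${1:-}" = "--live" ]; then
    check_sockets /etc/milter-greylist/greylist.conf /etc/default/milter-greylist \
                  /etc/postfix/main.cf /var/spool/postfix
fi
```

Run it as root with `--live` after editing the files; it prints one line per disagreement and exits non-zero if any is found.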

Test

Now Postfix should pass mail to milter-greylist before Dovecot. Send a mail, then check the logs and the received mail's headers to see whether milter-greylist is working.
For troubleshooting, there is a log level parameter in /etc/milter-greylist/greylist.conf

# Be verbose (or use -v flag)
verbose

Authentication-Results header

milter-greylist does check SPF, but it doesn't add the "Authentication-Results" header. If you need this standard header, it can be added with some "addheader" tricks.
To add the 7 standard SPF results, add the following racl lines.

racl whitelist list "my network"
racl continue spf self addheader "Authentication-Results: %Mj; spf=softfail smtp.mailfrom=%f"
racl continue spf pass addheader "Authentication-Results: %Mj; spf=pass smtp.mailfrom=%f"
racl continue spf softfail addheader "Authentication-Results: %Mj; spf=softfail smtp.mailfrom=%f"
racl continue spf fail addheader "Authentication-Results: %Mj; spf=fail smtp.mailfrom=%f"
racl continue spf none addheader "Authentication-Results: %Mj; spf=none smtp.mailfrom=%f"
racl continue spf neutral addheader "Authentication-Results: %Mj; spf=neutral smtp.mailfrom=%f"
racl continue spf error addheader "Authentication-Results: %Mj; spf=temperror smtp.mailfrom=%f"
racl continue spf unknown addheader "Authentication-Results: %Mj; spf=permerror smtp.mailfrom=%f"
racl greylist spf self
racl whitelist spf pass
racl whitelist domain google.com
racl whitelist domain outbound.protection.outlook.com
racl greylist default

Update History

2020-03-28

  • Add explanation to enable Authentication-Results header.