Postfix policy daemons

graypold

graypold is a standalone graylisting server written in Perl. It can use a PostgreSQL or MySQL database backend. It listens on five local unix sockets (usally in /var/run) to provide different functions:

The socket graypold_graylist.sock provides standard graylisting
SASL authenticated users can prevent graylisting for reply mails when Postfix records outgoing mail with the graypold_sent.sock socket
You can reliable count mails with the graypold_mailcount.sock socket.
graypold_spf_helo.sock allows you to check the HELO/EHLO hostname of the sending server against SPF
Whether the sending mail server is allowed to send on behalf of the sender's domain or not, can be checked with the graypold_spf.sock.

Download

graypold-11.tar.bz2 released 2024-03-13
graypold-10.tar.bz2 released 2022-04-28
graypold-0.9.tar.bz2 released 2022-03-16
graypold-0.8.tar.bz2 released 2021-10-14
graypold-0.7.tar.bz2 released 2018-04-08
graypold-0.6.tar.bz2 released 2014-12-09
graypold-0.5.tar.bz2 released 2014-12-07
graypold-0.4.tar.bz2 released 2013-12-02
graypold-0.3.tar.bz2 released 2013-11-27
graypold-0.2.tar.bz2 released 2012-02-18
graypold-0.1.tar.bz2 released 2008-04-27

Installation

Download and extract the latest version of graypold
Call make test in order to check whether you have all required Perl modules installed. You need at least:
- RRDs (part of rrdtool)
- Mail::SPF
- DBI along with DBD::Pg or DBD::mysql
Call make install. You now have:
- /usr/local/lib/graylib.pm
- /usr/local/sbin/graypold.pl
- /usr/local/libexec/graycron.pl
- /usr/local/etc/rc.d/graypold (on FreeBSD), or /etc/init.d/graypold (on Linux)
On FreeBSD: Add graypold_enable="YES" to /etc/rc.conf
On Linux: Use the distribution specific tools to have /etc/init.d/graypold run during system boot
Create an unprivileged user:
On FreeBSD: pw useradd graylist -d /nonexistent -s /usr/sbin/nologin -c "Graylisting Daemon"
On Linux: useradd -d /nonexistent -s /usr/sbin/nologin -c "Graylisting Daemon" -M graylist

Override defaults from /usr/local/lib/graylib.pm in /usr/local/etc/graypol.conf, eg.

dbtype           = Mysql
dbhost           = localhost
dbuser           = grayuser
dbpass           = foobar
rrdfile_graylist = /var/lib/gray.rrd
picpath          = /home/www/pages/graystats

Create database tables and indexes:

For PostgreSQL: psql -U graylist -d graylist -f postgresql.graypol.sql
For MySQL: mysql -ugraylist -p graylist < mysql.graypol.sql

For SQLite:

sqlite3 /var/db/graylist/graylist.sqlite < sqlite.graylist.sql
sqlite3 /var/db/graylist/mailcount.sqlite < sqlite.mailcount.sql
sqlite3 /var/db/graylist/spf.sqlite < sqlite.spf.sql
chown -Rv graylist /var/db/graylist

Adjust main.cf:

If you want graylisting:

smtpd_recipient_restrictions =
        ...
        check_policy_service unix:/var/run/graypold_graylist.sock

If you want mailcounting:

smtpd_end_of_data_restrictions =
        ...
        check_policy_service unix:/var/run/graypold_mailcount.sock

Optionally, if you want to have all recipient addresses reported by the mailcount module (the number of recipients gets always counted):

smtpd_recipient_restrictions =
        ...
        check_policy_service unix:/var/run/graypold_mailcount.sock,
        permit_sasl_authenticated,
        ...

If you want SASL authenticated users, who are sending mails, to unlock graylisting in the opposite direction:

smtpd_recipient_restrictions =
        ...
        check_policy_service unix:/var/run/graypold_sent.sock,
        permit_sasl_authenticated,
        ...

If you want to check SPF for the HELO hostname of the sending mailserver:

smtpd_helo_restrictions =
	...
	check_policy_service unix:/var/run/graypold_spf_helo.sock,
	...

If you want to check SPF whether the sending mailserver is allowed to send mails on behalf of the envelope from address:
```
smtpd_sender_restrictions =
	...
	check_policy_service unix:/var/run/graypold_spf.sock,
	...
```

Create these cronjobs:

* * * * * /usr/local/libexec/graycron.pl permit
*/5 * * * * /usr/local/libexec/graycron.pl graph
0 * * * * /usr/local/libexec/graycron.pl clean
0 0 * * * /usr/local/libexec/graycron.pl scrub

Call /usr/local/etc/rc.d/graypold start
Call postfix reload

To bypass graylisting for a certain sender and recipient, add an entry like this to the table graylist:

INSERT INTO graylist (hostname, ip, username, sender, recipient, count, instance, ts_entry, ts_latest, ts_ok)
VALUES ('', '::', '', 'sender@domain.tld', 'recipient@domain.tld', 0, '', now(), now(), now());

Likewise, to bypass graylisting for a recipient, add an entry like this to the table graylist:

INSERT INTO graylist (hostname, ip, username, sender, recipient, count, instance, ts_entry, ts_latest, ts_ok)
VALUES ('', '::', '', '',                  'recipient@domain.tld', 0, '', now(), now(), now());

delaypol

delaypol prolongs several stages of the smtp dialog to their maximum values allowed by rfc 2821. If somebody insists that your mail server is not rfc-conform, you can calm down his servers by using delaypol on your server (I know, it is an idiotic asshole tool. Don't use it!).

Download

delaypol.pl (released 2007-04-28)

Installation

Move delaypol.pl to /usr/local/libexec/
Put ip addresses or even ip ranges that you want to throttle into /usr/local/etc/postfix/delayed_clients.cidr

Add the following entry to your master.cf:

delaypol        unix    -       n       n       -       -       spawn
	user=nobody argv=/usr/local/libexec/delaypol.pl

Adopt these lines into your main.cf:

smtpd_helo_restrictions        = check_policy_service unix:private/delaypol
smtpd_sender_restrictions      = check_policy_service unix:private/delaypol
smtpd_client_restrictions      = check_policy_service unix:private/delaypol
smtpd_recipient_restrictions   = check_policy_service unix:private/delaypol
smtpd_data_restrictions        = check_policy_service unix:private/delaypol
smtpd_end_of_data_restrictions = check_policy_service unix:private/delaypol

Call postfix restart

Old stuff

These two scripts are the predecessors of graypold. They are started by the postfix spawn tool:

graypol.pl uses PostgreSQL
mygraypol.pl uses MySQL.