AFP548 Changing the world one server at a time.
Tuesday, February 09 2010 @ 09:19 am CST
   

Greylisting on 10.4

How to get greylisting working with the included Postfix SMTP server on OS X Server 10.4

Greylisting, if you've not encountered it before, is the process of temporarily rejecting e-mail from an unknown host/sender/recipient combination. Spammers will tend not to bother trying to resend the e-mail later while legitimate servers will.

Read on for more information on how to add this to your arsenal against spam and viruses.

This article covers how to implement Greylisting in 10.4 or later. Greylisting can be done with 10.3.9 and earlier but is beyond the scope of this article.

If you're not familiar with Greylisting, visit both http://greylisting.org/ and http://projects.puremagic.com/greylisting/ and read up.

First, a prerequisite: You must have the Developer Tools installed. If they're not installed, please install them now. They're located on the 10.4 install DVD. You can also go to http://developer.apple.com/, register an account and download them. It's free. Once the Developer Tools are installed, come back to this article.

You're back? Great. Now that the Developer Tools have been installed,

1.) Open Terminal.

2.) Type: sudo -s and press return. Enter your password if prompted.

3.) Type: cpan and press return. If this is the first time you've ever used cpan, it will ask if you're ready for manual configuration. Tell it yes. You can usually just accept the defaults for what it asks. When it asks me for "Policy on building prerequisites (follow, ask or ignore)?" I use follow to avoid being asked about prerequisites, but it's up to you.

4.) Once you're at the cpan> prompt, type: install IO::Multiplex and press return. Wait while it does its thing.

5.) Once you're back at the cpan> prompt, type: exit and press return.

6.) Go to http://isg.ee.ethz.ch/tools/postgrey/ and download the current version of Postgrey. Expand the archive.

7.) Return to Terminal and cd into your newly created Postgrey directory. Issue these commands, one line at a time. Hit return after each line.

niutil -create . /groups/postgrey
niutil -createprop . /groups/postgrey gid 25
niutil -create . /users/postgrey
niutil -createprop . /users/postgrey uid 25
niutil -createprop . /users/postgrey gid 25
niutil -createprop . /users/postgrey shell /bin/tcsh
niutil -createprop . /users/postgrey home /tmp
niutil -createprop . /users/postgrey passwd "*"
mkdir /var/spool/postfix/postgrey
cp postgrey /var/spool/postfix/postgrey
cp postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients
cp postgrey_whitelist_recipients /etc/postfix/postgrey_whitelist_recipients
chown -R postgrey /var/spool/postfix/postgrey
chgrp -R postgrey /var/spool/postfix/postgrey
chmod -R 755 /var/spool/postfix/postgrey
/var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey


8.) I grabbed Lingon from http://lingon.sourceforge.net/ and used it to start Postgrey at system start time. I opened Lingon, clicked on Assistant, selected Run a job at startup and placed this into the Job field:

/var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey

I unchecked Start the job only when I login and checked Must run as root & saved it.

9.) Edit /etc/postfix/main.cf with your favorite editor. Find the line that starts with:

smtpd_recipient_restrictions =

Make sure that reject_unauth_destination is in there. If it is not, add a comma to the end of that line and enter it, with no spaces. Also, find the entry that says only "permit" (not permit_mynetworks or whatever, just plain old permit) and remove it from that line. Finally, add check_policy_service inet:127.0.0.1:10023 to that line as well. Save the changes and close the document.

10.) Then type postfix reload in the Terminal and press return.
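
A quick audit of the result of step 9, as an added example that is not part of the original article: the script reads smtpd_recipient_restrictions from main.cf (continuation lines included) and checks for the three edits the step asks for. It also checks that check_policy_service comes after reject_unauth_destination, which the Postfix policy delegation documentation requires so the server cannot become an open relay. The function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit main.cf after step 9.
# Function names are illustrative.

# Print the effective value of one main.cf parameter. Lines that start with
# whitespace continue the previous parameter; the last definition wins.
param_value() {  # usage: param_value FILE NAME
    awk -v name="$2" '
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        /^[^ \t]/ { grab = 0 }               # a new parameter begins
        $0 ~ "^" name "[ \t]*=" { grab = 1; val = ""; sub(/^[^=]*=/, "") }
        grab { val = val " " $0 }
        END { print val }
    ' "$1"
}

# Line number of the first restriction matching the pattern, empty if none.
pos() { printf '%s\n' "$items" | grep -n -x -e "$1" | head -n 1 | cut -d: -f1; }

# Return 0 only if the restriction list is what step 9 asks for.
check_greylist() {  # usage: check_greylist FILE
    # One restriction per line; check_policy_service is glued to its argument.
    items=$(param_value "$1" smtpd_recipient_restrictions | tr ',\t' '  ' |
        sed 's/check_policy_service  */check_policy_service=/g' | tr -s ' ' '\n')
    rud=$(pos 'reject_unauth_destination')
    pol=$(pos 'check_policy_service=inet:127\.0\.0\.1:10023')
    rc=0
    [ -n "$rud" ] || { echo "FAIL: reject_unauth_destination is missing"; rc=1; }
    [ -n "$pol" ] || { echo "FAIL: check_policy_service inet:127.0.0.1:10023 is missing"; rc=1; }
    [ -z "$(pos permit)" ] || { echo "FAIL: a bare permit is still in the list"; rc=1; }
    if [ -n "$rud" ] && [ -n "$pol" ] && [ "$pol" -lt "$rud" ]; then
        echo "FAIL: policy service is listed before reject_unauth_destination"; rc=1
    fi
    return $rc
}

# Constructed sample, not taken from a real server. Pass a path to audit your own file.
tmp=$(mktemp /tmp/maincf.XXXXXX)
cat > "$tmp" <<'EOF'
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination,check_policy_service inet:127.0.0.1:10023
EOF
check_greylist "${1:-$tmp}" && echo "OK: greylisting is wired in as step 9 describes"
rm -f "$tmp"
```

Run it with /etc/postfix/main.cf as the argument before typing postfix reload; a file with no smtpd_recipient_restrictions line at all is reported as missing both entries.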

You're almost done: Be sure to read perldoc postgrey for more information on whitelists and further customization like how long to greylist for, what response is sent back to the other side, etc.

In closing, it would also be wise to subscribe to the Postgrey mailing list at http://isg.ee.ethz.ch/tools/postgrey/. The software is updated periodically and it is best to be aware of when this happens so that the appropriate changes can be made on your end. Future upgrades should be as simple as copying the appropriate files into both /var/spool/postfix/postgrey/ and /etc/postfix/ as indicated above then restarting the Postgrey process.

Greylisting on 10.4
Authored by: sixty4k on Thursday, December 22 2005 @ 06:22 pm CST
on 10.4.3, there is no 'smtpd_recipient_restrictions =' line.

the developer tools seem to be called xcode or some such, installing just the 'developer tools' package isn't enough. (Probably my bad misreading what you meant...)

off to go look into postfix conf file documentation...
Greylisting on 10.4
Authored by: Anonymous on Thursday, March 30 2006 @ 04:20 pm CST
I followed the instructions and it all seemed to work brilliantly. Well, at least until I restarted amavisd by altering some setting. Amavisd (spam and virus scanner, version 2.2.0, included with the OS) generated a terrible error about broken pipes etc., leaving my server to deny all incoming mail.

After some investigation I found the fresh Net::Server module version 0.92 was the problem. After removing the Net directory from /Library/Perl/5.8.6 and a restart of mail services all is working again.
Greylisting on 10.4
Authored by: Anonymous on Wednesday, May 10 2006 @ 06:28 pm CDT
There is a problem with the instructions as the Net::Server software is incompatible with OS X 10.4 Server.

The problem with the instructions is the install CPAN command "Net::Server IO::Multiplex"

This CPAN command should be "install IO::Multiplex"

The previous comments for this issue would have been great if I had a little more understanding of what was happening. So I thought that I would add this comment to let you know what you will experience if you follow the original instructions and install Net::Server IO::Multiplex, your mail will queue up and will not be sent...

If you follow the instructions from previous comment "removing the Net directory from /Library/Perl/5.8.6 and a restart of mail services all is working again" Yippeee....

Thanks for all your help to those kind people that helped
Greylisting on 10.4
Authored by: nilsel on Monday, October 02 2006 @ 06:39 am CDT
Great article! I noticed however on my server (10.4.7) that step #9 differs a bit from my setup:

/etc/postfix/main.cf with your favorite editor. Find the line that starts with: smtpd_recipient_restrictions =

My /etc/postfix/main.cf has smtpd_client_restrictions, instead of smtpd_recipient_restrictions, and my mail logs indicate all is working with this line (notice no commas in my config):
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org reject_unauth_destination check_policy_service inet:127.0.0.1:10023

---
--
regards,
Nils

Greylisting on 10.4
Authored by: Anonymous on Monday, March 10 2008 @ 01:28 am CDT
For 10.5 install, consider this thread at Apple