Articles November 27, 2005 at 11:58 pm

Greylisting on 10.4

How to get greylisting working with the included Postfix SMTP server on OS X Server 10.4

Greylisting, if you’ve not encountered it before, is the process of temporarily rejecting e-mail from an unknown host/sender/recipient combination. Spammers will tend not to bother trying to resend the e-mail later while legitimate servers will.

Read on for more information on how to add this to your arsenal against spam and viruses. This article covers how to implement Greylisting in 10.4 or later. Greylisting can be done with 10.3.9 and earlier but is beyond the scope of this article.

If you’re not familiar with Greylisting, visit both http://greylisting.org/ and http://projects.puremagic.com/greylisting/ and read up.
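
The triplet check described above, sketched as an added example (not code from this article or from Postgrey). It answers requests in Postfix's policy delegation format, the interface behind the check_policy_service setting used later in this article; the 300-second delay, 35-day expiry, reply text and sample addresses are assumptions of the example.

```python
import time

DELAY = 300            # assumed: seconds a new triplet must wait before a retry passes
MAX_AGE = 35 * 86400   # assumed: seconds an entry is kept without being seen again


class Greylist:
    """In-memory greylist keyed on (client address, sender, recipient)."""

    def __init__(self, delay=DELAY, max_age=MAX_AGE):
        self.delay, self.max_age = delay, max_age
        self.seen = {}  # triplet -> (first_seen, last_seen)

    def check(self, client, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client, sender.lower(), recipient.lower())
        first, last = self.seen.get(key, (now, now))
        if now - last > self.max_age:   # stale entry: treat the triplet as new
            first = now
        self.seen[key] = (first, now)
        if now - first < self.delay:
            wait = int(self.delay - (now - first))
            return "DEFER_IF_PERMIT Greylisted, retry in %d seconds" % wait
        return "DUNNO"                  # no opinion: later restrictions decide


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle(greylist, text, now=None):
    """Return the reply for one request in the policy delegation wire format."""
    a = parse_request(text)
    if a.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = greylist.check(a.get("client_address", ""), a.get("sender", ""),
                            a.get("recipient", ""), now)
    return "action=%s\n\n" % action


# Constructed sample request (documentation addresses, not captured traffic).
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsender=alice@example.org\n"
          "recipient=bob@example.com\n\n")
```

A first delivery attempt and any retry inside the delay window are deferred; a retry after the window gets DUNNO, so the remaining Postfix restrictions decide the message's fate.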

First, a prerequisite: You must have the Developer Tools installed. If they're not installed, please do so now. They're located on the 10.4 install DVD. You can also go to http://developer.apple.com/, register an account and download them. It’s free. Once the Developer Tools are installed, come back to this article.

You’re back? Great. Now that the Developer Tools have been installed,

1.) Open Terminal.

2.) Type: sudo -s and press return. Enter your password if prompted.

3.) Type: cpan and press return. If this is the first time you’ve ever used cpan, it will ask if you’re ready for manual configuration. Tell it yes. You can usually just accept the defaults for what it asks. When it asks me for "Policy on building prerequisites (follow, ask or ignore)?" I use follow to avoid being asked about prerequisites but it's up to you.

4.) Once you’re at the cpan> prompt, type: install IO::Multiplex and press return. Wait while it does its thing.

5.) Once you’re back at the cpan> prompt, type: exit and press return.

6.) Go to http://isg.ee.ethz.ch/tools/postgrey/ and download the current version of Postgrey. Expand the archive.

7.) Return to Terminal and cd into your newly created Postgrey directory. Issue these commands, one line at a time. Hit return after each line.

niutil -create . /groups/postgrey
niutil -createprop . /groups/postgrey gid 25
niutil -create . /users/postgrey
niutil -createprop . /users/postgrey uid 25
niutil -createprop . /users/postgrey gid 25
niutil -createprop . /users/postgrey shell /bin/tcsh
niutil -createprop . /users/postgrey home /tmp
niutil -createprop . /users/postgrey passwd "*"
mkdir /var/spool/postfix/postgrey
cp postgrey /var/spool/postfix/postgrey
cp postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients
cp postgrey_whitelist_recipients /etc/postfix/postgrey_whitelist_recipients
chown -R postgrey /var/spool/postfix/postgrey
chgrp -R postgrey /var/spool/postfix/postgrey
chmod -R 755 /var/spool/postfix/postgrey
/var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey

8.) I grabbed Lingon from http://lingon.sourceforge.net/ and used it to start Postgrey at system start time. I opened Lingon, clicked on Assistant, selected Run a job at startup and placed this into the Job field:

/var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey

I unchecked Start the job only when I login and checked Must run as root & saved it.

9.) Edit /etc/postfix/main.cf with your favorite editor. Find the line that starts with:

smtpd_recipient_restrictions =

Make sure that reject_unauth_destination is in there (if not, please add it. Add a comma to the end of that line and enter it in. No spaces.) Also, find the entry that only says “permit” (not permit_mynetworks or whatever… just plain old permit) and remove it from that line. Finally, add check_policy_service inet:127.0.0.1:10023 to that line as well. Save the changes and close the document.

10.) Then type postfix reload in the Terminal and press return.
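
A check for the three conditions step 9 asks for, as an added example (not part of the original article or of Postfix). The function names and both sample configurations are constructed for illustration.

```python
import re


def get_param(main_cf_text, name):
    """Return the last value assigned to `name`, joining continuation lines."""
    logical = []
    for raw in main_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                               # blank lines and comments
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()       # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    value = None
    for line in logical:
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()                    # a later assignment wins
    return value


def check_step9(main_cf_text, service="inet:127.0.0.1:10023"):
    """Return problems found in smtpd_recipient_restrictions; empty means OK."""
    value = get_param(main_cf_text, "smtpd_recipient_restrictions")
    if value is None:
        return ["smtpd_recipient_restrictions is not set"]
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    problems = []
    if "reject_unauth_destination" not in tokens:
        problems.append("reject_unauth_destination is missing")
    if "permit" in tokens:
        problems.append("bare permit is still present")
    if ("check_policy_service", service) not in zip(tokens, tokens[1:]):
        problems.append("check_policy_service %s is missing" % service)
    return problems


# Constructed samples: a line before the edit and the same line after it.
BEFORE = "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,permit\n"
AFTER = ("smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,\n"
         "    reject_unauth_destination,check_policy_service inet:127.0.0.1:10023\n")
```

Pass it the contents of /etc/postfix/main.cf; an empty list means all three conditions hold.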

You’re almost done: Be sure to read perldoc postgrey for more information on whitelists and further customization like how long to greylist for, what response is sent back to the other side, etc.

In closing, it would also be wise to subscribe to the Postgrey mailing list at http://isg.ee.ethz.ch/tools/postgrey/. The software is updated periodically and it is best to be aware of when this happens so that the appropriate changes can be made on your end. Future upgrades should be as simple as copying the appropriate files into both /var/spool/postfix/postgrey/ and /etc/postfix/ as indicated above then restarting the Postgrey process.

No Comments

  • on 10.4.3, there is no ‘smtpd_recipient_restrictions =’ line.

    the developer tools seem to be called xcode or some such, installing just the ‘developer tools’ package isn’t enough. (Probably my bad misreading what you meant…)

    off to go look into postfix conf file documentation…

    • Mine contained smtpd_recipient_restrictions = reject_unauth_destination which caused some grief for me (I noticed some stuff in the log.)

      If reject_unauth_destination isn’t in there, that makes things simpler because you don’t have to take it out. 🙂

      • A little tinkering and:

        smtpd_recipient_restrictions = permit_mynetworks,check_policy_service inet:127.0.0.1:10023,reject_unauth_destination

        seems to make my system happiest, with my local machines able to send mail (without the ‘permit_mynetworks’ they couldn’t), greylisting working, and whatever it is that reject_unauth does. The postfix website wording leaves me unsure still.

  • Great article! I noticed however on my server (10.4.7) that
    step #9 differs a bit from my setup:

    /etc/postfix/main.cf with your favorite editor. Find the line that starts
    with:
    smtpd_recipient_restrictions =

    My /etc/postfix/main.cf has smtpd_client_restrictions, instead of
    smtpd_recipient_restrictions, and my mail logs indicate all is
    working with this line (notice no commas in my config):
    smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org reject_unauth_destination check_policy_service inet:127.0.0.1:10023



    regards,
    Nils

  • Just to be totally clear on the solution here:

    Symptoms: After installing Postgrey on Mac OS X Server v10.4, e-mails to and from your hosted domains get bumped into the Deferred queue, with an error message resembling the following:

    relay=127.0.0.1[127.0.0.1], delay=1808, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=00303-02, mime_decode-1 FAILED: parsing file(1) results - missing last 1 results at (eval 43) line 155. (in reply to end of DATA command))

    Problem: The version of amavisd that is packaged with OS 10.4 Server (2.3.1) is incompatible with current versions of Net::Server (0.94 at the moment).

    Solution: Upgrade amavisd to 2.4 or higher or downgrade Net::Server to 0.90. I would personally recommend downgrading Net::Server, since Apple is likely to include amavisd upgrades as part of future software updates, and that can get really thorny when Software Update tries to forcibly downgrade your amavisd installation.

    Procedure:

    1. Remove the incompatible version of Net::Server:
      sudo rm -R /Library/Perl/5.8.6/Net/Serve*
    2. Download the compatible version:
      curl -O http://mirror.uta.edu/CPAN/authors/id/R/RH/RHANDOM/Net-Server-0.90.tar.gz
    3. Decompress, cd into the folder, perl Makefile.PL, make, make test, sudo make install.
    4. Restart postfix (I prefer to reboot the server entirely) with sudo postfix reload
    5. If you have deferred e-mails, they will get sent automatically after a while, but you can clear them out manually with sudo postfix flush
