Installing milter-greylist from FreeBSD Ports

Weldon Whipple <weldon@whipple.org>. (Updated 10 Aug 2013)


Introduction

Greylisting requires incoming e-mail to "knock twice" under certain conditions--causing a slight delay in first-time deliveries. When greylisting is in effect, "unlisted" SMTP servers might be required to briefly queue an e-mail message before it can be delivered to your server. After a sender and server have shown that they are serious about the delivery (by later attempting the delivery a second time), their information is stored in a database for a (configurable) period of time, and future e-mail is delivered without delay.

As e-mail arrives, the sender, recipient and incoming server's IP address are searched in the database. If the combination of all three matches an entry in the database, the e-mail is processed immediately. Otherwise, the server returns a "temporary" failure. Spammers and trojans will often treat the temporary failure as permanent and abandon the delivery. (See http://greylisting.org for more information on greylisting.)
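
The lookup described above can be modelled in a few lines of shell and awk. This is an added example, not part of the original tutorial and not milter-greylist's own code; the minimum retry delay, the DELAY and AUTOWHITE values, the event format and all addresses are assumptions made for the demonstration.

```shell
#!/bin/sh
# Toy model of greylisting decisions keyed on (client IP, sender, recipient).
# DELAY: assumed minimum wait before a retry is accepted (seconds).
# AUTOWHITE: assumed lifetime of an accepted triplet in the database (seconds).
DELAY=300
AUTOWHITE=86400

# Constructed events: "<epoch-seconds> <client-ip> <sender> <recipient>"
sample_events() {
cat <<'EOF'
1000 192.0.2.10 a@example.net u@example.org
1060 192.0.2.10 a@example.net u@example.org
1400 192.0.2.10 a@example.net u@example.org
2000 192.0.2.10 a@example.net u@example.org
2000 192.0.2.10 a@example.net v@example.org
90000 192.0.2.10 a@example.net u@example.org
EOF
}

# Reads events on stdin; prints "<time> <verdict> <recipient>" for each one.
greylist_decide() {
    awk -v delay="$DELAY" -v autowhite="$AUTOWHITE" '
    {
        t = $1; key = $2 SUBSEP $3 SUBSEP $4
        if ((key in white) && t <= white[key]) {
            verdict = "ACCEPT"              # known triplet, entry still valid
        } else if ((key in first) && t - first[key] >= delay) {
            verdict = "ACCEPT"              # second knock after the delay
            white[key] = t + autowhite      # remember the triplet for a while
            delete first[key]
        } else {
            if (!(key in first)) first[key] = t   # first knock: note the time
            verdict = "TEMPFAIL"            # 4xx reply, sender must retry
        }
        print t, verdict, $4
    }'
}

sample_events | greylist_decide
```

The retry at 1060 is still too early, a different recipient from the same sender and IP is a new triplet, and the last delivery arrives after the stored entry has expired, so all three are deferred.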

Of the greylisting milters I have used, milter-greylist is my favorite. Because it doesn't depend on MySQL or Berkeley DB, it is easy to install and configure.

This document describes how I installed version 2.0 of milter-greylist from the FreeBSD ports collection on 19 Sep 2005. My server was running FreeBSD 5.3-RELEASE, and my sendmail version was 8.13.4.

FreeBSD's sendmail executable is compiled to support milters by default. There should be no need to recompile sendmail to support milters unless you are using a non-standard executable for some reason.

To verify that your sendmail supports MILTERS, issue the following command as root:

# sendmail -d0.1 -bt < /dev/null | grep MILTER

You should see a line of output that includes the word "MILTER".

Before you begin, make sure that your FreeBSD ports tree is up-to-date.

I know of some service providers that automatically update the ports tree for their customers. If your provider does that already, you probably don't want to update ports yourself!

I update my ports as follows (as root, of course):

# cd
# cvsup -L2 -g /root/portsupfile

where my file named /root/portsupfile looks like:

*default tag=.
*default release=cvs
*default host=cvsup3.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default delete
*default use-rel-suffix
*default compress

ports-all

Step-by-Step Instructions

1. Install milter-greylist from ports

Issue these commands as root:


# cd /usr/ports/mail/milter-greylist
# make
# make install

If you have installed an earlier version of milter-greylist, the above will tell you about it, asking you to issue the commands "make deinstall" followed by "make reinstall". If that happens to you, issue both commands.

The above commands should install the following:

  1. The milter-greylist executable /usr/local/bin/milter-greylist
  2. A startup file (to start milter-greylist when the server restarts) named /usr/local/etc/rc.d/milter-greylist
  3. A README file (with more detailed instructions than this tutorial) at /usr/local/share/doc/milter-greylist/README
  4. A sample configuration file named /usr/local/etc/mail/greylist.conf.sample
  5. Documentation displayed when you issue the man milter-greylist and man greylist.conf commands.

If the above aren't visible right after the install, you might try issuing the "rehash" command.

2. Edit the milter-greylist configuration file

Create the initial configuration file by making a copy of the sample, then edit the configuration file with your editor of choice. (These examples will use the editor vi.)


# cd /usr/local/etc/mail
# cp greylist.conf.sample greylist.conf
# vi greylist.conf

Whitelisting is now (10 Aug 2013) the default. [Thank you, Semen Trygubenko, for informing me of the change of default!] You will need to identify the IP addresses of servers that you want to greylist. (You will probably not want to greylist localhost [127.0.0.1], computers on your local network, and others of your choice.)

Add "racl greylist addr" lines for addresses you want to greylist. If you want to greylist the /24 CIDR network 111.222.333.0, for example, you could add the following line:


racl greylist addr 111.222.333.0/24

Type "man greylist.conf" for more information on the syntax.

At the bottom of the default configuration file is "a list of broken MTA[s] that break with greylisting," each preceded with "acl whitelist addr". Do not delete these unless you have very good reasons!

3. Enable milter-greylist in /etc/rc.conf

Edit the file /etc/rc.conf and add the following line:


miltergreylist_enable="YES"

4. Modify sendmail.cf

Edit your sendmail macro configuration (mc) file and insert the following line:


INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')

Hints:
  1. If you're new to the FreeBSD procedure for modifying sendmail.cf, click here.
  2. If you're clueless about where to insert the above lines, try inserting them somewhere after the line that reads DOMAIN(generic) and before the first line that begins MAILER( ...

    (If you don't see the DOMAIN or MAILER lines, you're probably editing the wrong file. Re-read how to modify sendmail.cf's on FreeBSD.)
  3. If your sendmail configuration already includes other milters, you might want to search for "INPUT_MAIL_FILTER", "MAIL_FILTER" and/or "confINPUT_MAIL_FILTER" in the cf/README or consult the "Bat" book. Configuring sendmail for multiple milters is beyond the scope of this tutorial.

After you finish editing your mc file, rebuild and install your sendmail.cf with the commands:


# cd /etc/mail
# make
# make install

Watch for error messages. If you see errors, be sure to correct them before continuing.

(Don't restart sendmail ... yet.)

5. Start the milter

Issue the following command (still as root):


# /usr/local/etc/rc.d/milter-greylist start

To verify that the milter is running, try issuing a command something like:

# ps -auxww | grep greylist

You should see output something like:

smmsp   2687  0.0  0.2  2196 1168  ??  Ss    9:00PM   0:00.01 /usr/local/bin/milter-greylist -P /var/run/milter-greylist.pid -f /usr/local/etc/mail/greylist.conf -p /var/milter-greylist/milter-greylist.sock -u smmsp

6. Restart sendmail

Issue the following commands:


# cd /etc/mail
# make restart

7. Verify the installation

Try sending mail from another server to your sendmail server. You should see entries similar to the following in /var/log/maillog:


Apr 29 20:51:59 gabriel sm-mta[85507]: j3TKpuvC085507: Milter: to=<michael@whipple.org>, reject=451 4.7.1 Greylisting in action, please come back later
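
To summarize these entries rather than read them one by one, the following added example (not part of the original tutorial) counts greylist tempfails per recipient. It assumes the log format and the "Greylisting in action" reply text shown above; the sample lines, host name, queue IDs and addresses are constructed.

```shell
#!/bin/sh
# Count milter-greylist tempfails per recipient in sendmail maillog text.

# Constructed sample in the maillog format shown above.
sample_maillog() {
cat <<'EOF'
Apr 29 20:51:59 mx1 sm-mta[85507]: j3TKpuvC085507: Milter: to=<alice@example.org>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 20:52:10 mx1 sm-mta[85511]: j3TKq9vC085511: Milter: to=<bob@example.org>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 20:53:02 mx1 sm-mta[85520]: j3TKr1vC085520: Milter: to=<alice@example.org>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 21:25:40 mx1 sm-mta[85602]: j3TLPdvC085602: to=<alice@example.org>, delay=00:00:01, mailer=local, stat=Sent
EOF
}

# Reads maillog text on stdin; prints "<count> <recipient>" for every
# recipient deferred by the greylist milter, most-deferred first.
greylist_deferrals() {
    awk '
        /Milter: to=</ && /reject=451 4\.7\.1 Greylisting/ {
            rcpt = $0
            sub(/.*Milter: to=</, "", rcpt)   # drop everything before the address
            sub(/>.*/, "", rcpt)              # drop everything after it
            n[rcpt]++
        }
        END { for (r in n) print n[r], r }
    ' | sort -k1,1nr -k2,2
}

sample_maillog | greylist_deferrals
```

On a live server, run greylist_deferrals < /var/log/maillog instead of feeding it the sample.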

Feedback

This document is a work in progress. Please send corrections or suggestions to me!