Weldon Whipple <weldon@whipple.org>. (Updated 10 Aug 2013)
Greylisting requires incoming e-mail to "knock twice" under certain conditions--causing a slight delay in first-time deliveries. When greylisting is in effect, "unlisted" SMTP servers might be required to briefly queue an e-mail message before it can be delivered to your server. After a sender and server have shown that they are serious about the delivery (by later attempting the delivery a second time), their information is stored in a database for a (configurable) period of time, and future e-mail is delivered without delay.
As e-mail arrives, the sender, recipient and incoming server's IP address are searched in the database. If the combination of all three matches an entry in the database, the e-mail is processed immediately. Otherwise, the server returns a "temporary" failure. Spammers and trojans will often treat the temporary failure as permanent and abandon the delivery. (See http://greylisting.org for more information on greylisting.)
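The lookup described above, modelled as an added example (it is not milter-greylist's code and not from the original page). The class name, the three timing values and the sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisting in action, please come back later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    # All three timings are assumed values for this sketch, in seconds.
    delay: int = 300               # minimum wait before a retry is honoured
    retry_window: int = 4 * 3600   # unretried pending entries are forgotten after this
    lifetime: int = 3 * 86400      # how long a proven triplet stays in the database
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: dict = field(default_factory=dict)   # triplet -> expiry time

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one RCPT attempt at time `now`."""
        key = (ip, sender, rcpt)
        if self.passed.get(key, 0) > now:
            self.passed[key] = now + self.lifetime   # refresh on every use
            return ACCEPT
        self.passed.pop(key, None)                   # expired or never listed
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now                  # first knock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                          # retried too soon
        del self.pending[key]                        # second knock
        self.passed[key] = now + self.lifetime
        return ACCEPT


def demo():
    """Replay a constructed delivery timeline and return each reply."""
    g = Greylist()
    a = ("192.0.2.10", "alice@example.org", "michael@example.net")
    b = ("192.0.2.10", "alice@example.org", "postmaster@example.net")
    return [
        g.check(*a, now=0),        # unknown triplet
        g.check(*a, now=60),       # retry inside the delay
        g.check(*a, now=900),      # proper retry
        g.check(*a, now=1000),     # known triplet
        g.check(*b, now=1000),     # new recipient = new triplet
        g.check(*a, now=1000 + 3 * 86400 + 1),  # entry expired
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

A sender that never retries stays in `pending` and is never delivered, which is the behaviour the paragraph above relies on.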
Of the greylisting milters I have used, milter-greylist is my favorite. Because it doesn't depend on MySQL or Berkeley DB, it is easy to install and configure.
This document describes how I installed version 2.0 of milter-greylist from the FreeBSD ports collection on 19 Sep 2005. My server was running FreeBSD 5.3-RELEASE, and my sendmail version was 8.13.4.
FreeBSD's sendmail executable is compiled to support milters by default. There should be no need to recompile sendmail to support milters unless you are using a non-standard executable for some reason.
To verify that your sendmail supports MILTERS, issue the following command as root:
# sendmail -d0.1 -bt < /dev/null | grep MILTER
You should see a line of output that includes the word "MILTER".
Before you begin, make sure that your FreeBSD ports tree is up-to-date.
I know of some service providers that automatically update the ports tree for their customers. If your provider does that already, you probably don't want to update ports yourself!
I update my ports as follows (as root, of course):
# cd
# cvsup -L2 -g /root/portsupfile
where my file named /root/portsupfile looks like:
*default tag=.
*default release=cvs
*default host=cvsup3.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default delete
*default use-rel-suffix
*default compress
ports-all
Issue these commands as root:
# cd /usr/ports/mail/milter-greylist
# make
# make install
If you have installed an earlier version of milter-greylist, the above will tell you about it, asking you to issue the commands "make deinstall" followed by "make reinstall". If that happens to you, issue both commands.
The above commands should install the following:
If the above aren't visible right after the install, you might try issuing the "rehash" command.
Create the initial configuration file by making a copy of the sample, then edit the configuration file with your editor of choice. (These examples will use the editor vi.)
# cd /usr/local/etc/mail
# cp greylist.conf.sample greylist.conf
# vi greylist.conf
Whitelisting is now (10 Aug 2013) the default. [Thank you, Semen Trygubenko, for informing me of the change of default!] You will need to identify the IP addresses of servers that you want to greylist. (You will probably not want to greylist localhost [127.0.0.1], computers on your local network, and others of your choice.)
Add "racl greylist addr" lines for addresses you want to greylist. If you want to greylist the /24 CIDR network 111.222.333.0, for example, you could add the following line:
racl greylist addr 111.222.333.0/24
Type "man greylist.conf" for more information on the syntax.
At the bottom of the default configuration file is "a list of broken MTA[s] that break with greylisting," each preceded with "acl whitelist addr". Do not delete these unless you have very good reasons!
Edit the file /etc/rc.conf and add the following lines:
miltergreylist_enable="YES"
Edit your sendmail macro configuration (mc) file and insert the following line:
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')
Hints:
- If you're new to the FreeBSD procedure for modifying sendmail.cf, click here.
- If you're clueless about where to insert the above lines, try inserting them somewhere after the line that reads DOMAIN(generic) and before the first line that begins MAILER( ...
(If you don't see the DOMAIN or MAILER lines, you're probably editing the wrong file. Re-read how to modify sendmail.cf's on FreeBSD.)
- If your sendmail configuration already includes other milters, you might want to search for "INPUT_MAIL_FILTER", "MAIL_FILTER" and/or "confINPUT_MAIL_FILTER" in the cf/README or consult the "Bat" book. Configuring sendmail for multiple milters is beyond the scope of this tutorial.
After you finish editing your mc file, rebuild and install your sendmail.cf with the commands:
# cd /etc/mail
# make
# make install
Watch for error messages. If you see errors, be sure to correct them before continuing.
(Don't restart sendmail ... yet.)
Issue the following command (still as root):
# /usr/local/etc/rc.d/milter-greylist start
To verify that the milter is running, try issuing a command something like:
# ps -auxww | grep greylist
You should see output something like:
smmsp 2687 0.0 0.2 2196 1168 ?? Ss 9:00PM 0:00.01 /usr/local/bin/milter-greylist -P /var/run/milter-greylist.pid -f /usr/local/etc/mail/greylist.conf -p /var/milter-greylist/milter-greylist.sock -u smmsp
Issue the following commands:
# cd /etc/mail
# make restart
Try sending mail from another server to your sendmail server. You should see entries similar to the following in /var/log/maillog:
Apr 29 20:51:59 gabriel sm-mta[85507]: j3TKpuvC085507: Milter: to=<michael@whipple.org>, reject=451 4.7.1 Greylisting in action, please come back later
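To check the result over more than one log entry, the following added example (not part of the original tutorial) tallies greylist deferrals per recipient from maillog text. The first sample line is the one quoted above; the other lines, their queue IDs and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Shape of the sendmail "Milter: ... reject=" line quoted above.
MILTER_REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sm-mta\[\d+\]: (?P<qid>\w+): "
    r"Milter: to=<(?P<rcpt>[^>]*)>, "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*)$"
)

# Line 1 is the entry from this page; the rest are constructed for the example.
SAMPLE_LOG = """\
Apr 29 20:51:59 gabriel sm-mta[85507]: j3TKpuvC085507: Milter: to=<michael@whipple.org>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 20:52:10 gabriel sm-mta[85511]: j3TKqAvC085511: Milter: to=<michael@whipple.org>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 20:53:02 gabriel sm-mta[85519]: j3TKr2vC085519: Milter: to=<sales@example.net>, reject=451 4.7.1 Greylisting in action, please come back later
Apr 29 20:54:40 gabriel sm-mta[85530]: j3TKsevC085530: Milter: to=<sales@example.net>, reject=550 5.7.1 Command rejected
Apr 29 21:20:15 gabriel sm-mta[85602]: j3TLKFvC085602: from=<alice@example.org>, size=1843, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.10]
"""


def greylist_deferrals(log_text, marker="Greylisting"):
    """Return one dict per 4xx milter rejection whose text contains `marker`.

    `marker` is assumed to match the reply text seen in the log line above.
    """
    hits = []
    for line in log_text.splitlines():
        m = MILTER_REJECT.match(line)
        # Only temporary (4xx) replies count; 5xx milter rejects are not greylisting.
        if m and m["code"].startswith("4") and marker in m["text"]:
            hits.append(m.groupdict())
    return hits


def deferrals_by_recipient(log_text):
    """Tally greylist deferrals per recipient address."""
    return Counter(h["rcpt"] for h in greylist_deferrals(log_text))


if __name__ == "__main__":
    for rcpt, n in deferrals_by_recipient(SAMPLE_LOG).most_common():
        print(n, rcpt)
```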
This document is a work in progress. Please send corrections or suggestions to me!