CentOS 7のPostfixにpostgreyを導入

迷惑メール対策にpostgreyを導入してみました｡
CentOS 7ではepel repositoryをインストールすればyumで簡単にインストールできます｡

Postgrey – Postfix Greylisting Policy Server
https://postgrey.schweikert.ch/
Postfix + postgrey を使ったグレイリスティングでスパム対策をしてみる
http://server-setting.info/centos/postfix-postgrey-spam-setting.html

動作としては初めてのメールサーバからの要求はグレイリストに登録して､受信拒否(code=450)します｡通常はその後再送してくるので､その時に受信処理が行われます｡
スパムメールの送信者は殆ど再送しないのでブロックできるとのことですが､相手が再送するまで受信できないので｢送ったよ～｣｢届かないよ～｣が発生します｡
事前に分かればホワイトリストに追加しておけばいいのですが｡

ただ稀にまともなドメインのようでも再送しないメールサーバがあったりするので､そうなるとホワイトリストに登録しない限り受信できません｡
ちなみにPostfix 2.10.1(yum)のデフォルトでは300秒で再送されます｡

環境
･CentOS Linux release 7.3.1611 (Core)
･Kernel 3.10.0-514.16.1.el7.x86_64
･Postfix 2.10.1
･Postgrey 1.34

インストール

# yum -y install epel-release

# yum info postgrey
Available Packages
Name        : postgrey
Arch        : noarch
Version     : 1.34
Release     : 12.el7
Size        : 47 k
Repo        : epel/x86_64
Summary     : Postfix Greylisting Policy Server
URL         : http://postgrey.schweikert.ch/
License     : GPLv2+
Description : Postgrey is a Postfix policy server implementing greylisting. When a request
            : for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP /
            : SENDER / RECIPIENT is built. If it is the first time that this triplet is
            : seen, or if the triplet was first seen less than 5 minutes, then the mail gets
            : rejected with a temporary error. Hopefully spammers or viruses will not try
            : again later, as it is however required per RFC.

# yum -y install postgrey
(snip)
Installed:
  postgrey.noarch 0:1.34-12.el7

Dependency Installed:
  perl-BerkeleyDB.x86_64 0:0.51-4.el7           perl-Digest-HMAC.noarch 0:1.03-5.el7         perl-Digest-MD5.x86_64 0:2.52-3.el7
  perl-IO-Multiplex.noarch 0:1.13-6.el7         perl-Net-DNS.x86_64 0:0.72-6.el7             perl-Net-Server.noarch 0:2.007-2.el7
  perl-Sys-Syslog.x86_64 0:0.33-3.el7

Complete!

# yum -y install epel-release

# yum info postgrey

Available Packages

Name : postgrey

Arch : noarch

Version : 1.34

Release : 12.el7

Size : 47 k

Repo : epel/x86_64

Summary : Postfix Greylisting Policy Server

URL : http://postgrey.schweikert.ch/

License : GPLv2+

Description : Postgrey is a Postfix policy server implementing greylisting. When a request

: for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP /

: SENDER / RECIPIENT is built. If it is the first time that this triplet is

: seen, or if the triplet was first seen less than 5 minutes, then the mail gets

: rejected with a temporary error. Hopefully spammers or viruses will not try

: again later, as it is however required per RFC.

# yum -y install postgrey

(snip)

Installed:

postgrey.noarch 0:1.34-12.el7

Dependency Installed:

perl-BerkeleyDB.x86_64 0:0.51-4.el7 perl-Digest-HMAC.noarch 0:1.03-5.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7

perl-IO-Multiplex.noarch 0:1.13-6.el7 perl-Net-DNS.x86_64 0:0.72-6.el7 perl-Net-Server.noarch 0:2.007-2.el7

perl-Sys-Syslog.x86_64 0:0.33-3.el7

Complete!

設定ファイル

yumでインストールすると設定ファイルは/etc/postfixにインストールされます｡

# ls -l /etc/postfix/
-rw-r--r--  1 root root  8343 May  5  2011 postgrey_whitelist_clients
-rw-r--r--  1 root root    59 Feb  7  2014 postgrey_whitelist_clients.local
-rw-r--r--  1 root root   188 May  5  2011 postgrey_whitelist_recipients

# ls -l /etc/postfix/

-rw-r--r-- 1 root root 8343 May 5 2011 postgrey_whitelist_clients

-rw-r--r-- 1 root root 59 Feb 7 2014 postgrey_whitelist_clients.local

-rw-r--r-- 1 root root 188 May 5 2011 postgrey_whitelist_recipients

･postgrey_whitelist_clients
ホワイトリストのデフォルト設定｡海外のドメインが殆どです｡個人的には空にしてもいいかも｡
･postgrey_whitelist_clients.local
サイトのホワイトリスト｡ここに前もってpostgreyのチェックを行わないドメインを登録します｡
･postgrey_whitelist_recipients
受信許可アドレスのホワイトリスト｡ここに記載してあるアドレス宛はpostgreyのチェックを行わない｡

main.cfの設定

postgreyを経由するようにmain.cfを設定します｡

smtpd_recipient_restrictions =
        permit_mynetworks,
        ..................
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10023

smtpd_recipient_restrictions =

permit_mynetworks,

..................

reject_unauth_destination,

check_policy_service inet:127.0.0.1:10023

reject_unauth_destinationの後にcheck_policy_service inet:127.0.0.1:10023を追記します｡これはpostgreyがデフォルトでポート10023で動作しています｡

ポート10023で待受設定(2017/05/06追記)

/etc/sysconfig/postgreyに明示的に待ち受けポート10023を追加します｡

# vi /etc/sysconfig/postgrey
# cat /etc/sysconfig/postgrey
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

# vi /etc/sysconfig/postgrey

# cat /etc/sysconfig/postgrey

POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"

postgreyの起動

postgreyの自動起動設定と起動です｡

# systemctl enable postgrey
Created symlink from /etc/systemd/system/multi-user.target.wants/postgrey.service to /usr/lib/systemd/system/postgrey.service.

# systemctl start postgrey
# netstat -at --numeric-port | grep 10023
tcp        0      0 localhost:10023         0.0.0.0:*               LISTEN

# systemctl enable postgrey

Created symlink from /etc/systemd/system/multi-user.target.wants/postgrey.service to /usr/lib/systemd/system/postgrey.service.

# systemctl start postgrey

# netstat -at --numeric-port | grep 10023

tcp 0 0 localhost:10023 0.0.0.0:* LISTEN

postfixの再起動

postfixの再起動します｡

# systemctl restart postfix

1	# systemctl restart postfix

これでメールログにpostgreyが記録されれば動作しています｡

postfix/smtpd[2962]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx]: 450 4.2.0 : Recipient address rejected: Greylisted,……

postgeryのポート変更などオプション設定は/etc/sysconfig/postgreyに記述します｡

# cat /etc/sysconfig/postgrey
POSTGREY_OPTS="--delay=60"

1 2	# cat /etc/sysconfig/postgrey POSTGREY_OPTS="--delay=60"

デフォルトでは–delay=60が記載されています｡
これは拒否後に60秒経過してから再送してきたメールを受信することになります｡ちなみにpostgreyでのデフォルトは5分です｡

Greylisting HOWTO
https://wiki.centos.org/HowTos/postgrey

By default, the amount of time by which Postgrey will reject new messages is set to 5 minutes but we can change this using the –delay switch. There is a trade off in that the longer the time the more chance of rejecting spam but also the longer legitimate mail will be delayed for the first time. It might be worth initially setting this value to 1 minute (60 seconds) and subsequently increasing the value once Postgrey has built a database of regular mail contacts for your server. Setting your delay to values larger than 300 Seconds ( 5 Minutes ) is really not recommended. To manually set the delay (in seconds), we need to create the Postgrey configuration file at /etc/sysconfig/postgrey and append the –delay switch as shown below (see ‘man postgrey’ for a full list of options):

以下超意訳
時間が長いほどスパムの拒否率は向上するけど､正規のメールの到着がその分遅延することになります｡
最初は1分ぐらいにして､データベースが充実してきたら値を大きくするのが最善かもしれませんが､ただ5分以上にするのはお勧めしません｡

POSTGREY(8)                           Postgrey Policy Server for Postfix                           POSTGREY(8)

NAME
       postgrey - Postfix Greylisting Policy Server

SYNOPSIS
       postgrey [options...]

        -h, --help              display this help and exit
            --version           output version information and exit
        -v, --verbose           increase verbosity level
            --syslog-facility   Syslog facility to use (default mail)
        -q, --quiet             decrease verbosity level
        -u, --unix=PATH         listen on unix socket PATH
        -i, --inet=[HOST:]PORT  listen on PORT, localhost if HOST is not specified
        -d, --daemonize         run in the background
            --pidfile=PATH      put daemon pid into this file
            --user=USER         run as USER (default: postgrey)
            --group=GROUP       run as group GROUP (default: postgrey)
            --dbdir=PATH        put db files in PATH (default: /var/spool/postfix/postgrey)
            --delay=N           greylist for N seconds (default: 300)
            --max-age=N         delete entries older than N days since the last time
                                that they have been seen (default: 35)
            --retry-window=N    allow only N days for the first retrial (default: 2)
                                append 'h' if you want to specify it in hours
            --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
            --greylist-text=TXT response when a mail is greylisted
                                (default: Greylisted + help url, see below)
            --lookup-by-subnet  strip the last 8 bits from IP addresses (default)
            --lookup-by-host    do not strip the last 8 bits from IP addresses
            --privacy           store data using one-way hash functions
            --hostname=NAME     set the hostname (default: `hostname`)
            --exim              don't reuse a socket for more than one query (exim compatible)
            --whitelist-clients=FILE     default: /etc/postfix/postgrey_whitelist_clients
            --whitelist-recipients=FILE  default: /etc/postfix/postgrey_whitelist_recipients
            --auto-whitelist-clients=N   whitelist host after first successful delivery
                                         N is the minimal count of mails before a client is
                                         whitelisted (turned on by default with value 5)
                                         specify N=0 to disable.
            --listen-queue-size=N        allow for N waiting connections to our socket
            --x-greylist-header=TXT      header when a mail was delayed by greylisting
                                         default: X-Greylist: delayed <seconds> seconds by postgrey-<version> at <server>; <date>

        Note that the --whitelist-x options can be specified multiple times,
        and that per default /etc/postfix/postgrey_whitelist_clients.local is
        also read, so that you can put there local entries.

DESCRIPTION
       Postgrey is a Postfix policy server implementing greylisting.

       When a request for delivery of a mail is received by Postfix via SMTP, the triplet "CLIENT_IP" /
       "SENDER" / "RECIPIENT" is built. If it is the first time that this triplet is seen, or if the triplet
       was first seen less than delay seconds (300 is the default), then the mail gets rejected with a
       temporary error. Hopefully spammers or viruses will not try again later, as it is however required per
       RFC.

       Note that you shouldn't use the --lookup-by-host option unless you know what you are doing: there are a
       lot of mail servers that use a pool of addresses to send emails, so that they can change IP every time
       they try again. That's why without this option postgrey will strip the last byte of the IP address when
       doing lookups in the database.

   Installation
       o   Create a "postgrey" user and the directory where to put the database dbdir (default:
           "/var/spool/postfix/postgrey")

       o   Write an init script to start postgrey at boot and start it. Like this for example:

            postgrey --inet=10023 -d

           contrib/postgrey.init in the postgrey source distribution includes a LSB-compliant init script by
           Adrian von Bidder for the Debian system.

       o   Put something like this in /etc/main.cf:

            smtpd_recipient_restrictions =
                          permit_mynetworks
                          ...
                          reject_unauth_destination
                          check_policy_service inet:127.0.0.1:10023

       o   Install the provided postgrey_whitelist_clients and postgrey_whitelist_recipients in /etc/postfix.

       o   Put in /etc/postfix/postgrey_whitelist_recipients users that do not want greylisting.

   Whitelists
       Whitelists allow you to specify client addresses or recipient address, for which no greylisting should
       be done. Per default postgrey will read the following files:

        /etc/postfix/postgrey_whitelist_clients
        /etc/postfix/postgrey_whitelist_clients.local
        /etc/postfix/postgrey_whitelist_recipients

       You can specify alternative paths with the --whitelist-x options.

       Postgrey whitelists follow similar syntax rules as Postfix access tables.  The following can be
       specified for recipient addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       name@     "name@.*" and extended addresses "name+blabla@.*".

       name@domain.addr
                 "name@domain.addr" and extended addresses.

       /regexp/  anything that matches "regexp" (the full address is matched).

       The following can be specified for client addresses:

       domain.addr
                 "domain.addr" domain and subdomains.

       IP1.IP2.IP3.IP4
                 IP address IP1.IP2.IP3.IP4. You can also leave off one number, in which case only the first
                 specified numbers will be checked.

       IP1.IP2.IP3.IP4/MASK
                 CIDR-syle network. Example: 192.168.1.0/24

       /regexp/  anything that matches "regexp" (the full address is matched).

   Auto-whitelisting clients
       With the option --auto-whitelist-clients a client IP address will be automatically whitelisted if the
       following conditions are met:

       o   At least 5 successfull attempts of delivering a mail (after greylisting was done). That number can
           be changed by specifying a number after the --auto-whitelist-clients argument. Only one attempt per
           hour counts.

       o   The client was last seen before --max-age days (35 per default).

   Greylist Action
       To set the action to be returned to postfix when a message fails postgrey's tests and should be
       deferred, use the --greylist-action=ACTION option.

       By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to check the rest of the
       restrictions and defer the message only if it would otherwise be accepted.  A delay action of 451
       causes postfix to always defer the message with an SMTP reply code of 451 (temp fail).

       See the postfix manual page access(5) for a discussion of the actions allowed.

   Greylist Text
       When a message is greylisted, an error message like this will be sent at the SMTP-level:

        Greylisted, see http://postgrey.schweikert.ch/help/example.com.html

       Usually no user should see that error message and the idea of that URL is to provide some help to
       system administrators seeing that message or users of broken mail clients which try to send mails
       directly and get a greylisting error. Note that the default help-URL contains the original recipient
       domain (example.com), so that domain-specific help can be presented to the user (on the default page it
       is said to contact postmaster@example.com)

       You can change the text (and URL) with the --greylist-text parameter. The following special variables
       will be replaced in the text:

       %s  How many seconds left until the greylisting is over (300).

       %r  Mail-domain of the recipient (example.com).

   Greylist Header
       When a message is greylisted, an additional header can be prepended to the header section of the mail:

        X-Greylist: delayed %t seconds by postgrey-%v at %h; %d

       You can change the text with the --x-greylist-header parameter. The following special variables will be
       replaced in the text:

       %t  How many seconds the mail has been delayed due to greylisting.

       %v  The version of postgrey.

       %d  The date.

       %h  The host.

   Privacy
       The --privacy option enable the use of a SHA1 hash function to store IPs and emails in the greylisting
       database.  This will defeat straight forward attempts to retrieve mail user behaviours.

   SEE ALSO
       See <http://www.greylisting.org/> for a description of what greylisting is and
       <http://www.postfix.org/SMTPD_POLICY_README.html> for a description of how Postfix policy servers work.

COPYRIGHT
       Copyright (c) 2004-2007 by ETH Zurich. All rights reserved.  Copyright (c) 2007 by Open Systems AG. All
       rights reserved.

LICENSE
       This program is free software; you can redistribute it and/or modify it under the terms of the GNU
       General Public License as published by the Free Software Foundation; either version 2 of the License,
       or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along with this program; if not,
       write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

AUTHOR
       David Schweikert <david@schweikert.ch>

perl v5.16.3                                      2014-02-07                                       POSTGREY(8)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

POSTGREY(8) Postgrey Policy Server for Postfix POSTGREY(8)

NAME

postgrey - Postfix Greylisting Policy Server

SYNOPSIS

postgrey [options...]

-h, --help display this help and exit

--version output version information and exit

-v, --verbose increase verbosity level

--syslog-facility Syslog facility to use (default mail)

-q, --quiet decrease verbosity level

-u, --unix=PATH listen on unix socket PATH

-i, --inet=[HOST:]PORT listen on PORT, localhost if HOST is not specified

-d, --daemonize run in the background

--pidfile=PATH put daemon pid into this file

--user=USER run as USER (default: postgrey)

--group=GROUP run as group GROUP (default: postgrey)

--dbdir=PATH put db files in PATH (default: /var/spool/postfix/postgrey)

--delay=N greylist for N seconds (default: 300)

--max-age=N delete entries older than N days since the last time

that they have been seen (default: 35)

--retry-window=N allow only N days for the first retrial (default: 2)

append 'h' if you want to specify it in hours

--greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)

--greylist-text=TXT response when a mail is greylisted

(default: Greylisted + help url, see below)

--lookup-by-subnet strip the last 8 bits from IP addresses (default)

--lookup-by-host do not strip the last 8 bits from IP addresses

--privacy store data using one-way hash functions

--hostname=NAME set the hostname (default: `hostname`)

--exim don't reuse a socket for more than one query (exim compatible)

--whitelist-clients=FILE default: /etc/postfix/postgrey_whitelist_clients

--whitelist-recipients=FILE default: /etc/postfix/postgrey_whitelist_recipients

--auto-whitelist-clients=N whitelist host after first successful delivery

N is the minimal count of mails before a client is

whitelisted (turned on by default with value 5)

specify N=0 to disable.

--listen-queue-size=N allow for N waiting connections to our socket

--x-greylist-header=TXT header when a mail was delayed by greylisting

default: X-Greylist: delayed <seconds> seconds by postgrey-<version> at <server>; <date>

Note that the --whitelist-x options can be specified multiple times,

and that per default /etc/postfix/postgrey_whitelist_clients.local is

also read, so that you can put there local entries.

DESCRIPTION

Postgrey is a Postfix policy server implementing greylisting.

When a request for delivery of a mail is received by Postfix via SMTP, the triplet "CLIENT_IP" /

"SENDER" / "RECIPIENT" is built. If it is the first time that this triplet is seen, or if the triplet

was first seen less than delay seconds (300 is the default), then the mail gets rejected with a

temporary error. Hopefully spammers or viruses will not try again later, as it is however required per

RFC.

Note that you shouldn't use the --lookup-by-host option unless you know what you are doing: there are a

lot of mail servers that use a pool of addresses to send emails, so that they can change IP every time

they try again. That's why without this option postgrey will strip the last byte of the IP address when

doing lookups in the database.

Installation

o Create a "postgrey" user and the directory where to put the database dbdir (default:

"/var/spool/postfix/postgrey")

o Write an init script to start postgrey at boot and start it. Like this for example:

postgrey --inet=10023 -d

contrib/postgrey.init in the postgrey source distribution includes a LSB-compliant init script by

Adrian von Bidder for the Debian system.

o Put something like this in /etc/main.cf:

smtpd_recipient_restrictions =

permit_mynetworks

...

reject_unauth_destination

check_policy_service inet:127.0.0.1:10023

o Install the provided postgrey_whitelist_clients and postgrey_whitelist_recipients in /etc/postfix.

o Put in /etc/postfix/postgrey_whitelist_recipients users that do not want greylisting.

Whitelists

Whitelists allow you to specify client addresses or recipient address, for which no greylisting should

be done. Per default postgrey will read the following files:

/etc/postfix/postgrey_whitelist_clients

/etc/postfix/postgrey_whitelist_clients.local

/etc/postfix/postgrey_whitelist_recipients

You can specify alternative paths with the --whitelist-x options.

Postgrey whitelists follow similar syntax rules as Postfix access tables. The following can be

specified for recipient addresses:

domain.addr

"domain.addr" domain and subdomains.

name@ "name@.*" and extended addresses "name+blabla@.*".

name@domain.addr

"name@domain.addr" and extended addresses.

/regexp/ anything that matches "regexp" (the full address is matched).

The following can be specified for client addresses:

domain.addr

"domain.addr" domain and subdomains.

IP1.IP2.IP3.IP4

IP address IP1.IP2.IP3.IP4. You can also leave off one number, in which case only the first

specified numbers will be checked.

IP1.IP2.IP3.IP4/MASK

CIDR-syle network. Example: 192.168.1.0/24

/regexp/ anything that matches "regexp" (the full address is matched).

Auto-whitelisting clients

With the option --auto-whitelist-clients a client IP address will be automatically whitelisted if the

following conditions are met:

o At least 5 successfull attempts of delivering a mail (after greylisting was done). That number can

be changed by specifying a number after the --auto-whitelist-clients argument. Only one attempt per

hour counts.

o The client was last seen before --max-age days (35 per default).

Greylist Action

To set the action to be returned to postfix when a message fails postgrey's tests and should be

deferred, use the --greylist-action=ACTION option.

By default, postgrey returns DEFER_IF_PERMIT, which causes postfix to check the rest of the

restrictions and defer the message only if it would otherwise be accepted. A delay action of 451

causes postfix to always defer the message with an SMTP reply code of 451 (temp fail).

See the postfix manual page access(5) for a discussion of the actions allowed.

Greylist Text

When a message is greylisted, an error message like this will be sent at the SMTP-level:

Greylisted, see http://postgrey.schweikert.ch/help/example.com.html

Usually no user should see that error message and the idea of that URL is to provide some help to

system administrators seeing that message or users of broken mail clients which try to send mails

directly and get a greylisting error. Note that the default help-URL contains the original recipient

domain (example.com), so that domain-specific help can be presented to the user (on the default page it

is said to contact postmaster@example.com)

You can change the text (and URL) with the --greylist-text parameter. The following special variables

will be replaced in the text:

%s How many seconds left until the greylisting is over (300).

%r Mail-domain of the recipient (example.com).

Greylist Header

When a message is greylisted, an additional header can be prepended to the header section of the mail:

X-Greylist: delayed %t seconds by postgrey-%v at %h; %d

You can change the text with the --x-greylist-header parameter. The following special variables will be

replaced in the text:

%t How many seconds the mail has been delayed due to greylisting.

%v The version of postgrey.

%d The date.

%h The host.

Privacy

The --privacy option enable the use of a SHA1 hash function to store IPs and emails in the greylisting

database. This will defeat straight forward attempts to retrieve mail user behaviours.

RootLinks Co., Ltd.

CentOS 7のPostfixにpostgreyを導入

Leave a Reply Cancel Reply

2017年4月
日	月	火	水	木	金	土
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30

RootLinks Co., Ltd.

CentOS 7のPostfixにpostgreyを導入

Related posts:

Leave a Reply Cancel Reply