Postgrey - Greylisting In Postfix on Ubuntu (Debian)

A lot of mail server admins have been forced to implement some form of spam checks at the SMTP level. Some of the implementations are quite demented and probably do more harm than good, whereas others are extremely sane.

Greylisting, however, seems to be a very good idea. Basically the concept is based on spammers' idiocy or lack of patience (take your pick). Most spammers use brute-force methods to send as much mail as possible at one time. Delivery rates don't really matter. If you think about the number of Viagra ads they've got to send out at one time you can see why that would be the case.

A properly configured mail server, however, "cares" if mail is delivered or not and so will keep retrying (up to a certain limit and depending on the SMTP response). A mail server using greylisting will basically tell servers sending mail to it to go away for X seconds before allowing them to resend the mail and actually accepting it.

An example SMTP transaction with greylisting enabled:

    Oct 7 00:24:47 sicilia postfix/smtpd[15309]: connect from xxx.blacknight.ie[217.xxx.xxx.xx]
    Oct 7 00:24:47 sicilia postfix/smtpd[15309]: NOQUEUE: reject: RCPT from xx.blacknight.ie[217.xxx.xxx.xx]: 450 : Client host rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help); from= to= proto=ESMTP helo=
    Oct 7 00:24:47 sicilia postfix/smtpd[15309]: disconnect from xx.blacknight.ie[217.xxx.xxx.xx]

300 seconds later the sending mail server can try again and the mail will be accepted. If the sender were a spammer they probably wouldn't retry.

Getting this working on Ubuntu with postfix is very easy:

    apt-get install postgrey

This installs the greylisting daemon for postfix and starts it.

You should be able to see that it is running with the following command:

    netstat -anp | grep 60000

It should return something like:

    tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 14321/postgrey.pid

The final step of the configuration is to add a couple of lines to postfix's main.cf:

    smtpd_recipient_restrictions =
        reject_unauth_destination
        check_policy_service inet:127.0.0.1:60000

Don't forget to reload postfix:

    /etc/init.d/postfix reload

You can whitelist your own network or any trusted mail servers by editing /etc/postgrey/whitelist_clients

This seems to work for me, but your mileage may vary.
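What the daemon behind check_policy_service does with each RCPT, as an added sketch that is not postgrey's code or part of the original post: Postfix sends name=value attributes ending in an empty line, and the service answers with an action. The Greylist class, the exact-IP whitelist and the sample addresses are assumptions made for illustration.

```python
DELAY = 300  # seconds a new triplet must wait, as in the log line in the post


def parse_request(raw):
    """Parse a Postfix policy delegation request (name=value lines) into a dict."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # an empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """Hypothetical, simplified greylisting policy keyed on the delivery triplet."""

    def __init__(self, delay=DELAY, whitelist_clients=()):
        self.delay = delay
        self.whitelist = set(whitelist_clients)  # exact IPs only (simplification)
        self.first_seen = {}  # (client, sender, recipient) -> time of first attempt

    def decide(self, raw, now):
        req = parse_request(raw)
        client = req.get("client_address", "")
        if client in self.whitelist:
            return "action=DUNNO\n\n"  # trusted client: never delayed
        triplet = (client, req.get("sender", "").lower(),
                   req.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        waited = now - first
        if waited >= self.delay:
            # The sender retried after the delay: leave the decision to later restrictions.
            return "action=DUNNO\n\n"
        remaining = self.delay - waited
        return "action=DEFER_IF_PERMIT Greylisted for %d seconds\n\n" % remaining


# Constructed sample request (documentation addresses, not taken from the post).
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)
```

A retry that arrives before the delay has passed is deferred again with the remaining time, which is why a sender that retries too aggressively still sees 450 responses.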

5 Comments

I'd been reading about greylisting, and your article gave me the push that I needed. I installed postgrey on my main web server and I'm amazed at how effective it is. The server load is much lower now, because SpamAssassin barely has any work to do. The amount of spam that actually makes it to the spam filter is at least 90% lower than it used to be.

Greylisting is useful, but you have to be very careful with setting up your whitelist or you could end up delaying legitimate mail too much.

You forgot '=' in check_policy_service directive. Replace line,

check_policy_service inet:127.0.0.1:60000
with
check_policy_service = inet:127.0.0.1:60000

Actually, he didn't forget the =. He forgot the comma between reject_unauth_destination and check_policy_service.

Derek and A.Gurcan: neither is necessary. No comma is needed because main.cf accepts indented multi-line configurations.


About this Entry

This page contains a single entry by Michele Neylon published on October 7, 2005 12:49 AM.
