head 1.67;

1.67
date 2012.05.05.00.42.32; author manu; state Exp;
branches;
next 1.66;

desc
@@

1.67
log
@Improve regex examples in documentation
@
text
@# $Id: README,v 1.66 2009/09/07 12:56:54 manu Exp $
###########################################################################

======================================
milter-greylist installation notes
$Date: 2009/09/07 12:56:54 $
======================================

Emmanuel Dreyfus

Table of contents:
==================
1 Building and installing milter-greylist
2 Configuring Sendmail with milter-greylist
3 Configuring Postfix with milter-greylist
4 Configuring milter-greylist
5 Trying it out for a few users
6 Running it for the whole site
7 Lists and per-ACL settings
8 Dealing with mail farms
9 Working with multiple MXs
10 Using DNSRBL
11 Building with SPF
12 Using DRAC
13 Using URL checks
14 Using LDAP natively
15 Using TLS
16 Using tarpit
17 Custom logs
18 Packaging
19 Things to look at if things get wrong
20 Known problems
21 License

Run this command to regenerate a table of contents:
    sed '/^.====/{g;p;};h;d' README

1 Building and installing milter-greylist
=========================================

This section deals with installing milter-greylist from sources. If you
want to generate an RPM, see section 16 of this document.

First, download the sources. You can get a tarball from
http://ftp.espci.fr/pub/milter-greylist or you can check out bleeding
edge source from milter-greylist CVS:
    cvs -danoncvs@@anoncvs.fr.netbsd.org:/milter-greylist co -P milter-greylist

Don't forget to set CVS_RSH=ssh if this is not your system default.

Build dependencies:
- flex (AT&T lex cannot build milter-greylist sources)
- yacc or bison (some older yacc will fail, use bison instead)
- libmilter (comes with Sendmail, or with the sendmail-devel package
  on RedHat, Fedora and SuSE.
  Debian and Ubuntu have it in libmilter-dev)
- Any POSIX threads library (Provided by libc on some systems)

Optional dependencies:
- libspf2, libspf_alt or libspf, for SPF support
- libcurl, for URL checks support
- libGeoIP, for GeoIP support
- libbind from BIND 9, for DNSRBL support, except if your system has a
  thread-safe DNS resolver built-in.

Before building milter-greylist, it might be wise to view the
configuration options by running:
    ./configure -help

To build milter-greylist, just do the usual
    ./configure && make && make install

If libpthread and libmilter are not automatically located, use
--with-libpthread and --with-libmilter flags to the configure script.
If you intend to run milter-greylist under an unprivileged UID, use the
--with-user flag.

A Makefile is supplied in the distribution in case you run into real
trouble with configure and are unable to get it generating a Makefile
suited to your system. Of course this Makefile is not likely to work on
your system (it is configured for NetBSD-3.0) and it will probably need
manual tweaks.

On the make install step, the Makefile will install a default config
file in /etc/mail/greylist.conf, except if there is already such a file.
In that case the original file is preserved.

Great care is taken to maintain milter-greylist backward compatibility,
so no config file change should be necessary when upgrading: Just
replacing the milter-greylist binary and restarting the milter should be
enough.

Some startup scripts are available: rc-redhat.sh, rc-debian,
rc-gentoo.sh, rc-suse.sh for Linux, rc-bsd.sh for NetBSD and FreeBSD,
and rc-solaris.sh for Solaris. They are not installed by default; you
have to install the startup script manually if you want to use one.

2 Configuring Sendmail with milter-greylist
===========================================

You need a few options in sendmail.cf to use milter-greylist:

    O InputMailFilters=greylist
    Xgreylist, S=local:/var/milter-greylist/milter-greylist.sock
    O Milter.macros.connect=j,{if_addr}
    O Milter.macros.envfrom=i

If you use SPF, DNSRBL or urlchecks, then milter-greylist can spend a
lot of time waiting for DNS lookups to complete. This may lead to
sendmail reporting timeout errors. If you see such messages, consider
setting a timeout larger than the default (see Sendmail's milter
documentation for more details on timeout settings):

    Xgreylist, S=local:/var/milter-greylist/milter-greylist.sock, T=R:1m

Note that InputMailFilters and Milter.macros.* options are shared with
other milters, and the other milters you have set up may require
additional macros. Therefore you need to merge what milter-greylist
needs with what other milters need. If you just copy the lines proposed
in this file, this is likely to break other milters' setup. In this
section we simply list the macros milter-greylist requires. Your default
sendmail.cf is likely to already contain the proper Milter.macros.*
setup.

If you want to bypass greylisting for users that succeeded SMTP AUTH,
you also need {auth_authen} in Milter.macros.envfrom:

    O Milter.macros.envfrom=i, {auth_authen}

If you want to bypass greylisting for users that use STARTTLS with a
client certificate, you also need {verify} and {cert_subject} in
Milter.macros.helo:

    O Milter.macros.helo={verify},{cert_subject}

If you want to use Sendmail access DB as a whitelisting source, you will
need {greylist} too. milter-greylist will whitelist a message when the
{greylist} macro is defined and set as WHITE.

    O Milter.macros.envrcpt={greylist}

When using access DB as a whitelisting source, you will also need some
rules for the ruleset "Local_check_rcpt" which assign a value to the
macro {greylist}.

    Kstorage macro

    SLocal_check_rcpt
    R$+	$: $(storage {greylist} $) $&{client_addr}
    R$+	$: $>A <$1> <+Connect> <$1>
    R<$+> <$*>	$: $(storage {greylist} $@@ $1 $) $2

Alternatively, you can use the following m4 macro definitions if you
build sendmail.cf with m4 (contributed by Hubert Ulliac). Here again,
confMILTER_MACROS_* are shared with other milters, so you need to merge
the definitions with what other milters require. Just copying the lines
below is likely to cause other milters to malfunction.

    INPUT_MAIL_FILTER(`greylist', `S=local:/var/milter-greylist/milter-greylist.sock')
    define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
    define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
    define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
    define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

Ivan F. Martinez contributed the milter-greylist.m4 file that includes
those definitions and will take care of adding the macros required by
milter-greylist instead of overwriting what has already been done. This
should simplify an automatic generation of sendmail.cf.

To add the rules for defining the {greylist} macro via m4, add the
following lines to your m4 input file:

    LOCAL_CONFIG
    Kstorage macro

    LOCAL_RULESETS
    SLocal_check_rcpt
    R$+	$: $(storage {greylist} $) $&{client_addr}
    R$+	$: $>A <$1> <+Connect> <$1>
    R<$+> <$*>	$: $(storage {greylist} $@@ $1 $) $2

Note that there must be tabs and no spaces before the "$:"!

3 Configuring Postfix with milter-greylist
==========================================

As Postfix currently does not provide milter library, you need to have
sendmail sources or development package installed.
See http://www.postfix.org/MILTER_README.html#limitations

Use --enable-postfix flag when configuring milter-greylist, or you can
build an rpm like this:
    rpmbuild --define "build_postfix 1" -tb milter-greylist-3.1.4.tgz

Add the following to postfix main.cf (customize for your needs):
    milter_default_action = accept
    milter_connect_macros = j
    milter_protocol = 3
    smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock

4 Configuring milter-greylist
=============================

Edit /etc/mail/greylist.conf, and add addr lines for at least localhost
and all your local network addresses. Here is an example:
    racl whitelist addr 127.0.0.0/8
    racl whitelist addr 192.0.2.0/24
    racl whitelist addr 10.0.0.0/8

Then consider adding addresses of all the friendly networks you get mail
from. By friendly networks, we mean networks with no spammers:
Universities are usually friendly, some companies are friendly, some
others are not, and dial-up and ADSL ISPs are definitely not friendly at
all.

For the sake of completeness, "racl" stands for RCPT-stage ACL. This
rule is evaluated on each of the RCPT stages of the SMTP transaction.
milter-greylist also supports "dacl", evaluated once after DATA stage.

5 Trying it out for a few users
===============================

Add some rcpt access-lists to /etc/mail/greylist.conf for the users that
want to try milter-greylist filtering. Here is an example:
    racl greylist rcpt John.Doe@@example.net
    racl greylist rcpt webmaster@@example.net
    racl greylist rcpt postmaster@@example.net

Then finish your ACL with the default rule: here, anything that is not
for John.Doe@@example.net, webmaster@@example.net, or
postmaster@@example.net will not get greylisted:
    racl whitelist default

Now you can start milter-greylist:
    milter-greylist -u smmsp -p /var/milter-greylist/milter-greylist.sock

If you have trouble with the socket file, check the permissions of the
directory where the socket is located.
The default directory is /var/milter-greylist and it should be chmod
0755 and owner smmsp, if you are running the milter as smmsp. If
permissions are wrong, sendmail will complain to syslog, stating the
directory is unsafe.

If sendmail complains it cannot connect to the milter because of a
connection refused, that either means that the milter is not running, or
that the socket location configured in sendmail.cf is not the same as
what was given to milter-greylist with the -p flag.

Sometimes, milter-greylist has trouble starting up because of a stale
socket file in /var/milter-greylist/milter-greylist.sock. Just removing
the socket and restarting milter-greylist should fix the problem.

You might want to add -v and -D to get more debugging output.

The -w flag is used to choose how long we will refuse a given message.
If you want to check that things work, try 10 seconds with -w10.

The -a option controls auto-whitelisting. Once a (sender IP, sender
e-mail, recipient e-mail) tuple has been accepted, it is marked
autowhitelisted, and similar tuples will be accepted with no retry for
one day. Using -a0 disables this feature.

6 Running it for the whole site
===============================

Remove the "racl greylist rcpt ..." lines from /etc/mail/greylist.conf,
and replace "racl whitelist default" by
    racl greylist default

Now greylisting is enabled for every recipient. If some of your users
don't want greylisting, add a "racl whitelist rcpt" line for them in
/etc/mail/greylist.conf. Make sure you put it before "racl greylist
default": ordering does matter, as the ACL rules are evaluated on a
first match wins basis.
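
The decision flow of sections 4 to 6, as an added Python model (it is not milter-greylist's own code and not part of the original README): first-match-wins ACL evaluation, then the -w delay and -a autowhitelisting on the (sender IP, sender, recipient) tuple. The match_bits parameter anticipates the -L option of section 8; all class, function and sample names are this example's own, and the sample ACL and delivery attempts are constructed.

```python
"""Toy model of greylisting as described in this README (added example)."""
import ipaddress
import re
from typing import NamedTuple


class Rule(NamedTuple):
    action: str       # "whitelist" or "greylist"
    kind: str         # "addr", "rcpt" or "default"
    value: str = ""   # CIDR block, exact address, or /regex/

    def matches(self, ip: str, rcpt: str) -> bool:
        if self.kind == "default":
            return True
        if self.kind == "addr":
            return ipaddress.ip_address(ip) in ipaddress.ip_network(self.value)
        if self.kind == "rcpt":
            if len(self.value) > 1 and self.value[0] == "/" == self.value[-1]:
                return re.search(self.value[1:-1], rcpt) is not None
            # Assumption of this model: exact addresses compare case-insensitively.
            return rcpt.casefold() == self.value.casefold()
        raise ValueError(f"unknown clause {self.kind!r}")


class Greylist:
    def __init__(self, rules, delay, autowhite=86400, match_bits=32):
        self.rules = list(rules)
        self.delay = delay            # -w: seconds a new tuple is refused
        self.autowhite = autowhite    # -a: seconds an accepted tuple is trusted, 0 = off
        self.match_bits = match_bits  # -L: IPv4 prefix length used to compare sender IPs
        self.pending = {}             # tuple -> time of the first attempt
        self.trusted = {}             # tuple -> autowhitelist expiry time

    def key(self, ip, sender, rcpt):
        addr = ipaddress.ip_address(ip)
        bits = self.match_bits if addr.version == 4 else 128  # -L is IPv4 only
        net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
        return (str(net.network_address), sender, rcpt)

    def check(self, ip, sender, rcpt, now):
        """Return "accept" or "tempfail" for one RCPT at time `now` (seconds)."""
        rule = next((r for r in self.rules if r.matches(ip, rcpt)), None)
        if rule is None:
            raise ValueError("ACL has no default rule")
        if rule.action == "whitelist":
            return "accept"
        k = self.key(ip, sender, rcpt)
        if self.trusted.get(k, 0) > now:
            return "accept"               # autowhitelisted, no retry needed
        first_seen = self.pending.setdefault(k, now)
        if now - first_seen < self.delay:
            return "tempfail"             # sender must retry later
        del self.pending[k]
        if self.autowhite:
            self.trusted[k] = now + self.autowhite
        return "accept"


# Constructed ACL mirroring the README: local networks first, one greylisted
# domain, everything else whitelisted. Order matters: first match wins.
RULES = [
    Rule("whitelist", "addr", "127.0.0.0/8"),
    Rule("whitelist", "addr", "192.0.2.0/24"),
    Rule("greylist", "rcpt", r"/@example\.net$/"),
    Rule("whitelist", "default"),
]

# Constructed attempts: (sender IP, sender, recipient, time in seconds).
# The retry comes from a sibling host of the same mail farm.
FARM = [
    ("198.51.100.7", "a@example.org", "john.doe@example.net", 0),
    ("198.51.100.9", "a@example.org", "john.doe@example.net", 20),
]


def replay(greylist, attempts):
    """Run a list of attempts through a Greylist and collect the decisions."""
    return [greylist.check(*attempt) for attempt in attempts]


if __name__ == "__main__":
    print(replay(Greylist(RULES, delay=10), FARM))                 # exact IP match
    print(replay(Greylist(RULES, delay=10, match_bits=24), FARM))  # like -L24
```

With exact IP matching the retry from the sibling host starts a new tuple and is refused again; with a /24 match mask it completes the original tuple and is accepted.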

If your mail server handles several domains and you want to enable
milter-greylist for a whole domain but not for everyone, this is
possible, just use a regular expression:
    racl greylist rcpt /@@example\.net$/
    racl whitelist default

7 Lists and per-ACL settings
============================

It is possible to have per-ACL greylisting and autowhitelisting
settings:
    racl greylist rcpt /@@example\.net$/ delay 15m autowhite 3d
    racl greylist default delay 30m autowhite 1d

Here, all messages to domain example.net will have a greylisting delay
of 15 minutes and will be autowhitelisted for 3 days, while messages to
other domains will be greylisted for 30 minutes and autowhitelisted for
one day.

milter-greylist is now also able to use lists, which is very useful for
factoring rules:
    list "users" rcpt { user1@@example.com user2@@example.com user3@@example.com }
    racl greylist list "users"
    racl whitelist default

Here messages sent to members of the "users" list will be greylisted,
while other messages will not.

These two advanced features were added in release 2.1.7 and may not be
fully stable.

8 Dealing with mail farms
=========================

Some Internet service providers such as Hotmail feature mail farms,
where several different machines are able to resend an e-mail. The
message is likely to be resent from different IP addresses, and this is
likely to break with milter-greylist.

The -L option is an ad-hoc hack for this problem. It provides
milter-greylist a CIDR mask to use when comparing IPv4 addresses. With
-L24, the match mask is 255.255.255.0, and any address in a class C
network is considered the same.

There is also a real fix for the problem: SPF. SPF is a DNS based
mechanism that enables domains to publish the identity of machines
allowed to send mail on behalf of the domain. milter-greylist knows how
to use SPF through libspf or libspf_alt.
See section 8 of this document: Building with SPF

Another workaround is simply to whitelist the netblocks allocated to
mail farms. As all machines in these IP address ranges are real SMTP
servers that will always resend their messages, there is no point in
greylisting them.

9 Working with multiple MXs
===========================

When running several MXs, the client should try each server after its
message gets refused, thus causing greylist entries creation on each MX.
Things should work, but with two minor problems:

* Some stupid clients don't try all the available MXs. In that
  situation, it could take some time before the message gets in, as the
  client might try a different MX each time and wait for several hours
  between the retries.

* After a message is accepted, its entry is removed for one MX, but not
  the others. Stale entries remain until being flushed because of a
  timeout. If a message with the same {IP, from, rcpt} gets in on an MX
  with a stale entry, it will be accepted immediately, and the
  X-Greylist header will report it had been delayed for some time.

In order to address these issues, milter-greylist is now able to sync
the greylist among different MXs. This can be configured in the
greylist.conf file, by adding one line per peer MX, like this:
    peer 192.0.2.17
    peer 192.0.2.18

If you have firewalls between your MXs, you should enable TCP
connections in both directions between random unprivileged source ports
and destination port 5252.

10 Using DNSRBL
===============

milter-greylist can use a DNSRBL to decide whether a host should be
greylisted or whitelisted. For instance, let us say that you want to
greylist any host appearing in the SORBS dynamic pool list (this
includes DSL and cable pools).
You would do this:
    # if IP 192.0.2.18 is positive, then nslookup of 18.2.0.192.dnsbl.sorbs.net
    # returns 127.0.0.10
    dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
    racl greylist dnsrbl "SORBS DUN"

You can combine it with variable greylisting delays so that dynamic
hosts get a greylisting delay of 12 hours while other hosts only get 15
minutes:
    dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
    racl greylist dnsrbl "SORBS DUN" delay 12h
    racl greylist default delay 15m

This feature was introduced in milter-greylist 2.1.7 and may not be
fully stable. You need the --enable-dnsrbl flag to configure to use it.

You must link milter-greylist with a thread-safe resolver, else the
milter will be unstable (see the explanation in the SPF section). If
your resolver is not thread safe, install BIND9, and use --with-libbind.
If you know your resolver is thread-safe but configure tells otherwise
(because you lack the res_ninit() function), then use
--with-thread-safe-resolver.

If you install BIND9, make sure it includes libbind.a, since this is
what milter-greylist needs. libbind.a is not created in BIND9 default
build setup, so you might not have it in a precompiled package. If you
cannot find a package that contains libbind.a, then you have to rebuild
BIND9 from sources, using the --enable-libbind flag to BIND9's
configure.

11 Building with SPF
====================

milter-greylist can use either libspf or libspf2 to perform SPF checks.
Use --with-libspf=DIR or --with-libspf2=DIR to enable this feature. DIR
must be the base directory where include and lib directories containing
the headers and library can be found.

If you want to link with an older version of libspf2, you will need one
of the following configure flags:
    For older libspf_alt:                 --with-libspf_alt=DIR
    For older libspf2 up to version 1.0:  --with-libspf2_10=DIR
    For newer libspf2:                    --with-libspf2=DIR

WARNING: milter-greylist is a multithreaded program. The external
functions it uses must be thread-safe.
While libspf and libspf_alt contain only thread-safe code, they use the
DNS resolver. By default, the DNS resolver from libc or libresolv is
used. If this resolver is not thread-safe, milter-greylist with SPF will
quickly crash or hang.

You need to make sure that libspf or libspf_alt are linked against a
thread-safe DNS resolver. For instance, NetBSD-1.6.2 libc-supplied
resolver is from BIND 4, and it is not thread safe. In order to get a
stable milter-greylist, you need to link with a BIND 8.2 or higher
resolver.

When building with libspf_alt-0.4, you might encounter problems if
libbind is only available as a static library. It seems to be the
default with BIND 8, which causes trouble. BIND 9 is fine.

12 Using DRAC
=============

milter-greylist can be built with DRAC (Dynamic Relay Authorization
Control) support, by giving the --enable-drac flag to configure.
Location of the DRAC DB file can be chosen at build time with
--with-dracdb=PATH, and at runtime with the drac db "PATH" configuration
file option. If built-in, DRAC can be disabled by the nodrac
configuration file option.

More information on DRAC can be obtained at
http://mail.cc.umanitoba.ca/drac/

13 Using URL checks
===================

ACLs can cause URL lookups:
    urlcheck "mytest" "http://www.example.net/mgl.php?rcpt=%r+ip=%i" 10
    racl greylist urlcheck "mytest"

Each ACL evaluation will spawn a request to
http://www.example.net/mgl.php?rcpt=%r+ip=%i, with
    %r replaced by recipient e-mail
    %i replaced by IP address

You can also substitute domain, sender address, and various other data,
including any sendmail macro. Check the greylist.conf(5) man page for
details.

The trailing 10 is the maximum number of simultaneous connections you
want to have.

The mgl.php script signals a match by sending back this:
    milterGreylistStatus: Ok

Even better, you can send settings in the reply:
    milterGreylistStatus: Ok
    milterGreylistDelay: 1h

autowhite, code, ecode, flushaddr and msg can be overloaded.
You can even overload the ACL action (i.e. turning a greylist ACL into a
blacklist action), see the man page for details.

Something to note: the reply format is LDIF-like. It was chosen so that
the URL could be a ldap:// query, though this has not been experimented
yet.

14 Using LDAP natively
======================

It is possible to use URL checks against an LDAP URL, but that method
has some drawbacks:
- This uses CURL, which must be built with LDAP support
- There might be thread-safety problems. A workaround is to use the fork
  option of urlcheck statement, so that milter-greylist forks a pool of
  instances to perform queries. This may not be very reliable on some
  setups.
- It is not possible to fallback to another server if the LDAP directory
  goes down.

milter-greylist can also support LDAP natively, using OpenLDAP
libraries, if configure --with-openldap is used. Here is an example that
pulls a per-user sender whitelist from the directory:
    ldapconf "ldapi:// ldaps://ldap.example.net"
    ldapcheck "mytest" "ldap://ldap.example.net/o=example?whitelist?sub?mail=%r"
    racl whitelist ldapcheck "mytest" $whitelist "%f"
    racl greylist default

The ldapconf statement is used to list LDAP servers. If one goes down,
another will be contacted. For ldaps:// URLs, certificate information is
taken from system ldap.conf.

ldapcheck definition works like urlcheck with the getprop option (see
the man page for details). Note that the scheme and host parts of the
URL are just ignored: information from ldapconf is used instead.

15 Using TLS
==============

Using the "tls" clause, an ACL could match any email that succeeded TLS
check in sendmail (STARTTLS giving "verify=OK"). This assumes you
already have TLS working in sendmail.
    racl whitelist tls "DN1"
    racl whitelist tls "DN2"
or
    list "trusted" tls { "DN1" "DN2" }
    racl whitelist list "trusted"

A DN has a special syntax.
If you used the 'update_tls' script provided with sendmail to generate your certificates, your DN should look like this:

  "/O=Sendmail/OU=Sendmail+20Client/CN=machine.example.net/emailAddress=admin@@machine.example.net"

Note that it's the "client" certificate (of the remote server) that is used, as (the local) sendmail is acting as server during that transaction.

To find the DN of any certificate, you can use the openssl command:

  $ openssl x509 -noout -issuer < some.crt | cut -d' ' -f2- | sed -e 's/ /+20/g'


16 Using tarpit
===============

'tarpit' is an anti-spam technique that relies on lazy (deliberately delayed) responses.

  racl whitelist tarpit 65s

This ACL means that clients that can wait 65s for a response are whitelisted. If those clients connect again, they are accepted without a lazy response because they are in the auto-whitelist. If clients that couldn't wait for a lazy response connect again, the ACL doesn't match.

  racl whitelist tarpit 65s
  racl greylist default

These ACLs mean that clients that can wait for a lazy response or resend a message are acceptable.

  racl greylist tarpit 10s

This ACL means that clients must wait 10s for a response and then pass greylisting. If clients that couldn't wait for a lazy response connect again, the ACL doesn't match.

  racl greylist tarpit 10s
  racl blacklist default

These ACLs mean that clients must wait for a lazy response and pass greylisting. Otherwise they are rejected.

There is a 'tarpit_scope' configuration parameter. It controls how tarpitted time is counted. Available values are 'session' and 'command'. 'session' means that tarpitted time is counted per SMTP session. 'command' means that tarpitted time is counted per SMTP command (request/response). The default is 'session'.

  racl whitelist rcpt user1@@example.com tarpit 10s
  racl whitelist rcpt user2@@example.com tarpit 30s
  racl whitelist rcpt user3@@example.com tarpit 15s

The following assumes that a client sends a mail to user1@@example.com, user2@@example.com and user3@@example.com in one SMTP session while those ACLs are in use.

'session' case:

milter-greylist waits 10s before returning a response for user1@@example.com. Then milter-greylist waits 20s before returning a response for user2@@example.com. 20s is 30s (tarpit time for user2@@example.com) - 10s (tarpit time for user1@@example.com): milter-greylist waits only 20s because it has already waited 10s. Then milter-greylist doesn't wait before returning a response for user3@@example.com, because a total of 30s has already been waited in this SMTP session.

  user1@@example.com: tarpit 10s
  user2@@example.com: tarpit 20s
  user3@@example.com: not tarpitted

'command' case:

milter-greylist waits 10s before returning a response for user1@@example.com. Then milter-greylist waits 30s before returning a response for user2@@example.com. Time waited in the previous SMTP command is not counted. Then milter-greylist doesn't wait before returning a response for user3@@example.com, because more than 10s has already been waited in another SMTP command.

  user1@@example.com: tarpit 10s
  user2@@example.com: tarpit 30s
  user3@@example.com: not tarpitted


17 Custom logs
==============

It is possible to monitor milter-greylist activity with a custom log format. You can choose where the output is sent (file or external command), and the output format.

If you have this in greylist.conf:

  stat ">>/var/log/milter-greylist.log" "%T{%T} %i:%f:%r:%S\n"

On each mail, this will give you a line like this in milter-greylist.log:

  10:08:04 192.0.2.16:spammer@@evil.com:postmaster@@example.net:reject

Another example, to send the data to the local7 facility of syslog, using the external command logger:

  stat "|logger -p local7.info" "%i:%f:%r:%S\n"

Substitutions are the same as in URL checks (%i becomes sender IP, %f becomes sender e-mail, %r becomes recipient, and so on). A few nifty additions:

  %T{format} is substituted by strftime(3) time format.
      So %T{%F %T} gives you a date/time in the following format: YYYY-MM-DD HH:MM:SS
  %S is substituted by the action milter-greylist chose: accept, tempfail or reject
  %A is substituted by the line number of the ACL that caused the decision


18 Packaging
============

milter-greylist is available from NetBSD pkgsrc and FreeBSD ports.

A .spec file is included in the distribution to build an RPM for RedHat Linux. This is achieved by running rpmbuild on the milter-greylist source tarball:

  rpmbuild -tb milter-greylist-3.1.4.tgz

You can define build_user, build_postfix, build_dnsrbl, build_libbind. For example, to build with DNSRBL support and choose smmsp as the user that will run milter-greylist, use:

  rpmbuild --define "build_user smmsp" --define "build_dnsrbl 1" \
    -tb milter-greylist-3.1.4.tgz


19 Things to look at if things get wrong
========================================

First, read the milter-greylist(8) and greylist.conf(5) man pages! :-)
Second, reread the installation notes at the beginning of this file! ;-)

Each message will get an X-Greylist header indicating either how long the message has been delayed, or that it has been passed through because of whitelisting. It looks something like this:

For messages which were delayed because of greylisting:

  X-Greylist: Delayed for 00:53:21 by milter-greylist-M.m (mail.example.net [192.0.2.16]); Wed, 3 Mar 2004 17:01:06 -0000

For messages which were not delayed because of whitelisting (e.g.
they are whitelisted in the configuration file):

  X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-M.m (mail.example.net [192.0.2.16]); Wed, 3 Mar 2004 17:01:06 -0000
  X-Greylist: Sender DNS name whitelisted, not delayed by milter-greylist-M.m (mail.example.net [192.0.2.16]); Wed, 3 Mar 2004 17:01:06 -0000

For messages which were not delayed because of auto-whitelisting from a previously resent and accepted message:

  X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-M.m (mail.example.net [192.0.2.16]); Wed, 3 Mar 2004 17:01:06 -0000

where M.m is the major and minor version number of milter-greylist.

The file /var/milter-greylist/greylist.db is a dump of the greylist. It is done periodically and is used to restore state after milter-greylist has been restarted. The file contains an entry per line, with four columns: IP address, sender e-mail address, recipient e-mail address, and time when the message will be accepted (in seconds since 00:00:00 01-01-1970). Here is an example:

  10.0.23.1 1078344409

Additionally, you can find a human-readable time in the comment at the end of each line.

At the end of the file, you will find entries with the keyword AUTO at the end of the line. These are auto-whitelisted tuples. The date tells you when the entry will expire.

Examining the tail of this file may reveal problems with domains which use multiple MX servers or whose mail is actually served by another site.


20 Known problems
=================

If milter-greylist terminates during its operation, first check your system limits with ulimit (sh/ksh/bash) or limit (csh/tcsh). As it stores its complete database in memory, milter-greylist can eat a large amount of memory on a busy mail server. Each incoming connection uses a socket, so file descriptors can easily be exhausted too. Any resource shortage will cause milter-greylist to quit. This is not specific to milter-greylist; all milters do that.

When SPF support is compiled in, if milter-greylist hangs and/or crashes regularly, check that you linked your SPF library with a thread-safe resolver. This can be done by running nm(1) on milter-greylist: if nres_init is referenced, you are fine. If res_init is referenced, you are probably at risk.

When DNSRBL support is compiled in, you also need to make sure that milter-greylist itself is linked with a thread-safe resolver.

On Solaris 2.8, milter-greylist may grow out of memory rather quickly due to some bugs in the pthread nsl and socket libraries. It is strongly recommended that you install the latest revision of patch 108993 (sparc) or 108994 (x86). Solaris 9 and later do not seem to be affected. Solaris patches are available from

On Solaris, and on some IRIX releases, the file descriptor field of 's FILE structure is a char, and thus no more than 255 streams can be open at once. This will cause failures in milter-greylist when handling a large number of connections. If you are not sure whether your system is affected or not, check your system headers for the FILE definition. On Solaris, the problem only exists with the 32 bit ABI, so rebuilding milter-greylist with a 64 bit compiler will fix the problem. An alternative is to use the --enable-stdio-hack option to configure.

On IRIX, milter-greylist has to be compiled with the same ABI as libmilter. If libmilter was built with the MIPSpro compiler, milter-greylist should be too, because of binary incompatibility between gcc and the MIPSpro compilers. This can be achieved by invoking configure with the CC environment variable set to cc. This incompatibility may be fixed in gcc 3.4.


21 License
==========

This software is available under a 3-clause BSD license:

Copyright (c) 2004-2007 Emmanuel Dreyfus
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1.
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
       This product includes software developed by Emmanuel Dreyfus

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

If you run on a non-BSD system, two files with different licenses might be required for building or installing.

install-sh has a MIT BSD-like license:

Copyright 1991 by the Massachusetts Institute of Technology

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose.
It is provided "as is" without express or implied warranty.

queue.h has a 4 clause BSD license:

Copyright (c) 1991, 1993
     The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
       This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The configure script has the following license:

Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.

If you use the 32 bit ABI on Solaris and have heavy traffic, you will need the workaround for stdio's inability to use streams with an associated file descriptor above 255. The files implementing the workaround are fd_pool.c and fd_pool.h, and they have a 3 clause BSD license:

Copyright (c) 2007 Johann Klasek
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
       This product includes software developed by Johann Klasek

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The SpamAssassin binding requires the spamd.c file, which has a 3-clause BSD license:

Copyright (c) 2008 Manuel Badzong, Emmanuel Dreyfus
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
       This product includes software developed by Manuel Badzong

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
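
The 'session' and 'command' tarpit_scope arithmetic from the "Using tarpit" section, as an added Python example that is not part of milter-greylist or of its README. The recipients are the README's user1, user2 and user3 (local parts only); the 'command' rule used here (no delay once an earlier single command has already waited at least as long) and the client_patience parameter are assumptions inferred from the README's worked cases, not taken from the project's source.

```python
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Constructed from the README's three racl lines (local parts only):
# user1 tarpit 10s, user2 tarpit 30s, user3 tarpit 15s.
README_RULES = [("user1", 10), ("user2", 30), ("user3", 15)]


class RcptResult(NamedTuple):
    rcpt: str
    tarpit: int      # value configured on the matching racl line (seconds)
    waited: int      # seconds the client spent waiting on this RCPT
    completed: bool  # False if the client hung up before the reply came


def simulate(rules: Sequence[Tuple[str, int]],
             scope: str = "session",
             client_patience: Optional[int] = None) -> List[RcptResult]:
    """Walk the RCPT commands of one SMTP session in order.

    scope            'session' or 'command', as in tarpit_scope.
    client_patience  hypothetical per-command timeout of the sending
                     client; None models a client that always waits.
    """
    if scope not in ("session", "command"):
        raise ValueError("scope must be 'session' or 'command'")

    total_waited = 0   # 'session': sum of every delay served so far
    longest_wait = 0   # 'command': longest single delay served so far
    results: List[RcptResult] = []

    for rcpt, tarpit in rules:
        if tarpit < 0:
            raise ValueError("tarpit time cannot be negative")

        if scope == "session":
            # Time already spent in this session counts toward the tarpit.
            delay = max(0, tarpit - total_waited)
        else:
            # Earlier commands do not shorten the delay; they only waive it
            # when one of them alone was at least this long (assumption).
            delay = 0 if longest_wait >= tarpit else tarpit

        if client_patience is not None and delay > client_patience:
            # The client gives up mid-delay: the ACL does not match and
            # the remaining recipients are never evaluated.
            results.append(RcptResult(rcpt, tarpit, client_patience, False))
            break

        total_waited += delay
        longest_wait = max(longest_wait, delay)
        results.append(RcptResult(rcpt, tarpit, delay, True))

    return results


def delays(results: Sequence[RcptResult]) -> List[int]:
    """Seconds waited per recipient, in RCPT order."""
    return [r.waited for r in results]


def stall_time(results: Sequence[RcptResult]) -> int:
    """Total seconds the client was held during the session."""
    return sum(r.waited for r in results)


if __name__ == "__main__":
    for scope in ("session", "command"):
        run = simulate(README_RULES, scope)
        print(scope, delays(run), "total", stall_time(run))
    # A sender that drops any command taking longer than 25 seconds.
    for scope in ("session", "command"):
        run = simulate(README_RULES, scope, client_patience=25)
        print(scope, [(r.rcpt, r.waited, r.completed) for r in run])
```

With a 25-second client timeout the same three rules pass every recipient under 'session' but lose the client at user2 under 'command', which is the operational difference between the two scopes.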
@ 1.66 log @New tarpit feature (Kouhei Sutou) @ text @d1 1 a1 1 # $Id: README,v 1.65 2009/09/04 13:02:04 manu Exp $ d6 1 a6 1 $Date: 2009/09/04 13:02:04 $ d283 1 a283 1 racl greylist rcpt /.*@@example\.net/ d293 1 a293 1 racl greylist rcpt /.*@@example\.net/ delay 15m autowhite 3d @ 1.65 log @acl -> racl @ text @d1 1 a1 1 # $Id: README,v 1.64 2009/06/29 10:20:00 manu Exp $ d6 1 a6 1 $Date: 2009/06/29 10:20:00 $ d29 6 a34 5 16 Custom logs 17 Packaging 18 Things to look at if things get wrong 19 Known problems 20 License d551 76 d628 1 a628 1 16 Custom logs d654 1 a654 1 17 Packaging d664 2 a665 1 rpmbuild --define "build_user smmsp" --define "build_dnsrbl 1" -tb milter-greylist-3.1.4.tgz d668 1 a668 1 18 Things to look at if things get wrong d718 1 a718 1 19 Known problems d761 1 a761 1 20 License @ 1.64 log @bad section number in readme @ text @d1 1 a1 1 # $Id: README,v 1.63 2008/09/26 23:35:44 manu Exp $ d6 1 a6 1 $Date: 2008/09/26 23:35:44 $ d205 3 a207 3 acl whitelist addr 127.0.0.0/8 acl whitelist addr 192.0.2.0/24 acl whitelist addr 10.0.0.0/8 d215 3 d225 3 a227 3 acl greylist rcpt John.Doe@@example.net acl greylist rcpt webmaster@@example.net acl greylist rcpt postmaster@@example.net d233 1 a233 1 acl whitelist default d267 2 a268 2 Remove the "acl greylist rcpt ..." 
lines from /etc/mail/greylist.conf, and replace "acl whitelist default" by d270 1 a270 1 acl greylist default d273 1 a273 1 users don't want greylisting, add a "acl whitelist rcpt" line for them d275 1 a275 1 "acl greylist default": ordering does matter, as the ACL rules are d282 2 a283 2 acl greylist rcpt /.*@@example\.net/ acl whitelist default d292 2 a293 2 acl greylist rcpt /.*@@example\.net/ delay 15m autowhite 3d acl greylist default delay 30m autowhite 1d d304 2 a305 2 acl greylist list "users" acl whitelist default d381 1 a381 1 acl greylist dnsrbl "SORBS DUN" d387 2 a388 2 acl greylist dnsrbl "SORBS DUN" delay 12h acl greylist default delay 15m d462 1 a462 1 acl greylist urlcheck "mytest" d510 2 a511 2 acl whitelist ldapcheck "mytest" $whitelist "%f" acl greylist default d529 2 a530 2 acl whitelist tls "DN1" acl whitelist tls "DN2" d535 1 a535 1 acl whitelist list "trusted" @ 1.63 log @Spamassassin support and DATA-stage greylisting (Manuel Badzong) @ text @d1 1 a1 1 # $Id: README,v 1.62 2008/08/03 05:00:06 manu Exp $ d6 1 a6 1 $Date: 2008/08/03 05:00:06 $ d486 1 a486 1 15 Using LDAP natively @ 1.63.2.1 log @acl -> racl @ text @d1 1 a1 1 # $Id: README,v 1.63 2008/09/26 23:35:44 manu Exp $ d6 1 a6 1 $Date: 2008/09/26 23:35:44 $ d205 3 a207 3 racl whitelist addr 127.0.0.0/8 racl whitelist addr 192.0.2.0/24 racl whitelist addr 10.0.0.0/8 a214 3 For the sake of completeness, "racl" stands for RCPT-stage ACL. This rule is evaluated on each of the RCPT stages of the SMTP transaction. milter-greylist also supports "dacl", evaluated once after DATA stage. d222 3 a224 3 racl greylist rcpt John.Doe@@example.net racl greylist rcpt webmaster@@example.net racl greylist rcpt postmaster@@example.net d230 1 a230 1 racl whitelist default d264 2 a265 2 Remove the "racl greylist rcpt ..." 
lines from /etc/mail/greylist.conf, and replace "racl whitelist default" by d267 1 a267 1 racl greylist default d270 1 a270 1 users don't want greylisting, add a "racl whitelist rcpt" line for them d272 1 a272 1 "racl greylist default": ordering does matter, as the ACL rules are d279 2 a280 2 racl greylist rcpt /.*@@example\.net/ racl whitelist default d289 2 a290 2 racl greylist rcpt /.*@@example\.net/ delay 15m autowhite 3d racl greylist default delay 30m autowhite 1d d301 2 a302 2 racl greylist list "users" racl whitelist default d378 1 a378 1 racl greylist dnsrbl "SORBS DUN" d384 2 a385 2 racl greylist dnsrbl "SORBS DUN" delay 12h racl greylist default delay 15m d459 1 a459 1 racl greylist urlcheck "mytest" d507 2 a508 2 racl whitelist ldapcheck "mytest" $whitelist "%f" racl greylist default d526 2 a527 2 racl whitelist tls "DN1" racl whitelist tls "DN2" d532 1 a532 1 racl whitelist list "trusted" @ 1.62 log @Native LDAP support through OpenLDAP bump to 4.1.4 @ text @d1 1 a1 1 # $Id: README,v 1.61 2008/03/12 04:36:56 manu Exp $ d6 1 a6 1 $Date: 2008/03/12 04:36:56 $ d799 30 a828 1 / @ 1.61 log @Document what package contains libmilter @ text @d1 1 a1 1 # $Id: README,v 1.60 2007/12/17 12:02:04 manu Exp $ d6 1 a6 1 $Date: 2007/12/17 12:02:04 $ d27 7 a33 6 14 Using TLS 15 Custom logs 16 Packaging 17 Things to look at if things get wrong 18 Known problems 19 License d486 34 a519 1 14 Using TLS d548 1 a548 1 15 Custom logs d574 1 a574 1 16 Packaging d587 1 a587 1 17 Things to look at if things get wrong d637 1 a637 1 18 Known problems d680 1 a680 1 19 License @ 1.60 log @Fix typos in documentation (Constantine A. Murenin) @ text @d1 1 a1 1 # $Id: README,v 1.59 2007/10/23 11:06:03 manu Exp $ d6 1 a6 1 $Date: 2007/10/23 11:06:03 $ d53 3 a55 1 - libmilter (comes with Sendmail) @ 1.59 log @Document milter timeout, RPM generation @ text @d1 1 a1 1 # $Id: README,v 1.58 2007/10/05 10:29:29 manu Exp $ d6 1 a6 1 $Date: 2007/10/05 10:29:29 $ d92 1 a92 1 for Solaris. 
They are not installed by default; you have install the d209 1 a209 1 some other are not, and dial-up and ADSL ISPs are definitively not d582 1 a582 1 It is done on each change and is used to restore state after @ 1.59.2.1 log @Fix typos in documentation (Constantine A. Murenin) @ text @d1 1 a1 1 # $Id: README,v 1.59 2007/10/23 11:06:03 manu Exp $ d6 1 a6 1 $Date: 2007/10/23 11:06:03 $ d92 1 a92 1 for Solaris. They are not installed by default; you have to install the d209 1 a209 1 some others are not, and dial-up and ADSL ISPs are definitively not d582 1 a582 1 It is done periodically and is used to restore state after @ 1.59.2.2 log @Document what package contains libmilter @ text @d1 1 a1 1 # $Id: README,v 1.59.2.1 2007/12/17 12:03:02 manu Exp $ d6 1 a6 1 $Date: 2007/12/17 12:03:02 $ d53 1 a53 3 - libmilter (comes with Sendmail, or with the sendmail-devel package on RedHat, Fedora and SuSE. Debian and Ubuntu have it in libmilter-dev) @ 1.58 log @Typo @ text @d1 1 a1 1 # $Id: README,v 1.57 2007/10/03 11:03:12 manu Exp $ d6 1 a6 1 $Date: 2007/10/03 11:03:12 $ d40 3 d85 4 a88 1 a file. In that case the original file is preserved. d106 8 @ 1.57 log @Warn in README that bison may be required for building @ text @d1 1 a1 1 # $Id: README,v 1.56 2007/10/03 10:52:23 manu Exp $ d6 1 a6 1 $Date: 2007/10/03 10:52:23 $ d722 1 a722 1 fd_pool.c and fd_pool.h, and they have a 3 clause BDE license: @ 1.56 log @Workaround for Solaris 256 stream limitation (Johann E. Klasek) @ text @d1 1 a1 1 # $Id: README,v 1.55 2007/10/03 10:27:43 manu Exp $ d6 1 a6 1 $Date: 2007/10/03 10:27:43 $ d49 1 a49 1 - yacc or bison @ 1.55 log @Fix spelling errors (Nerijus Baliunas) @ text @d1 1 a1 1 # $Id: README,v 1.54 2007/09/25 11:08:09 manu Exp $ d6 1 a6 1 $Date: 2007/09/25 11:08:09 $ d620 1 d634 1 a634 2 Copyright (c) 2004 Emmanuel Dreyfus d661 1 d663 1 a663 2 be required for building or installing. The configure script has a different license as well. 
d718 32 @ 1.54 log @Add troubleshooting in README (Rogier Maas) @ text @d1 1 a1 1 # $Id: README,v 1.53 2007/05/25 03:46:06 manu Exp $ d6 1 a6 1 $Date: 2007/05/25 03:46:06 $ d223 1 a223 1 sendmail will complain to syslog, syslog stating the directory is unsafe. @ 1.53 log @Document ACL on TLS DN (Fabien Tassin) @ text @d1 1 a1 1 # $Id: README,v 1.52 2007/03/09 04:37:00 manu Exp $ d6 1 a6 1 $Date: 2007/03/09 04:37:00 $ d220 13 a232 1 the directory where the socket is located. @ 1.52 log @Fix whitelisting using access.db @ text @d1 1 a1 1 # $Id: README,v 1.51 2007/02/22 14:44:45 manu Exp $ d6 1 a6 1 $Date: 2007/02/22 14:44:45 $ d27 6 a32 5 14 Custom logs 15 Packaging 16 Things to look at if things get wrong 17 Known problems 18 License d457 30 a486 1 14 Custom logs d512 1 a512 1 15 Packaging d525 1 a525 1 16 Things to look at if things get wrong d575 1 a575 1 17 Known problems d617 1 a617 1 18 License @ 1.51 log @Fix a documentation bug: sender e-mail is %f, not %s @ text @d1 1 a1 1 # $Id: README,v 1.50 2007/02/14 17:16:29 manu Exp $ d6 1 a6 1 $Date: 2007/02/14 17:16:29 $ d122 9 d150 12 @ 1.50 log @Document CVS location in the README @ text @d1 1 a1 1 # $Id: README,v 1.49 2007/01/04 05:04:13 manu Exp $ d6 1 a6 1 $Date: 2007/01/04 05:04:13 $ d441 1 a441 1 stat ">>/var/log/milter-greylist.log" "%T{%T} %i:%s:%f:%S\n" d448 1 a448 1 stat "|logger -p local7.info" "%i:%s:%f:%S\n" @ 1.49 log @Update .spec for Postfix (Nerijus Baliunas) @ text @d1 1 a1 1 # $Id: README,v 1.48 2007/01/03 17:43:49 manu Exp $ d6 1 a6 1 $Date: 2007/01/03 17:43:49 $ d39 7 d53 5 a57 1 - libspf2, libspf_alt or libspf. @ 1.48 log @Document how to use milter-greylist with Postfix (Nerijus Baliunas) @ text @d1 1 a1 1 # $Id: README,v 1.47 2007/01/03 06:14:31 manu Exp $ d6 1 a6 1 $Date: 2007/01/03 06:14:31 $ d138 3 a140 1 Use --enable-postfix flag when configuring milter-greylist. d454 7 a460 3 A .spec file is included in the distribution to build a RPM for RedHat Linux. 
That is achieved by running rpmbuild on milter-greylist source tarball: rpmbuild -bb milter-greylist-1.7.3.tgz @ 1.47 log @Documentation update @ text @d1 1 a1 1 # $Id: README,v 1.46 2007/01/01 12:57:40 manu Exp $ d6 1 a6 1 $Date: 2007/01/01 12:57:40 $ d15 17 a31 16 2 Configuring sendmail with milter-greylist 3 Configuring milter-greylist 4 Trying it out for a few users 5 Running it for the whole site 6 Lists and per-ACL settings 7 Dealing with mail farms 8 Working with multiple MXs 9 Using DNSRBL 10 Building with SPF 11 Using DRAC 12 Using URL checks 13 Custom logs 14 Packaging 15 Things to look at if things get wrong 16 Known problems 17 License d78 1 a78 1 2 Configuring sendmail with milter-greylist d131 2 d134 14 a147 1 3 Configuring milter-greylist d164 1 a164 1 4 Trying it out for a few users d197 1 a197 1 5 Running it for the whole site d219 1 a219 1 6 Lists and per-ACL settings d247 1 a247 1 7 Dealing with mail farms d272 1 a272 1 8 Working with multiple MXs d303 2 a304 2 9 Using DNSRBL ============== d341 1 a341 1 10 Building with SPF d373 1 a373 1 11 Using DRAC d389 1 a389 1 12 Using URL checks d422 1 a422 1 13 Custom logs d448 1 a448 1 14 Packaging d457 1 a457 1 15 Things to look at if things get wrong d506 2 a507 1 16 Known problems d549 1 a549 1 17 License @ 1.46 log @Use an example with a real IP instead of a.b.c.d, it seems it's easier to understand. 
@ text @d1 1 a1 1 # $Id: README,v 1.45 2007/01/01 12:53:19 manu Exp $ d6 1 a6 1 $Date: 2007/01/01 12:53:19 $ d26 5 a30 4 13 Packaging 14 Things to look at if things get wrong 15 Known problems 16 License d372 1 d376 55 a430 1 XXX Write me d432 1 a432 1 13 Packaging d438 1 a438 1 source tarball: rpmbuild -bb milter-greylist-1.7.3.tgz d441 1 a441 1 14 Things to look at if things get wrong d490 1 a490 1 15 Known problems d532 1 a532 1 16 License @ 1.45 log @typo @ text @d1 1 a1 1 # $Id: README,v 1.44 2006/12/06 15:02:41 manu Exp $ d6 1 a6 1 $Date: 2006/12/06 15:02:41 $ d294 1 a294 1 # if IP a.b.c.d is positive, then nslookup of d.c.b.a.dnsbl.sorbs.net @ 1.44 log @Add URL check feature Bump to 3.1.2 @ text @d1 1 a1 1 # $Id: README,v 1.43 2006/10/06 09:15:12 manu Exp $ d6 1 a6 1 $Date: 2006/10/06 09:15:12 $ d290 1 a290 1 greylisted or whitelisted. For instance, let us say that you cant to @ 1.43 log @DRAC doc (Matthias Scheler) @ text @d1 1 a1 1 # $Id: README,v 1.42 2006/08/20 04:46:09 manu Exp $ d6 1 a6 1 $Date: 2006/08/20 04:46:09 $ d25 5 a29 4 12 Packaging 13 Things to look at if things get wrong 14 Known problems 15 License d370 7 a376 1 ksh: q: not found d385 1 a385 1 13 Things to look at if things get wrong d434 1 a434 1 14 Known problems d476 1 a476 1 15 License @ 1.42 log @warn about proper macros usage for other milters @ text @d1 1 a1 1 # $Id: README,v 1.41 2006/08/06 20:26:58 manu Exp $ d6 1 a6 1 $Date: 2006/08/06 20:26:58 $ d358 5 a362 4 milter-greylist can be built with DRAC support, by giving the --enable-drac flag to configure. Location of the DRAC DB file can be chosen at build time with --with-dracdb=PATH, and at runtime with the drac db "PATH" configuration file option. 
d364 1 a364 1 If built-in, DRAC can be disabled by the nodrac configuration file d367 3 a369 2 12 Packaging @ 1.42.2.1 log @DRAC doc (Matthias Scheler) @ text @d1 1 a1 1 # $Id: README,v 1.42 2006/08/20 04:46:09 manu Exp $ d6 1 a6 1 $Date: 2006/08/20 04:46:09 $ d358 4 a361 5 milter-greylist can be built with DRAC (Dynamic Relay Authorization Control) support, by giving the --enable-drac flag to configure. Location of the DRAC DB file can be chosen at build time with --with-dracdb=PATH, and at runtime with the drac db "PATH" configuration file option. d363 1 a363 1 If built-in, DRAC can be disabled by the nodrac configuration file d366 2 a367 3 More information on DRAC can be obtained at http://mail.cc.umanitoba.ca/drac/ ksh: q: not found @ 1.42.2.2 log @Postfix support bump to 3.0.1b1 @ text @d1 1 a1 1 # $Id: README,v 1.42.2.1 2006/10/06 09:14:39 manu Exp $ d6 1 a6 1 $Date: 2006/10/06 09:14:39 $ d15 14 a28 16 2 Configuring Sendmail with milter-greylist 3 Configuring Postfix with milter-greylist 4 Configuring milter-greylist 5 Trying it out for a few users 6 Running it for the whole site 7 Lists and per-ACL settings 8 Dealing with mail farms 9 Working with multiple MXs 10 Using DNSRBL 11 Building with SPF 12 Using DRAC 13 Packaging 14 Things to look at if things get wrong 15 Known problems 16 License d75 1 a75 1 2 Configuring Sendmail with milter-greylist a127 16 3 Configuring Postfix with milter-greylist ========================================== As Postfix currently does not provide milter library, you need to have sendmail sources or development package installed. 
See http://www.postfix.org/MILTER_README.html#limitations Use --enable-postfix flag when configuring milter-greylist, or you can build an rpm like this: rpmbuild --define "build_postfix 1" -tb milter-greylist-3.1.4.tgz Add the following to postfix main.cf (customize for your needs): milter_default_action = accept milter_connect_macros = j milter_protocol = 3 smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock d129 1 a129 2 4 Configuring milter-greylist d146 1 a146 1 5 Trying it out for a few users d179 1 a179 1 6 Running it for the whole site d201 1 a201 1 7 Lists and per-ACL settings d229 1 a229 1 8 Dealing with mail farms d254 1 a254 1 9 Working with multiple MXs d285 2 a286 2 10 Using DNSRBL =============== d323 1 a323 1 11 Building with SPF d355 1 a355 1 12 Using DRAC d369 1 a369 3 13 Packaging d373 3 a375 7 A .spec file is included in the distribution to build an RPM for RedHat Linux. This is achieved by running rpmbuild on milter-greylist source tarball: rpmbuild -tb milter-greylist-3.1.4.tgz. You can define build_user, build_postfix, build_dnsrbl, build_libbind - for example, to build with DNSRBL support and choose smmsp as the user that will run milter-greylist, use rpmbuild --define "build_user smmsp" --define "build_dnsrbl 1" -tb milter-greylist-3.1.4.tgz d378 1 a378 1 14 Things to look at if things get wrong d427 1 a427 1 15 Known problems d469 1 a469 1 16 License @ 1.41 log @documentation upgrade @ text @d1 1 a1 1 # $Id: README,v 1.40 2006/07/28 05:16:07 manu Exp $ d6 1 a6 1 $Date: 2006/07/28 05:16:07 $ d85 9 d109 5 a113 1 if you build sendmail.cf with m4 (contributed by Hubert Ulliac): d123 3 a125 2 thoses definitions and will simplify an automatic generation of sendmail.cf. 
@ 1.40 log @Handle FreeBSD DNS resolver that does not have res_ninit @ text @d1 1 a1 1 # $Id: README,v 1.39 2006/07/27 09:12:00 manu Exp $ d6 1 a6 1 $Date: 2006/07/27 09:12:00 $ d295 1 d298 1 a298 1 configure tells otherwise (becaue you lack the res_ninit() function), d301 6 @ 1.39 log @Update doc @ text @d1 1 a1 1 # $Id: README,v 1.38 2006/07/24 22:51:47 manu Exp $ d6 1 a6 1 $Date: 2006/07/24 22:51:47 $ d294 6 a299 1 the milter will be unstable (see the explanation in the SPF section) @ 1.38 log @bump to next release, configure for 3.0 @ text @d1 1 a1 1 # $Id: README,v 1.37 2005/11/30 23:32:12 manu Exp $ d6 1 a6 1 $Date: 2005/11/30 23:32:12 $ d19 10 a28 8 6 Dealing with mail farms 7 Working with multiple MXs 8 Building with SPF 9 Using DRAC 10 Packaging 11 Things to look at if things get wrong 12 Known problems 13 License d187 29 a215 1 6 Dealing with mail farms d240 1 a240 1 7 Working with multiple MXs d271 28 a298 2 8 Building with SPF =================== d329 2 a330 2 9 Using DRAC ============ d341 2 a342 2 10 Packaging =========== d350 2 a351 2 11 Things to look at if things get wrong ======================================= d399 1 a399 1 12 Known problems d416 3 d441 1 a441 1 13 License @ 1.37 log @DRAC support @ text @d1 1 a1 1 # $Id: README,v 1.36 2005/10/03 07:58:53 manu Exp $ d6 1 a6 1 $Date: 2005/10/03 07:58:53 $ d60 1 a60 1 on your system (it is configured for NetBSD-1.6.x) and it will probably @ 1.36 log @Add newer libspf2 support, by Hajimu UMEMOTO @ text @d1 1 a1 1 # $Id: README,v 1.35 2005/09/21 11:50:14 manu Exp $ d6 1 a6 1 $Date: 2005/09/21 11:50:14 $ d22 5 a26 4 9 Packaging 10 Things to look at if things get wrong 11 Known problems 12 License d273 13 a285 1 9 Packaging d294 1 a294 1 10 Things to look at if things get wrong d343 1 a343 1 11 Known problems d382 1 a382 1 12 License @ 1.35 log @Document ABI problems on IRIX @ text @d1 1 a1 1 # $Id: README,v 1.34 2005/05/19 18:32:19 manu Exp $ d6 1 a6 1 $Date: 2005/05/19 18:32:19 $ d243 10 a252 4 
milter-greylist can use either libspf or libspf_alt to perform SPF checks. Use --with-libspf=DIR or --with-libspf_alt=DIR to enable this feature. DIR must be the base directory where include and lib directories containing the headers and library can be found. @ 1.34 log @README table of content @ text @d1 1 a1 1 # $Id: README,v 1.33 2005/05/19 18:30:52 manu Exp $ d6 1 a6 1 $Date: 2005/05/19 18:30:52 $ d355 7 @ 1.33 log @README spell check (Martin Paul) @ text @d1 1 a1 1 # $Id: README,v 1.32 2004/12/29 21:33:35 manu Exp $ d6 1 a6 1 $Date: 2004/12/29 21:33:35 $ d14 14 a27 1 Run this command to produce a table of contents: @ 1.32 log @Documentation fixes @ text @d1 1 a1 1 # $Id: README,v 1.31 2004/12/17 22:37:43 manu Exp $ d6 1 a6 1 $Date: 2004/12/17 22:37:43 $ d26 1 a26 1 Optionnal dependencies: d54 3 a56 3 and rc-suse.sh for Linux and rc-bsd.sh for NetBSD and FreeBSD. They are not installed by default; you have install the startup script by hand if you want to use one. d70 1 a70 1 You also need {auth_authen} in Milter.macros.envfrom: d83 1 a83 1 Alternatively, you can use the following m4 macros definitions d93 2 a94 2 Ivan F. Martinez also made the milter-greylist.m4 file that includes thoses definitions and will make easier an automatic generation d103 1 a103 1 localhost and all you local network addresses. Here is an example: d109 2 a110 2 Then consider adding addresses of all the friendly network you get mail from. By friendly network, we mean network with no spammers: d146 1 a146 1 disable this feature. d159 1 a159 1 in /etc/mail/greylist.conf. Make sure you do it before d161 1 a161 1 evaluated on a first match win basis. d184 2 a185 2 There is also a right fix for the problem: SPF. SPF is a DNS based mechanism that enable domains to publish the identity of machines d196 1 a196 1 7 Working with multiple MX d236 1 a236 1 function it uses must be thread-safe. While libspf and libspf_alt d238 1 a238 1 the DNS resolver is used from libc or libresolv. 
If this resolver d316 1 a316 1 all its database in memory, milter-greylist can eat a large amount of d318 1 a318 1 file descriptors can easily be exhausted too. Any ressource shortage will d337 1 a337 1 when handling a large number of connexions. If you are not sure whether @ 1.31 log @M4 file for easier sendmail.cf generation (Ivan F. Martinez) .spec file for generating RPM (Ivan F. Martinez) @ text @d1 1 a1 1 # $Id: README,v 1.30 2004/12/16 23:08:13 manu Exp $ d6 1 a6 1 $Date: 2004/12/16 23:08:13 $ d29 4 d38 3 a40 1 script. If you intend to run milter-greylist under an unprivileged d55 1 a55 1 not installed by default, you have install the startup script by hand if d112 1 a112 1 some other are not, and dial-up and ADSL ISP are definitively not d136 3 d192 1 a192 1 servers that will always resend their messages, there is no point into d199 1 a199 1 When running several MX, the client should try each server after d201 1 a201 1 on each MX. Things should work, but with two minors problems: d203 1 a203 1 * Some stupid clients don't try all the available MX. In that d208 1 a208 1 * After a messages goes in, its entry is removed for one MX, d211 1 a211 1 gets in on a MX with a stale entry, it will be accepted d215 3 a217 3 In order to address those issues, milter-greylist is now able to sync the greylist among different MX. This can be configured in the greylist.conf file, by adding one line per peer MX, just d222 1 a222 1 If you have firewalls between your MX, you should enable TCP d267 22 a288 2 Each message will get a X-Greylist header indicating how long the message has been delayed. It looks like this: d290 1 a290 2 X-Greylist: Delayed for 00:53:21 by milter-greylist-0.7 (mail.example.net [192.0.2.16]); Wed, 3 Mar 2004 17:01:06 -0000 d308 2 d317 1 a317 1 memory on a busy mail server. Each incoming connexion uses a socket, so d319 1 a319 1 cause milter-greylist to quit. 
This is not specific to milter-greylist, d322 1 a322 1 When SPF support is compiled in, if milter-greylist hangs and/or crash d325 1 a325 1 nres_init is referenced, you are fine. if res_init is referenced, you d328 1 a328 1 On Solaris 2.8, milter-greylist may grow out of memory pretty quickly d337 3 a339 3 when handling a large amount of connexions. If you are not sure whether your system is affected or not, check your system headers for FILE definition. On Solaris, the problem only exist with the 32 bit ABI, d393 1 a393 1 queue.h has a 4 clauses BSD license: @ 1.30 log @Use Sendmail DB as a whitelist source: if ${greylist} is defined as WHITE, assume whitelist. @ text @d1 1 a1 1 # $Id: README,v 1.29 2004/12/09 22:33:33 manu Exp $ d6 1 a6 1 $Date: 2004/12/09 22:33:33 $ d78 1 a78 1 if you bouild sendmail.cf with m4 (contributed by Hubert Ulliac): d87 5 d244 10 a253 1 9 Things to look at if things get wrong d281 1 a281 1 10 Known problems d313 1 a313 1 11 License @ 1.29 log @flex needed. AT&T lex won't work @ text @d1 1 a1 1 # $Id: README,v 1.28 2004/12/09 22:19:40 manu Exp $ d6 1 a6 1 $Date: 2004/12/09 22:19:40 $ d72 5 d85 1 @ 1.28 log @rc-suse.sh @ text @d1 1 a1 1 # $Id: README,v 1.27 2004/12/09 00:06:02 manu Exp $ d6 1 a6 1 $Date: 2004/12/09 00:06:02 $ d21 1 a21 1 - lex or flex @ 1.27 log @Documentation update @ text @d1 1 a1 1 # $Id: README,v 1.26 2004/12/09 00:04:01 manu Exp $ d6 1 a6 1 $Date: 2004/12/09 00:04:01 $ d47 4 a50 3 Some startup scripts are available: rc-redhat.sh, rc-debian, and rc-gentoo.sh for Linux and rc-bsd.sh for NetBSD and FreeBSD. They are not installed by default, you have install the startup script by hand if you want to use one. @ 1.26 log @Documentation cleanup @ text @d1 1 a1 1 # $Id: README,v 1.25 2004/12/06 22:16:06 manu Exp $ d6 1 a6 1 $Date: 2004/12/06 22:16:06 $ d101 2 a102 2 Add some rcpt lines to /etc/mail/greylist.conf for the users that want to try milter-greylist filtering. 
Here is an example: d110 1 a110 1 postmaster@@example.net will not get greylisted: it is whitielisted: @ 1.25 log @Added a known problem section @ text @d1 1 a1 1 # $Id: README,v 1.24 2004/11/28 00:33:29 manu Exp $ d6 1 a6 1 $Date: 2004/11/28 00:33:29 $ d27 1 a27 1 - libspf_alt or libspf. d47 1 a47 1 Two startup scripts are available: rc-redhat.sh, rc-debian, and rc-gentoo.sh d85 1 a85 1 all you local network addresses. Here is an example: d87 3 a89 2 addr 192.0.2.0/24 addr 10.0.0.0/8 d104 3 a106 3 rcpt John.Doe@@example.net rcpt webmaster@@example.net rcpt postmaster@@example.net d108 3 a110 2 Then start milter-greylist with the -T option, which will make greylisting effective only for the users listed in the rcpt lines. d112 5 a116 1 milter-greylist -T -u smmsp -p /var/milter-greylist/milter-greylist.sock d131 2 a132 2 Remove the rcpt lines from /etc/mail/greylist.conf, and run milter-greylist without the -T option: d134 1 a134 1 milter-greylist -u smmsp -p /var/milter-greylist/milter-greylist.sock d136 5 a140 4 If some of your users don't want greylisting, add a rcpt line for them in /etc/mail/greylist.conf. Without the -T option, rcpt lines will prevent greylisting for the corresponding users: every message will get to them without any delay, including spam. d144 1 a144 1 possible: just use a regular expression and run in testmode: d146 2 a147 1 rcpt /.*@@example\.net/ @ 1.24 log @Gentoo startup script (milters@@free.fr) rc-linux.sh was renamed rc-redhat.sh @ text @d1 1 a1 1 # $Id: README,v 1.23 2004/10/14 22:23:53 manu Exp $ d6 1 a6 1 $Date: 2004/10/14 22:23:53 $ d193 1 a193 1 If you have firewalls between your MX?
you should enable TCP d251 4 d263 20 d284 2 a285 2 10 License ========= @ 1.24.2.1 log @Added a known problems section @ text @d1 1 a1 1 # $Id: README,v 1.25 2004/12/06 22:16:06 manu Exp $ d6 1 a6 1 $Date: 2004/12/06 22:16:06 $ d193 1 a193 1 If you have firewalls between your MX, you should enable TCP a250 4 10 Known problems ================= a258 20 When SPF support is compiled in, if milter-greylist hangs and/or crash regularly, check that you linked your SPF library with a thread-safe resolver. This can be done by running nm(1) on milter-greylist: if nres_init is referenced, you are fine. if res_init is referenced, you are probably at risk. On Solaris 2.8, milter-greylist may grow out of memory pretty quickly due to some bugs in the pthread nsl and socket libraries. It is strongly recommended that you install the latest revision of patch 108993 (sparc) or 108994 (x86). Solaris 9 and later do not seem to be affected. Solaris patches are available from On Solaris, and on some IRIX releases, the file descriptor field of 's FILE structure is a char, and thus no more than 255 streams can be open at once. This will cause failures in milter-greylist when handling a large amount of connexions. If you are not sure whether your system is affected or not, check your system headers for FILE definition. On Solaris, the problem only exist with the 32 bit ABI, so rebuilding milter-greylist with a 64 bit compiler will fix the problem. 
d260 2 a261 2 11 License ========== @ 1.24.2.2 log @flex required in the doc @ text @d1 1 a1 1 # $Id: README,v 1.24.2.1 2004/12/06 22:17:35 manu Exp $ d6 1 a6 1 $Date: 2004/12/06 22:17:35 $ d21 1 a21 1 - flex (AT&T lex cannot build milter-greylist sources) @ 1.23 log @Document resource shortage for memory and file descriptor Remove outdated documentation about IPv6 @ text @d1 1 a1 1 # $Id: README,v 1.22 2004/06/17 20:03:25 manu Exp $ d6 1 a6 1 $Date: 2004/06/17 20:03:25 $ d47 3 a49 3 Two startup scripts are available: rc-linux.sh for Linux and rc-bsd.sh for NetBSD and FreeBSD. They are not installed by default, you have install the startup script by hand if you want to use one. @ 1.22 log @Add a template Makefile to manually tweak if configure fails @ text @d1 1 a1 1 # $Id: README,v 1.21 2004/05/24 22:01:21 manu Exp $ d6 1 a6 1 $Date: 2004/05/24 22:01:21 $ d224 1 a224 11 9 Working with IPv6 =================== milter-greylist does not know about IPv6 yet. This is not a real problem since spamming from IPv6 addresses is not a real-life issue yet. Any mail sent from a non-IPv4 address (this include message generated locally and mail sent from IPv6 addresses), will be whitelisted.
10 Things to look at if things get wrong d251 8 d260 1 a260 1 11 License @ 1.21 log @define(`confINPUT_MAIL_FILTERS', `greylist') is useless @ text @d1 1 a1 1 # $Id: README,v 1.20 2004/04/30 21:52:25 manu Exp $ d6 1 a6 1 $Date: 2004/04/30 21:52:25 $ d36 6 @ 1.20 log @Support STARTTLS (Contribution from Matthieu Herrb) @ text @d1 1 a1 1 # $Id: README,v 1.19 2004/04/22 23:12:25 manu Exp $ d6 1 a6 1 $Date: 2004/04/22 23:12:25 $ a72 1 define(`confINPUT_MAIL_FILTERS', `greylist') @ 1.19 log @enable TCP connections in both directions between random > unprivileged source ports and destination port 5252 @ text @d1 1 a1 1 # $Id: README,v 1.18 2004/04/16 20:14:21 manu Exp $ d6 1 a6 1 $Date: 2004/04/16 20:14:21 $ d60 5 d71 1 @ 1.18 log @List build dependencies in README @ text @d1 1 a1 1 # $Id: README,v 1.17 2004/04/12 12:40:21 manu Exp $ d6 1 a6 1 $Date: 2004/04/12 12:40:21 $ d181 4 @ 1.17 log @Upgrade documentation @ text @d1 1 a1 1 # $Id: README,v 1.16 2004/04/07 17:24:23 manu Exp $ d6 1 a6 1 $Date: 2004/04/07 17:24:23 $ d20 11 a30 1 Just do the usual ./configure && make && make install @ 1.16 log @Warning word on libspf_alt and the -lbind problem @ text @d1 1 a1 1 # $Id: README,v 1.15 2004/04/06 14:24:18 manu Exp $ d6 1 a6 1 $Date: 2004/04/06 14:24:18 $ d199 8 d208 2 a209 1 9 Things to look at if things get wrong d212 1 a212 1 First, read the milter-greylist(8) man page! :-) d236 2 a237 1 10 License @ 1.15 log @m4 macros from Hubert Ulliac @ text @d1 1 a1 1 # $Id: README,v 1.14 2004/04/04 20:17:37 manu Exp $ d6 1 a6 1 $Date: 2004/04/04 20:17:37 $ d193 5 @ 1.14 log @Update the doc about thread-safety @ text @d1 1 a1 1 # $Id: README,v 1.13 2004/04/03 09:26:11 manu Exp $ d6 1 a6 1 $Date: 2004/04/03 09:26:11 $ d49 9 @ 1.13 log @Initialisation scripts @ text @d1 1 a1 1 # $Id: README,v 1.12 2004/04/01 21:23:08 manu Exp $ d6 1 a6 1 $Date: 2004/04/01 21:23:08 $ d128 2 a129 3 how to use SPF through libspf_alt. configure --with-libspf_alt to enable that feature.
libspf (the "not alt" version) might be supported as well in a future release if I manage to get it working. d164 23 a186 1 8 Things to look at if things get wrong d213 1 a213 1 9 License @ 1.12 log @Update the documentation for regular expressions @ text @d1 1 a1 1 # $Id: README,v 1.11 2004/03/30 14:25:32 manu Exp $ d6 1 a6 1 $Date: 2004/03/30 14:25:32 $ d30 4 @ 1.11 log @SPF support @ text @d1 1 a1 1 # $Id: README,v 1.10 2004/03/30 08:21:19 manu Exp $ d6 1 a6 1 $Date: 2004/03/30 08:21:19 $ d100 6 @ 1.10 log @Upgrade doc for SMTP AUTH @ text @d1 1 a1 1 # $Id: README,v 1.9 2004/03/28 14:05:42 manu Exp $ d6 1 a6 1 $Date: 2004/03/28 14:05:42 $ d114 7 @ 1.9 log @Add match mask (-L option) @ text @d1 1 a1 1 # $Id: README,v 1.8 2004/03/25 11:00:24 manu Exp $ d6 1 a6 1 $Date: 2004/03/25 11:00:24 $ d39 6 a44 1 O Milter.macros.connect=i,j,{if_addr} @ 1.8 log @Tell about mail farms @ text @d1 1 a1 1 # $Id: README,v 1.7 2004/03/20 07:19:03 manu Exp $ d6 1 a6 1 $Date: 2004/03/20 07:19:03 $ d105 9 a113 5 An upcoming version will have a subnet matching feature to solve this problem. In the meantime, the workaround is simply to whitelist the netblocks allocated to mail farms. As any machine in theses IP address ranges are real SMTP servers that will always resend their messages, there is no point into greylisting them.
@ 1.7 log @Print the message Id with the logs @ text @d1 1 a1 1 # $Id: README,v 1.6 2004/03/18 10:09:09 manu Exp $ d6 1 a6 1 $Date: 2004/03/18 10:09:09 $ d82 1 d97 16 a112 1 6 Working with multiple MX d139 1 a139 1 7 Things to look at if things get wrong d166 1 a166 1 7 License @ 1.6 log @license cleanup in README @ text @d1 1 a1 1 # $Id: README,v 1.5 2004/03/18 07:37:06 manu Exp $ d6 1 a6 1 $Date: 2004/03/18 07:37:06 $ d39 1 a39 1 O Milter.macros.connect=j, {if_addr} @ 1.5 log @Update documentation for whitelisting @ text @d1 1 a1 1 # $Id: README,v 1.4 2004/03/15 07:43:57 manu Exp $ d6 1 a6 1 $Date: 2004/03/15 07:43:57 $ d181 58 @ 1.4 log @bad CR @ text @d1 1 a1 1 # $Id: README,v 1.3 2004/03/14 21:36:33 manu Exp $ d6 1 a6 1 $Date: 2004/03/14 21:36:33 $ d77 4 d146 3 @ 1.3 log @Update the dump rate @ text @d1 1 a1 1 # $Id: README,v 1.2 2004/03/10 21:35:45 manu Exp $ d6 1 a6 1 $Date: 2004/03/10 21:35:45 $ d37 3 a39 3 O InputMailFilters=greylist Xgreylist, S=local:/var/milter-greylist/milter-greylist.sock O Milter.macros.connect=j, {if_addr} @ 1.2 log @Update the doc @ text @d1 1 a1 1 # $Id: README,v 1.1 2004/03/03 20:00:49 manu Exp $ d6 1 a6 1 $Date: 2004/03/03 20:00:49 $ d131 1 a131 1 It is done every 5 minutes and is used to restore state after d138 3 @ 1.1 log @README file to explain how-to install @ text @d1 1 a1 1 # $Id$ d6 1 a6 1 $Date$ d28 1 a28 1 file in /etc/mail/greylist.except, except if there is already such d45 1 a45 1 Edit /etc/mail/greylist.except, and add addr lines for at least d48 2 a49 1 addr 192.0.2.0/24 addr 10.0.0.0/8 d61 1 a61 1 Add some rcpt lines to /etc/mail/greylist.except for the users that d64 3 a66 2 rcpt John.Doe@@example.net rcpt webmaster@@example.net rcpt postmaster@@example.net d81 1 a81 1 Remove the rcpt lines from /etc/mail/greylist.except, and run d87 1 a87 1 them in /etc/mail/greylist.except. Without the -T option, rcpt d92 28 a119 1 6 Things to look at if things get wrong @
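Review bot: the Postfix main.cf sample sets milter_default_action = accept with no explanation of the consequence: whenever the milter socket is unreachable, Postfix accepts mail with no greylisting at all, so the filter fails open. The same README says elsewhere that a resource shortage makes milter-greylist quit, which is exactly the case this setting covers. Suggest stating the trade-off next to the setting and naming tempfail as the fail-closed choice, and adding a line that the Postfix processes need access to /var/milter-greylist/milter-greylist.sock.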
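Review bot: in the "Trying it out" and "Running it for the whole site" text, the same rcpt lines mean opposite things depending on -T, and the README only implies it: with -T they select the only users who are greylisted, while "Without the -T option, rcpt lines will prevent greylisting for the corresponding users". Suggest an explicit warning at the step that drops -T that a greylist.conf left over from the trial exempts exactly the trial users, and that the regular-expression rcpt line covering a whole domain would then exempt that whole domain, spam included.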
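Review bot: the multiple-MX firewall sentence ("If you have firewalls between your MX, you should enable TCP", with the 1.19 log naming both directions and destination port 5252) never says who may connect. Since that port carries the greylist sync between servers, suggest wording the advice as a rule limited to the addresses of the peer MXs listed in greylist.conf, not a general opening of the port.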