From the Greylist into the Whitelist
You don't have to worry about moving items from the greylist to the whitelist. spamlogd will take care of that for you. If you're setting this up for the first time, start
To ensure that spamlogd starts at boot, add a line to
spamlogd updates the spamd database (/var/db/spamd). When it sees a successful connection,
spamd in turn uses this database to decide whether someone is on the whitelist or greylist. To provide spamlogd with the information it needs, you must log your mail server activity. See lines 13 and 14 in my example PF rules. Read all the details in
If spamlogd does not start, it is probably because pflogd is not running. Start it. This is how spamlogd looks when it is running:
# ps auwx | grep spamlogd
root 94345 ?? Ss 11:36AM 0:00.00 /usr/local/libexec/spamlogd
root 94349 p2 S+ 11:36AM 0:00.00 grep spamlogd
A Sample Greylisting
It's helpful to send a message from a non-whitelisted server and demonstrate how the server moves from the greylist to the whitelist. I will be sending from email@example.com. For your information, zip runs Sendmail and nyi runs Postfix. In both cases, that is completely irrelevant to greylisting.
Here is an extract from the sending mailserver. I guess I should point out that this server is in New Zealand and the one I'm sending to is in New York.
Nov 9 06:30:06 zip sm-mta: kA8HThYO059822: to=<firstname.lastname@example.org>, ctladdr=<email@example.com> (1001/1001), delay=00:00:20, xdelay=00:00:20, mailer=esmtp, pri=30391, relay=nyi.example.org. [188.8.131.52], dsn=4.3.0, stat=Deferred: 451 Temporary failure, please try again later.
A new host, zip.example.org, previously unknown to nyi.example.org, attempted to send email. spamd on nyi correctly asked zip to try again. The mail queue on zip should show something like:
$ mailq
/var/spool/mqueue (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
kA8HThYO059822 34 Thu Nov 9 06:29 <firstname.lastname@example.org>
 (Deferred: 451 Temporary failure, please try again later.)
 <email@example.com>
 Total requests: 1
Looking at the logs on nyi, I see this in /var/log/spamd:
Nov 8 12:29:58 nyi spamd: 184.108.40.206: connected (1/0)
Nov 8 12:29:59 nyi spamd: (GREY) 220.127.116.11: <firstname.lastname@example.org> -> <email@example.com>
Nov 8 12:29:59 nyi spamd: 18.104.22.168: disconnected after 1 seconds.
Furthermore, you can see that zip is greylisted:
$ spamdb | grep nz
GREY|22.214.171.124|<firstname.lastname@example.org>|<email@example.com>|1163006999|1163021399|1163021399|1|0
I waited. Shortly thereafter, zip tried again, and again spamd asked it to try again. Here is the log entry from zip, the sending mailserver:
Nov 9 06:43:02 zip sm-mta: kA8HThYO059822: to=<firstname.lastname@example.org>, ctladdr=<email@example.com> (1001/1001), delay=00:13:16, xdelay=00:00:05, mailer=esmtp, pri=120391, relay=nyi.example.org. [126.96.36.199], dsn=4.3.0, stat=Deferred: 451 Temporary failure, please try again later.
Checking on nyi, I looked in the spamd database again:
$ spamdb | grep 188.8.131.52
GREY|184.108.40.206|<firstname.lastname@example.org>|<email@example.com>|1163006999|1163021399|1163021399|2|0
There it was, clear as day. The entry has been greylisted. The three numeric fields indicate timestamps related to this host. The 2 means the host has attempted delivery twice. The 0 means the host has not yet delivered any mail.
Why was the second attempt not allowed?
spamd has three time parameters related to greylisting. See the man page for better definitions. The values shown are the defaults.
passtime: if after this time period, spamlogd sees a retried delivery, it will move the server to the whitelist (25 minutes).
greyexp: entries on the greylist will be removed if there have been no retries within this period (4 hours).
whiteexp: entries on the whitelist are removed if there has been no mail activity in this time period (36 days).
The passtime value (see man spamd) is 25 minutes. A host will remain greylisted for at least 25 minutes before it can move to the whitelist. What will move it to the whitelist? A retry after passtime minutes. This requires three delivery attempts; the third will succeed if it occurs after the passtime period and before the greyexp period terminates. By default, the sending mailserver will be greylisted for 25 minutes, and then has until four hours after the first delivery attempt to try again. After the greylisting period expires, the sending host must go through the greylisting process again.
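The timing rules above, applied to the spamdb entry shown earlier, as an added example that is not part of the original article. It assumes the three timestamps in a GREY line are the first-seen, pass and expiry times described in spamdb(8); parse_grey and retry_outcome are hypothetical helper names.

```python
from collections import namedtuple

PASSTIME = 25 * 60      # default from the article: 25 minutes
GREYEXP = 4 * 60 * 60   # default from the article: 4 hours

# Assumed field meanings (spamdb(8)): first seen, pass time, expiry time,
# number of deferred attempts, number of delivered messages.
GreyEntry = namedtuple(
    "GreyEntry", "ip sender recipient first passed expire attempts delivered")

# The GREY line from the article, after the second delivery attempt.
SAMPLE = ("GREY|184.108.40.206|<firstname.lastname@example.org>|"
          "<email@example.com>|1163006999|1163021399|1163021399|2|0")


def parse_grey(line):
    """Parse one GREY line in the 9-field layout shown in the article.

    Returns None for WHITE/TRAPPED lines or anything malformed.
    """
    fields = line.strip().split("|")
    if len(fields) != 9 or fields[0] != "GREY":
        return None
    try:
        numbers = [int(f) for f in fields[4:]]
    except ValueError:
        return None
    return GreyEntry(fields[1], fields[2].strip("<>"),
                     fields[3].strip("<>"), *numbers)


def retry_outcome(entry, now, passtime=PASSTIME):
    """Say what a delivery retry at epoch time `now` would lead to."""
    if now >= entry.expire:
        return "expired"     # greyexp elapsed: greylisting starts over
    if now <= entry.first + passtime:
        return "deferred"    # still inside passtime: another 451
    return "whitelist"       # retry after passtime, before greyexp


if __name__ == "__main__":
    entry = parse_grey(SAMPLE)
    # zip's second attempt came 13m16s after the first (delay=00:13:16).
    for label, offset in (("second attempt", 13 * 60 + 16),
                          ("retry at 26 min", 26 * 60),
                          ("retry at 4 h", GREYEXP)):
        print(label, "->", retry_outcome(entry, entry.first + offset))
```

Feeding it the second attempt's 13m16s delay from the Sendmail log shows why that attempt was still deferred.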