Greylisting is the practice of initially rejecting all email (unless specifically whitelisted) while staying within the parameters of the various RFCs, so that legitimate email is eventually received. The idea is that spammers will not attempt to reconnect to an email server that has rejected their offerings, yet legitimate mail servers will. It isn’t foolproof – spammers are quick to adjust and greylisting has been around a long time. But it does help.

This article covers how to install milter-greylist, which was originally written by Emmanuel Dreyfus. I will concentrate on sendmail here, but milter-greylist also works with postfix.

First, check your dependencies. From the README:

But the configuration process will find anything that you don’t have installed and complain until the dependency is resolved.

Optional dependencies:
- libspf2, libspf_alt or libspf, for SPF support
- libcurl, for URL checks support
- libGeoIP, for GeoIP support
- libbind from BIND 9, for DNSRBL support, except if your system has a thread-safe DNS resolver built-in.

Next, download milter-greylist from http://hcpnet.free.fr/milter-greylist and unpack the tarball. Then read the README file! It includes a wealth of information that isn’t covered in this article, especially for installs that want or need to include special features such as SPF support.

And do the usual

The standard install will put the binaries in /usr/local/bin, the database and pid file in /var/milter-greylist, and the configuration file in /etc/mail/greylist.conf. Some startup scripts are included in the tarball but they are not installed automatically. You will have to set one up in your /etc/init.d yourself if you want to use it.

You will then need to configure sendmail to actually use the milter. In your sendmail.mc file, add the following (but pay close attention to the warnings in the README file if you are already using other milters in your installation!):

and reconfigure your sendmail.cf file:

Don’t restart your sendmail daemon just yet, however – we still have to modify the configuration for this to work properly.

Open /etc/mail/greylist.conf in your favorite editor (which, of course, is vi, right?). Uncomment or add the following:

In the above configuration, ‘quiet’ means the rejection will not include a time frame for retrying submission, so there is no way for spammers to know how long they will be blocked. Greylisting lasts 7 minutes, after which email from the source will be accepted; database contents are dumped to /var/milter-greylist/greylist.db once per day; and once an email is accepted from a source, that source is whitelisted for 10 days before being greylisted again.

Also add lists to the configuration file to whitelist your own networks:

which will whitelist local, DMZ and internal networks (as an example – yours are probably different). Notice that network addresses are separated by spaces, not commas. Then add a list of other external networks that are always trusted:

There is a fairly comprehensive list of ‘broken’ mail servers in the configuration file that are also always whitelisted, since greylisting them would most likely result in never getting email from them. You can add to that list as needed.

You will most likely be setting up greylisting as the default, so you may also want to whitelist certain users who never want email to be delayed (various pompous vice presidents, system alert addresses and the like):

Notice the list names of “my network”, “trusted” and “white users” – you need to add these to the actual whitelisting config line:

Note: You can also set this up to whitelist as the default in which case you would also create a “grey users” list of those folk you want to always be subject to greylisting. Those would include errant users who post their work email address all over social network sites, sales web sites and newsletter subscriptions, of course.

And then configure the default operation of milter-greylist:

(use racl whitelist default if you want whitelisting to be the default operation).
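
The settings described above, collected into a single /etc/mail/greylist.conf fragment. This is an added example, not the article's original listing; the network ranges and user addresses are constructed placeholders, so substitute your own.

```conf
# Added example, not the article's original listing. All addresses and
# user names below are constructed placeholders.

# Do not tell the sender how long to wait before retrying
quiet

# Delay mail from new sources for 7 minutes
greylist 7m

# Dump the database to disk once per day
dumpfreq 1d

# Keep an accepted source whitelisted for 10 days
autowhite 10d

# Local, DMZ and internal networks (space-separated, no commas)
list "my network" addr { 127.0.0.1/8 192.0.2.0/24 10.0.0.0/8 }

# External networks that are always trusted
list "trusted" addr { 198.51.100.0/24 203.0.113.25/32 }

# Recipients whose mail must never be delayed
list "white users" rcpt { vp@example.com alerts@example.com }

# ACL entries are matched in order and the first match wins, so the
# whitelist lines must come before the default
racl whitelist list "my network"
racl whitelist list "trusted"
racl whitelist list "white users"
racl greylist default
```

Keep the "trusted" list as narrow as possible: any host inside those ranges bypasses greylisting entirely.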

And then fire up your milter-greylist binary either using the /etc/init.d/milter-greylist startup script or by

at the command line. There is a slew of other command line options (many of which duplicate parameters set in the conf file). See

for further details.

And then restart your sendmail daemon and enjoy less spam coming into your mail server.