How to Setup milter-greylist Spam Blocking in Sendmail

Virtually all linux distributions include sendmail as the default MTA. Which is okay – it has been around for a long time, is stable and it works great (although the postfix afficionados might disagree!). But it has nothing built in for spam control which is good; it was not designed for that. So you’ve installed spamassassin and it works good but you still are getting unflagged spam emails through. Perhaps you need to try greylisting.

Greylisting is the process by which all email (unless specifically whitelisted) gets initially rejected yet works within the parameters of the various RFCs to ensure eventual receipt of email. The idea is that spammers will not attempt to reconnect to an email server that has rejected their offerings yet legitimate mail servers will. It isn’t foolproof – spammers are quick to adjust and greylisting has been around a long time. But it does help.

This article is on how to install milter-greylist which was originally written by Emmanuel Dreyfus. I will be concentrating with sendmail here but milter-greylist is also supported with postfix.

First, check your dependencies. From the README:

Build dependencies:
– flex (AT&T lex cannot build milter-greylist sources)
– yacc or bison (some older yacc will fail, use bison instead)
– libmilter (comes with Sendmail, or with the sendmail-devel
package on RedHat, Fedora and SuSE. Debian and Ubuntu have it
in libmilter-dev)
– Any POSIX threads library (Provided by libc on some systems)

Optional dependencies:
– libspf2, libspf_alt or libspf, for SPF support
– libcurl, for URL checks support
– libGeoIP, for GeoIP support
– libbind from BIND 9, for DNSRBL support, except if your system has a thread-safe DNS resolver built-in.

But the configuration process will find anything that you don’t have installed and complain until the dependency is resolved.

Next, download the greylist-milter from http://hcpnet.free.fr/milter-greylist and unpack the tarball. Then read the README file! It includes a wealth of information that isn’t covered in this article especially for installs that want/need to include special features such as SPF support.

And do the usual

./configure
./make
./make install

The standard install will put the binaries in /usr/local/bin, the database and pid file in /var/milter-greylist and the configuration file will be /etc/mail/greylist.conf. Some startup scripts are included in the tarball but they are not installed automatically. You will have to set it up in your /etc/init.d yourself if you want to use one.

You will then need to configure sendmail to actually use the milter. In your sendmail.mc file, add the following (but pay close attention to the warnings in the README file if you are already using other milters in your installation!):

INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{greylist}')dnl


and reconfigure your sendmail.cf file:

#m4 sendmail.mc > sendmail.cf

Don’t restart your sendmail daemon just yet, however – we still have to modify the configuration for this to work properly.

Open /etc/mail/greylist.conf in your favorite editor (which, of course, is vi, right?).
Uncomment or add the following:

quiet
greylist 7m
dumpfreq 1d
autowhite 10d

In the above configuration, ‘quiet’ will not include a time frame to retry submission. This is good so that there is no way for spammers to know how long they will be blocked. Greylisting will be for 7 minutes after which email from the source will be accepted, database contents will be dumped to the /var/milter-greylist/greylist.db once per day, and, once an email is accepted from a source, that source will be whitelisted for 10 days before being greylisted again.

Also create lists to whitelist your own networks to the configuration file:

list "my network" addr { 127.0.0.1/8 10.230.1.0/24 192.168.1.0/24 }

which will whitelist local, DMZ and internal networks (as an example – yours are probably different). Notice the space between network addresses, not commas.
Along with other external networks that are always trusted:

# Trusted networks to not greylist:
list "trusted" addr {
207.46.0.0/16 # Microsoft
72.33.0.0/16 # UW Madison
}

There is a fairly comprehensive list of ‘broken’ mailer servers in the configuration file that are also always to be whitelisted since greylisting them would most likely result in never getting email from them. You can add to that list as needed as well if you need to.

You will most likely be setting up greylisting as the default, so you may also want to whitelist certain users who never want email to be delayed (various pompous vice presidents, system alert addresses and the like):

# List of users that want whitelisting (if greylisting is the default):
list "white users" rcpt {
vp@domain.com
sysadmin@domain.com
postmaster@domain.com
}

Notice the list names of “my network”, “trusted” and “white users” – you need to add these to the actual whitelisting config line:

# And here is the access list
racl whitelist list "my network"
racl whitelist list "broken mta"
racl whitelist list "trusted"
racl whitelist list "white users"

Note: You can also set this up to whitelist as the default in which case you would also create a “grey users” list of those folk you want to always be subject to greylisting. Those would include errant users who post their work email address all over social network sites, sales web sites and newsletter subscriptions, of course.

And then configure the default operation of milter-greylist:

racl greylist default

(use racl whitelist default if you want whitelisting to be the default operation).

And then fire up your milter-greylist binary either using the /etc/init.d/milter-greylist startup script or by

#milter-greylist -f /etc/mail/greylist.config

at the command line. There are a slew of other command line options (many of which duplicate parameters set in the conf file). See

man milter-greylist

for further details.

And then restart your sendmail daemon and enjoy less spam coming into your mail server.