Whitelisting senders from greylisting.

A big bump to this question. From an administrators point of view the greylisting function in 10.6 is a godsend. However, trying to handle complaints from my users about delayed emails combined with Apples total lack of documentation on this subject is making me seriously consider disabling it.

Does anyone know if there is a way to whitelist senders or recipients allowing mail to bypass the greylist? Can anyone offer a detailed explanation about how greylisting should work and learn over time?

I started digging around at postfix.org. Looks like adding these lines to Postfix's main.cf (line 667) wil enable an exceptions list for the greylist filter. Can a resident Postfix wizard confirm if this is in fact the case? I'd rather not blindly modify my main.cf file.

From www.postfix.org/SMTPD POLICYREADME.html

"Greylisting all your mail

If you turn on greylisting for all mail you will almost certainly want to make exceptions for mailing lists that use one-time sender addresses, because such mailing lists can pollute your greylist database relatively quickly.

1 /etc/postfix/main.cf:
2 smtpd recipientrestrictions =
3 reject unlistedrecipient
4 ...
5 reject unauthdestination
6 check senderaccess hash:/etc/postfix/sender_access
7 check policyservice unix:private/policy
8 ...
9
10 /etc/postfix/sender_access:
11 securityfocus.com OK
12 ..."

I am not an expert at greylisting either and only slightly more comfortable editing the main.cf. I found the same instructions at postfix.org and followed them.

I opened /etc/postfix/main.cf and changed the smtp recipientrestictions as instructed

/etc/postfix/main.cf
smtpd recipientrestrictions = permit saslauthenticated
permit_mynetworks
reject unauthdestination
# I am greylisting all mail so I want a whitelist
check senderaccess hash:/etc/postfix/sender_access
check policyservice unix:private/policy permit

I created a file at /etc/postfix/sender_access and added one domain.

/etc/postfix/sender_access
tekserve.com OK

Then I had to run sudo postmap /etc/postfix/sender_access to create the hash file, and sudo postfix reload. Then I set my logging to informational so I could watch the rejects. I have to test it out some more, but so far no mail from tekserve.com is getting the helo reject.

A couple of other things that may be useful. The greylist.pl file is in /usr/libexec/postfix and the greylist.db is in /var/lib/postfix. The greylist.pl file states that the database will be renamed if it becomes corrupted, which is a nice feature. I was also concerned about the size of the greylist.db but it is still only a few MB.

Greylisting has been a terrific feature for one of my clients with a 400% drop in spam. I look forward to the good folks at osx.topicdesk.com to shed further light on how it all works.

The "policy" as called in /etc/postfix/main.cf corresponds to that setup in /etc/postfix/master.cf
where you will find:

policy unix - n n - - spawn
user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

Always backup either file before ever making any changes of any kind.

There is a great deal [!] you can do via advanced configuration of main.cf, for example custom restrictions (restriction classes), and other settings not put in place by default by Apple.

I suggest looking for past posts by myself or Pterobyte especially, in terms of things you can do to better your rejection of spam, but double-check anything against the Postfix in 10.6 server (v. 2.5.5)

I recommend the Book of Postfix as well as the Postfix site.