Introducing greylisting on gnome.org



Hello.

While trying to help get mail flowing over at gnome.org, I noticed that
gnome.org isn't using greylisting.

For those who aren't sure what this is about, read
http://en.wikipedia.org/wiki/Greylisting

From what I've seen, some people seem to have something against it. Not
sure what though, since you only get a delay for the -first- mail with a
certain triple (sender, recipient, sender ip). The rest is let through
immediately (after an X minute waiting period for the first mail).
If some mail is lost due to greylisting, that mail could have been lost
in regular mail flow as well.

Using greylisting cuts away lots of viruses and a large amount of spam as
well. Granted, it does not stop all - but it sure helps.

Examples of how it worked out for me at two systems:
http://support.cs.umu.se/stats/mail/
http://www.acc.umu.se/~project/mailgraph/

Check the bottom graphs and guess when we started using greylisting.

At those systems, we use (just like at gnome.org) postfix with amavisd
[sa + clam].. Then we added postgrey..

The needed changes in postfix were:

main.cf:
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:10026
127.0.0.1:10026_time_limit = 3600

smtpd_recipient_restrictions =
	# ......
	# everything like now, but as last entry before the mail
	# is supposed to be accepted
	# ...
	check_recipient_access hash:$config_directory/access_recipient


access_recipient (new file or so):
# example of exception from greylisting
someuser@gnome.org	DUNNO
# gl the rest
gnome.org	greylist


If you want to try on a single user first, don't use the domain
catch-all in access_recipient and put a specific recipient there
instead.


mneptok said I should mail this here. Flame him etc ;)

/Tomas
-- 
Tomas Ögren, stric acc umu se, http://www.acc.umu.se/~stric/
|- Student at Computing Science, University of Umeå
`- Sysadmin at {cs,acc}.umu.se
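
The triple-based delay described in the message above, sketched as an added example (it is not part of the original mail and not postgrey's code): a decision function shaped like a Postfix policy-delegation service, which is what `check_policy_service` talks to. The 300-second delay, the class and function names, the reply text and the sample addresses are assumptions constructed for illustration.

```python
# Added illustration: greylisting keyed on (sender, recipient, client IP),
# answering in the Postfix policy-delegation reply format. Not postgrey's code.
DELAY = 300  # assumed waiting period in seconds (the "X minutes" in the mail)


def parse_request(text):
    """Parse the name=value lines Postfix sends to a policy service."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break  # an empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, delay=DELAY, exempt=()):
        self.delay = delay
        self.exempt = {r.lower() for r in exempt}
        self.first_seen = {}  # triple -> time of the first delivery attempt

    def decide(self, attrs, now):
        rcpt = attrs.get("recipient", "").lower()
        if rcpt in self.exempt:
            return "action=DUNNO"  # excepted recipient, like the DUNNO entry
        triple = (attrs.get("sender", "").lower(), rcpt,
                  attrs.get("client_address", ""))
        first = self.first_seen.setdefault(triple, now)
        if now - first < self.delay:
            # Temporary failure: a standards-following MTA queues and retries.
            return "action=DEFER_IF_PERMIT Greylisted, try again later"
        return "action=DUNNO"  # known triple: later restrictions decide


# Constructed sample request (documentation addresses, not real traffic).
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.org\n"
    "\n"
)
```

Only the first attempt for a triple, and retries inside the waiting period, get the temporary failure; the same sender from a different client IP counts as a new triple and is delayed again.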


