In case anyone else is interested, I got postgrey working, by following the instructions here.
https://github.com/schweikert/postgrey/ ... EADME.exim
Installation is simple:
apt install postgrey
This sets up the daemon, and enables it with systemctl.
Next step, you need to edit /etc/default/postgrey and add --exim as an option to start the daemon, i.e.
POSTGREY_OPTS="--inet=10023 --exim "
(plus whatever other options you want to add here). Then restart with
systemctl restart postgrey.service
You can check that the right command line was issued with
systemctl status postgrey.service
OK now to edit the exim config. I followed the VestaCP convention and put a line at the top of the config which lets you turn greylisting on and off easily by commenting out a single line.
GREYLIST = yes
Then go down to the ACL section. Find the section labeled acl_check_rcpt (which corresponds to acl_smtp_rcpt mentioned in the docs).
You can put this code anywhere between acl_check_rcpt and the following "accept". The higher up the list, the sooner the check is processed, so you might choose to do it before other checks or after.
.ifdef GREYLIST
  defer log_message = greylisted host $sender_host_address
        set acl_m3 = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\n\n
        set acl_m3 = ${sg{${readsocket{inet:127.0.0.1:10023}{$acl_m3}{5s}{}{action=DUNNO}}}{action=}{}}
        message = ${sg{$acl_m3}{^\\w+\\s*}{}}
        condition = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}{true}{false}}
  warn  message = ${sg{$acl_m3}{^\\w+\\s*}{}}
        condition = ${if eq{${uc:${substr{0}{7}{$acl_m3}}}}{PREPEND}{true}{false}}
.endif
Note that as per the documentation, I had to use $acl_m3 instead of $acl_m0 as m0, m1 and m2 were already in use.
Also note that I had to change the socket from /var/run/postgrey to inet:127.0.0.1:10023 to match the configuration as installed by apt.
Restart with
systemctl restart exim4.service
And then
tail -f /var/log/exim4/mainlog to monitor your incoming mail queue.
Just to explain greylisting very quickly, the server will now reject anyone's email when they first try to connect, and will record their IP, From, and To addresses. After a short interval (300 sec), if the same IP, To, and From tries again, it will let it through (and continue to for the next month). This works because spammers never try twice, and proper email servers will retry after minutes or hours, and keep going up to 5 days.
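To check postgrey on its own before restarting Exim, the following sketch (an added example, not part of the original post or of the postgrey project) builds the same request the ACL stores in $acl_m3, sends it to 127.0.0.1:10023, and applies the ACL's DEFER and PREPEND tests to the reply. The function names and sample addresses are made up for illustration. Like the ACL, it falls back to action=DUNNO when the socket fails, which means mail is accepted without greylisting whenever postgrey is unreachable.

```python
import re
import socket

def build_request(client_address, client_name, helo_name, sender, recipient,
                  protocol="esmtp"):
    """Build the attribute block the ACL stores in $acl_m3 before readsocket."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", protocol.upper()),      # ${uc:$received_protocol}
        ("helo_name", helo_name),
        ("client_address", client_address),
        ("client_name", client_name),
        ("sender", sender),
        ("recipient", recipient),
    ]
    # One name=value per line; an empty line ends the request.
    return "".join(f"{k}={v}\n" for k, v in attrs) + "\n"

def query(request, host="127.0.0.1", port=10023, timeout=5.0):
    """Send one request; on any socket error return the ACL's fail string."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode())
            reply = b""
            while not reply.endswith(b"\n\n"):    # reply also ends with a blank line
                chunk = s.recv(4096)
                if not chunk:                     # server closed the connection
                    break
                reply += chunk
    except OSError:
        return "action=DUNNO"                     # same fail-open default as the ACL
    # The empty eol string {} in readsocket drops newlines; do the same here.
    return reply.decode(errors="replace").replace("\n", "")

def interpret(reply):
    """Apply the ACL's tests to a reply; returns (verb, text)."""
    value = reply.replace("action=", "")          # ${sg{...}{action=}{}}
    text = re.sub(r"^\w+\s*", "", value)          # ${sg{$acl_m3}{^\\w+\\s*}{}}
    if value[:5].upper() == "DEFER":
        return ("defer", text)                    # defer verb: temporary rejection
    if value[:7].upper() == "PREPEND":
        return ("warn", text)                     # warn verb: text is a header line
    return ("pass", "")                           # anything else: fall through

if __name__ == "__main__":
    # Constructed sample values (documentation address range and domains).
    req = build_request("192.0.2.10", "mail.example.org", "mail.example.org",
                        "sender@example.org", "user@example.net")
    print(interpret(query(req)))
```

Run it on the mail server itself; a first query for a sender postgrey has not seen before should come back as defer.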