Greylisting configuration is stored in an SQLite 3 database (by default /var/lib/greylstd/greylstd.db) in the tables greyconf and whitelist.
Greylisting timeouts (specified in seconds) can be configured either per user (recipient='user@domain.tld') or per domain (recipient='@domain.tld') in the greyconf table. Global defaults are configured by setting recipient=''.
- minwait .. minimum time a sender has to wait before a retried attempt will be allowed
- maxwait .. maximum time a sender is allowed to wait for a retry
- maxvalid .. time span during which emails with the same (sender IP, sender address, recipient address) tuple will be allowed without further greylisting
Whitelists can be configured for a sender IP address, an e-mail address or a domain in the whitelist table.
greyconf example
| recipient | minwait | maxwait | maxvalid |
|---|---|---|---|
| '' | 300 | 3600 | 86400 |
| '@domain.tld' | 60 | NULL | 43200 |
| 'user@domain.tld' | 120 | 7200 | NULL |
A recipient address of 'otheruser@domain.tld' would pick up the options minwait=60, maxwait=3600 and maxvalid=43200, whereas the recipient 'user@domain.tld' would use minwait=120, maxwait=7200 and maxvalid=43200.
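The per-column fallback described above (user row, then domain row, then the global '' row), as an added example that is not greylstd's own code: it rebuilds the sample table in an in-memory SQLite database and resolves each timeout with COALESCE. The column types, the exact-match lookup and all function names are assumptions. empty_retry_windows additionally flags configured recipients whose inherited values end up with minwait above maxwait, a combination that no single row spells out.

```python
import sqlite3

COLUMNS = ("minwait", "maxwait", "maxvalid")

# Constructed copy of the greyconf example above. Column types are an
# assumption; the schema greylstd actually creates may differ.
SAMPLE_ROWS = [
    ("", 300, 3600, 86400),
    ("@domain.tld", 60, None, 43200),
    ("user@domain.tld", 120, 7200, None),
]

def open_sample_db(rows=SAMPLE_ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE greyconf (recipient TEXT PRIMARY KEY, "
               "minwait INTEGER, maxwait INTEGER, maxvalid INTEGER)")
    db.executemany("INSERT INTO greyconf VALUES (?, ?, ?, ?)", rows)
    return db

def _coalesce(column):
    # First non-NULL value wins: user row, then domain row, then global '' row.
    lookups = ", ".join(
        f"(SELECT {column} FROM greyconf WHERE recipient = {key})"
        for key in (":user", ":domain", "''"))
    return f"COALESCE({lookups}) AS {column}"

# Column names come from the fixed COLUMNS tuple, never from user input.
QUERY = "SELECT " + ", ".join(_coalesce(c) for c in COLUMNS)

def effective_timeouts(db, recipient):
    """Return the timeouts that apply to one recipient address."""
    domain = "@" + recipient.rpartition("@")[2]
    row = db.execute(QUERY, {"user": recipient, "domain": domain}).fetchone()
    return dict(zip(COLUMNS, row))

def empty_retry_windows(db):
    """List configured recipients whose resolved minwait exceeds maxwait."""
    names = db.execute("SELECT recipient FROM greyconf ORDER BY recipient").fetchall()
    flagged = []
    for (recipient,) in names:
        eff = effective_timeouts(db, recipient)
        lo, hi = eff["minwait"], eff["maxwait"]
        if lo is not None and hi is not None and lo > hi:
            flagged.append(recipient)
    return flagged

if __name__ == "__main__":
    sample = open_sample_db()
    for addr in ("otheruser@domain.tld", "user@domain.tld"):
        print(addr, effective_timeouts(sample, addr))
```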
whitelist example
| recipient | sender | remoteip | remoteprefixlen |
|---|---|---|---|
| 'white@domain.tld' | '' | NULL | |
| '@sub.domain.tld' | '' | NULL | |
| | | '192.168.0.1' | 32 |
| | | '172.30.0.0' | 16 |
| | | 'fe80::' | 64 |
| '' | 'allow@domain.tld' | NULL | NULL |
This whitelist configuration exempts SMTP connections from 192.168.0.1, 172.30.0.0/255.255.0.0 and fe80::/64 from greylisting entirely, and also exempts the recipient 'white@domain.tld' and any user under '@sub.domain.tld'. Furthermore, mail sent from 'allow@domain.tld' is also whitelisted.
IP address storage
To match IP addresses efficiently against CIDR netmasks, IP addresses are physically stored as BLOBs in the database. To facilitate command-line database manipulation, a helper module sqlite_inet.so is available (it can be loaded with .load /usr/lib/greylstd/sqlite_inet.so in the sqlite3 shell). It provides the functions inet_ntop and inet_pton to convert IP addresses from their internal format to a string representation and vice versa.
Following are a few examples to clarify the usage:
sqlite> INSERT INTO whitelist (remoteip, remoteprefixlen) VALUES (inet_pton('fe80::'), 64);
sqlite> SELECT recipient, sender, inet_ntop(remoteip), remoteprefixlen FROM whitelist;
||fe80::|64
