Implementing Postgrey on OS X 10.10.X Yosemite and OS X 10.11.X El Capitan With Server 5.X

1. Introduction
2. Requirements
3. Getting and installing the required components
4. Getting and installing Postgrey
5. Using Postgrey to greylist incoming messages
6. Caveats – READ this chapter!

DISCLAIMER: The author(s) claim(s) no responsibility for any damage that may occur from the use of any information found here or found on links followed from this document. Please make sure you have a backup before applying modifications to your server.

1. – Introduction

The purpose of this document is to provide instructions on how to implement Postgrey on OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x.

While OS X Server 5.x. comes with a greylisting policy server, I find Postgrey to be better performing and easier to manage. Most importantly though, it will correctly log that it is greylisting rather than simply reject a message without clear indication to the sender.

You will not find many explanations as to why something is done one way or the other. Also, I will not discuss whether greylisting is useful or not. This is a decision you must make for yourself. There are plenty of discussions about this available on the internet.

Postgrey is a Postfix policy server implementing greylisting developed by David Schweikert. The official website can be found here: http://postgrey.schweikert.ch/

Postgrey functionality depends on several Perl modules and scripts to be installed.

Postgrey works as a policy server in conjunction with Postfix.

This document will require you to use the command line. If you do not feel comfortable with using the command line, you should look for a ready made installer package or for somebody to assist you.

This document is written for OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x. It does not apply to earlier versions. Separate versions of this tutorial are available for earlier Mac OS X Server versions.

If you have used Mac OS X Server releases prior to OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x, you are most likely used to a series of standard file paths. While some of them are still the same, many have changed in an attempt by Apple to better consolidate server related files and binaries. So always be very careful and double-check which file you are editing.

This tutorial has been tested on a standard OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x. installation. If you have already tinkered with your system, be aware that things might differ. It is impossible for me to foresee all changes that one might have applied to a server.

This tutorial contains step-by-step instructions for terminal. Although you could just type them in line by line, it is recommended you have a basic understanding of the terminal.

DISCLAIMER: Whatever you do based on this document, you do it at your own risk! Just in case you haven’t understood: Whatever you do based on this document, you do it at your own risk!

2. – Requirements

Before you get started, you need to make sure some basic requirements are met:

  • You have made a backup of your system.
  • You have the latest version of Apple’s Developer Tools (e.g. Xcode 7 or higher for 10.11.x including command line tools) installed. Dev Tools are available as a free download from the Mac App Store
  • You do have a backup or clone.
  • You are running OS X 10.10.x Yosemite or OS X 10.11.x El Capitan With Server 5.x.
  • Familiarity with a command line editor or alternatively a GUI plain text editor (do NOT use Word or similar)
  • While not a requirement, it is recommended you subscribe to our newsletter or follow us on Twitter to be informed when updated versions of this and other tutorials become available:
    Newsletter: https://topicdesk.com/newsletter/
    Twitter: @topicdesk
3. Getting and installing the required components

As mentioned, you will need a few perl modules to be able to use Postgrey. This chapter will guide you through getting and installing them.

So let’s get going:
Make sure you are logged in as root (or alternatively use sudo).

Install the required modules by issuing the following commands. Issue them one after the other making sure you do not miss any dots or slashes. Also note that the download URLs given may change in the future. In that case just replace the URLs in this document with the current ones.

NOTE: Lines wrapping without line spacing are a single command.

The easiest way to install them is by using CPAN. To do so issue:

sudo perl -MCPAN -e shell

If you have never used CPAN before you will be prompted to supply a few parameters. Just accept the default values. Once done, you should see the CPAN prompt (cpan >):

When at the CPAN prompt issue:

o conf prerequisites_policy ask

This will prompt you when a module relies on other pre-requisites that have to be installed first. You should allow it to go ahead if asked.

Now you are ready to install the missing modules. Actually, the missing module. Apple has caught up well with basic perl modules, so currently there is only one missing.

Just issue:

install IO::Multiplex

This will install the modules and bring you back to the CPAN prompt.

Now issue

exit

to exit CPAN.

NOTE: It is possible that some of the modules will not install. In that case use “force install” instead of “install” at the CPAN prompt.

NOTE: If you had previously tried to use CPAN without having the Developer Tools installed, you will need to make sure that Developer Tools are now correctly installed and you will also need to re-configure CPAN. To do so get to the CPAN prompt and issue:

o conf init

You will be prompted to supply a few parameters. Just accept the default values.

4. – Getting and installing Postgrey

This chapter will guide you through getting and installing Postgrey.

Postgrey is written and maintained by David Schweikert. The official website can be found here: http://postgrey.schweikert.ch/

There are other tools and combinations to implement greylisting available out there, but this one works best and makes most sense for OS X Server.

So let’s get going:
Make sure you are logged in as root (or alternatively use sudo).

Install the latest version of Postgrey by issuing the following commands. Issue them one after the other making sure you do not miss any dots or slashes. Also note that the download URLs given may change in the future. In that case just replace the URLs in this document with the current ones.

NOTE: Lines wrapping without line spacing are a single command.

mkdir -p /topicdesk/sources

cd /topicdesk/sources

sudo curl -O http://postgrey.schweikert.ch/pub/postgrey-1.36.tar.gz

sudo tar xzf postgrey-1.36.tar.gz

cd postgrey-1.36    

mkdir -p /usr/local/sbin

cp postgrey /usr/local/sbin

chmod -R 755 /usr/local/sbin/postgrey

mkdir -p /var/postgrey

NOTE: Instead of creating a new system user for Postgrey, we will use the existing user for other anti-spam measures. 10.10.x and 10.11.x use user _amavisd.

chown -R _amavisd:_amavisd /var/postgrey 

cp postgrey_whitelist_clients /Library/Server/Mail/Config/postfix/postgrey_whitelist_clients

cp postgrey_whitelist_recipients /Library/Server/Mail/Config/postfix/postgrey_whitelist_recipients

Next we need to set up a property list for launchd, so that Postgrey is started on system startup.

cd /Library/LaunchDaemons

sudo touch ch.schweikert.postgrey.plist

Above command created a new empty property list. Edit

/Library/LaunchDaemons/ch.schweikert.postgrey.plist

with your favorite editor (pico, vi, etc.) and add the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ch.schweikert.postgrey</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/postgrey</string>
        <string>--inet=127.0.0.1:10029</string>
        <string>--dbdir=/var/postgrey</string>
        <string>--user=_amavisd</string>
        <string>--group=_amavisd</string>
        <string>--whitelist-clients=/Library/Server/Mail/Config/postfix/postgrey_whitelist_clients</string>
        <string>--whitelist-recipients=/Library/Server/Mail/Config/postfix/postgrey_whitelist_recipients</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>

(NOTE: is a single line.)

The last step is to start Postgrey by issuing:

sudo /bin/launchctl load -w /Library/LaunchDaemons/ch.schweikert.postgrey.plist

You are now all set and should have Postgrey installed and running.

To check if it runs, issue:

sudo ps U _amavisd

Among other processes, you should see postgrey as well. Something like:

68   ??  Ss     0:01.70 /usr/local/sbin/postgrey --inet=127.0.0.1:10029

The next step is to configure Postfix to use Postgrey for greylisting of incoming messages.

5. – Using Postgrey to greylist incoming messages

As mentioned, we will use Postgrey in combination with Postfix to implement greylisting of incoming messages.

Note: OS X 10.8.x Mountain Lion with Server 2.x and OS X 10.9.x Mavericks with Server 3.x. come with its own greylisting policy server. Unless you have already done so, it needs to be disabled first.

To disable OS X Server’s stock greylisting policy server issue:

sudo serveradmin settings mail:postfix:greylist_enabled = no

Now let’s modify a parameter in your Postfix configuration so that Postgrey is used instead.

Edit:

/Library/Server/Mail/Config/postfix/main.cf

and look for:

smtpd_recipient_restrictions = ...

remove:

permit

at the end and instead add:

check_policy_service inet:127.0.0.1:10029

make sure:

smtpd_recipient_restrictions = ...

contains:

reject_unauth_destination

BEFORE:

check_policy_service

The result should look something like:

smtpd_recipient_restrictions = ..., reject_unauth_destination, ..., check_policy_service inet:127.0.0.1:10029

When done, reload Postfix by issuing:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/postfix reload

You are now all set and should have greylisting in place.

If you would like to exclude certain senders and/or recipients from greylisting, you can edit the following files:

/Library/Server/Mail/Config/postfix/postgrey_whitelist_clients
/Library/Server/Mail/Config/postfix/postgrey_whitelist_recipients
6. – Caveats

The most frequent issues to watch out for are:

a) Incompatible perl modules
b) Typos made when applying this tutorial
c) Long lines seen as multiple lines. Watch for incorrect line breaks

Also, if you have modified any paths and or environment variables, make sure you check them against above instructions.

Hope this helps.


Document Version 1.3, 1.2.2016

2 replies
  1. Avery Z Chipka
    Avery Z Chipka says:

    Im running 10.12.1 with Server 5

    Followed directions to the letter. When I get to this step

    sudo ps U _amavisd

    post grey does not show as running. Triple checked everything up to that point and everything was done correct. Thoughts.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply to Athanasios Alexandrides Cancel reply

Your email address will not be published. Required fields are marked *