[pmg-devel] [PATCH pmg-docs] add a section on greylisting to pmgconfig.adoc

Aaron Lauterer a.lauterer at proxmox.com
Thu Apr 23 09:39:33 CEST 2020

looks good.

some nits inline

On 4/21/20 8:59 PM, Stoiko Ivanov wrote:
> While we mention greylisting as available feature in pmgintro.adoc, we
> should also document a few more technical details of its workings
> in PMG (e.g. how long a seen triple is kept before expiring).
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>   pmgconfig.adoc | 43 +++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 43 insertions(+)
> diff --git a/pmgconfig.adoc b/pmgconfig.adoc
> index 7b2d1f7..0e343e3 100644
> --- a/pmgconfig.adoc
> +++ b/pmgconfig.adoc
> @@ -358,6 +358,49 @@ NOTE: Since before queue filtering is currently incompatible with the
>   editing '/etc/pmg/pmg.conf'.
> +[[pmgconfig_mailproxy_greylisting]]
> +Greylisting
> +~~~~~~~~~~~
> +
> +Greylisting is a technique for preventing unwanted messages from reaching the
> +resource intensive stages of content analysis (virus detection and spam
> +detection): By initially replying with a temporary failure code ('450') to
> +each new email, {pmg} tells the sending server that it should queue the mail
> +and retry delivery at a later moment. Since certain kinds of spam get sent out
> +by software, which has no provisioning for queueing, these mails are dropped
> +without reaching {pmg} or your mailbox.

s/{pmg}/the {pmg}/

> +
> +The downside of greylisting is the delay introduced by the intial deferral of


> +the email, which usually amounts to less than 30 minutes.
> +
> +In order to prevent unnecessary delays in delivery from known sources, emails
> +coming from a source for a recipient, which have passed greylisting in the
> +past are directly passed on: For each email the triple '<sender network,
> +sender email, recipient email>' is stored in a list, along with the time when
> +delivery was attempted. If an email fits an already existing triple, the
> +timerecord for that triple is updated and the email is accepted for further

s/timerecord/ time record/

would probably fit better, or maybe with a dash: time-record.

> +processing.
> +
> +As long as a sender and recpient do communicate frequently there


> +is no delay introduced by enabling greylisting. A triple is removed after
> +a longer period, when no mail fitting that triple has been seen. The timeouts

s/period/period of time/

> +in {pmg} are:
> +
> +* 2 days for the retry of the first delivery
> +
> +* 36 days for known triples
> +
> +Mails with an empty envelope-sender always delayed.
> +
> +Some email service providers send out email for one domain from multiple

s/out email/out emails/

> +servers. In order to prevent delays due to an email coming in from 2 separate

s/In order to/To/

would simplify the sentence a bit

> +IPs of the same provider the triples store a network ('cidr') instead of a
> +single IP. For certain large providers the default network size might be too
> +small.  You can configure the netmask applied to an IP for the greylist lookup
> +with the settings 'greylistmask' for IPv4 and 'greylistmask6' for IPv6
> +respectively.
> +
> +
>   [[pmgconfig_mailproxy_transports]]
>   Transports
>   ~~~~~~~~~~

More information about the pmg-devel mailing list