greyd.conf - greyd configuration file
This configuration file is read by greyd, greydb, greylogd and greyd-setup.
The syntax consists of sequences of assignments, each terminated by a newline:
# A string value.
variable = "value"
# A number value.
variable = 10 # Another comment.
# A list value may contain strings or numbers.
# Trailing commas are allowed.
variable = [ 10, "value", ]
Comments, whitespace and blank lines are ignored.
Sections may contain many assignments, separated by a newline.
section sectionname {
var1 = "val1"
var2 = 10
var3 = [ 1, 2, 3 ]
}
Blacklists and whitelists use the same syntax as the section above (see BLACKLIST CONFIGURATION):
blacklist blacklistname {
...
}
whitelist whitelistname {
...
}
Configuration may also be recursively loaded by way of an include:
# Globbing is supported.
include "/etc/greyd/conf.d/*.conf"
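The grammar above is small enough to validate offline before a configuration tree is rolled out. What follows is an added example and not greyd's own parser (greyd is written in C): a Python parser for the syntax described above, covering string, number and list assignments (trailing comma allowed), '#' comments, section/blacklist/whitelist blocks and globbed includes. MAX_INCLUDE_DEPTH is an assumed guard so that a conf.d file that includes its parent fails instead of recursing forever; the option names in SAMPLE are the ones this page itself uses, and the on-disk layout written by demo_include() is constructed for the example.

```python
"""Parser for the greyd.conf syntax above. Added example, not greyd's own
parser (greyd is C); MAX_INCLUDE_DEPTH is an assumed include-loop guard."""
import glob
import os
import re
import tempfile

MAX_INCLUDE_DEPTH = 8  # greyd does not document its own limit; assumed here
_TOKEN = re.compile(r'''(?P<skip>\s+|\#[^\n]*)|(?P<str>"(?:[^"\\]|\\.)*")
    |(?P<num>-?\d+)|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)|(?P<punct>[=\[\]{},])''', re.VERBOSE)

def _tokens(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad character %r at offset %d" % (text[pos], pos))
        pos = m.end()
        if m.lastgroup != "skip":                # comments and whitespace vanish here
            yield m.lastgroup, m.group()
    yield "eof", ""

class _Parser:
    def __init__(self, text, base_dir, depth):
        self.toks, self.i = list(_tokens(text)), 0
        self.base_dir, self.depth = base_dir, depth

    def _take(self, kind, value=None):
        k, v = self.toks[self.i]
        if k != kind or value not in (None, v):
            raise ValueError("expected %s %r, got %s %r" % (kind, value, k, v))
        self.i += 1
        return v

    def _value(self):
        k, v = self.toks[self.i]
        if k in ("str", "num"):
            self.i += 1
            return int(v) if k == "num" else re.sub(r'\\(.)', r'\1', v[1:-1])
        self._take("punct", "[")                 # anything else must be a list
        items = []
        while self.toks[self.i] != ("punct", "]"):
            items.append(self._value())
            if self.toks[self.i] == ("punct", ","):  # trailing comma is fine
                self.i += 1
            elif self.toks[self.i] != ("punct", "]"):
                raise ValueError("expected ',' or ']' in list")
        self.i += 1
        return items

    def _assignment(self, into):
        name = self._take("ident")
        self._take("punct", "=")
        into[name] = self._value()

    def parse(self, cfg):
        while self.toks[self.i][0] != "eof":
            kw = self.toks[self.i][1]
            if kw in ("section", "blacklist", "whitelist"):
                self.i += 1
                body = cfg[kw + "s"].setdefault(self._take("ident"), {})
                self._take("punct", "{")
                while self.toks[self.i] != ("punct", "}"):
                    self._assignment(body)
                self.i += 1
            elif kw == "include":
                if self.depth >= MAX_INCLUDE_DEPTH:
                    raise ValueError("include nesting too deep (include loop?)")
                self.i += 1                      # relative globs resolve against the including file
                for path in sorted(glob.glob(os.path.join(self.base_dir, self._value()))):
                    parse_file(path, cfg, self.depth + 1)
            else:
                self._assignment(cfg["globals"])
        return cfg

def parse_text(text, base_dir=".", cfg=None, depth=0):
    cfg = cfg or {"globals": {}, "sections": {}, "blacklists": {}, "whitelists": {}}
    return _Parser(text, base_dir, depth).parse(cfg)

def parse_file(path, cfg=None, depth=0):
    with open(path) as fh:
        return parse_text(fh.read(), os.path.dirname(path), cfg, depth)

SAMPLE = '''# Constructed sample; option names are ones this page itself uses.
proxy_protocol_enable = 1   # boolean: 0 or 1
proxy_protocol_permitted_proxies = [ "10.0.0.0/8", "2001:db8::/32", ]
section firewall {
    driver = "greyd_netfilter.so"
}
'''

def demo_include():
    d = tempfile.mkdtemp()  # constructed layout: greyd.conf plus conf.d/*.conf
    os.mkdir(os.path.join(d, "conf.d"))
    with open(os.path.join(d, "conf.d", "10-lists.conf"), "w") as fh:
        fh.write('whitelist work_clients {\n  method = "exec"\n'
                 '  file = "cat /tmp/work-clients-traplist.gz"\n}\n')
    with open(os.path.join(d, "greyd.conf"), "w") as fh:
        fh.write(SAMPLE + 'include "conf.d/*.conf"\n')
    return parse_file(os.path.join(d, "greyd.conf"))
```

parse_text(SAMPLE) returns the globals, sections, blacklists and whitelists as nested dicts; demo_include() shows the same document pulling a whitelist block in through a globbed include. Because the tokenizer drops newlines, this parser is slightly more permissive than the "one assignment per line" rule stated above, so treat it as a linter for structure, not as a reference for what greyd itself will accept.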
The following options may be specified outside of a section. A boolean value is a number which takes the values 0 or 1.
Log debug messages which are suppressed by default.
Log blacklisted connection headers.
When this option is set, greyd will send logs to the specified path instead. This is useful for containerized environments.
Detach from the controlling terminal. Defaults to 1.
Proxy protocol configuration. Enabling this allows greyd to sit behind a TCP load balancer that speaks proxy protocol v1 as defined in the protocol spec. Defaults to 0 (false). Note that if this is enabled, every client connection must send the proxy protocol header first; there is no mixing of proxied and direct connections. You must also specify the proxy_protocol_permitted_proxies list of trusted proxies. Many upstream proxies/load balancers support this protocol, for example nginx and haproxy.
The upstream proxies must be explicitly listed. Without this restriction any client could spoof its source address simply by sending its own proxy protocol header. This setting only has an effect if proxy_protocol_enable is set to 1 (true). The elements of this list must be strings consisting of IPv4 and/or IPv6 CIDRs.
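The two options above define a trust boundary: the client address written in the header is only believable when the TCP peer that sent it is one of the configured proxies. The following is an added example, not greyd code, of the check a receiver has to make; PERMITTED stands in for proxy_protocol_permitted_proxies, and the function names and the sample header lines are this example's own.

```python
"""Added example, not greyd's code: accept a PROXY protocol v1 header only
from a peer inside proxy_protocol_permitted_proxies, otherwise refuse the
connection. Names (client_address, PERMITTED, ...) are this example's own."""
import ipaddress

# Assumed value of proxy_protocol_permitted_proxies for this example.
PERMITTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8::/32")]
MAX_V1_HEADER = 107  # longest valid v1 line including CRLF, per the spec


class ProxyHeaderError(Exception):
    pass


def parse_proxy_v1(line):
    """Parse b'PROXY TCP4 src dst sport dport\\r\\n' into (src, dst, sport, dport).
    Returns None for 'PROXY UNKNOWN', which carries no client address."""
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("malformed or over-long header")
    parts = line[:-2].decode("ascii", "strict").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad protocol field")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    family = 4 if parts[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match %s" % parts[1])
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return src, dst, sport, dport


def client_address(peer, first_line, permitted=PERMITTED):
    """Address to apply greylisting/blacklisting policy to.

    peer is the accepted socket's TCP peer (the load balancer when proxied);
    first_line is the first CRLF-terminated line it sent. With the proxy
    protocol enabled every connection must start with the header, so a
    missing header is refused, and a header from a peer outside the permitted
    CIDRs is refused rather than trusted, which is what prevents spoofing."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in permitted):
        raise ProxyHeaderError("connection from untrusted peer %s" % peer)
    parsed = parse_proxy_v1(first_line)
    return peer_ip if parsed is None else parsed[0]


def is_refused(peer, first_line, permitted=PERMITTED):
    """True when client_address() would refuse this connection."""
    try:
        client_address(peer, first_line, permitted)
        return False
    except (ProxyHeaderError, ValueError):  # ValueError covers bad ints/addresses/bytes
        return True
```

Note the order of the checks: the peer is tested against the permitted CIDRs before the header is even parsed, so an untrusted host gains nothing from a well-formed header, and a trusted proxy that sends no header at all (a direct SMTP greeting instead) is also refused, matching the "no mixing of proxied and direct connections" rule.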
Drop privileges and run as the specified user. Defaults to 1.
Chroot the main greyd process that accepts connections. Defaults to 1.
The location to chroot to.
Use setrlimit to self-impose resource limits such as the maximum number of file descriptors (ie connections).
The maximum number of concurrent connections to handle. This number cannot exceed the operating system's maximum file descriptor limit. Defaults to 800.
The maximum number of concurrent blacklisted connections to tarpit. This number cannot exceed the configured maximum number of connections. Defaults to 800.
The port to listen on. Defaults to 8025.
The username for the main greyd daemon to run as.
The IPv4 address to listen on. Defaults to listen on all addresses.
The port on which to listen for blacklist configuration data (see greyd-setup(8)). Defaults to 8026.
The greyd pidfile path.
The greylogd pidfile path.
The hostname to display to clients in the initial SMTP banner.
Listen for IPv6 connections. Disabled by default.
The IPv6 address to listen on. Only has an effect if enable_ipv6 is set to true.
For blacklisted connections, the number of seconds between stuttered bytes.
Adjust the socket receive buffer to the specified number of bytes (window size). This slows down spammers even more.
The banner message to be displayed to new connections.
The SMTP error code to show blacklisted spammers. May be either "450" (default) or "550".
The following options are common to all firewall drivers:
The driver shared object location. May be either an absolute or relative path. If no '/' is present, then the system's dynamic linker will search the relevant paths. For example:
section firewall {
#driver = "greyd_pf.so"
driver = "greyd_netfilter.so"
# Driver-specific options below.
...
}
This driver runs on GNU/Linux systems and makes use of libipset, libnetfilter_conntrack and libnetfilter_log.
Maximum number of ipset elements. Defaults to 200,000.
Maximum ipset hash size for each set.
Track outbound connections. See greylogd(8) for more details.
The --nflog-group to indicate inbound SMTP connections.
The --nflog-group to indicate outbound SMTP connections.
This driver runs on BSD systems and makes use of the PF firewall. It also makes use of libpcap.
Path to pfdev, defaults to /dev/pf.
Path to pfctl utility, defaults to /sbin/pfctl.
Pflog interface to listen for logged packets, defaults to pflog0.
Network interface to restrict monitored logged packets to. Not set by default.
The following options are common to all database drivers:
The driver shared object location. May be either an absolute or relative path. If no '/' is present, then the system's dynamic linker will search the relevant paths. For example:
section database {
driver = "greyd_bdb.so"
#driver = "greyd_bdb_sql.so"
#driver = "greyd_sqlite.so"
#driver = "greyd_mysql.so"
# Driver-specific options below.
...
}
The Berkeley database driver runs on all systems providing libdb version > 4 and is built using the --with-bdb configure option. On OpenBSD, the db4 port will need to be installed.
The filesystem path to the Berkeley DB environment.
The name of the database file, relative to the specified environment path.
The Berkeley DB SQL driver makes use of libdb_sql, which is available in Berkeley DB versions >= 5.x. This driver is built by specifying the --with-bdb-sql configure option.
The filesystem path to the directory containing the database files.
The name of the database file, relative to the specified path.
The SQLite database driver makes use of libsqlite3. No special initialization is required as the driver will manage the schema internally. This driver is built by specifying the --with-sqlite configure option.
The filesystem path to the directory containing the database files.
The name of the database file, relative to the specified path.
The MySQL driver may be built by specifying the --with-mysql configure option. The desired database will need to be set up independently of greyd using the mysql_schema.sql DDL distributed with the source distribution.
The database host. Defaults to localhost.
The database port. Defaults to 3306.
The database name. Defaults to greyd.
The database username.
The database password.
The path to the UNIX domain socket.
Enable/disable the greylisting engine. Defaults to 1.
The username to run as for the greylisting processes. Defaults to greydb. This should differ from the user that the main greyd process is running as.
The name of the blacklist to which spamtrapped hosts are added.
The blacklist rejection message. See the message field in BLACKLIST CONFIGURATION.
The firewall whitelist set/table name. Defaults to greyd-whitelist.
The firewall whitelist set/table name for IPv6 hosts. Defaults to greyd-whitelist-ipv6.
The address of the secondary MX server, to greytrap hosts attempting to deliver spam to the MX servers in the incorrect order.
Stop stuttering new grey connections after this many seconds. Defaults to 10.
Filesystem location of the domains allowed to receive mail. If this file is specified (and exists), any message received with a RCPT TO domain not matching an entry in that file will be greytrapped (i.e. blacklisted).
Augment permitted_domains (or replace if permitted_domains is not set) with DOMAIN entries loaded into the database. See greydb(8) for more on managing these database permitted domains.
The amount of time in seconds after which to whitelist grey entries. Defaults to 25 minutes (1500).
The amount of time in seconds after which to remove grey entries. Defaults to 4 hours (14400).
The amount of time in seconds after which to remove whitelisted entries. Defaults to 31 days (2678400).
The amount of time in seconds after which to remove greytrapped entries. Defaults to 1 day (86400).
Enable/disable the synchronisation engine. Defaults to 0.
Specify a list of sync targets. See the -Y option in greyd(8).
See the -y option in greyd(8).
The port on which to listen for incoming UDP sync messages.
Specify a multicast TTL value. Defaults to 1.
Load the specified key for verifying sync messages.
The filesystem path to the key used to verify sync messages.
The multicast group address for sync messages.
This section controls the operation of the SPF validation functionality. Use the --with-spf configure flag to compile in SPF support.
Enable the SPF checking functionality.
Trap a host producing an SPF softfail. SPF hardfails are always trapped.
Whitelist a host which passes SPF validation. This is disabled by default.
This section controls the operation of the greyd-setup(8) program.
The list of blacklists/whitelists to load. The order is important, see BLACKLIST CONFIGURATION. Consecutive blacklists will be merged, with overlapping regions removed. If a blacklist (or series of blacklists) is followed by a whitelist, any address appearing on both will be removed.
The path to the curl program, which is used to fetch the lists via HTTP and FTP.
Specify a proxyhost[:port] through which to fetch the lists.
A blacklist must contain the following fields:
The message to be sent to greyd(8). This message will be displayed to clients who are on this list.
The method by which the list of addresses is fetched. This may be one of http, ftp, exec or file.
The argument to the specified method. For example, if the http method is specified, the file refers to the URL (minus the protocol).
An example blacklist definition is as follows:
blacklist nixspam {
message = "Your address %A is in the nixspam list"
method = "http"
file = "www.openbsd.org/spamd/nixspam.gz"
}
Whitelist definitions take the same fields as a blacklist definition, with the exception of the message (which is not applicable). For example:
whitelist work_clients {
method = "exec"
file = "cat /tmp/work-clients-traplist.gz"
}
The format of the list of addresses is expected to consist of one network block or address per line (optionally followed by a space and text that is ignored). Comment lines beginning with # are ignored. Network blocks may be specified in any of the formats as in the following example:
# CIDR format
192.168.20.0/24
# A start - end range
192.168.21.0 - 192.168.21.255
# As a single IP address
192.168.23.1
Note, currently only IPv4 addresses are supported.
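As an added example (not greyd-setup's own code) of the list format above and of the ordering rules described for the setup section's list of blacklists/whitelists, the following parses the three entry forms, rejects anything that is not IPv4, merges consecutive blacklists with overlapping regions removed, and removes from the result any address that also appears on a following whitelist. The three sample lists are constructed; the function names are this example's own.

```python
"""Address-list handling in the style of greyd-setup(8). Added example, not
greyd-setup's own code: parses the one-entry-per-line format above and
applies the documented list ordering rules. Sample lists are constructed."""
import ipaddress


def _entry(line):
    """Split one list line into (first, last); last is None unless it is a range."""
    toks = line.split()                      # trailing text after a space is ignored
    if len(toks) >= 3 and toks[1] == "-":    # "a - b" with spaces
        return toks[0], toks[2]
    if "-" in toks[0]:                       # "a-b" without spaces
        return tuple(toks[0].split("-", 1))
    return toks[0], None                     # CIDR or single address


def parse_list(text):
    """Return a list of IPv4Network objects for a blacklist/whitelist body."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, last = _entry(line)
        if last is None:
            net = ipaddress.ip_network(first, strict=False)  # host bits are masked off
            if net.version != 4:
                raise ValueError("only IPv4 is supported: %s" % line)
            nets.append(net)
        else:
            a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if a.version != 4 or b.version != 4 or a > b:
                raise ValueError("bad range: %s" % line)
            nets.extend(ipaddress.summarize_address_range(a, b))
    return nets


def _subtract(black, white):
    """Remove every whitelisted network from the set of blacklisted networks."""
    white = list(ipaddress.collapse_addresses(white))
    out = set()
    for net in black:
        pieces = [net]
        for w in white:
            nxt = []
            for p in pieces:
                if w.subnet_of(p):          # carve the whitelisted part out
                    nxt.extend(p.address_exclude(w))
                elif not p.subnet_of(w):    # disjoint: keep; nested inside w: drop
                    nxt.append(p)
            pieces = nxt
        out.update(pieces)
    return out


def combine(lists):
    """lists: (kind, networks) pairs in the order they are configured.
    Consecutive blacklists are merged with overlaps removed; a whitelist
    removes any address appearing on both."""
    result = set()
    for kind, nets in lists:
        if kind == "blacklist":
            result = set(ipaddress.collapse_addresses(result | set(nets)))
        elif kind == "whitelist":
            result = _subtract(result, nets)
        else:
            raise ValueError("unknown list kind %r" % kind)
    return sorted(result)


def is_listed(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Constructed sample lists in the formats shown above.
BLACKLIST_A = """# CIDR format
192.168.20.0/24
# A start - end range
192.168.21.0 - 192.168.21.255
# As a single IP address, with ignored trailing text
192.168.23.1 seen 2015-01-01
"""
BLACKLIST_B = """192.168.20.128/25 overlaps list A
192.168.22.0-192.168.22.255
"""
WHITELIST = """192.168.21.10
192.168.23.1
"""
```

combine([("blacklist", parse_list(BLACKLIST_A)), ("blacklist", parse_list(BLACKLIST_B)), ("whitelist", parse_list(WHITELIST))]) yields the networks that would end up in the firewall set: 192.168.20.0/23 with the single whitelisted host carved out, 192.168.22.0/24, and no trace of 192.168.23.1. Whether a real greyd-setup masks host bits in a malformed CIDR the way strict=False does here is not stated on this page; the choice is this example's.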
greyd is Copyright (C) 2015 Mikey Austin (greyd.org)
greyd(8), greyd-setup(8), greydb(8), greylogd(8)