Greylisting is a simple but effective anti-spam technique that temporarily rejects email from unknown senders with a "try again later" response. Legitimate mail servers retry delivery (typically within 5-30 minutes), while most spam bots do not. Postgrey is the most popular greylisting implementation for Postfix. This guide covers installation, configuration, and tuning for production use.
How Greylisting Works
- A new sender/recipient/IP combination connects to your server
- Postgrey returns a temporary rejection (450 response): "Please try again later"
- When the sending server retries after a configurable delay (default 5 minutes), the same combination is accepted
- The triplet is remembered for 35 days, so subsequent emails are not delayed
This simple mechanism blocks 80-90% of spam because most spam is sent by bots that do not retry after a temporary failure.
Installation
# Ubuntu/Debian
sudo apt install postgrey
# Rocky Linux/RHEL
sudo dnf install postgrey
# Start and enable
sudo systemctl enable --now postgrey
Postfix Integration
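# /etc/postfix/main.cf
# The check_policy_service entry hands each recipient to Postgrey.
# main.cf has no inline comments, and continuation lines must start with whitespace.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    permit
# Reload Postfix to apply the change
sudo systemctl reload postfix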
Configuration
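# /etc/default/postgrey (Ubuntu/Debian)
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60 --max-age=35 --auto-whitelist-clients=5"
# A rejection text containing spaces cannot be passed through POSTGREY_OPTS; set it in POSTGREY_TEXT
POSTGREY_TEXT="Greylisted, please retry in %s seconds"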
# Key options:
# --delay=60 Greylist for 60 seconds (default 300)
# --max-age=35 Remember triplets for 35 days
# --auto-whitelist-clients=5 Auto-whitelist after 5 successful deliveries
# --retry-window=2h Accept retries within 2 hours (default 48h)
sudo systemctl restart postgrey
Whitelisting
Some senders should bypass greylisting — large providers, transactional email services, and known business contacts:
# /etc/postgrey/whitelist_clients
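# Entries match the connecting client's hostname (reverse DNS), not the sender's MX
# A plain domain also matches its subdomains; shell-style wildcards (*.) are not supported
google.com
outlook.com
amazonses.com
sendgrid.net
mailchimp.com
github.com
paypal.com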
# /etc/postgrey/whitelist_recipients
# Recipients that should never be greylisted
postmaster@
abuse@
hostmaster@
Monitoring
# Check Postgrey logs
sudo journalctl -u postgrey -f
# Sample log entries:
# postgrey: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.50
# postgrey: action=pass, reason=triplet found, client_address=203.0.113.50
# Count greylisted vs passed
grep "action=greylist" /var/log/mail.log | wc -l
grep "action=pass" /var/log/mail.log | wc -l
# Check auto-whitelist database
postgrey --dump-wl
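To measure how much mail greylisting actually stops (greylisted triplets that never came back), the following added example parses Postgrey log lines; it is not part of Postgrey or of the original guide. The syslog prefix and the sender=/recipient= fields in the constructed sample are assumptions, as is keying clients by /24 (IPv4) or /64 (IPv6) to mirror Postgrey's subnet lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines shaped like the log entries shown above. The syslog
# prefix and the sender=/recipient= fields are assumptions about the full format.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postgrey[812]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.50, sender=promo@bulk.example, recipient=bob@example.org
Jan 10 09:00:07 mx postgrey[812]: action=greylist, reason=new, client_name=out1.mail.example, client_address=198.51.100.17, sender=alice@mail.example, recipient=bob@example.org
Jan 10 09:00:30 mx postgrey[812]: action=greylist, reason=early-retry (37s missing), client_name=out1.mail.example, client_address=198.51.100.17, sender=alice@mail.example, recipient=bob@example.org
Jan 10 09:04:12 mx postgrey[812]: action=pass, reason=triplet found, client_name=out2.mail.example, client_address=198.51.100.44, sender=alice@mail.example, recipient=bob@example.org
Jan 10 09:05:00 mx postgrey[812]: action=pass, reason=client whitelist, client_name=mx.partner.example, client_address=192.0.2.8, sender=carol@partner.example, recipient=bob@example.org
Jan 10 09:06:00 mx postfix/smtpd[900]: connect from unknown[203.0.113.50]
"""

FIELD_RE = re.compile(r"(\w+)=([^,\n]*)")

def parse_line(line):
    """Return the key=value fields of a postgrey log line, or None for other lines."""
    if "postgrey" not in line or "action=" not in line:
        return None
    return {k: v.strip() for k, v in FIELD_RE.findall(line[line.index("action="):])}

def triplet(fields):
    """Key an entry by client subnet (/24 IPv4, /64 IPv6: assumed defaults), sender, recipient."""
    ip = ipaddress.ip_address(fields["client_address"])
    net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
    return (str(net), fields.get("sender", ""), fields.get("recipient", ""))

def summarize(lines):
    """Count actions and split greylisted triplets into retried and never retried."""
    actions, pending, retried = Counter(), set(), set()
    for line in lines:
        fields = parse_line(line)
        if fields is None or "client_address" not in fields:
            continue
        actions[fields["action"]] += 1
        key = triplet(fields)
        if fields["action"] == "greylist" and key not in retried:
            pending.add(key)          # waiting for a retry
        elif fields["action"] == "pass" and key in pending:
            pending.remove(key)       # the sender came back after the delay
            retried.add(key)
    total = len(pending) + len(retried)
    return {"actions": dict(actions), "retried": len(retried),
            "never_retried": sorted(pending),
            "dropped_share": len(pending) / total if total else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Triplets greylisted near the end of the log window may still retry later, so run it over a period that ends at least one retry window in the past.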
Tuning for User Experience
# Reduce delay for faster email delivery (60s is usually enough);
# most legitimate servers retry within 1-5 minutes: --delay=60
# Auto-whitelist frequent senders after 3 deliveries: --auto-whitelist-clients=3
# Shorter retry window reduces database size: --retry-window=4h
# Set them in one POSTGREY_OPTS line; a later assignment replaces an earlier one
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60 --auto-whitelist-clients=3 --retry-window=4h"
Postgrey with Rspamd
If you use Rspamd, it has built-in greylisting that replaces Postgrey:
# /etc/rspamd/local.d/greylist.conf
enabled = true;
expire = 86400;
timeout = 60;
key_prefix = "gr";
# Rspamd only greylists messages with a spam score between 4-15
# Low-scoring messages pass through, high-scoring are rejected
Best Practices
- Set the delay to 60 seconds — most servers retry within 1-5 minutes, so 300 seconds is unnecessarily long
- Whitelist major email providers (Google, Microsoft, Amazon) to avoid delays for common senders
- Auto-whitelist after 3-5 successful deliveries for repeat senders
- Always whitelist postmaster@ and abuse@ addresses (RFC requirement)
- Monitor greylisting effectiveness — if most mail passes anyway, your other filters are handling spam well
- Consider Rspamd's built-in greylisting as a more intelligent alternative (score-based)