postgrey configuration on Fedora Core 21 is very different, and not documented

Richard T asked:

In upgrading from Fedora Core 16 to Fedora Core 21, one of the challenges has been getting postfix working with postgrey. I still don’t have it working after many long hours focused on it.

In the old strategy, the official directions direct you to author your own script to put into /etc/init.d. And, indeed, way back on FC16, I did that! But today, we have systemctl. You can install postgrey with yum, the repositories know about it. It installs fine. You then enable with systemctl enable postgrey.service, and that goes well too.

So far so good. Just a few things left to do…

Next, move over your whitelisting files – seem to be of the same format.

In the old scheme, you’d have a line like this in your postfix main.cf file:

...
smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_pipelining,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               reject_unauth_destination,
                               check_policy_service inet:127.0.0.1:10023,
                               permit_mynetworks
...

In my /etc/init.d, I had written a script of which the following excerpt shows the interesting parts, and it worked well:

...
exec="/usr/sbin/postgrey"
prog="postgrey"
options="--unix=/var/spool/postfix/postgrey/socket --inet=10023"

[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

lockfile=/var/lock/subsys/$prog

start() {
    [ -x $exec ] || exit 5
    echo -n $"Starting $prog: "
    daemon $exec -d $options
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}
...

Notice how the port is specified in --inet= and it matches what’s in main.cf.

But, when I try and use this, the postfix server complains and it won’t receive email. It explicitly states it can’t connect to postgrey:

...
Apr 12 13:27:50 ms1 postfix/smtpd[14273]: warning: connect to 127.0.0.1:10023: Connection refused
Apr 12 13:27:50 ms1 postfix/smtpd[14273]: warning: problem talking to server 127.0.0.1:10023: Connection refused
...

I’ve looked and looked and can’t find any configuration information for the new scheme. Asking if postgrey is up and happy gets this:

# systemctl status postgrey.service -l
● postgrey.service - Postfix Greylisting Service
   Loaded: loaded (/usr/lib/systemd/system/postgrey.service; enabled)
   Active: active (running) since Sun 2015-04-12 12:13:19 PDT; 1h 19min ago
     Docs: man:postgrey(8)
  Process: 13280 ExecStart=/usr/sbin/postgrey --unix=/var/spool/postfix/postgrey/socket --pidfile=/var/run/postgrey.pid --group=postgrey --user=postgrey --greylist-text=Greylisted for %%s seconds --daemonize $POSTGREY_OPTS (code=exited, status=0/SUCCESS)
  Process: 13277 ExecStartPre=/bin/rm -f /var/run/postgrey.pid (code=exited, status=0/SUCCESS)
 Main PID: 13281 (/usr/sbin/postg)
   CGroup: /system.slice/postgrey.service
           └─13281 /usr/sbin/postgrey --unix=/var/spool/postfix/postgrey/socket --pidfile=/var/run/postgrey.pid --group=postgrey --user=postgrey --greylist-text=Greylisted for %s seconds --daemonize --delay=6

Apr 12 12:13:19 ms1 postgrey[13281]: Process Backgrounded
Apr 12 12:13:19 ms1 postgrey[13281]: 2015/04/12-12:13:19 postgrey (type Net::Server::Multiplex) starting! pid(13281)
Apr 12 12:13:19 ms1 postgrey[13281]: Binding to UNIX socket file "/var/spool/postfix/postgrey/socket"
Apr 12 12:13:19 ms1 postgrey[13281]: Setting gid to "479 479"
Apr 12 12:13:19 ms1 postgrey[13281]: Setting uid to "984"

Oddly, it doesn’t clearly denote the socket ID – maybe it doesn’t have to? But I checked with netstat anyway:

# netstat -l | grep postgrey
unix  2      [ ACC ]     STREAM     LISTENING     126293   /var/spool/postfix/postgrey/socket

…I’m not an expert with netstat, but I think this means that the program /postfix/postgrey/socket is listening on port 126293.

So, am I supposed to alter my line in main.cf to match this port number? If so, that doesn’t work – or, hasn’t so far! And, I can’t seem to find the place to put an alternate port / socket configuration, so it looks like you’re stuck with whatever they gave us.

Any help / advice appreciated. … I was thinking the only course of action next is to figure out how the systemctl toolset works, even though I don’t want to take the time now – it’s a Sunday!

My answer:


Fedora 21 and RHEL/CentOS 7 use the new Python-based postgrey reimplementation.

In this implementation the only change you need in your Postfix configuration is to call the service from smtpd_recipient_restrictions. For instance, taken from my own mail server:

smtpd_recipient_restrictions =
        #.....other stuff here
        # This should be next-to-last
        check_policy_service unix:postgrey/socket,
        permit

Oh, and yes, this was documented in /usr/share/doc/postgrey-*/README-rpm. 🙂


View the full question and answer on Server Fault.
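
Added example, not part of the original question or answer and not code from Postfix or postgrey: a shell check that compares each check_policy_service endpoint in main.cf with the sockets given on postgrey's command line, using the values quoted above. It assumes Postfix resolves a relative unix: path against its queue_directory (/var/spool/postfix here) and that a bare --inet=PORT means 127.0.0.1; the function names and sample strings are illustrative.

```shell
# Added example: does main.cf point at a socket postgrey actually listens on?
# Print each check_policy_service endpoint in main.cf text on stdin (comments skipped).
policy_endpoints() {
    grep -v '^[[:space:]]*#' | tr ',' '\n' |
        sed -n 's/.*check_policy_service[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p'
}

# Print postgrey's listeners in Postfix syntax. $1 = command line, $2 = queue dir.
# Assumption: a bare --inet=PORT is written as 127.0.0.1:PORT.
postgrey_listeners() {
    for arg in $1; do
        case $arg in
            --unix=*) rel=${arg#--unix=}; rel=${rel#"$2"/}; echo "unix:$rel" ;;
            --inet=*:*) echo "inet:${arg#--inet=}" ;;
            --inet=*) echo "inet:127.0.0.1:${arg#--inet=}" ;;
        esac
    done
}

# Return 0 only if every endpoint in main.cf ($1) matches a listener of the
# postgrey command line ($2); $3 = Postfix queue_directory.
check_policy_wiring() {
    listeners=$(postgrey_listeners "$2" "$3")
    abs="unix:$3/"
    status=0
    for ep in $(printf '%s\n' "$1" | policy_endpoints); do
        # Normalise an absolute unix: path to the queue-relative form.
        case $ep in "$abs"*) ep=unix:${ep#"$abs"} ;; esac
        if printf '%s\n' "$listeners" | grep -qxF "$ep"; then
            echo "OK       $ep"
        else
            echo "MISMATCH $ep is not among: $(echo $listeners)"
            status=1
        fi
    done
    return $status
}

# Constructed sample inputs, abbreviated from the configuration shown above.
QUEUE_DIR=/var/spool/postfix
POSTGREY_CMD='/usr/sbin/postgrey --unix=/var/spool/postfix/postgrey/socket --daemonize --delay=6'
OLD_MAIN_CF='smtpd_recipient_restrictions = reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023'
NEW_MAIN_CF='smtpd_recipient_restrictions =
    # This should be next-to-last
    check_policy_service unix:postgrey/socket,
    permit'
check_policy_wiring "$OLD_MAIN_CF" "$POSTGREY_CMD" "$QUEUE_DIR" || true
check_policy_wiring "$NEW_MAIN_CF" "$POSTGREY_CMD" "$QUEUE_DIR" || true
```

The first call reports a mismatch for the old inet:127.0.0.1:10023 entry, which is the "Connection refused" case from the question; the second reports OK for unix:postgrey/socket.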

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.