Parliament Hill Computers Ltd

HOWTO: Implement Greylisting with Exim


A non technical overview

Greylisting is one defense against unsolicited or junk email (SPAM). The way that it works is that the computer remembers everywhere that has sent it email and when it first got something. When it is asked to accept email from somewhere new, it will tell the sending computer that it is unable to take the email at the moment and please try again in ten minutes.

Genuine email senders will come back and try to deliver the email again, machines that send SPAM will often not bother to try again.

It works because much SPAM is sent from Botnets, generally Microsoft machines that have been taken over and are under the control of a Bot Master. The SPAM sending software will often not attempt to resend deferred email.

Greylisting must be used in conjunction with other SPAM elimination techniques.

This HOWTO explains one way of greylisting with the Exim MTA.

This has been in use since early 2010 and there are no known problems with the implementation. However: this does not come with a guarantee. It may throw all your email away or drink all of your best wine. It may even prevent you receiving offers of untold wealth from Nigeria.

What is the big picture?

The idea is that many spam bots do not retry sending email if at the first attempt they are told to defer: SMTP code 451. A genuine MTA will retry. A record of the pair of sender domain and the IP address trying to deliver the mail is kept in a database along with a time; mail will be deferred until the pair record is at least 10 minutes old. The first time that email is received from the pair there is a small delay; subsequent attempts are not delayed.

In practice this seems to be quite successful.

This is a new implementation that uses a Mysql stored procedure, which makes the Exim configuration simpler than other implementations.

Mysql setup

Note that you need Mysql 5.0.10 or later; your Exim should be able to connect to a Mysql server.

You need to create:

You will find the Mysql commands to do that here: greylist.database.function.setup.mysql

You execute the SQL commands in that file, something like this will do it (you may need to give a password):

   mysql -u root -p < greylist.database.function.setup.mysql

NOTE that this file contains a username and password; you should change the password at least.
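The setup file itself is not reproduced on this page, so the following is an added example of what such a file could contain; it is not the site's own greylist.database.function.setup.mysql. It implements the rule described under "What is the big picture": a (sender domain, IP address) pair that has never been seen is recorded and deferred, and retries are deferred until the record is ten minutes old. The database, user, password, table name, the last_received column and the function name greylist_defer are taken from this page; the other column names, the first_seen column and the grants are assumptions.

```sql
-- Added example (assumed reconstruction, not the site's setup file).
-- Names from the page: exim_db, exim_user, greylist, last_received, greylist_defer.
-- Assumed: sender_domain, sender_ip, first_seen and the grants below.
CREATE DATABASE IF NOT EXISTS exim_db;
USE exim_db;

CREATE TABLE IF NOT EXISTS greylist (
    sender_domain  VARCHAR(255) NOT NULL,
    sender_ip      VARCHAR(45)  NOT NULL,   -- wide enough for an IPv6 address in text form
    first_seen     DATETIME     NOT NULL,   -- when the pair was first seen (drives the 10 minute rule)
    last_received  DATETIME     NOT NULL,   -- last attempt from the pair (drives the 30 day clean-out)
    PRIMARY KEY (sender_domain, sender_ip)
);

DELIMITER $$
-- Returns 'yes' if Exim should defer the RCPT, 'no' otherwise.
-- Exim's ${lookup mysql{...}} yields the single column, so 'yes'/'no' map onto a condition.
CREATE FUNCTION greylist_defer(p_domain VARCHAR(255), p_ip VARCHAR(45))
    RETURNS VARCHAR(3)
    NOT DETERMINISTIC
    MODIFIES SQL DATA
BEGIN
    DECLARE v_first DATETIME DEFAULT NULL;
    -- A SELECT ... INTO that finds no row leaves v_first NULL instead of raising an error.
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET v_first = NULL;

    SELECT first_seen INTO v_first
      FROM greylist
     WHERE sender_domain = p_domain AND sender_ip = p_ip;

    IF v_first IS NULL THEN
        -- Never seen this pair: record it and tell Exim to answer 451.
        INSERT INTO greylist (sender_domain, sender_ip, first_seen, last_received)
        VALUES (p_domain, p_ip, NOW(), NOW());
        RETURN 'yes';
    END IF;

    -- Known pair: note the retry so the clean-out script keeps live senders ...
    UPDATE greylist SET last_received = NOW()
     WHERE sender_domain = p_domain AND sender_ip = p_ip;

    -- ... and keep deferring only while the record is younger than ten minutes.
    IF v_first > NOW() - INTERVAL 10 MINUTE THEN
        RETURN 'yes';
    END IF;
    RETURN 'no';
END$$
DELIMITER ;

-- Account used by Exim and by the daily clean-out script (password from the page; change it).
CREATE USER 'exim_user'@'localhost' IDENTIFIED BY 'code419';
GRANT EXECUTE ON FUNCTION exim_db.greylist_defer TO 'exim_user'@'localhost';
GRANT SELECT, DELETE ON exim_db.greylist TO 'exim_user'@'localhost';
```

Two things worth knowing when loading a file like this: with binary logging enabled, MySQL refuses to create a function that is NOT DETERMINISTIC and modifies data unless log_bin_trust_function_creators is set, so the CREATE FUNCTION may need a DBA to allow it; and the GREYLIST_DEFER macro in the Exim setup below wraps both arguments in ${quote_mysql:...}, which is what keeps a crafted sender domain from altering the SELECT that calls this function.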

Exim setup

You will need to update your exim configuration file, which will probably be called something like /etc/exim/exim.conf; that is where this HOWTO assumes it is.

Near the top of the configuration file, before the line that contains:

    begin acl

Put the following lines:

    # Get Mysql password for grey listing:
    .include /etc/exim/grey_pass

    # Macro to call the mysql function that returns 'yes' if the mail should be deferred:
    GREYLIST_DEFER = SELECT greylist_defer('${quote_mysql:$sender_address_domain}', '${quote_mysql:$sender_host_address}')

Your RCPT ACL (probably called acl_check_rcpt) can be constructed in various ways, but often it will end with a set of accept acls followed by an unconditional deny. Before the set of accept acls insert:

    # Defer if GREYLIST_DEFER is 'yes':
    defer   condition = ${lookup mysql{GREYLIST_DEFER}}
            message   = Now greylisted - please try again in ten minutes.

If your RCPT ACL ends with an accept, insert the above before it.

The file /etc/exim/grey_pass should contain the following. The file should be readable by exim and only by exim.
Change the password to match that used to create the database account.

    # Password for mysql exim database that is used to implement greylisting
    # This file should only be readable by exim.
    hide mysql_servers = localhost/exim_db/exim_user/code419

The greylisting checks should be made after:

    accept  hosts         = +relay_from_hosts

and:

    accept  authenticated = *

since you will always accept them.

You should also put the greylisting checks after other checks, e.g. SPF, RBL, ..., since you don't want to fill your database with junk from mail that would have been rejected anyway.

Operation

You need to ensure that mysql is running on the machine; after that it should just work.

You can check the exim log file on the receiving server (probably /var/log/exim/main.log) and you will see lines like:

2010-01-27 21:31:50 H=testmint.phcomp.co.uk (mint.phcomp.co.uk) [10.239.239.254] F=<addw@phcomp.co.uk> temporarily rejected RCPT <addw@test1.phcomp.co.uk>: Now greylisted - please try again in ten minutes.

If you have access to the sending machine an exim log file would contain entries like:

2010-01-27 21:31:51 1NaFUI-0006Jb-9O == addw@test1.phcomp.co.uk <addw@test1.phcomp.co.uk> R=dnslookup T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<addw@test1.phcomp.co.uk>: host test1.phcomp.co.uk [10.239.239.1]: 451 Now greylisted - please try again in ten minutes.

If you need to clear the mysql greylist table down, do not worry. All that will happen is that incoming mail will be delayed slightly as you build up the history again.

Clearing old entries

Machines that send spam will, hopefully, not send you spam again; or at least not from the same domain. You will accumulate old entries in the greylist table, so you need to clear these out occasionally.

You should run the following script daily; cron is a good way of doing this. Entries where you have not received mail for 30 days will be removed, tweak 30 to suit your taste.

    #!/bin/sh
    # Clear old entries from the greylist table: drop pairs not heard from for 30 days
    mysql -u exim_user -pcode419 exim_db <<END
        DELETE FROM greylist WHERE last_received < NOW() - INTERVAL 30 DAY;
    END

Beware: this script contains the password in the clear, so it should be protected so that only trusted users can read it. However, the password will still be visible to anyone running ps while the script is running; for better ways of doing this see: https://dev.mysql.com/doc/refman/5.1/en/password-security-user.html

Discussion & config changes

Other comments and implementations of greylisting

License and copyright

All description & sample files copyright (c) 2010, 2011, 2012 Parliament Hill Computers. Author: Alain D D Williams.

You may use these files as the basis of your own (or organisation's/company's) project(s) (under whatever licence that you see fit). You may not claim ownership or copyright of any substantially unmodified files. Acknowledgement would be appreciated, but is not necessary.

These demonstrations are made available in the hope that they are useful. There may be errors: there is no warranty at all, use at your own risk.


If you want any help using the above, or have any comments or suggestions, please contact us.