Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

PGL4RBL: Greylisting on RBL (DNS blacklist) for Postfix

Build Status Coverage Status

This package implements a Postfix policy server that mixes two widely used techniques: greylisting and RBL (DNS blacklists). The idea is that SMTP clients that match a RBL get greylisted. Normal clients are not delayed (unlike a normal greylisting implementation), and RBL false positives do not cause problems (like when outright blocking them at the SMTP level).

More information can be found in this blog post.


Install pgl4rbl somewhere on the local Postfix filesystem, for instance:

cd /usr/local
git clone

Create the pgl4rbl user:

adduser --home=/var/spool/postfix/pgl4rbl --ingroup=nogroup --shell=/usr/sbin/nologin

Edit the configuration file (/usr/local/pgl4rbl/pgl4rbl.conf) as needed. All defaults are meant to be reasonable and correct, but you are welcome to change them if you want.

Now, tell Postfix to start pgl4rbl as a service, by editing /etc/postfix/ and adding this line to it:

# greylisting on rbl
rbl_grey unix  -       n       n       -       0       spawn
        user=pgl4rbl argv=/usr/local/pgl4rbl/ --config /usr/local/pgl4rbl/pgl4rbl.conf

Then, in /etc/postfix/, within the section smptd_recipient_restrictions, add the following line:

check_policy_service unix:private/rbl_grey

Finally, reload postfix:

service postfix reload

Example of full anti-spam configuration

For instance, the following section shows a sample anti-spam configuration with several rules:

smtpd_recipient_restrictions =
        check_policy_service unix:private/rbl_grey

This is what happens, step by step:

  • If the client's IP is in mynetworks, mail is delivered.
  • If the client has authenticated, mail is delivered.
  • If the client's IP is in the <> whitelist, mail is delivered.
  • If the client's IP is in either the Spamhaus SBL or PSBL blacklists, the mail is rejected (500).
  • If the mail destination's domain is not directly handled by Postfix, mail is rejected (= disable relay).
  • If the mail destination's email is not a valid email address, mail is rejected.
  • Otherwise, the mail is handled by pgl4rbl; it will check whether the client's IP is in one of the configured RBLs

Choosing a Blacklist

The default configuration of pgl4rbl includes the following blacklists:

  • list of hijacked PCs (aka "zombies")
  • list of consumer IP ranges, that shouldn't run mail servers
  • list of IPs which sent spam (as reported by a large community of volunteers)
  • list of IPs which sent spam to a set of honeypots / spam traps

In our experience, outright rejection of email through these blacklists would be too harsh, while their usage within pgl4rbl achieves a very good balance.


Greylisting on RBL (DNS blacklist) for Postfix



No releases published


You can’t perform that action at this time.