Andrew Richards
• The Free Stuff!

John Levine's greydaemon

On this page: • Introduction   • License   • Status/Warranty   • Documentation   • Pre-requisites   • Download   • Installation   • Setup / Configuration   • Compatibility   • Security   • Programming Notes   • Archives


This package extends netqmail with John Levine's greylisting daemon. Subject to the environment variable GREYIP being set, greylist checks are made for incoming SMTP connections prior to accepting messages.

'Full' greylisting is implemented, meaning that the connecting IP address, envelope sender and envelope recipient form the triplet that is checked.

greydaemon is used by qmail-smtpd to carry out these checks; qmail-smtpd communicates with greydaemon using UDP. greydaemon itself is written in Perl.

qmail-logmsg is a pre-requisite of this package, along with Perl.

Also note that although this package comes with the 'glue' for it to be used with netqmail there is no reason why greydaemon couldn't be used with other MTAs, subject to appropriate 'glue' being added for the relevant MTA. Ask me or John about this if it's relevant to you.


The greydaemon [Perl] program is subject to a 'BSD' style license: Please see the greydaemon program itself - the text of the license is included there.

Status / Warranty

No warranty, express or implied is given - USE THIS SOFTWARE ENTIRELY AT YOUR OWN RISK. You will need to satisfy yourself as to the suitability of this software before deploying it in a production environment.


The documentation for this package consists of this web page and the included man pages (the qmail-smtpd man page is an updated version of the original):


This package is for netqmail 1.06 patched with qmail-logmsg. Perl is required - that's what greydaemon is written in.


The current release, version 1.15, is available in plaintext or gzipped (.gz).


Proceed as follows:

Setup / Configuration


If you're comfortable with qmail, daemontools etc. you can probably just skim-read this section; if you need a bit more detail, then this section should provide it...

In detail:

Setting up greydaemon as a 'service':

Enabling greylisting in qmail-smtpd:

Greylisting is enabled using the GREYIP environment variable. This specifies the IP address and/or port on which greydaemon is listening. Specifying an empty string, GREYIP="" disables greylisting; setting GREYIP=":" causes qmail-smtpd to use the default IP address and port for greylisting; or you can specify the IP address where greydaemon is listening before the : and/or the port it's listening on after the :, so for example GREYIP="".


Please let me know if you successfully install greydaemon on systems not listed below (see the end of the installation section on this page).

Compatibility with qmail, netqmail: The greydaemon patch should apply cleanly to the following:

Compatibility with Unix / Linux: Successful compilations have been reported on the following:



As discussed below under programming notes, the UDP/socket code is the same as that in qmail-verify which will make patching with it relatively straightforward.


Here are some notes relating to security with this package, these notes are unlikely to be exhaustive:

This package deliberately splits the greylisting functionality such that the actual greylisting part runs as a separate daemon, greydaemon, with qmail-smtpd using UDP to communicate with it. Changes to qmail-smtpd are minimal and very similar to those used by qmail-verify.

Once greydaemon has started listening it changes its effective UID/GID if the -u option has been used.

Programming Notes

I've tried to ensure that the changes to qmail-smtpd.c are minimal and have re-used code employed in qmail-verify to maximise commonality between these packages and make it relatively straightforward to patch both patches to an instance of netqmail.

The request to greydaemon is sent when the connection gets to the DATA stage, with the various recipients being included in the request packet. If there are very many recipients and/or these recipients have particularly long addresses, the maximum packet size may be exceeded, in which case the request is truncated. It should still however include some recipients. See the note on MAXGREYDATASIZE below.

Where greylisting occurs, qmail-smtpd logs only the first recipient as greylisted - but all recipients will be logged by greydaemon in this situation.

A few values are specified with #define at the top of grey.h:

MAXGREYDATASIZE specifies the largest amount of data to put in a UDP packet; the actual packet will be slightly larger. The default setup sends UDP queries to localhost, so packet fragmentation shouldn't be a problem. Alternatively, having a separate greylisting server may cause UDP fragmentation for larger queries. If you dislike this, you could convert the code to use TCP or lower the max. packet size; 1470 is likely to be fragmentation-safe, but this will reduce the amount of recipient addresses that can be checked.

DEFAULTGREYPORT specifies the default port that greydaemon will listen on; this can be overridden by GREYIP at run time.

DEFAULTGREYIP specifies the default IP address that greydaemon will listen on; this can be overridden by GREYIP at run time.

GREYTIMEOUT specifies the timeout within which a response would be expected from greydaemon. In the case of a timeout connections are accepted. To change this behaviour alter the if (r == 0) line in greycheck() in grey.c to return 0.


The only other public releases were versions 1.12 and 1.14:

In v1.14 there was a memory leak with the declaration of chkpacket in grey.c missing a static prefix (thank you to Manvendra Bhangui).

In v1.12 the code parsing the GREYIP value only worked by accident(!) - scan_ip_port() and grey_init() were faulty (thank you to Manvendra Bhangui).

This page last updated: AR, 1st July 2013.

This gratuitous space at the end ensures that the short-cuts to each section work properly