This patch adds the capability to postgrey to store the IPs and emails in the greylisting database using a one-way SHA1 hash function, instead of in clear-text. This will defeat straight-forward attempts to retrieve mail user behaviours. The goal is to give the system administrator the means to implement their site-logging policies by allowing them easier control over the privacy behavior of what information postgrey gathers.
Data retention has become a hot legal topic for ISPs and other Online Service Providers (OSPs). There are many instances where it is preferable to keep less information on users than is collected by default on many systems. In the United States, there is currently no requirement to retain data on users of a server, but you may be required to provide all data on a user which you have retained. OSPs can protect themselves from legal hassles and added work by choosing what data they wish to retain.
Here are some related links:
- Best Practices for Online Service Providers
- EPIC International Data Retention Page
- Working Paper on Usage Log Data Management (from Computer, Freedom, and Privacy conference)
getting postgrey-privacy installed¶
This patch has been integrated to upstream in version 1.24.
There are two ways to get this working on your system, the easiest is to install the debian package if you can.
installing the debian package¶
Postgrey >= 1.24, which has this patch merged, has entered Debian Sid and Etch. Depending on the Debian version you’re running and who you are trusting, you can choose one of the following solutions.
install Debian package¶
If you’re running Debian, just run the following:
# apt-get install postgrey
You may need to apply the patch found on intrigeri.boum.org/misc/postgrey-1.24-1... to get the thing to work.
There is a draft backport HOWTO on debian.ethz.ch/pub/debian-backports/uti....
applying the patch¶
If you wish to create your own version of postgrey with this patch, follow these instructions.
This patch has been tested against the following versions of postgrey:
- version 1.21 and 1.23
- Debian package postgrey-1.21-1, postgrey-1.23-2
To use this patch, obtain the source for postgrey and the latest postgrey-privacy patch. Uncompress the postgrey source and then apply the patch:
% tar -zxvf postgrey-1.23.tar.gz % cd postgrey-1.23 % patch -p1 < postgrey-1.23-privacy.diff
Then install postgrey as normal.
If you are patching a newer version of postgrey than 1.23, you will likely need to modify the patch.
how to use it¶
This patch adds the command-line option —privacy. This option will store the IPs and emails in the greylisting database using a one-way SHA1 hash function, instead of in clear-text. To use this option, modify your startup script to include it on boot.
Thanks go to Lunar^ for the patch and the boum crew!