Manage iRedAPD (white/blacklists, greylisting, throttling and more)



All iRedAPD features listed in current page can be managed with our web-based admin panel - iRedAdmin-Pro.


iRedAPD-4.0 and later releases require Python 3. If you're running iRedAPD-3.6 or an earlier release, please run the commands with Python 2 instead.

Introduce iRedAPD

iRedAPD is a simple Postfix policy server, written in Python, with plugin support. It listens on by default, and runs as a low-privileged user iredapd.

Source code is hosted on GitHub.

How to disable iRedAPD service

To disable iRedAPD service:

  1. Remove all check_policy_service inet: entries from the Postfix config file /etc/postfix/ (Linux/OpenBSD) or /usr/local/etc/postfix/ (FreeBSD).
  2. Restart or reload Postfix service.
  3. Disable iredapd service.

How to enable or disable iRedAPD plugins

iRedAPD plugins are Python files under /opt/iredapd/plugins/ directory. To enable a plugin, please find line plugins = in iRedAPD config file /opt/iredapd/, for example:

plugins = ['greylisting', 'throttle']

If you want to enable plugin reject_sender_login_mismatch (file /opt/iredapd/plugins/, please add the plugin name without extension .py in plugins = like below, then restart iRedAPD service:

plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']

The priorities of plugins shipped in iRedAPD are hard-coded, so the order of plugin names doesn't matter.

To disable a plugin, just remove the plugin name and restart iRedAPD service.

How to add custom settings

iRedAPD has some default settings in file /opt/iredapd/libs/, but you should never modify it. Instead, you should copy the settings you want to modify from /opt/iredapd/libs/ to /opt/iredapd/, then update it with new values. This way you will keep custom settings after upgrading iRedAPD -- because iRedAPD upgrade tool will copy /opt/iredapd/ to new iRedAPD release during upgrading.


Sender Address Restrictions

Plugin reject_sender_login_mismatch will reject emails if:

It offers some parameters to control whether or not to reject email:

# Check whether sender is forged in message sent without smtp auth.

# If you allow someone or some service providers to send email as forged
# (your local) address, you can list all allowed addresses in this parameter.
# For example, if some ISPs may send email as '' (
# is hosted on your server) to you, you should add `` as one
# of forged senders.
# Sample: ALLOWED_FORGED_SENDERS = ['', '']

# Allow sender login mismatch for specified senders or sender domains.
# Sample setting: allow local user `` and all users
# under `` to send email as other users.

# Strictly allow sender to send as one of user alias addresses. Default is True.

# Allow member of mail lists/alias account to send email as mail list/alias
# ('From: <email_of_mail_list>' in mail header). Default is False.


How to disable white/blacklists completely

To disable white/blacklists completely, please remove plugin name amavisd_wblist in iRedAPD config file /opt/iredapd/, parameter plugins =:

plugins = [..., 'amavisd_wblist', ...]

Restarting iRedAPD service is required.

Manage white/blacklists

White/blacklisting is controlled by plugin amavisd_wblist (file /opt/iredapd/plugins/, you can manage it with script /opt/iredapd/tools/

Available arguments
        Manage white/blacklist for outbound messages.

        If no '--outbound' argument, defaults to manage inbound messages.

    --account account
        Add white/blacklists for specified (local) account. Valid formats:

            - a single user:
            - a single domain:
            - entire domain and all its sub-domains:
            - anyone: @. (the ending dot is required)

        if no '--account' argument, defaults to '@.' (anyone).

        Add white/blacklists for specified (local) account.

        Delete specified white/blacklists for specified (local) account.

        Delete ALL white/blacklists for specified (local) account.

        Show existing white/blacklists for specified (local) account. If no
        account specified, defaults to manage server-wide white/blacklists.

    --whitelist sender1 [sender2 sender3 ...]
        Whitelist specified sender(s). Multiple senders must be separated by a space.

    --blacklist sender1 [sender2 sender3 ...]
        Blacklist specified sender(s). Multiple senders must be separated by a space.

    WARNING: Do not use --list, --add-whitelist, --add-blacklist at the same time.

Valid formats of whitelisted and blacklisted addresses

Sample usages

python3 --list --whitelist
python3 --list --blacklist

# Whitelist IP address, email address, entire domain, subdomain (including main domain)
python3 --add --whitelist

# Blacklist IP address, email address, entire domain, subdomain (including main domain)
python3 --add --blacklist
python3 --account --add --whitelist
python3 --account --add --blacklist

python3 --account --list --whitelist
python3 --account --list --blacklist



Greylisting is available in iRedAPD-1.7.0 and later releases.

For technical details about greylisting, please visit

How to disable greylisting service globally

To disable greylisting globally, please run the command below:

python3 /opt/iredapd/tools/ --disable --from '@.'

General settings

There are several settings for greylisting behaviour; default values are defined in /opt/iredapd/libs/ If you want to modify them, please add the settings with custom values in /opt/iredapd/

Manage greylisting settings

Greylisting is controlled by plugin greylisting (file /opt/iredapd/plugins/, you can manage it with script /opt/iredapd/tools/

Available arguments
        Show ALL whitelisted sender domain names (in `greylisting_whitelist_domains`)

        Show ALL whitelisted sender addresses (in `greylisting_whitelists`)

        Whitelist the IP addresses/networks in SPF record of specified sender
        domain for greylisting service. Whitelisted domain is stored in sql
        table `greylisting_whitelist_domains`.

        Remove whitelisted sender domain

        Show ALL existing greylisting settings.

    --from <from_address>
    --to <to_address>
        Manage greylisting setting from email which is sent from <from_address>
        to <to_address>.

        Valid formats for both <from_address> and <to_address>:

            - a single user:
            - a single domain:
            - entire domain and all its sub-domains:
            - anyone: @. (the ending dot is required)

        if no '--from' or '--to' argument, defaults to '@.' (anyone).

        Explicitly enable greylisting for specified account.

        Explicitly disable greylisting for specified account.

        Delete specified greylisting setting.

Sample usages

python3 --list
python3 --list-whitelist-domains
python3 --list-whitelists
python3 --whitelist-domain --from ''

This is same as:

python3 --submit
python3 --remove-whitelist-domain --from ''
python3 --enable --to ''
python3 --disable --to ''
python3 --disable --from '' --to ''
python3 --disable --from ''
python3 --delete --to ''

Many companies set up their mail servers to re-deliver returned email immediately from another server, which causes trouble with greylisting.

Possible solutions:

  1. Disable greylisting on your server completely.
  2. [Recommended] Whitelist IP addresses/networks of their mail servers.

For solution #2, you can whitelist those mail servers with script /opt/iredapd/tools/
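The retry problem described above, as an added example that is not iRedAPD's own code: a toy greylisting model keyed on the (client IP, sender, recipient) triplet, replayed against a sender whose retries rotate through an outbound pool. The delay value, addresses and class name are constructed for illustration.

```python
import ipaddress

GREYLIST_DELAY = 15 * 60  # seconds; constructed value, not an iRedAPD default


class Greylist:
    """Toy greylisting model keyed on the (client IP, sender, recipient) triplet."""

    def __init__(self, whitelisted_networks=()):
        self.first_seen = {}  # triplet -> time of the first delivery attempt
        self.whitelist = [ipaddress.ip_network(n) for n in whitelisted_networks]

    def check(self, client_ip, sender, recipient, now):
        """Return a Postfix access action for one delivery attempt."""
        address = ipaddress.ip_address(client_ip)
        if any(address in net for net in self.whitelist):
            return "DUNNO"            # whitelisted client: greylisting is skipped
        triplet = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= GREYLIST_DELAY:
            return "DUNNO"            # the same client retried after the delay
        return "DEFER_IF_PERMIT"      # temporary failure, the sender must retry


# Constructed scenario: one message retried every 20 minutes, each time from a
# different host of the sender's outbound pool (documentation range 192.0.2.0/24).
ATTEMPTS = [(0, "192.0.2.10"), (1200, "192.0.2.11"),
            (2400, "192.0.2.12"), (3600, "192.0.2.13")]


def replay(greylist):
    """Run the constructed attempts through a Greylist and collect the actions."""
    return [greylist.check(ip, "alice@example.org", "bob@example.com", t)
            for t, ip in ATTEMPTS]


if __name__ == "__main__":
    print(replay(Greylist()))                   # every attempt is a new triplet
    print(replay(Greylist(["192.0.2.0/24"])))   # pool whitelisted: all accepted
```

Without the whitelist every retry arrives as a new triplet and is deferred again, so the message never gets through; whitelisting the pool's network lets the first attempt pass.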


Script tools/ is available in iRedAPD-1.8.0 and later releases.

It queries SPF and MX records of specified mail domain names, then stores all converted IP addresses/networks defined in SPF/MX records in SQL table iredapd.greylisting_whitelists.
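How SPF and MX records turn into a list of networks, as an added example that is not the iRedAPD script: it expands ip4, ip6, mx, include and redirect terms over a constructed DNS table, skips terms with a non-pass qualifier, and guards against include loops and the RFC 7208 lookup limit. The domain names, records and function names are assumptions made for illustration; the a mechanism and CIDR suffixes on mx are not handled.

```python
import ipaddress

# Constructed DNS data (documentation names and ranges); a real tool would
# query TXT, MX and A records instead of reading these tables.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -ip4:203.0.113.99 ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.17 ip6:2001:db8::/32 include:example.com -all",
}
MX = {"example.com": ["mx1.example.com"]}
A = {"mx1.example.com": ["203.0.113.25"]}
MAX_LOOKUPS = 10  # RFC 7208 limit on terms that trigger DNS queries


def mx_networks(domain):
    """Addresses of the domain's MX hosts, each as a /32 or /128 network."""
    return {ipaddress.ip_network(ip) for host in MX.get(domain, [])
            for ip in A.get(host, [])}


def spf_networks(domain, seen=None, budget=None):
    """Networks that the domain's SPF record authorises with a 'pass' result."""
    seen = set() if seen is None else seen
    budget = [MAX_LOOKUPS] if budget is None else budget
    record = TXT.get(domain, "")
    if domain in seen or not record.lower().startswith("v=spf1 "):
        return set()
    seen.add(domain)                       # guards against include loops
    nets = set()
    for term in record.split()[1:]:
        if term[0] in "-~?":               # fail/softfail/neutral: not authorised
            continue
        name, _, value = term.lstrip("+").replace("=", ":", 1).partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name in ("mx", "include", "redirect"):
            budget[0] -= 1
            if budget[0] < 0:
                raise ValueError("SPF lookup limit exceeded for " + domain)
            target = value or domain
            nets |= mx_networks(target) if name == "mx" else spf_networks(target, seen, budget)
    return nets


def greylisting_whitelist(domain):
    """Sorted CIDR strings from the domain's SPF and MX records."""
    nets = spf_networks(domain) | mx_networks(domain)
    return sorted(str(n) for n in nets)
```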

To whitelist IP addresses/networks of some mail domain, for example,,, please run command like below:

cd /opt/iredapd/tools/


The above command stores the server addresses/networks found in SPF/MX records in the SQL table, but doesn't store the whitelisted domain name in SQL. That means iRedAPD won't re-query their DNS records regularly (via cron job) to get the latest servers listed in the SPF record. To store domain names and update their server addresses/networks, please run the above command with the --submit option.

If you want to whitelist more mail domains, just run the command with the domain names like above sample.

Since iRedAPD-1.8.0, we have SQL table iredapd.greylisting_whitelist_domains to store these mail domain names. If you run the script without any argument, it will fetch all mail domains stored in SQL table greylisting_whitelist_domains instead of fetching from command line arguments.


You should set up a cron job to run this script, so that it can keep the IP addresses/networks up to date. iRedMail sets up the cron job to run every 10 or 30 minutes, like below:

*/30   *   *   *   *   /usr/bin/python3 /opt/iredapd/tools/ >/dev/null 2>&1