I’ve made some modifications to his patch to allow for sender address and sender domain based whitelisting.
You can get my patch here:

large-qmail-patch_greylisting-katastrophos.net-20061023.patch

The dbdef.sql file includes an example of how to set up a whitelist filter for a specific sender domain or sender address.

The patch is against Bill’s Large Qmail Patch 0.8.3.

The server load is also reduced because SpamAssassin and ClamAV are less busy filtering mails:

So, speaking for us, this experiment has been very successful. Exactly no real mails got lost, tons of spam was blocked at the SMTP level. Excellent. Now, let’s see how long the effects of this technique will last…

See http://projects.puremagic.com/greylisting/ to learn more about greylisting.

The problem here is that vdelivermail (of vpopmail) doesn’t support those mailfilter files. For that to work we need vdelivermail to call maildrop to process those files on an individual basis. However, this requires to setup the processing instructions for every mail account manually. Of course, this is unbearable on a large setup.

We came up with a patch for vdelivermail that automatically chain-calls maildrop if it finds a mailfilter file in the domain’s account directory. Some parts are based on another patch which source I forgot. I mainly extended it to be less strict and to publish certain internal vpopmail/vdelivermail variables as environment variables that could be used inside the mailfilter – namely username, userdir, domainname, domaindir.

If it finds the file in the domain’s directory, it will delegate the mail to the domain-wide mailfilter.
The domain-wide mailfilter will delegate the mail to the users mailfilter if it exists. If not, it will simply do a standard mail delivery to the account’s INBOX.

If vdelivermail can’t find any domain-wide mailfilter it will simply default to standard mail delivery to the account’s INBOX.

Here is the patch against vpopmail 5.4.17:

vpopmail-5.4.17-vdelivermail.c-maildrop.patch

If you’re too lazy to patch the vpopmail sourcecode yourself, here is the already patched vdelivermail.c:

vdelivermail-5.4.17-maildrop.c

(Rename it to vdelivermail.c and place it in the vpopmail source directory and compile.)

Our current mail server setup goes something like this:

qmail (with SMTP-AUTH + TLS) + vpopmail + SpamAssassin / ClamAV + maildrop + custom scripts + SqWebMail (for webmail) + Dovecot (for SSL IMAP)

In our setup by default every account has the following hierarchy:

INBOX
  Spam
    learn no-spam
    learn spam

The Spam subfolder is automatically created by the domain-wide mailfilter once the first email hits the account.

We’re using the following domain-wide filter (/home/vpopmail/domains/yourdomainname/mailfilter):

mailfilter

Again, our modified vdelivermail takes care of checking the domain for that mailfilter as described above.

Here is our script used to create the Spam subfolders in the domain-wide mailfilter above:

check-create-spamfolders.sh

If you want to use it, make sure to adjust the paths in the file to your setup.

So, now consider that the Spam subfolders have been created. People can use these folders to instruct what mails are spam and what mails are ham (non-spam). They can use this mechanism to report missed spam mails or to correct mistakenly classified non-spam mails.

Now, we wanted to get information out of those folders and try to educate our SpamAssassin’s bayes filter. Here is what we start in our crontab every hour:

sa-learn.sh

This script will make a list of all account’s spam and ham folders in every domain under /home/vpopmail/domains and feed the mails therein into sa-learn. Again, if you want to use the script, make sure to adjust the paths to your setup.

Since our server runs Debian installing SpamAssassin is pretty easy. We just had to make sure to start SpamAssassin’s spamd with the following adjusted settings in /etc/default/spamd.conf:

# Change to one to enable spamd
ENABLED=1

# Options
# See man spamd for possible options. The -d option is automatically added.
OPTIONS="-m 2 -H -u vpopmail --vpopmail --nouser-config"

# Set nice level of spamd
NICE="--nicelevel 10"

This will launch spamd globally for all vpopmail accounts. The bayes database is shared among all accounts and is stored in /home/vpopmail/.spamassassin/ with the following local.cf in /etc/spamassassin/local.cf:

local.cf

Having a global shared bayes database for your SpamAssassin is controversial. I won’t go into detail on why it’s good or bad to do so. All I can say is it’s working pretty well for us.

Currently, in our setup the SpamAssassin and ClamAV scanning is integrated into qmail via Qmail-Scanner. This has the disadvantage that antivirus filtering is done pretty deep down the processing chain. I plan to migrate this to simscan, which stops and rejects any virus mail at SMTP level and thus prevents them from entering the queue, i.e. nothing will get onto your box. Qmail-Scanner on the other hand puts virus mails into a global quarantine directory.

As for IMAP access to mail accounts, we’ve previously used Courier IMAP and just recently migrated all accounts to Dovecot. Both servers are proven and very reliable. However, we found Dovecot to be more secure and way faster. This is especially noticeable when doing searches and threading on mailboxes. Also, Dovecot is easier to set up as there are fewer external dependencies than with Courier IMAP.
Dovecot offers support for vpopmail. If you want to give it a try in your setup, make sure to enable this support via the “–with-vpopmail” switch when running configure.

As already stated above, we chose to use SqWebMail for webmail and mail filter configuration. By default the latter is disabled. You’ll have to explicitly enable the mail filter interface. Check the documentation on how to do that.