How to bypass greylisting for sender addresses with Postgrey & Postfix

Greylisting is an effective way to reduce the amount of SPAM sent by non-standard sources, such as scripts. It relies on the fact that a real SMTP sender will respond to a temporary rejection with a later retry, whereas most spam scripts will not.

Postgrey is a service that implements greylisting. It is easily integrated into Postfix configurations.

To this end Postgrey will build triples of:

CLIENT: The source IP of the sending server
SENDER: The sender's email address
RECIPIENT: The recipient's email address

If a triple was not previously seen, the mail is temporarily rejected. When the sending server retries a delivery after a configurable minimum delay (default 300s) the mail is accepted and the triple is marked as a valid combination, so that the next email with the same triple will be accepted without any delays. After a certain time (default 35 days) unused triples will expire.

Postgrey allows for exceptions by specifying allowed sending servers and allowed recipients.

It does not allow exceptions for the sender's email address though. Some services use multiple sending servers, so the retry might come from a different server. This then does not match the previous triple and results in another temporary rejection. These cases can only be handled by defining exceptions for the sender's email address, which Postgrey does not implement. See Enhancement Request: Sender Whitelist (#56), which is unlikely to be implemented.

One solution would be to filter by sender address before passing the email to Postgrey.

A typical Postfix configuration using Postgrey will contain something like the following in master.cf:

smtp      inet  n       -       y       -       -       smtpd
  -o { smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023 }
  ...

Here the check_policy_service directive passes the message to the Postgrey service listening on 127.0.0.1:10023, which then decides on temporary rejection or immediate acceptance.

Since the smtpd_recipient_restrictions options are evaluated in order until one of them returns a definite result (OK or REJECT), inserting a filter right before the check_policy_service directive will do the trick: a sender that matches with OK is accepted at that point and the Postgrey policy service is never consulted for it. This filter could look like this: check_sender_access hash:/etc/postfix/nogreylist-senders, which matches the envelope sender (MAIL FROM) against an access table similar to:

/etc/postfix/nogreylist-senders
# The following sender email address patterns will be used to exclude
# emails from these senders from being subjected to greylisting by
# postgrey.
#
# Beware that email sender addresses are easily forged. So use this
# judiciously.
#
# NOTE 1: This affects all recipient addresses on this server, so
#         don't be too permissive.
# NOTE 2: Please only use the ACCEPT ACTION OK because any other action
#         is not appropriate semantically in this file.
#         https://www.postfix.org/access.5.html#accept_actions
#         REJECT actions are technically possible but their use should
#         be separated from the goal of bypassing greylisting, thus
#         inappropriate here.
#
# For syntax see:
# https://www.postfix.org/access.5.html
#
# Always run `postmap /etc/postfix/nogreylist-senders` after making changes.

# Allow emails from senders in the domain example.com to bypass greylisting
example.com OK


#
# EOF.
#

Thus the entry in master.cf will now look like this:

smtp      inet  n       -       y       -       -       smtpd
  -o { smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_sender_access hash:/etc/postfix/nogreylist-senders check_policy_service inet:127.0.0.1:10023 }
  ...
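To see which senders the table above would actually let past Postgrey before editing a live server, here is an added example (not part of the original post or of Postfix) that parses an access table in the same format, audits it for the NOTE 2 rule (only OK actions), and simulates the lookup order Postfix uses for email addresses in check_sender_access. It assumes the default parent_domain_matches_subdomains setting (which includes smtpd_access_maps) and the default case folding of postmap; the table contents and addresses are constructed.

```python
"""Offline check for a Postfix access(5) table used to bypass Postgrey."""

# Constructed sample in the format of /etc/postfix/nogreylist-senders.
SAMPLE_TABLE = """\
# Allow emails from senders in the domain example.com to bypass greylisting
example.com OK
# Hypothetical single-address exception
billing@example.org    OK
# Wrong action for this file (NOTE 2): flagged by audit_table()
spammer.example.net    REJECT
"""


def parse_table(text):
    """Return {pattern: ACTION} from access-table text; comments and blank lines skipped.
    Patterns are lower-cased, as postmap folds keys by default."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed access table line: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def audit_table(table):
    """Return patterns whose action is not OK (anything else is out of place here)."""
    return sorted(p for p, a in table.items() if a.split()[0].upper() != "OK")


def lookup_keys(sender):
    """Keys tried, in order, for an email address: full address, its domain and each
    parent domain (subdomain matching assumed, the default), then localpart@."""
    sender = sender.lower()
    local, at, domain = sender.rpartition("@")
    if not at:
        return [sender]
    labels = domain.split(".")
    return [sender] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]


def bypasses_greylisting(sender, table):
    """Simulate check_sender_access: first matching (key, action), or None."""
    for key in lookup_keys(sender):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("non-OK entries:", audit_table(table))
    for s in ("Alice@Example.COM", "bob@mail.example.com", "carol@other.test"):
        print(s, "->", bypasses_greylisting(s, table))
```

A result of None means Postfix falls through to check_policy_service, so that sender is still greylisted.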

This method has been successfully tested on OpenBSD 7.9 running Postfix 3.11.3 and Postgrey 1.37.

blog/how_to_bypass_greylisting_for_sender_addresses_with_postgrey_postfix.txt · Last modified: by fiwswe