Greylisting temporarily rejects the first delivery attempt from an unknown mail server with a
451 4.7.1(please retry later) response.
Legitimate mail servers always retry within minutes and are then accepted — and remembered.
Most spam engines never retry, so their messages simply never enter your platform.
Open MTA Mail system » Access Control Lists, click New Rule and select GreyListing:

Attach at least one object to define the scope (typically All).
Outbound/authenticated submissions and messages already in scope of DKIM/ARC signing are automatically skipped — greylisting only evaluates inbound, unauthenticated mail.

| Option | Default | Meaning |
|---|---|---|
| Retry delay (seconds) | 300 |
Minimum wait before a retry of the same host name + IP pair is accepted. |
| Authentication bypass | Bypass when DMARC passes |
Senders passing SPF or DKIM with DMARC alignment skip greylisting. |
| Remember authenticated senders | enabled | Persist authenticated senders as accepted so they are never greylisted again. |
| Behaviour when the database is unavailable | cache_only |
Keep deciding from the in-memory cache, or fail-open (accept everything) until the database returns. |
| Temporary rejection SMTP code / message | 451 / 4.7.1 Greylisted, please retry later |
The temporary response sent on first contact. |
| Accepted sender lifetime | 2592000 (30 days) |
How long an accepted pair stays valid without new mail. |
| Pending entry lifetime | 86400 (1 day) |
How long a first-seen pair may wait for its retry before expiring. |
| In-memory cache lifetime | 900 |
TTL of the local decision cache shielding the database. |
| Cleanup interval | 3600 |
How often expired entries are purged. |
| Allow-listed IP / CIDR | — | Networks that always bypass greylisting (one per line). |
| Allow-listed host names | — | Host names that always bypass (wildcards such as *.trusted-partner.com are supported). |
host name + IP pair → accepted.451 4.7.1), recorded as pending.Every greylist temporary rejection is also written to Postfix's mail.log in the standard Postfix format, so your log analysis keeps working.
The milter's REST control socket exposes greylisting counters and a simulator (see Monitoring & REST API):
# live counterscurl --unix-socket /usr/share/artica-postfix/bin/run/artica-milter.sock http://x/greylisting/metrics
# what would happen for this tuple? (no side effects)curl --unix-socket /usr/share/artica-postfix/bin/run/artica-milter.sock -X POST http://x/greylisting/simulate -d '{"instance_id":0,"hostname":"mx.example.net","ip":"203.0.113.10","mail_from":"user@example.net"}'