Policy

The policy object decides what to do if a match was successful.

[policy]
type=whitelist
match=recipient match

The type can be either whitelist or greylist. In most cases you want to run a triplet through a couple of whitelist checks and then finally a greylist.
The match refers to the user defined name of the match object to use.
If a whitelist object matches it breaks the chain of execution and sends a action=dunno to postfix (or whatever is connected to it). So the triplet is not checked against the greylist object (if one is defined!) or any later checks.

[policy]
type=greylist
mode=reverse
match=allmatch
datasource=tripletds
weakbytes=3
timeout=60
mode
reverse(default), weak, normal. See the greylist service documenation for an explanation. It is strongly recommended to use the reverse mode. The reverse mode gracefully degrades to weak mode if there is no client_name (verified client name).
There is no support for the init mode - create the database structure manually and use timeout=0 to collect triplets without greylisting.
datasource
greylist requires a read/writeable datasource backend to read and store triplet data. This is the user defined name of the datasource to use.
weakbytes
4=1.2.3.4, 3=1.2.3, 2=1.2, 1=1 - hope this makes sense!
timeout
time in seconds before accepting a resend. When a triplet is first seen it is new. If it retries before timeout it is wait, after the timeout it is ok