From 4bac95f3094d810c24a36a9cd1bd6b00edf88eaa Mon Sep 17 00:00:00 2001
From: gustavo panizzo
Date: Sat, 26 Mar 2016 22:43:01 +0800
Subject: [PATCH] initial support for postfwd, as discussed on mail-in-a-box/mailinabox#765

---
conf/postfwd.cf | 205 ++++++++++++++++++++++++++++++++++++++++++
setup/mail-postfix.sh | 31 +++++--
2 files changed, 231 insertions(+), 5 deletions(-)
create mode 100644 conf/postfwd.cf

diff --git a/conf/postfwd.cf b/conf/postfwd.cf
new file mode 100644
index 00000000..5274c399
--- /dev/null
+++ b/conf/postfwd.cf
@@ -0,0 +1,205 @@
+###################################################################################################
+##
+## ATTENTION: This configuration uses features which require at least postfwd 1.30!
+## Please see the manual ('postfwd -m') for example syntax for prior versions.
+##
+###################################################################################################
+
+
+##
+## Definitions
+##
+
+# Maintenance times
+&&MAINTENANCE {
+ date=15.01.2007
+ date=15.10.2007 - 17.10.2007
+ # keep as an example.
+ #days=Sat-Sun
+ #time=03:00:00 - 04:00:00
+}
+
+# Whitelists
+&&TRUSTED_NETS {
+ # empty on propose
+ #client_address=192.168.1.0/22
+ #client_address=172.16.128.32/27
+}
+&&TRUSTED_HOSTS {
+ # put them in here as an example.
+ client_name~=\.debian\.org$
+ client_name~=\.lists\.debian\.org$
+}
+&&TRUSTED_USERS {
+ # examples
+ #sasl_username==user@example.com
+ #sasl_username==(.*)@example.net
+}
+&&TRUSTED_TLS {
+ # whitelist know certs
+ #ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
+ # optionally, whitelist senders which use TLS
+ #encryption_keysize>=64
+}
+&&FREEMAIL {
+ client_name~=\.gmx\.net$
+ client_name~=\.web\.de$
+ client_name~=\.(aol|gmail|outlook|yahoo|h(ush|ot)mail)\.com$
+}
+&&STATIC {
+ # contains freemailers
+ &&FREEMAIL
+ client_name~=[\.\-]static[[\.\-]
+ client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
+}
+&&DNSWLS {
+ rbl=sbl-xbl.spamhaus.org
+ rbl=list.dnswl.org
+ rbl=query.bondedsender.org
+ rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
+ rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
+}
+
+# Spamchecks
+&&BADHELO {
+ client_name==!!($$(helo_name))
+}
+&&DYNAMIC {
+ client_name==unknown
+ client_name~=(\-.+){4}
+ client_name~=\d{5}
+ client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
+}
+&&DNSBLS {
+ rbl=zen.spamhaus.org
+ rbl=list.dsbl.org
+ rbl=bl.spamcop.net
+ rbl=dnsbl.sorbs.net
+ rbl=ix.dnsbl.manitu.net
+ rhsbl=rddn.dnsbl.net.au
+ rhsbl=rhsbl.sorbs.net
+}
+
+
+##
+## Ruleset
+##
+
+# temporary reject and drop connection during maintenance window
+id=M_001
+ &&MAINTENANCE
+ action=421 maintenance - please try again later
+
+# stress-friendly behaviour (will not match on postfix version pre 2.5)
+id=STRESS
+ stress==yes
+ action=dunno
+
+# Whitelists
+id=WL_001
+ &&TRUSTED_NETS
+ action=dunno
+id=WL_002
+ &&TRUSTED_HOSTS
+ action=dunno
+id=WL_003
+ &&TRUSTED_USERS
+ action=dunno
+id=WL_004
+ &&TRUSTED_TLS
+ action=dunno
+
+# DNSWL checks - lookup
+id=RWL_001
+ &&DNSWLS
+ rhsblcount=all ; rblcount=all
+ action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
+
+# DNSWL - whitelisting
+id=RWL_002
+ HIT_dnswls>=2
+ action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
+id=RWL_003
+ HIT_dnswls>=1
+ action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
+id=RWL_004
+ HIT_dnswls>=1
+ action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
+
+# DNSBL checks - lookup
+id=RBL_001
+ &&DNSBLS
+ rhsblcount=all ; rblcount=all
+ action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
+
+# DNSBL checks - evaluation
+
+# this will drop emails from servers which are in 2 or more blacklists
+id=RBL_002
+ HIT_dnsbls>=2
+ action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
+
+# this will drop emails from servers which are in more than 1 blacklist and have dynamic ip address
+id=RBL_003
+ HIT_dnsbls>=1
+ &&DYNAMIC
+ action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
+
+# this will drop emails from servers which are in more than 1 blacklist and helo does not match their PTR
+id=RBL_004
+ HIT_dnsbls>=1
+ &&BADHELO
+ action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
+
+# Rate limits
+
+# rate limit servers in more than 1 dnsbl, which didn't login
+id=RATE_001
+ sasl_username==unknown
+ HIT_dnsbls>=1
+ action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
+
+# rate limit servers behind a dynamic ip address, if they didn't login
+id=RATE_002
+ sasl_username==unknown
+ &&DYNAMIC
+ action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
+
+# Selective greylisting
+
+# do no greylist freeemailers and servers with PTR
+id=GREY_001
+ action=dunno
+ &&STATIC
+
+# do no greylist emails which sender domain matches the server domain
+id=GREY_002
+ action=dunno
+ $$client_name~=$$(sender_domain)$
+
+# do no greylist emails which sender is in one or more dnswl.
+id=GREY_003
+ action=dunno
+ HIT_dnswls>=1
+
+# greylist dynamic ip senders
+id=GREY_004
+ action=greylisting
+ &&DYNAMIC
+
+# greylist servers in one or more dnsbl.
+id=GREY_005
+ action=greylisting
+ HIT_dnsbls>=1
+
+# Greylisting should be safe during out-of-office times
+# there is no thing as office hours, so I'll leave this commented out.
+#
+#id=GREY_006
+# action=greylisting
+# days=Sat-Sun
+#id=GREY_007
+# action=greylisting
+# days=Mon-Fri
+# time=!!06:00:00-20:00:00
+
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index a3b87a98..bfd35216 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
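Review bot: `rbl=sbl-xbl.spamhaus.org` inside `&&DNSWLS` is a Spamhaus blocklist zone, not a whitelist, so a hit on it raises `HIT_dnswls`, and since `RWL_002`–`RWL_004` answer with PREPEND and `GREY_003` with dunno, a host listed there is treated as trusted and skips every later check including greylisting; drop that line (sbl-xbl has been deprecated in favour of zen, which `&&DNSBLS` already queries). `rbl=list.dnswl.org` counts any 127.x answer as a whitelist hit, but dnswl.org returns 127.0.0.255 to resolvers that exceed its free query limit (the context comment at the top of this patch's mail-postfix.sh hunk already warns about needing a subscription), which would whitelist every sender; restrict the match to real trust levels, e.g. `rbl=list.dnswl.org/^127\.0\.\d+\.[1-3]$/3600`. `list.dsbl.org` under `&&DNSBLS` has been defunct for years and should be removed as well. `RBL_002`'s reject text references `$$DSBL_count`, which no `set()` ever defines; `$$HIT_dnsbls` is the value it means. Note that `&&STATIC` and the `$$client_name~=$$(sender_domain)$` tests key on the connecting host's PTR and its own MAIL FROM, both chosen by the sender, so they are acceptable only for deciding who avoids greylisting and should never be promoted to a bypass of the reject rules.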
@@ -50,7 +50,7 @@ source /etc/mailinabox.conf # load global vars
 # > anti-spam solutions) must register with dnswl.org and purchase a subscription.
 echo "Installing Postfix (SMTP server)..."
-apt_install postfix postfix-pcre postgrey ca-certificates
+apt_install postfix postfix-pcre postgrey ca-certificates postfwd
 # ### Basic Settings
@@ -192,11 +192,31 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
 # whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
- smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
- smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
+ smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
+ smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10040" \
+ smtpd_restriction_classes="greylisting" \
+ greylisting="check_policy_service inet:127.0.0.1:10023"
-# Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
-# Postgrey listens on the same interface (and not IPv6, for instance).
+
+# Postfix connects to Postfwd on the 127.0.0.1 interface specifically. Ensure that
+# Postfwd listens on the same interface (and not IPv6, for instance).
+# Postfwd is an advanced policy engine for Postfix, it may reject, limit, greylist or accept emails.
+
+tools/editconf.py /etc/default/postfwd \
+ STARTUP=1 \
+ CONF=/etc/postfix/postfwd.cf \
+ INET=127.0.0.1 \
+ PORT=10040 \
+ RUNAS="postfw" \
+ ARGS=\"'--summary=660 --cache=600 --cache-rdomain-only --cache-no-size --max_spare_servers=5'\"
+
+# Install the configuration file for postfwd service. If the local admin modified it, we won't overwrite
+# This configuration will accept emails right away (no greylist) for servers in DNSWL, gmail, hotmail, outlook, etc.
+# If the server has a dynamic ip it will be greylisted.
+
+cp -n conf/postfwd.cf /etc/postfix/postfwd.cf
+
+# Postfwd will instruct Postfix to greylist some emails, depending on who is sending it and the server who is sending it.
 # A lot of legit mail servers try to resend before 300 seconds.
 # As a matter of fact RFC is not strict about retry timer so postfix and
 # other MTA have their own intervals. To fix the problem of receiving
@@ -219,3 +239,4 @@ ufw_allow submission
 restart_service postfix
 restart_service postgrey
+restart_service postfwd
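Review bot: `cp -n conf/postfwd.cf /etc/postfix/postfwd.cf` skips the copy whenever the destination already exists, not only when the admin changed it, so any later correction to the shipped ruleset (a retired or mis-categorised DNSBL, a rule that is too permissive) never reaches an existing install, even though the comment above it promises "If the local admin modified it, we won't overwrite". Keep a copy of what was last shipped next to the live file and refresh the live file only while it is still identical to that copy; a locally edited ruleset is then left alone, an untouched one follows upstream. The setup script is not sourced with a strict mode that I can see from this hunk, so the comparison below deliberately treats a missing `.dist` file as "do not overwrite", which matches the current `cp -n` behaviour on first upgrade.
```shell
# Install the postfwd ruleset. The copy we shipped last time is kept beside it, so an
# unmodified ruleset is refreshed on upgrade while a locally edited one is preserved.
if [ ! -f /etc/postfix/postfwd.cf ] \
	|| cmp -s /etc/postfix/postfwd.cf /etc/postfix/postfwd.cf.dist; then
	cp conf/postfwd.cf /etc/postfix/postfwd.cf
fi
cp conf/postfwd.cf /etc/postfix/postfwd.cf.dist
# … unchanged: greylisting comment and postgrey configuration …
```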
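Review bot: `restart_service postfwd` is placed after `restart_service postfix`, so there is a window in which Postfix is already accepting connections while the policy daemon that `smtpd_recipient_restrictions` now consults at `inet:127.0.0.1:10040` is not yet listening; Postfix answers those sessions with its default policy-service failure action, a 450 temporary rejection, for every non-authenticated sender. Restart the policy daemons first so the socket exists before Postfix comes back: `restart_service postfwd`, `restart_service postgrey`, `restart_service postfix`. I cannot see `restart_service`'s definition from this hunk; if it does not abort the script when the daemon fails to start, a bad `/etc/default/postfwd` would leave all inbound mail deferred until someone notices, so a check that 127.0.0.1:10040 is listening after the restart would be worth adding.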