initial support for postfwd, as discussed on mail-in-a-box/mailinabox#765

conf/postfwd.cf

@@ -0,0 +1,205 @@
+###################################################################################################
+##
+##   ATTENTION: This configuration uses features which require at least postfwd 1.30!
+##              Please see the manual ('postfwd -m') for example syntax for prior versions.
+##
+###################################################################################################
+
+
+##
+## Definitions
+##
+
+# Maintenance times
+&&MAINTENANCE {
+        date=15.01.2007
+        date=15.10.2007 - 17.10.2007
+	# keep as an example.
+        #days=Sat-Sun
+        #time=03:00:00 - 04:00:00
+}
+
+# Whitelists
+&&TRUSTED_NETS {
+	# empty on propose
+        #client_address=192.168.1.0/22
+        #client_address=172.16.128.32/27
+}
+&&TRUSTED_HOSTS {
+	# put them in here as an example.
+        client_name~=\.debian\.org$
+        client_name~=\.lists\.debian\.org$
+}
+&&TRUSTED_USERS {
+	# examples
+	#sasl_username==user@example.com
+	#sasl_username==(.*)@example.net
+}
+&&TRUSTED_TLS {
+	# whitelist know certs
+        #ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
+        # optionally, whitelist senders which use TLS
+	#encryption_keysize>=64
+}
+&&FREEMAIL {
+        client_name~=\.gmx\.net$
+        client_name~=\.web\.de$
+        client_name~=\.(aol|gmail|outlook|yahoo|h(ush|ot)mail)\.com$
+}
+&&STATIC {
+        # contains freemailers
+        &&FREEMAIL
+        client_name~=[\.\-]static[[\.\-]
+        client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
+}
+&&DNSWLS {
+	rbl=sbl-xbl.spamhaus.org
+        rbl=list.dnswl.org
+        rbl=query.bondedsender.org
+        rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
+        rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
+}
+
+# Spamchecks
+&&BADHELO {
+	client_name==!!($$(helo_name))
+}
+&&DYNAMIC {
+        client_name==unknown
+        client_name~=(\-.+){4}
+        client_name~=\d{5}
+        client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
+}
+&&DNSBLS {
+        rbl=zen.spamhaus.org
+        rbl=list.dsbl.org
+        rbl=bl.spamcop.net
+        rbl=dnsbl.sorbs.net
+        rbl=ix.dnsbl.manitu.net
+        rhsbl=rddn.dnsbl.net.au
+        rhsbl=rhsbl.sorbs.net
+}
+
+
+##
+## Ruleset
+##
+
+# temporary reject and drop connection during maintenance window
+id=M_001
+	&&MAINTENANCE
+	action=421 maintenance - please try again later
+
+# stress-friendly behaviour (will not match on postfix version pre 2.5)
+id=STRESS
+	stress==yes
+	action=dunno
+
+# Whitelists
+id=WL_001
+	&&TRUSTED_NETS
+	action=dunno
+id=WL_002
+	&&TRUSTED_HOSTS
+	action=dunno
+id=WL_003
+	&&TRUSTED_USERS
+	action=dunno
+id=WL_004
+	&&TRUSTED_TLS
+	action=dunno
+
+# DNSWL checks - lookup
+id=RWL_001
+	&&DNSWLS
+	rhsblcount=all ; rblcount=all
+	action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
+
+# DNSWL - whitelisting
+id=RWL_002
+	HIT_dnswls>=2
+	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
+id=RWL_003
+	HIT_dnswls>=1
+	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  &&STATIC
+id=RWL_004
+	HIT_dnswls>=1
+	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  $$client_name~=$$(sender_domain)$
+
+# DNSBL checks - lookup
+id=RBL_001
+	&&DNSBLS
+	rhsblcount=all ; rblcount=all
+        action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
+
+# DNSBL checks - evaluation
+
+# this will drop emails from servers which are in 2 or more blacklists
+id=RBL_002
+	HIT_dnsbls>=2
+	action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
+
+# this will drop emails from servers which are in more than 1 blacklist and have dynamic ip address
+id=RBL_003
+	HIT_dnsbls>=1
+	&&DYNAMIC
+	action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
+
+# this will drop emails from servers which are in more than 1 blacklist and helo does not match their PTR
+id=RBL_004
+	HIT_dnsbls>=1
+	&&BADHELO
+	action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
+
+# Rate limits
+
+# rate limit servers in more than 1 dnsbl, which didn't login
+id=RATE_001
+	sasl_username==unknown
+	HIT_dnsbls>=1
+	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
+
+# rate limit servers behind a dynamic ip address, if they didn't login
+id=RATE_002
+	sasl_username==unknown
+	&&DYNAMIC
+	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
+
+# Selective greylisting
+
+# do no greylist freeemailers and servers with PTR
+id=GREY_001
+	action=dunno
+	&&STATIC
+
+# do no greylist emails which sender domain matches the server domain
+id=GREY_002
+	action=dunno
+	$$client_name~=$$(sender_domain)$
+
+# do no greylist emails which sender is in one or more dnswl.
+id=GREY_003
+	action=dunno
+	HIT_dnswls>=1
+
+# greylist dynamic ip senders
+id=GREY_004
+	action=greylisting
+	&&DYNAMIC
+
+# greylist servers in one or more dnsbl.
+id=GREY_005
+	action=greylisting
+	HIT_dnsbls>=1
+
+# Greylisting should be safe during out-of-office times
+# there is no thing as office hours, so I'll leave this commented out.
+#
+#id=GREY_006
+#	action=greylisting
+#	days=Sat-Sun
+#id=GREY_007
+#	action=greylisting
+#	days=Mon-Fri
+#	time=!!06:00:00-20:00:00
+

setup/mail-postfix.sh

@@ -50,7 +50,7 @@ source /etc/mailinabox.conf # load global vars
 # > anti-spam solutions) must register with dnswl.org and purchase a subscription.
 
 echo "Installing Postfix (SMTP server)..."
-apt_install postfix postfix-pcre postgrey ca-certificates
+apt_install postfix postfix-pcre postgrey ca-certificates postfwd
 
 # ### Basic Settings
 
@@ -193,10 +193,30 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
         smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
-	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
+	smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10040" \
+	smtpd_restriction_classes="greylisting" \
+	greylisting="check_policy_service inet:127.0.0.1:10023"
 
-# Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
+
-# Postgrey listens on the same interface (and not IPv6, for instance).
+# Postfix connects to Postfwd on the 127.0.0.1 interface specifically. Ensure that
+# Postfwd listens on the same interface (and not IPv6, for instance).
+# Postfwd is an advanced policy engine for Postfix, it may reject, limit, greylist or accept emails.
+
+tools/editconf.py /etc/default/postfwd \
+	STARTUP=1 \
+	CONF=/etc/postfix/postfwd.cf \
+	INET=127.0.0.1 \
+	PORT=10040 \
+	RUNAS="postfw" \
+	ARGS=\"'--summary=660 --cache=600 --cache-rdomain-only --cache-no-size --max_spare_servers=5'\"
+
+# Install the configuration file for postfwd service. If the local admin modified it, we won't overwrite
+# This configuration will accept emails right away (no greylist) for servers in DNSWL, gmail, hotmail, outlook, etc.
+# If the server has a dynamic ip it will be greylisted.
+
+cp -n conf/postfwd.cf /etc/postfix/postfwd.cf
+
+# Postfwd will instruct Postfix to greylist some emails, depending on who is sending it and the server who is sending it.
 # A lot of legit mail servers try to resend before 300 seconds.
 # As a matter of fact RFC is not strict about retry timer so postfix and
 # other MTA have their own intervals. To fix the problem of receiving
@@ -219,3 +239,4 @@ ufw_allow submission
 
 restart_service postfix
 restart_service postgrey
+restart_service postfwd