initial support for postfwd, as discussed on mail-in-a-box/mailinabox#765
This commit is contained in:
gustavo panizzo
parent
65add24e2a
commit
4bac95f309
|
|
@ -0,0 +1,205 @@
|
|||
###################################################################################################
|
||||
##
|
||||
## ATTENTION: This configuration uses features which require at least postfwd 1.30!
|
||||
## Please see the manual ('postfwd -m') for example syntax for prior versions.
|
||||
##
|
||||
###################################################################################################
|
||||
|
||||
|
||||
##
|
||||
## Definitions
|
||||
##
|
||||
|
||||
# Maintenance times
|
||||
&&MAINTENANCE {
|
||||
date=15.01.2007
|
||||
date=15.10.2007 - 17.10.2007
|
||||
# keep as an example.
|
||||
#days=Sat-Sun
|
||||
#time=03:00:00 - 04:00:00
|
||||
}
|
||||
|
||||
# Whitelists
|
||||
&&TRUSTED_NETS {
|
||||
# empty on propose
|
||||
#client_address=192.168.1.0/22
|
||||
#client_address=172.16.128.32/27
|
||||
}
|
||||
&&TRUSTED_HOSTS {
|
||||
# put them in here as an example.
|
||||
client_name~=\.debian\.org$
|
||||
client_name~=\.lists\.debian\.org$
|
||||
}
|
||||
&&TRUSTED_USERS {
|
||||
# examples
|
||||
#sasl_username==user@example.com
|
||||
#sasl_username==(.*)@example.net
|
||||
}
|
||||
&&TRUSTED_TLS {
|
||||
# whitelist know certs
|
||||
#ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
|
||||
# optionally, whitelist senders which use TLS
|
||||
#encryption_keysize>=64
|
||||
}
|
||||
&&FREEMAIL {
|
||||
client_name~=\.gmx\.net$
|
||||
client_name~=\.web\.de$
|
||||
client_name~=\.(aol|gmail|outlook|yahoo|h(ush|ot)mail)\.com$
|
||||
}
|
||||
&&STATIC {
|
||||
# contains freemailers
|
||||
&&FREEMAIL
|
||||
client_name~=[\.\-]static[[\.\-]
|
||||
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
|
||||
}
|
||||
&&DNSWLS {
|
||||
rbl=sbl-xbl.spamhaus.org
|
||||
rbl=list.dnswl.org
|
||||
rbl=query.bondedsender.org
|
||||
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
|
||||
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
|
||||
}
|
||||
|
||||
# Spamchecks
|
||||
&&BADHELO {
|
||||
client_name==!!($$(helo_name))
|
||||
}
|
||||
&&DYNAMIC {
|
||||
client_name==unknown
|
||||
client_name~=(\-.+){4}
|
||||
client_name~=\d{5}
|
||||
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
|
||||
}
|
||||
&&DNSBLS {
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
rhsbl=rddn.dnsbl.net.au
|
||||
rhsbl=rhsbl.sorbs.net
|
||||
}
|
||||
|
||||
|
||||
##
|
||||
## Ruleset
|
||||
##
|
||||
|
||||
# temporary reject and drop connection during maintenance window
|
||||
id=M_001
|
||||
&&MAINTENANCE
|
||||
action=421 maintenance - please try again later
|
||||
|
||||
# stress-friendly behaviour (will not match on postfix version pre 2.5)
|
||||
id=STRESS
|
||||
stress==yes
|
||||
action=dunno
|
||||
|
||||
# Whitelists
|
||||
id=WL_001
|
||||
&&TRUSTED_NETS
|
||||
action=dunno
|
||||
id=WL_002
|
||||
&&TRUSTED_HOSTS
|
||||
action=dunno
|
||||
id=WL_003
|
||||
&&TRUSTED_USERS
|
||||
action=dunno
|
||||
id=WL_004
|
||||
&&TRUSTED_TLS
|
||||
action=dunno
|
||||
|
||||
# DNSWL checks - lookup
|
||||
id=RWL_001
|
||||
&&DNSWLS
|
||||
rhsblcount=all ; rblcount=all
|
||||
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
|
||||
|
||||
# DNSWL - whitelisting
|
||||
id=RWL_002
|
||||
HIT_dnswls>=2
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
|
||||
id=RWL_003
|
||||
HIT_dnswls>=1
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
|
||||
id=RWL_004
|
||||
HIT_dnswls>=1
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
|
||||
|
||||
# DNSBL checks - lookup
|
||||
id=RBL_001
|
||||
&&DNSBLS
|
||||
rhsblcount=all ; rblcount=all
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
|
||||
|
||||
# DNSBL checks - evaluation
|
||||
|
||||
# this will drop emails from servers which are in 2 or more blacklists
|
||||
id=RBL_002
|
||||
HIT_dnsbls>=2
|
||||
action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
|
||||
|
||||
# this will drop emails from servers which are in more than 1 blacklist and have dynamic ip address
|
||||
id=RBL_003
|
||||
HIT_dnsbls>=1
|
||||
&&DYNAMIC
|
||||
action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
|
||||
|
||||
# this will drop emails from servers which are in more than 1 blacklist and helo does not match their PTR
|
||||
id=RBL_004
|
||||
HIT_dnsbls>=1
|
||||
&&BADHELO
|
||||
action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
|
||||
|
||||
# Rate limits
|
||||
|
||||
# rate limit servers in more than 1 dnsbl, which didn't login
|
||||
id=RATE_001
|
||||
sasl_username==unknown
|
||||
HIT_dnsbls>=1
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
|
||||
# rate limit servers behind a dynamic ip address, if they didn't login
|
||||
id=RATE_002
|
||||
sasl_username==unknown
|
||||
&&DYNAMIC
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
|
||||
# Selective greylisting
|
||||
|
||||
# do no greylist freeemailers and servers with PTR
|
||||
id=GREY_001
|
||||
action=dunno
|
||||
&&STATIC
|
||||
|
||||
# do no greylist emails which sender domain matches the server domain
|
||||
id=GREY_002
|
||||
action=dunno
|
||||
$$client_name~=$$(sender_domain)$
|
||||
|
||||
# do no greylist emails which sender is in one or more dnswl.
|
||||
id=GREY_003
|
||||
action=dunno
|
||||
HIT_dnswls>=1
|
||||
|
||||
# greylist dynamic ip senders
|
||||
id=GREY_004
|
||||
action=greylisting
|
||||
&&DYNAMIC
|
||||
|
||||
# greylist servers in one or more dnsbl.
|
||||
id=GREY_005
|
||||
action=greylisting
|
||||
HIT_dnsbls>=1
|
||||
|
||||
# Greylisting should be safe during out-of-office times
|
||||
# there is no thing as office hours, so I'll leave this commented out.
|
||||
#
|
||||
#id=GREY_006
|
||||
# action=greylisting
|
||||
# days=Sat-Sun
|
||||
#id=GREY_007
|
||||
# action=greylisting
|
||||
# days=Mon-Fri
|
||||
# time=!!06:00:00-20:00:00
|
||||
|
||||
|
|
@ -50,7 +50,7 @@ source /etc/mailinabox.conf # load global vars
|
|||
# > anti-spam solutions) must register with dnswl.org and purchase a subscription.
|
||||
|
||||
echo "Installing Postfix (SMTP server)..."
|
||||
apt_install postfix postfix-pcre postgrey ca-certificates
|
||||
apt_install postfix postfix-pcre postgrey ca-certificates postfwd
|
||||
|
||||
# ### Basic Settings
|
||||
|
||||
|
|
@ -192,11 +192,31 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
|
|||
# whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
|
||||
# "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
|
||||
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
|
||||
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
|
||||
smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10040" \
|
||||
smtpd_restriction_classes="greylisting" \
|
||||
greylisting="check_policy_service inet:127.0.0.1:10023"
|
||||
|
||||
# Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
|
||||
# Postgrey listens on the same interface (and not IPv6, for instance).
|
||||
|
||||
# Postfix connects to Postfwd on the 127.0.0.1 interface specifically. Ensure that
|
||||
# Postfwd listens on the same interface (and not IPv6, for instance).
|
||||
# Postfwd is an advanced policy engine for Postfix, it may reject, limit, greylist or accept emails.
|
||||
|
||||
tools/editconf.py /etc/default/postfwd \
|
||||
STARTUP=1 \
|
||||
CONF=/etc/postfix/postfwd.cf \
|
||||
INET=127.0.0.1 \
|
||||
PORT=10040 \
|
||||
RUNAS="postfw" \
|
||||
ARGS=\"'--summary=660 --cache=600 --cache-rdomain-only --cache-no-size --max_spare_servers=5'\"
|
||||
|
||||
# Install the configuration file for postfwd service. If the local admin modified it, we won't overwrite
|
||||
# This configuration will accept emails right away (no greylist) for servers in DNSWL, gmail, hotmail, outlook, etc.
|
||||
# If the server has a dynamic ip it will be greylisted.
|
||||
|
||||
cp -n conf/postfwd.cf /etc/postfix/postfwd.cf
|
||||
|
||||
# Postfwd will instruct Postfix to greylist some emails, depending on who is sending it and the server who is sending it.
|
||||
# A lot of legit mail servers try to resend before 300 seconds.
|
||||
# As a matter of fact RFC is not strict about retry timer so postfix and
|
||||
# other MTA have their own intervals. To fix the problem of receiving
|
||||
|
|
@ -219,3 +239,4 @@ ufw_allow submission
|
|||
|
||||
restart_service postfix
|
||||
restart_service postgrey
|
||||
restart_service postfwd
|
||||
|
|
|
|||
Loading…
Reference in New Issue