postfwd/etc/postfwd.cf.sample



###################################################################################################
##
##   ATTENTION: This example configuration uses features which require at least postfwd 1.30!
##              Please see the manual ('postfwd -m') for example syntax for prior versions.
##
##   WARNING:	Only provided to show some capabilities of postfwd. Do NOT use this without
##		modifications to suit your environment!
##
###################################################################################################


##
## Definitions
##

# Maintenance times
&&MAINTENANCE {
        date=15.01.2007
        date=15.10.2007 - 17.10.2007
        days=Sat-Sun
        time=03:00:00 - 04:00:00
}

# Whitelists
&&TRUSTED_NETS {
        client_address=192.168.1.0/22
        client_address=172.16.128.32/27
}
&&TRUSTED_HOSTS {
        client_name~=\.domain1\.net$
        client_name~=\.domain2\.de$
}
&&TRUSTED_USERS {
        sasl_username==bob
        sasl_username==alice
}
&&TRUSTED_TLS {
        ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF
        ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
        encryption_keysize>=64
}
&&FREEMAIL {
        client_name~=\.gmx\.net$
        client_name~=\.web\.de$
        client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$
}
&&STATIC {
        # contains freemailers
        &&FREEMAIL
        client_name~=[\.\-]static[[\.\-]
        client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
}
&&DNSWLS {
        rbl=list.dnswl.org
        rbl=exemptions.ahbl.org
        rbl=query.bondedsender.org
        rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 
        rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
}

# Spamchecks
&&BADHELO {
	client_name==!!($$(helo_name))
}
&&DYNAMIC {
        client_name==unknown
        client_name~=(\-.+){4}
        client_name~=\d{5}
        client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
}
&&DNSBLS {
        rbl=zen.spamhaus.org
        rbl=list.dsbl.org
        rbl=bl.spamcop.net
        rbl=dnsbl.sorbs.net
        rbl=ix.dnsbl.manitu.net
        rhsbl=rddn.dnsbl.net.au
        rhsbl=rhsbl.ahbl.org
        rhsbl=rhsbl.sorbs.net
}


##
## Ruleset
##

# temporary reject and drop connection during maintenance window
id=M_001
	&&MAINTENANCE
	action=421 maintenance - please try again later

# stress-friendly behaviour (will not match on postfix version pre 2.5)
id=STRESS
	stress==yes
	action=dunno

# Whitelists
id=WL_001
	&&TRUSTED_NETS
	action=dunno
id=WL_002
	&&TRUSTED_HOSTS
	action=dunno
id=WL_003
	&&TRUSTED_USERS
	action=dunno
id=WL_004
	&&TRUSTED_TLS
	action=dunno

# DNSWL checks - lookup
id=RWL_001
	&&DNSWLS
	rhsblcount=all ; rblcount=all
	action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)

# DNSWL - whitelisting
id=RWL_002
	HIT_dnswls>=2
	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003
	HIT_dnswls>=1
	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  &&STATIC
id=RWL_004
	HIT_dnswls>=1
	action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  $$client_name~=$$(sender_domain)$

# DNSBL checks - lookup
id=RBL_001
	&&DNSBLS
	rhsblcount=all ; rblcount=all
        action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)

# DNSBL checks - evaluation
id=RBL_002
	HIT_dnsbls>=2
	action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
id=RBL_003
	HIT_dnsbls>=1
	&&DYNAMIC
	action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004
	HIT_dnsbls>=1
	&&BADHELO
	action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]

# Rate limits
id=RATE_001
	HIT_dnsbls>=1
	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
id=RATE_002
	&&DYNAMIC
	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)

# Selective greylisting
id=GREY_001
	action=dunno
	&&STATIC
id=GREY_002
	action=dunno
	$$client_name~=$$(sender_domain)$
id=GREY_003
	action=dunno
	HIT_dnswls>=1
id=GREY_004
	action=greylisting
	&&DYNAMIC
id=GREY_005
	action=greylisting
	HIT_dnsbls>=1

# Greylisting should be safe during out-of-office times
id=GREY_006
	action=greylisting
	days=Sat-Sun
id=GREY_007
	action=greylisting
	days=Mon-Fri
	time=!!06:00:00-20:00:00
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00

			`###################################################################################################`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00			`##`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`## ATTENTION: This example configuration uses features which require at least postfwd 1.30!`
			`## Please see the manual ('postfwd -m') for example syntax for prior versions.`
			`##`
			`## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without`
			`## modifications to suit your environment!`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00			`##`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`###################################################################################################`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00

			`##`
			`## Definitions`
			`##`

			`# Maintenance times`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`&&MAINTENANCE {`
			`date=15.01.2007`
			`date=15.10.2007 - 17.10.2007`
			`days=Sat-Sun`
			`time=03:00:00 - 04:00:00`
			`}`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# Whitelists`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`&&TRUSTED_NETS {`
			`client_address=192.168.1.0/22`
			`client_address=172.16.128.32/27`
			`}`
			`&&TRUSTED_HOSTS {`
			`client_name~=\.domain1\.net$`
			`client_name~=\.domain2\.de$`
			`}`
			`&&TRUSTED_USERS {`
			`sasl_username==bob`
			`sasl_username==alice`
			`}`
			`&&TRUSTED_TLS {`
			`ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF`
			`ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66`
			`encryption_keysize>=64`
			`}`
			`&&FREEMAIL {`
			`client_name~=\.gmx\.net$`
			`client_name~=\.web\.de$`
			`client_name~=\.(aol\|yahoo\|h(ush\|ot)mail)\.com$`
			`}`
			`&&STATIC {`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00			`# contains freemailers`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`&&FREEMAIL`
			`client_name~=[\.\-]static[[\.\-]`
			`client_name~=^(mail\|smtp\|mout\|mx)[\-][0-9]\.`
			`}`
			`&&DNSWLS {`
			`rbl=list.dnswl.org`
			`rbl=exemptions.ahbl.org`
			`rbl=query.bondedsender.org`
			`rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600`
			`rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600`
			`}`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# Spamchecks`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`&&BADHELO {`
			`client_name==!!($$(helo_name))`
			`}`
			`&&DYNAMIC {`
			`client_name==unknown`
			`client_name~=(\-.+){4}`
			`client_name~=\d{5}`
			`client_name~=[_\.\-]([axt]{0,1}dsl\|br(e\|oa)dband\|ppp\|pppoe\|dynamic\|dynip\|ADSL\|dial(up\|in)\|pool\|dhcp\|leased)[_\.\-]`
			`}`
			`&&DNSBLS {`
			`rbl=zen.spamhaus.org`
			`rbl=list.dsbl.org`
			`rbl=bl.spamcop.net`
			`rbl=dnsbl.sorbs.net`
			`rbl=ix.dnsbl.manitu.net`
			`rhsbl=rddn.dnsbl.net.au`
			`rhsbl=rhsbl.ahbl.org`
			`rhsbl=rhsbl.sorbs.net`
			`}`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00

			`##`
			`## Ruleset`
			`##`

			`# temporary reject and drop connection during maintenance window`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=M_001`
			`&&MAINTENANCE`
			`action=421 maintenance - please try again later`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# stress-friendly behaviour (will not match on postfix version pre 2.5)`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=STRESS`
			`stress==yes`
			`action=dunno`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# Whitelists`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=WL_001`
			`&&TRUSTED_NETS`
			`action=dunno`
			`id=WL_002`
			`&&TRUSTED_HOSTS`
			`action=dunno`
			`id=WL_003`
			`&&TRUSTED_USERS`
			`action=dunno`
			`id=WL_004`
			`&&TRUSTED_TLS`
			`action=dunno`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`# DNSWL checks - lookup`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RWL_001`
			`&&DNSWLS`
			`rhsblcount=all ; rblcount=all`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)`

			`# DNSWL - whitelisting`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RWL_002`
			`HIT_dnswls>=2`
			`action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]`
			`id=RWL_003`
			`HIT_dnswls>=1`
			`action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC`
			`id=RWL_004`
			`HIT_dnswls>=1`
			`action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00
			`# DNSBL checks - lookup`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RBL_001`
			`&&DNSBLS`
			`rhsblcount=all ; rblcount=all`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)`

			`# DNSBL checks - evaluation`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RBL_002`
			`HIT_dnsbls>=2`
			`action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]`
			`id=RBL_003`
			`HIT_dnsbls>=1`
			`&&DYNAMIC`
			`action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]`
			`id=RBL_004`
			`HIT_dnsbls>=1`
			`&&BADHELO`
			`action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# Rate limits`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RATE_001`
			`HIT_dnsbls>=1`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=RATE_002`
			`&&DYNAMIC`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00			`action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00
			`# Selective greylisting`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=GREY_001`
			`action=dunno`
			`&&STATIC`
			`id=GREY_002`
			`action=dunno`
			`$$client_name~=$$(sender_domain)$`
			`id=GREY_003`
			`action=dunno`
			`HIT_dnswls>=1`
			`id=GREY_004`
			`action=greylisting`
			`&&DYNAMIC`
			`id=GREY_005`
			`action=greylisting`
			`HIT_dnsbls>=1`
Imported Upstream version 1.10pre8b 2013-11-05 16:32:27 +00:00
			`# Greylisting should be safe during out-of-office times`
Imported Upstream version 1.32 2013-11-05 16:33:44 +00:00			`id=GREY_006`
			`action=greylisting`
			`days=Sat-Sun`
			`id=GREY_007`
			`action=greylisting`
			`days=Mon-Fri`
			`time=!!06:00:00-20:00:00`
Imported Upstream version 1.10pre7c 2013-11-05 16:31:59 +00:00