adjust copyright year

debian/README.Debian

@@ -0,0 +1,5 @@
+postfwd for Debian
+------------------
+
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 10 Mar 2008 22:37:44 +0100

debian/changelog

@@ -0,0 +1,5 @@
+postfwd (1.03-1) unstable; urgency=low
+
+  * Initial release (Closes: #470356).
+
+ -- Jan Wagner <waja@cyconet.org>  Mon, 10 Mar 2008 22:37:44 +0100

debian/compat

@@ -0,0 +1 @@
+5

debian/control

@@ -0,0 +1,22 @@
+Source: postfwd
+Section: mail
+Priority: optional
+Maintainer: Jan Wagner <waja@cyconet.org>
+Build-Depends: debhelper (>= 5), dpatch
+Homepage: http://www.postfwd.org/
+Vcs-Browser: https://trac.cyconet.org/debian/browser/debian/postfwd
+Vcs-Svn: https://trac.cyconet.org/svn/debian/postfwd
+Standards-Version: 3.7.3
+
+Package: postfwd
+Architecture: all
+Depends: ${perl:Depends}, adduser, libnet-cidr-lite-perl, libnet-server-perl
+Description: a Postfix policyd to combine complex restrictions in a ruleset
+ Postfwd is written in perl to combine complex postfix restrictions in a
+ ruleset similar to those of the most firewalls. The program uses the postfix
+ policy delegation protocol to control access to the mail system before a
+ message has been accepted (please visit
+ http://www.postfix.org/SMTPD_POLICY_README.html for more information). It
+ allows you to choose an action (e.g. reject, dunno) for a combination of
+ several smtp parameters (like sender and recipient address, size or the
+ client's TLS fingerprint).

debian/copyright

@@ -0,0 +1,36 @@
+This package was debianized by Jan Wagner <waja@cyconet.org> on
+Mon, 10 Mar 2008 22:37:44 +0100
+
+It was downloaded from <http://www.postfwd.org/>
+
+Upstream Author: Jan Peter Kessler <info@postfwd.org>
+
+Copyright: (c) 2007, Jan Peter Kessler, All rights reserved.
+
+License:
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of the authors nor the names of his contributors may be
+      used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
+    WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+    EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+    PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+    OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+    WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+    OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The Debian packaging is (C) 2008 Jan Wagner <waja@cyconet.org> and
+is licensed under the GPL, see `/usr/share/common-licenses/GPL'.

debian/default

@@ -0,0 +1,15 @@
+# Global options for postfwd(8).
+
+# Set to '1' to enable startup (daemon mode)
+#STARTUP=1
+
+# Config file
+CONF=/etc/postfix/postfwd.cf
+# IP where listen to
+INET=127.0.0.1
+# Port where listen to
+PORT=10040
+# run as user postfwd
+RUNAS="postfw"
+# Arguments passed on start (--daemon implied)
+ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"

debian/docs

@@ -0,0 +1,2 @@
+doc/postfwd.html
+doc/postfwd.txt

debian/example-cfg.txt

@@ -0,0 +1,108 @@
+# downloaded from http://postfwd.org/example-cfg.txt
+# check for more recent versions!
+
+##
+## Definitions
+##
+
+# Maintenance times
+&&MAINTENANCE { \
+        date=15.01.2007  ; \
+        date=15.04.2007  ; \
+        date=15.07.2007  ; \
+        date=15.10.2007  ; \
+        time=03:00:00-04:00:00 ; \
+};
+
+# Whitelists
+&&TRUSTED_NETS { \
+        client_address=192.168.1.0/22 ;   \
+        client_address=172.16.128.32/27 ; \
+};
+&&TRUSTED_HOSTS { \
+        client_name~=\.domain1\.net$ ; \
+        client_name~=\.domain2\.de$ ;  \
+};
+&&TRUSTED_USERS { \
+        sasl_username==bob ; \
+        sasl_username==alice ; \
+};
+&&TRUSTED_TLS { \
+        ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
+        ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
+        encryption_keysize>=64 ; \
+};
+&&FREEMAIL { \
+        client_name~=\.gmx\.net$ ; \
+        client_name~=\.web\.de$ ;  \
+        client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
+};
+&&STATIC { \
+        # contains freemailers
+        &&FREEMAIL ; \
+        client_name~=[\.\-]static[[\.\-] ;               \
+        client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
+};
+
+# Spamchecks
+&&BADHELO { \
+	client_name~=!!($$(helo_name)) ; \
+};
+&&DYNAMIC { \
+        client_name~=^unknown$ ; \
+        client_name~=(\-.+){4} ; \
+        client_name~=\d{5} ;     \
+        client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
+};
+&&RBLS { \
+        rbl=zen.spamhaus.org ;     \
+        rbl=list.dsbl.org ;        \
+        rbl=bl.spamcop.net ;       \
+        rbl=dnsbl.sorbs.net ;      \
+        rbl=ix.dnsbl.manitu.net ;  \
+};
+&&RHSBLS { \
+        rhsbl=rddn.dnsbl.net.au ; \
+        rhsbl=rhsbl.ahbl.org ; \
+        rhsbl=rhsbl.sorbs.net ; \
+};
+
+
+##
+## Ruleset
+##
+
+# temporary reject and drop connection during maintenance window
+id=M_001    ;  &&MAINTENANCE      ;  action=421 maintenance - please try again later
+
+# stress-friendly behaviour (will not match on postfix version pre 2.5)
+id=STRESS   ;  stress==yes        ;  action=dunno
+
+# Whitelists
+id=WL_001   ;  &&TRUSTED_NETS     ;  action=dunno
+id=WL_002   ;  &&TRUSTED_HOSTS    ;  action=dunno
+id=WL_003   ;  &&TRUSTED_USERS    ;  action=dunno
+id=WL_004   ;  &&TRUSTED_TLS      ;  action=dunno
+
+# DNSBL checks
+id=RBL_001  ;  &&RHSBLS ; &&RBLS ; \
+               rhsblcount=all ; rblcount=all ; \
+               action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+id=RBL_002  ;  HIT_rhls>=1 ; HIT_rbls>=1 ;  action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
+id=RBL_003  ;  HIT_rhls>=2               ;  action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
+id=RBL_004  ;  HIT_rbls>=2               ;  action=554 5.7.1 blocked using $$HIT_rbls RBLs
+id=RBL_005  ;  HIT_rbls>=1 ; &&DYNAMIC   ;  action=REJECT listed on RBL and $$client_name looks like dynip
+id=RBL_006  ;  HIT_rhls>=1 ; &&DYNAMIC   ;  action=REJECT listed on RHSBL and $$client_name looks like dynip
+id=RBL_007  ;  HIT_rbls>=1 ; &&BADHELO   ;  action=REJECT listed on RBL and $$helo_name does not match $$client_name
+id=RBL_008  ;  HIT_rhls>=1 ; &&BADHELO   ;  action=REJECT listed on RHSBL and $$helo_name does not match $$client_name
+
+# Selective greylisting
+id=GREY_001 ;  action=dunno              ;  &&STATIC
+id=GREY_002 ;  action=dunno              ;  $$client_name~=$$(sender_domain)$
+id=GREY_003 ;  action=greylisting        ;  &&DYNAMIC
+id=GREY_004 ;  action=greylisting        ;  HIT_rhls>=1
+id=GREY_005 ;  action=greylisting        ;  HIT_rbls>=1
+# greylisting should be safe during out-of-office times
+id=GREY_006 ;  action=greylisting        ;  days=Sat-Sun
+id=GREY_007 ;  action=greylisting        ;  days=Mon-Fri ; time=!!06:00:00-20:00:00
+

debian/example-cfg2.txt

@@ -0,0 +1,103 @@
+# downloaded from http://hege.li/howto/spam/etc/postfwd/postfwd.conf
+# check for more recent versions!
+
+## Check DNS Whitelisting
+
+id=OK_DNSWL; \
+  rbl=list.dnswl.org/127/43200; \
+  rbl=hostkarma.junkemailfilter.com/127.0.0.[13]; \
+  action=OK
+
+## Check HELO and reverse DNS
+
+id=SET_HELO; \
+  helo_name=^(\[|[^.]+$|.*?[0-9.-]{8}); \
+  action=set(HIT_helo=1)
+
+id=SET_NODNS; \
+  client_name=^unknown$; \
+  action=set(HIT_nodns=1)
+
+id=REJECT_HELO_NODNS; \
+  HIT_helo==1; HIT_nodns==1; \
+  action=REJECT Your HELO is suspicious and no reverse DNS
+
+## Check ZEN for immediate blocking
+
+id=REJECT_RBL_ZEN; \
+  rbl=zen.spamhaus.org; \
+  action=REJECT You are listed in zen.spamhaus.org DNSBL
+
+## Check DNSBLs
+
+&&DNSBLS { \
+  rbl=bl.spamcop.net; \
+  rbl=dnsbl-1.uceprotect.net; \
+  rbl=psbl.surriel.org; \
+  rbl=dnsbl.ahbl.org; \
+  rbl=dnsbl.njabl.org; \
+  rbl=list.dsbl.org; \
+  rbl=dnsbl.sorbs.net; \
+  rbl=ix.dnsbl.manitu.net; \
+  rbl=hostkarma.junkemailfilter.com/127.0.0.2; \
+};
+
+id=EVAL_DNSBLS; \
+  &&DNSBLS; rblcount=all; \
+  action=set(HIT_rbls=$$rblcount)
+
+id=REJECT_RBL_MULTI; \
+  HIT_rbls>=2; \
+  action=REJECT You are listed in several DNSBLs
+
+## Check RHSBLs
+
+&&RHSBLS_REVERSE { \
+  rhsbl_reverse_client=l1.apews.org; \
+  rhsbl_reverse_client=rddn.dnsbl.net.au; \
+  rhsbl_reverse_client=dynamic.rhs.mailpolice.com; \
+};
+
+&&RHSBLS_SENDER { \
+  rhsbl_sender=multi.uribl.com; \
+  rhsbl_sender=multi.surbl.org; \
+  rhsbl_sender=rhsbl.ahbl.org; \
+  rhsbl_sender=rhsbl.sorbs.net; \
+  rhsbl_sender=dsn.rfc-ignorant.org; \
+};
+
+id=EVAL_RHSBLS; \
+  &&RHSBLS_REVERSE; &&RHSBLS_SENDER; rhsblcount=all; \
+  action=set(HIT_rhsbls=$$rhsblcount)
+
+id=REJECT_RHSBL_MULTI; \
+  HIT_rhsbls>=2; \
+  action=REJECT You are listed in several RHSBLs
+
+## Combined checks
+
+id=REJECT_RBL_RHSBL; \
+  HIT_rbls>=1; HIT_rhsbls>=1; \
+  action=REJECT You are DNSBL and RHSBL listed
+
+id=REJECT_RBL_HELO; \
+  HIT_rbls>=1; HIT_helo==1; \
+  action=REJECT You are DNSBL listed and HELO is suspicious
+
+id=REJECT_RBL_NODNS; \
+  HIT_rbls>=1; HIT_nodns==1; \
+  action=REJECT You are DNSBL listed and no reverse DNS
+
+id=REJECT_RHSBL_HELO; \
+  HIT_rhsbls>=1; HIT_helo==1; \
+  action=REJECT You are RHSBL listed and HELO is suspicious
+
+id=REJECT_RHSBL_NODNS; \
+  HIT_rhsbls>=1; HIT_nodns==1; \
+  action=REJECT You are RHSBL listed and no reverse DNS
+
+## Greylist suspicious
+
+id=GREY_RBL; HIT_rbls>=1; action=check_postgrey
+id=GREY_RHSBL; HIT_rhsbls>=1; action=check_postgrey
+

debian/init.d

@@ -0,0 +1,101 @@
+#! /bin/sh
+#		Written by Miquel van Smoorenburg <miquels@cistron.nl>.
+#		Modified for Debian
+#		by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+#
+# Version:	@(#)skeleton  1.9  26-Feb-2001  miquels@cistron.nl
+# /etc/init.d/postfwd: v1 2008/03/12 Jan Wagner <waja@cyconet.org>
+
+### BEGIN INIT INFO
+# Provides: postfwd
+# Required-Start: $local_fs $network $remote_fs $syslog
+# Required-Stop: $local_fs $network $remote_fs $syslog
+# Default-Start:  2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the postfw daemon
+# Description: a Perl policy daemon for the Postfix MTA
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=postfwd
+DAEMON=/usr/sbin/${NAME}
+DESC=postfwd
+
+test -x $DAEMON || exit 0
+
+not_configured () {
+        echo "#### WARNING ####"
+        echo "${NAME} won't be started/stopped unless it is configured."
+        echo "If you want to start ${NAME} as daemon, see /etc/default/${NAME}."
+        echo "#################"
+        exit 0
+}
+
+no_configfile () {
+	echo "#### WARNING ####"
+	echo "${NAME} won't be started/stopped unless a rules file is provided at $CONF."
+	echo "#################"
+	exit 0
+}
+
+# check if postfwd is configured or not
+if [ -f "/etc/default/$NAME" ]
+then
+        . /etc/default/$NAME
+        if [ "$STARTUP" != "1" ]
+        then
+                not_configured
+        fi
+else
+        not_configured
+fi
+
+# check if rules file is there
+if [ ! -f $CONF ]
+then
+	no_configfile
+fi
+
+# Check whether we have to drop privileges.
+if [ -n "$RUNAS" ]; then
+        if ! getent passwd "$RUNAS" >/dev/null; then
+                RUNAS=""
+        fi
+fi
+
+set -e
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+        start-stop-daemon --start --quiet \
+                --name ${RUNAS} \
+                --exec $DAEMON -- ${ARGS} --daemon --file=${CONF} --interface=${INET} --port=${PORT} --user=${RUNAS} --group=${RUNAS}
+	echo "$NAME."
+	;;
+  stop)
+	echo -n "Stopping $DESC: "
+        start-stop-daemon --stop --quiet --oknodo \
+                --exec $DAEMON
+        echo "$NAME."
+        rm -f /var/run/$NAME.pid
+	;;
+  reload)
+	echo "Reloading $DESC configuration files."
+		for pid in `pidof ${NAME}`; do kill -HUP ${pid}; done ;
+	;;
+  restart|force-reload)
+	echo -n "Restarting $DESC (incl. cache): "
+	        $0 stop
+        	sleep 1
+	        $0 start
+	echo "$NAME."
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

debian/patches/00list

@@ -0,0 +1 @@
+10_fix_manpage.dpatch

debian/patches/10_fix_manpage.dpatch

@@ -0,0 +1,21 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 10_fix_manpage.dpatch by Jan Wagner <waja@cyconet.org>
+##
+## DP: Fix manpage section
+
+@DPATCH@
+
+diff -Nur postfwd-1.03.orig/man/man1/postfwd.1 postfwd-1.03/man/man1/postfwd.1
+--- postfwd-1.03.orig/man/man1/postfwd.1        2007-10-29 09:29:15.000000000 +0100
++++ postfwd-1.03/man/man1/postfwd.1     2008-03-12 01:10:48.000000000 +0100
+@@ -128,8 +128,8 @@
+ .rm #[ #] #H #V #F C
+ .\" ========================================================================
+ .\"
+-.IX Title "POSTFWD 1"
+-.TH POSTFWD 1 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation"
++.IX Title "POSTFWD 8"
++.TH POSTFWD 8 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation"
+ .SH "NAME"
+ postfwd \- postfix firewall daemon
+ .SH "SYNOPSIS"

debian/postinst

@@ -0,0 +1,57 @@
+#!/bin/sh
+# based on arpwatch.postinst: v11 2004/09/15 KELEMEN Peter <fuji@debian.org>
+# postinst: v1 2006/01/12 Jan Wagner <waja@cyconet.org>
+
+set -e
+
+NUSER="postfw"
+NGROUP="postfw"
+NHOME="/var/lib/$NUSER"
+NGECOS="postfwd user"
+
+case "$1" in
+	configure)
+		# Take care of group.
+		if NGROUP_ENTRY=`getent group $NGROUP`; then
+			# group exists
+			:
+		else
+			# group does not exist yet
+			addgroup --quiet --system $NGROUP
+		fi
+
+		# Take care of user.
+		if NUSER_ENTRY=`getent passwd $NUSER`; then
+			# user exists
+			adduser --quiet $NUSER $NGROUP
+			# 
+		else
+			# user does not exist yet
+			adduser --quiet --system	\
+				--ingroup $NGROUP	\
+				--gecos "$NGECOS"	\
+				--home $NHOME		\
+				--no-create-home	\
+				--shell /bin/sh		\
+				--disabled-login	\
+				--disabled-password	\
+				--shell /bin/false	\
+				$NUSER
+		fi
+
+		# Set up home directory.
+		if [ -d $NHOME ]; then
+			chown -R ${NUSER}:${NGROUP} $NHOME
+			chmod -R o-rwX $NHOME
+		fi
+		;;
+
+	abort-upgrade|abort-remove|abort-deconfigure)
+		;;
+	*)
+		echo "postinst called with unknown argument \`$1'" >&2
+		exit 1
+		;;
+esac
+
+#DEBHELPER#

debian/postrm

@@ -0,0 +1,53 @@
+#!/bin/sh
+# based on arpwatch.postrm: v2 2004/09/15 KELEMEN Peter <fuji@debian.org>
+# postrm: v1 2006/10/12 Jan Wagner <waja@cyconet.org>
+
+NUSER="postfw"
+NGROUP="postfw"
+
+set -e
+
+case "$1" in
+	purge)
+		# find first and last SYSTEM_UID numbers
+		for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
+			case $LINE in
+				FIRST_SYSTEM_UID*)
+					FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+					;;
+				LAST_SYSTEM_UID*)
+					LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+					;;
+				*)
+					;;
+			esac
+		done
+		# remove system account if necessary
+		if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
+			if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then
+				if [ -n "$USERID" ]; then
+					if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
+						[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
+
+						deluser --quiet $NUSER || true
+						# And then remove the group
+						GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`
+						if [ -n "$GROUPID" ] ;  then
+							delgroup --quiet $NGROUP || true
+						fi
+					fi
+				fi
+			fi
+		fi
+		;;
+
+	remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+		;;
+
+	*)
+		echo "postrm called with unknown argument \`$1'" >&2
+		exit 1
+		;;
+esac
+
+#DEBHELPER#

debian/rules

@@ -0,0 +1,47 @@
+#!/usr/bin/make -f
+# written by Jan Wagner <waja@cyconet.org>
+#
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+include /usr/share/dpatch/dpatch.make
+
+build: patch-stamp
+
+clean: unpatch
+	dh_testdir
+	dh_testroot
+	dh_clean
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_clean -k
+	dh_installdirs
+
+	install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd
+	install -d -m 0755 debian/postfwd/usr/share/doc/postfwd/examples/
+	cp debian/example-cfg*.txt debian/postfwd/usr/share/doc/postfwd/examples/
+
+# Build architecture-independent files here.
+binary-indep: build install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs doc/CHANGELOG
+	dh_installdocs tools
+	dh_installinit -- defaults 19 21
+	dh_installman man/man1/postfwd.1
+	dh_link
+	dh_compress
+	dh_fixperms
+	dh_perl
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install

debian/watch

@@ -0,0 +1,2 @@
+version=3
+http://www.postfwd.org/postfwd-(.*)\.tar\.gz