commit 229f91b71f4b4c5bda5b4a56b3ee120ba835d0d3 Author: Jan Wagner Date: Mon Apr 14 08:30:20 2008 +0000 adjust copyright year diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..10a50f2 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,5 @@ +postfwd for Debian +------------------ + + + -- Jan Wagner Mon, 10 Mar 2008 22:37:44 +0100 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..d22c65f --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +postfwd (1.03-1) unstable; urgency=low + + * Initial release (Closes: #470356). + + -- Jan Wagner Mon, 10 Mar 2008 22:37:44 +0100 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..ab0b294 --- /dev/null +++ b/debian/control @@ -0,0 +1,22 @@ +Source: postfwd +Section: mail +Priority: optional +Maintainer: Jan Wagner +Build-Depends: debhelper (>= 5), dpatch +Homepage: http://www.postfwd.org/ +Vcs-Browser: https://trac.cyconet.org/debian/browser/debian/postfwd +Vcs-Svn: https://trac.cyconet.org/svn/debian/postfwd +Standards-Version: 3.7.3 + +Package: postfwd +Architecture: all +Depends: ${perl:Depends}, adduser, libnet-cidr-lite-perl, libnet-server-perl +Description: a Postfix policyd to combine complex restrictions in a ruleset + Postfwd is written in perl to combine complex postfix restrictions in a + ruleset similar to those of the most firewalls. The program uses the postfix + policy delegation protocol to control access to the mail system before a + message has been accepted (please visit + http://www.postfix.org/SMTPD_POLICY_README.html for more information). It + allows you to choose an action (e.g. reject, dunno) for a combination of + several smtp parameters (like sender and recipient address, size or the + client's TLS fingerprint). 
diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..0a4df50 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,36 @@ +This package was debianized by Jan Wagner on +Mon, 10 Mar 2008 22:37:44 +0100 + +It was downloaded from + +Upstream Author: Jan Peter Kessler + +Copyright: (c) 2007, Jan Peter Kessler, All rights reserved. + +License: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of the authors nor the names of his contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO + EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +The Debian packaging is (C) 2008 Jan Wagner and +is licensed under the GPL, see `/usr/share/common-licenses/GPL'. diff --git a/debian/default b/debian/default new file mode 100644 index 0000000..70ae908 --- /dev/null +++ b/debian/default 
@@ -0,0 +1,15 @@
+# Global options for postfwd(8).
+
+# Set to '1' to enable startup (daemon mode)
+#STARTUP=1
+
+# Config file
+CONF=/etc/postfix/postfwd.cf
+# IP where listen to
+INET=127.0.0.1
+# Port where listen to
+PORT=10040
+# run as user postfwd
+RUNAS="postfw"
+# Arguments passed on start (--daemon implied)
+ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..0646e19
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+doc/postfwd.html
+doc/postfwd.txt
diff --git a/debian/example-cfg.txt b/debian/example-cfg.txt
new file mode 100644
index 0000000..49efb5f
--- /dev/null
+++ b/debian/example-cfg.txt
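Review bot: The comment `# run as user postfwd` above `RUNAS="postfw"` names a different account than the value, and postinst in this same commit creates `postfw`, so the comment should read `# run as user postfw (system account created by postinst)`. CONF points at /etc/postfix/postfwd.cf, but debian/rules in this commit installs only sbin/postfwd and the example configs, so the init script will exit through no_configfile until the administrator creates that rules file; a comment such as `# Rules file (not shipped; start from /usr/share/doc/postfwd/examples/*.txt)` would make that explicit. INET defaulting to 127.0.0.1 is the right choice for a policy service and deserves a short comment saying the daemon must not be exposed beyond the MTA host.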
@@ -0,0 +1,108 @@ +# downloaded from http://postfwd.org/example-cfg.txt +# check for more recent versions! + +## +## Definitions +## + +# Maintenance times +&&MAINTENANCE { \ + date=15.01.2007 ; \ + date=15.04.2007 ; \ + date=15.07.2007 ; \ + date=15.10.2007 ; \ + time=03:00:00-04:00:00 ; \ +}; + +# Whitelists +&&TRUSTED_NETS { \ + client_address=192.168.1.0/22 ; \ + client_address=172.16.128.32/27 ; \ +}; +&&TRUSTED_HOSTS { \ + client_name~=\.domain1\.net$ ; \ + client_name~=\.domain2\.de$ ; \ +}; +&&TRUSTED_USERS { \ + sasl_username==bob ; \ + sasl_username==alice ; \ +}; +&&TRUSTED_TLS { \ + ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \ + ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \ + encryption_keysize>=64 ; \ +}; +&&FREEMAIL { \ + client_name~=\.gmx\.net$ ; \ + client_name~=\.web\.de$ ; \ + client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \ +}; +&&STATIC { \ + # contains freemailers + &&FREEMAIL ; \ + client_name~=[\.\-]static[[\.\-] ; \ + client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. 
; \ +}; + +# Spamchecks +&&BADHELO { \ + client_name~=!!($$(helo_name)) ; \ +}; +&&DYNAMIC { \ + client_name~=^unknown$ ; \ + client_name~=(\-.+){4} ; \ + client_name~=\d{5} ; \ + client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \ +}; +&&RBLS { \ + rbl=zen.spamhaus.org ; \ + rbl=list.dsbl.org ; \ + rbl=bl.spamcop.net ; \ + rbl=dnsbl.sorbs.net ; \ + rbl=ix.dnsbl.manitu.net ; \ +}; +&&RHSBLS { \ + rhsbl=rddn.dnsbl.net.au ; \ + rhsbl=rhsbl.ahbl.org ; \ + rhsbl=rhsbl.sorbs.net ; \ +}; + + +## +## Ruleset +## + +# temporary reject and drop connection during maintenance window +id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later + +# stress-friendly behaviour (will not match on postfix version pre 2.5) +id=STRESS ; stress==yes ; action=dunno + +# Whitelists +id=WL_001 ; &&TRUSTED_NETS ; action=dunno +id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno +id=WL_003 ; &&TRUSTED_USERS ; action=dunno +id=WL_004 ; &&TRUSTED_TLS ; action=dunno + +# DNSBL checks +id=RBL_001 ; &&RHSBLS ; &&RBLS ; \ + rhsblcount=all ; rblcount=all ; \ + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount) +id=RBL_002 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs +id=RBL_003 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs +id=RBL_004 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs +id=RBL_005 ; HIT_rbls>=1 ; &&DYNAMIC ; action=REJECT listed on RBL and $$client_name looks like dynip +id=RBL_006 ; HIT_rhls>=1 ; &&DYNAMIC ; action=REJECT listed on RHSBL and $$client_name looks like dynip +id=RBL_007 ; HIT_rbls>=1 ; &&BADHELO ; action=REJECT listed on RBL and $$helo_name does not match $$client_name +id=RBL_008 ; HIT_rhls>=1 ; &&BADHELO ; action=REJECT listed on RHSBL and $$helo_name does not match $$client_name + +# Selective greylisting +id=GREY_001 ; action=dunno ; &&STATIC +id=GREY_002 ; action=dunno ; 
$$client_name~=$$(sender_domain)$ +id=GREY_003 ; action=greylisting ; &&DYNAMIC +id=GREY_004 ; action=greylisting ; HIT_rhls>=1 +id=GREY_005 ; action=greylisting ; HIT_rbls>=1 +# greylisting should be safe during out-of-office times +id=GREY_006 ; action=greylisting ; days=Sat-Sun +id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00 + diff --git a/debian/example-cfg2.txt b/debian/example-cfg2.txt new file mode 100644 index 0000000..9b0d203 --- /dev/null +++ b/debian/example-cfg2.txt 
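Review bot: The `&&STATIC` definition near the top of the hunk has a stray bracket in `client_name~=[\.\-]static[[\.\-]`; as a regex the class `[[\.\-]` also matches a literal `[`, which is almost certainly a typo for `client_name~=[\.\-]static[\.\-] ; \`. Since debian/rules copies this file into /usr/share/doc/postfwd/examples/ and administrators are likely to use it as the basis of /etc/postfix/postfwd.cf, a shipped example deserves the same scrutiny as live configuration. The comment line `# contains freemailers` sits inside a backslash-continued block; whether postfwd tolerates a comment there is not shown on this page and should be verified before shipping. The DNSBL and RHSBL hostnames under &&RBLS and &&RHSBLS are third-party services that come and go, so a header comment telling the reader to confirm each list is still operated before enabling a 554 reject on it would be prudent.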
@@ -0,0 +1,103 @@ +# downloaded from http://hege.li/howto/spam/etc/postfwd/postfwd.conf +# check for more recent versions! + +## Check DNS Whitelisting + +id=OK_DNSWL; \ + rbl=list.dnswl.org/127/43200; \ + rbl=hostkarma.junkemailfilter.com/127.0.0.[13]; \ + action=OK + +## Check HELO and reverse DNS + +id=SET_HELO; \ + helo_name=^(\[|[^.]+$|.*?[0-9.-]{8}); \ + action=set(HIT_helo=1) + +id=SET_NODNS; \ + client_name=^unknown$; \ + action=set(HIT_nodns=1) + +id=REJECT_HELO_NODNS; \ + HIT_helo==1; HIT_nodns==1; \ + action=REJECT Your HELO is suspicious and no reverse DNS + +## Check ZEN for immediate blocking + +id=REJECT_RBL_ZEN; \ + rbl=zen.spamhaus.org; \ + action=REJECT You are listed in zen.spamhaus.org DNSBL + +## Check DNSBLs + +&&DNSBLS { \ + rbl=bl.spamcop.net; \ + rbl=dnsbl-1.uceprotect.net; \ + rbl=psbl.surriel.org; \ + rbl=dnsbl.ahbl.org; \ + rbl=dnsbl.njabl.org; \ + rbl=list.dsbl.org; \ + rbl=dnsbl.sorbs.net; \ + rbl=ix.dnsbl.manitu.net; \ + rbl=hostkarma.junkemailfilter.com/127.0.0.2; \ +}; + +id=EVAL_DNSBLS; \ + &&DNSBLS; rblcount=all; \ + action=set(HIT_rbls=$$rblcount) + +id=REJECT_RBL_MULTI; \ + HIT_rbls>=2; \ + action=REJECT You are listed in several DNSBLs + +## Check RHSBLs + +&&RHSBLS_REVERSE { \ + rhsbl_reverse_client=l1.apews.org; \ + rhsbl_reverse_client=rddn.dnsbl.net.au; \ + rhsbl_reverse_client=dynamic.rhs.mailpolice.com; \ +}; + +&&RHSBLS_SENDER { \ + rhsbl_sender=multi.uribl.com; \ + rhsbl_sender=multi.surbl.org; \ + rhsbl_sender=rhsbl.ahbl.org; \ + rhsbl_sender=rhsbl.sorbs.net; \ + rhsbl_sender=dsn.rfc-ignorant.org; \ +}; + +id=EVAL_RHSBLS; \ + &&RHSBLS_REVERSE; &&RHSBLS_SENDER; rhsblcount=all; \ + action=set(HIT_rhsbls=$$rhsblcount) + +id=REJECT_RHSBL_MULTI; \ + HIT_rhsbls>=2; \ + action=REJECT You are listed in several RHSBLs + +## Combined checks + +id=REJECT_RBL_RHSBL; \ + HIT_rbls>=1; HIT_rhsbls>=1; \ + action=REJECT You are DNSBL and RHSBL listed + +id=REJECT_RBL_HELO; \ + HIT_rbls>=1; HIT_helo==1; \ + action=REJECT You are DNSBL 
listed and HELO is suspicious + +id=REJECT_RBL_NODNS; \ + HIT_rbls>=1; HIT_nodns==1; \ + action=REJECT You are DNSBL listed and no reverse DNS + +id=REJECT_RHSBL_HELO; \ + HIT_rhsbls>=1; HIT_helo==1; \ + action=REJECT You are RHSBL listed and HELO is suspicious + +id=REJECT_RHSBL_NODNS; \ + HIT_rhsbls>=1; HIT_nodns==1; \ + action=REJECT You are RHSBL listed and no reverse DNS + +## Greylist suspicious + +id=GREY_RBL; HIT_rbls>=1; action=check_postgrey +id=GREY_RHSBL; HIT_rhsbls>=1; action=check_postgrey + diff --git a/debian/init.d b/debian/init.d new file mode 100644 index 0000000..2672648 --- /dev/null +++ b/debian/init.d 
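Review bot: The first rule, `id=OK_DNSWL`, returns `action=OK` on a DNS-whitelist hit, and in Postfix an OK from check_policy_service permits the request and ends evaluation of the enclosing restriction list, so a whitelisted client skips every later restriction, including reject_unauth_destination if the administrator placed the policy check before it. The whitelist rules in the sibling example-cfg.txt already rely on `action=dunno`, which stops postfwd's ruleset at the first match while leaving the remaining Postfix restrictions in force; suggest `action=dunno` here too, or at least a comment `# OK is a Postfix permit: only safe after reject_unauth_destination`. The rest of the ruleset only rejects or hands off to check_postgrey, so it is unaffected.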
@@ -0,0 +1,101 @@ +#! /bin/sh +# Written by Miquel van Smoorenburg . +# Modified for Debian +# by Ian Murdock . +# +# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl +# /etc/init.d/postfwd: v1 2008/03/12 Jan Wagner + +### BEGIN INIT INFO +# Provides: postfwd +# Required-Start: $local_fs $network $remote_fs $syslog +# Required-Stop: $local_fs $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop the postfw daemon +# Description: a Perl policy daemon for the Postfix MTA +### END INIT INFO + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +NAME=postfwd +DAEMON=/usr/sbin/${NAME} +DESC=postfwd + +test -x $DAEMON || exit 0 + +not_configured () { + echo "#### WARNING ####" + echo "${NAME} won't be started/stopped unless it is configured." + echo "If you want to start ${NAME} as daemon, see /etc/default/${NAME}." + echo "#################" + exit 0 +} + +no_configfile () { + echo "#### WARNING ####" + echo "${NAME} won't be started/stopped unless a rules file is provided at $CONF." + echo "#################" + exit 0 +} + +# check if postfwd is configured or not +if [ -f "/etc/default/$NAME" ] +then + . /etc/default/$NAME + if [ "$STARTUP" != "1" ] + then + not_configured + fi +else + not_configured +fi + +# check if rules file is there +if [ ! -f $CONF ] +then + no_configfile +fi + +# Check whether we have to drop privileges. +if [ -n "$RUNAS" ]; then + if ! getent passwd "$RUNAS" >/dev/null; then + RUNAS="" + fi +fi + +set -e + +case "$1" in + start) + echo -n "Starting $DESC: " + start-stop-daemon --start --quiet \ + --name ${RUNAS} \ + --exec $DAEMON -- ${ARGS} --daemon --file=${CONF} --interface=${INET} --port=${PORT} --user=${RUNAS} --group=${RUNAS} + echo "$NAME." + ;; + stop) + echo -n "Stopping $DESC: " + start-stop-daemon --stop --quiet --oknodo \ + --exec $DAEMON + echo "$NAME." + rm -f /var/run/$NAME.pid + ;; + reload) + echo "Reloading $DESC configuration files." 
+ for pid in `pidof ${NAME}`; do kill -HUP ${pid}; done ; + ;; + restart|force-reload) + echo -n "Restarting $DESC (incl. cache): " + $0 stop + sleep 1 + $0 start + echo "$NAME." + ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/patches/00list b/debian/patches/00list new file mode 100644 index 0000000..324347e --- /dev/null +++ b/debian/patches/00list @@ -0,0 +1 @@ +10_fix_manpage.dpatch diff --git a/debian/patches/10_fix_manpage.dpatch b/debian/patches/10_fix_manpage.dpatch new file mode 100755 index 0000000..76c020c --- /dev/null +++ b/debian/patches/10_fix_manpage.dpatch @@ -0,0 +1,21 @@ +#!/bin/sh /usr/share/dpatch/dpatch-run +## 10_fix_manpage.dpatch by Jan Wagner +## +## DP: Fix manpage section + +@DPATCH@ + +diff -Nur postfwd-1.03.orig/man/man1/postfwd.1 postfwd-1.03/man/man1/postfwd.1 +--- postfwd-1.03.orig/man/man1/postfwd.1 2007-10-29 09:29:15.000000000 +0100 ++++ postfwd-1.03/man/man1/postfwd.1 2008-03-12 01:10:48.000000000 +0100 +@@ -128,8 +128,8 @@ + .rm #[ #] #H #V #F C + .\" ======================================================================== + .\" +-.IX Title "POSTFWD 1" +-.TH POSTFWD 1 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation" ++.IX Title "POSTFWD 8" ++.TH POSTFWD 8 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation" + .SH "NAME" + postfwd \- postfix firewall daemon + .SH "SYNOPSIS" diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..8d4160d --- /dev/null +++ b/debian/postinst 
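Review bot: In the "Check whether we have to drop privileges" block, a RUNAS account that does not exist is handled by blanking RUNAS, after which the start case passes `--user= --group=` to the daemon and gives start-stop-daemon's `--name` no argument; the likely outcome is postfwd running as root with no message, which should be confirmed but is the opposite of what that block intends. Failing is safer: `if ! getent passwd "$RUNAS" >/dev/null; then echo "$NAME: user $RUNAS does not exist" >&2; exit 1; fi`. Separately, `--name ${RUNAS}` hands start-stop-daemon the account name where it expects a process name; `--name $NAME` is presumably what was meant. The reload case signals every process pidof finds under the name postfwd rather than the one started here; since the stop case already removes /var/run/$NAME.pid, driving reload and stop through `--pidfile /var/run/$NAME.pid` would be tighter.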
@@ -0,0 +1,57 @@
+#!/bin/sh
+# based on arpwatch.postinst: v11 2004/09/15 KELEMEN Peter
+# postinst: v1 2006/01/12 Jan Wagner
+
+set -e
+
+NUSER="postfw"
+NGROUP="postfw"
+NHOME="/var/lib/$NUSER"
+NGECOS="postfwd user"
+
+case "$1" in
+ configure)
+ # Take care of group.
+ if NGROUP_ENTRY=`getent group $NGROUP`; then
+ # group exists
+ :
+ else
+ # group does not exist yet
+ addgroup --quiet --system $NGROUP
+ fi
+
+ # Take care of user.
+ if NUSER_ENTRY=`getent passwd $NUSER`; then
+ # user exists
+ adduser --quiet $NUSER $NGROUP
+ #
+ else
+ # user does not exist yet
+ adduser --quiet --system \
+ --ingroup $NGROUP \
+ --gecos "$NGECOS" \
+ --home $NHOME \
+ --no-create-home \
+ --shell /bin/sh \
+ --disabled-login \
+ --disabled-password \
+ --shell /bin/false \
+ $NUSER
+ fi
+
+ # Set up home directory.
+ if [ -d $NHOME ]; then
+ chown -R ${NUSER}:${NGROUP} $NHOME
+ chmod -R o-rwX $NHOME
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..3e7be22
--- /dev/null
+++ b/debian/postrm
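Review bot: The adduser invocation for a new account passes `--shell /bin/sh` and, a few lines later, `--shell /bin/false`; which one wins depends on adduser's option handling, and a daemon account clearly wants no login shell, so drop the `--shell /bin/sh \` line. The `NGROUP_ENTRY=` and `NUSER_ENTRY=` assignments are never read afterwards; `if getent group "$NGROUP" >/dev/null; then` states the test directly and quotes the name. The home-directory block runs only if /var/lib/postfw already exists, and nothing in this commit creates it (adduser is given --no-create-home and debian/rules installs no such directory), so either create it here before the chown or add a comment saying the block is intentionally a no-op until something ships that directory.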
@@ -0,0 +1,53 @@
+#!/bin/sh
+# based on arpwatch.postrm: v2 2004/09/15 KELEMEN Peter
+# postrm: v1 2006/10/12 Jan Wagner
+
+NUSER="postfw"
+NGROUP="postfw"
+
+set -e
+
+case "$1" in
+ purge)
+ # find first and last SYSTEM_UID numbers
+ for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
+ case $LINE in
+ FIRST_SYSTEM_UID*)
+ FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ ;;
+ LAST_SYSTEM_UID*)
+ LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ ;;
+ *)
+ ;;
+ esac
+ done
+ # remove system account if necessary
+ if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
+ if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then
+ if [ -n "$USERID" ]; then
+ if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
+ [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
+
+ deluser --quiet $NUSER || true
+ # And then remove the group
+ GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`
+ if [ -n "$GROUPID" ] ; then
+ delgroup --quiet $NGROUP || true
+ fi
+ fi
+ fi
+ fi
+ fi
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..293fe7f
--- /dev/null
+++ b/debian/rules
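Review bot: `FIST_SYSTEM_UID` is misspelled in three places in the purge case (the assignment under `FIRST_SYSTEM_UID*)` and the two tests below it); it is consistent so the script works, but anyone grepping for FIRST_SYSTEM_UID will miss it, so rename it to `FIRST_SYSTEM_UID`. When /etc/adduser.conf has those keys commented out, the loop leaves both variables empty and the account is never removed on purge; adduser applies built-in defaults in that case, so fallbacks such as `FIST_SYSTEM_UID=${FIST_SYSTEM_UID:-100}` and `LAST_SYSTEM_UID=${LAST_SYSTEM_UID:-999}` after the loop would mirror its behaviour (confirm the values against the installed adduser). The `if USERID=...; then` test always succeeds because the pipeline's status is that of cut, which is presumably why the `-n "$USERID"` check follows; a one-line comment saying so would stop the next reader from "fixing" it. The range check is what keeps a purge from deleting a locally created non-system user of the same name, and that rationale belongs in the comment above it.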
@@ -0,0 +1,47 @@
+#!/usr/bin/make -f
+# written by Jan Wagner
+#
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+include /usr/share/dpatch/dpatch.make
+
+build: patch-stamp
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd
+ install -d -m 0755 debian/postfwd/usr/share/doc/postfwd/examples/
+ cp debian/example-cfg*.txt debian/postfwd/usr/share/doc/postfwd/examples/
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs doc/CHANGELOG
+ dh_installdocs tools
+ dh_installinit -- defaults 19 21
+ dh_installman man/man1/postfwd.1
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..5a512b0
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://www.postfwd.org/postfwd-(.*)\.tar\.gz
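Review bot: `install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd` in the install target puts the daemon in place without the execute bit and relies on the later dh_fixperms call in binary-indep to repair it; stating the intent with `install -D -m 0755 sbin/postfwd debian/postfwd/usr/sbin/postfwd` keeps the package working even if that helper is reordered or dropped. The install target also creates no /var/lib/postfw, which postinst's home-directory block in this same commit expects to exist before it can chown it, so a directory should be created here or listed for dh_installdirs. The recipe lines in this hunk show as single spaces after collapsing; make requires a leading tab, so verify the committed file uses tabs.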