adjust copyright year

Jan Wagner 2008-04-14 08:30:20 +00:00
commit 229f91b71f
16 changed files with 579 additions and 0 deletions

5
debian/README.Debian vendored Normal file

@ -0,0 +1,5 @@
postfwd for Debian
------------------
-- Jan Wagner <waja@cyconet.org> Mon, 10 Mar 2008 22:37:44 +0100

5
debian/changelog vendored Normal file

@ -0,0 +1,5 @@
postfwd (1.03-1) unstable; urgency=low
* Initial release (Closes: #470356).
-- Jan Wagner <waja@cyconet.org> Mon, 10 Mar 2008 22:37:44 +0100

1
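--- a/debian/compat
+++ b/debian/compat
@@ -0,0 +1 @@
+5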

22
debian/control vendored Normal file

@ -0,0 +1,22 @@
Source: postfwd
Section: mail
Priority: optional
Maintainer: Jan Wagner <waja@cyconet.org>
Build-Depends: debhelper (>= 5), dpatch
Homepage: http://www.postfwd.org/
Vcs-Browser: https://trac.cyconet.org/debian/browser/debian/postfwd
Vcs-Svn: https://trac.cyconet.org/svn/debian/postfwd
Standards-Version: 3.7.3
Package: postfwd
Architecture: all
Depends: ${perl:Depends}, adduser, libnet-cidr-lite-perl, libnet-server-perl
Description: a Postfix policyd to combine complex restrictions in a ruleset
Postfwd is written in perl to combine complex postfix restrictions in a
ruleset similar to those of the most firewalls. The program uses the postfix
policy delegation protocol to control access to the mail system before a
message has been accepted (please visit
http://www.postfix.org/SMTPD_POLICY_README.html for more information). It
allows you to choose an action (e.g. reject, dunno) for a combination of
several smtp parameters (like sender and recipient address, size or the
client's TLS fingerprint).

36
debian/copyright vendored Normal file

@ -0,0 +1,36 @@
This package was debianized by Jan Wagner <waja@cyconet.org> on
Mon, 10 Mar 2008 22:37:44 +0100
It was downloaded from <http://www.postfwd.org/>
Upstream Author: Jan Peter Kessler <info@postfwd.org>
Copyright: (c) 2007, Jan Peter Kessler, All rights reserved.
License:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the authors nor the names of his contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Debian packaging is (C) 2008 Jan Wagner <waja@cyconet.org> and
is licensed under the GPL, see `/usr/share/common-licenses/GPL'.

15
debian/default vendored Normal file

@ -0,0 +1,15 @@
# Global options for postfwd(8).
# Set to '1' to enable startup (daemon mode)
#STARTUP=1
# Config file
CONF=/etc/postfix/postfwd.cf
# IP where listen to
INET=127.0.0.1
# Port where listen to
PORT=10040
# run as user postfwd
RUNAS="postfw"
# Arguments passed on start (--daemon implied)
ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"
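Review bot: The comment above RUNAS says the daemon runs as user postfwd, but the value is `postfw`, the account debian/postinst creates (`NUSER="postfw"`); the comment should read `# run as user postfw (account created by postinst)`. The mismatch matters because debian/init.d silently clears RUNAS when `getent passwd` does not find the account, so an admin who "corrects" the value to postfwd loses the privilege drop without any message. Next to INET it would also help to add `# keep on loopback: the Postfix policy delegation protocol carries no authentication`, so the default is not widened casually.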

2
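--- a/debian/docs
+++ b/debian/docs
@@ -0,0 +1,2 @@
+doc/postfwd.html
+doc/postfwd.txt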

108
debian/example-cfg.txt vendored Normal file

@ -0,0 +1,108 @@
# downloaded from http://postfwd.org/example-cfg.txt
# check for more recent versions!
##
## Definitions
##
# Maintenance times
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
};
# Whitelists
&&TRUSTED_NETS { \
client_address=192.168.1.0/22 ; \
client_address=172.16.128.32/27 ; \
};
&&TRUSTED_HOSTS { \
client_name~=\.domain1\.net$ ; \
client_name~=\.domain2\.de$ ; \
};
&&TRUSTED_USERS { \
sasl_username==bob ; \
sasl_username==alice ; \
};
&&TRUSTED_TLS { \
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
encryption_keysize>=64 ; \
};
&&FREEMAIL { \
client_name~=\.gmx\.net$ ; \
client_name~=\.web\.de$ ; \
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
};
&&STATIC { \
# contains freemailers
&&FREEMAIL ; \
client_name~=[\.\-]static[[\.\-] ; \
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};
# Spamchecks
&&BADHELO { \
client_name~=!!($$(helo_name)) ; \
};
&&DYNAMIC { \
client_name~=^unknown$ ; \
client_name~=(\-.+){4} ; \
client_name~=\d{5} ; \
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
&&RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
};
&&RHSBLS { \
rhsbl=rddn.dnsbl.net.au ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
};
##
## Ruleset
##
# temporary reject and drop connection during maintenance window
id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later
# stress-friendly behaviour (will not match on postfix version pre 2.5)
id=STRESS ; stress==yes ; action=dunno
# Whitelists
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
# DNSBL checks
id=RBL_001 ; &&RHSBLS ; &&RBLS ; \
rhsblcount=all ; rblcount=all ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
id=RBL_002 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL_003 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL_004 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
id=RBL_005 ; HIT_rbls>=1 ; &&DYNAMIC ; action=REJECT listed on RBL and $$client_name looks like dynip
id=RBL_006 ; HIT_rhls>=1 ; &&DYNAMIC ; action=REJECT listed on RHSBL and $$client_name looks like dynip
id=RBL_007 ; HIT_rbls>=1 ; &&BADHELO ; action=REJECT listed on RBL and $$helo_name does not match $$client_name
id=RBL_008 ; HIT_rhls>=1 ; &&BADHELO ; action=REJECT listed on RHSBL and $$helo_name does not match $$client_name
# Selective greylisting
id=GREY_001 ; action=dunno ; &&STATIC
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_003 ; action=greylisting ; &&DYNAMIC
id=GREY_004 ; action=greylisting ; HIT_rhls>=1
id=GREY_005 ; action=greylisting ; HIT_rbls>=1
# greylisting should be safe during out-of-office times
id=GREY_006 ; action=greylisting ; days=Sat-Sun
id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00

103
debian/example-cfg2.txt vendored Normal file

@ -0,0 +1,103 @@
# downloaded from http://hege.li/howto/spam/etc/postfwd/postfwd.conf
# check for more recent versions!
## Check DNS Whitelisting
id=OK_DNSWL; \
rbl=list.dnswl.org/127/43200; \
rbl=hostkarma.junkemailfilter.com/127.0.0.[13]; \
action=OK
## Check HELO and reverse DNS
id=SET_HELO; \
helo_name=^(\[|[^.]+$|.*?[0-9.-]{8}); \
action=set(HIT_helo=1)
id=SET_NODNS; \
client_name=^unknown$; \
action=set(HIT_nodns=1)
id=REJECT_HELO_NODNS; \
HIT_helo==1; HIT_nodns==1; \
action=REJECT Your HELO is suspicious and no reverse DNS
## Check ZEN for immediate blocking
id=REJECT_RBL_ZEN; \
rbl=zen.spamhaus.org; \
action=REJECT You are listed in zen.spamhaus.org DNSBL
## Check DNSBLs
&&DNSBLS { \
rbl=bl.spamcop.net; \
rbl=dnsbl-1.uceprotect.net; \
rbl=psbl.surriel.org; \
rbl=dnsbl.ahbl.org; \
rbl=dnsbl.njabl.org; \
rbl=list.dsbl.org; \
rbl=dnsbl.sorbs.net; \
rbl=ix.dnsbl.manitu.net; \
rbl=hostkarma.junkemailfilter.com/127.0.0.2; \
};
id=EVAL_DNSBLS; \
&&DNSBLS; rblcount=all; \
action=set(HIT_rbls=$$rblcount)
id=REJECT_RBL_MULTI; \
HIT_rbls>=2; \
action=REJECT You are listed in several DNSBLs
## Check RHSBLs
&&RHSBLS_REVERSE { \
rhsbl_reverse_client=l1.apews.org; \
rhsbl_reverse_client=rddn.dnsbl.net.au; \
rhsbl_reverse_client=dynamic.rhs.mailpolice.com; \
};
&&RHSBLS_SENDER { \
rhsbl_sender=multi.uribl.com; \
rhsbl_sender=multi.surbl.org; \
rhsbl_sender=rhsbl.ahbl.org; \
rhsbl_sender=rhsbl.sorbs.net; \
rhsbl_sender=dsn.rfc-ignorant.org; \
};
id=EVAL_RHSBLS; \
&&RHSBLS_REVERSE; &&RHSBLS_SENDER; rhsblcount=all; \
action=set(HIT_rhsbls=$$rhsblcount)
id=REJECT_RHSBL_MULTI; \
HIT_rhsbls>=2; \
action=REJECT You are listed in several RHSBLs
## Combined checks
id=REJECT_RBL_RHSBL; \
HIT_rbls>=1; HIT_rhsbls>=1; \
action=REJECT You are DNSBL and RHSBL listed
id=REJECT_RBL_HELO; \
HIT_rbls>=1; HIT_helo==1; \
action=REJECT You are DNSBL listed and HELO is suspicious
id=REJECT_RBL_NODNS; \
HIT_rbls>=1; HIT_nodns==1; \
action=REJECT You are DNSBL listed and no reverse DNS
id=REJECT_RHSBL_HELO; \
HIT_rhsbls>=1; HIT_helo==1; \
action=REJECT You are RHSBL listed and HELO is suspicious
id=REJECT_RHSBL_NODNS; \
HIT_rhsbls>=1; HIT_nodns==1; \
action=REJECT You are RHSBL listed and no reverse DNS
## Greylist suspicious
id=GREY_RBL; HIT_rbls>=1; action=check_postgrey
id=GREY_RHSBL; HIT_rhsbls>=1; action=check_postgrey

101
debian/init.d vendored Normal file

@ -0,0 +1,101 @@
#! /bin/sh
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl
# /etc/init.d/postfwd: v1 2008/03/12 Jan Wagner <waja@cyconet.org>
### BEGIN INIT INFO
# Provides: postfwd
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the postfw daemon
# Description: a Perl policy daemon for the Postfix MTA
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=postfwd
DAEMON=/usr/sbin/${NAME}
DESC=postfwd
test -x $DAEMON || exit 0
not_configured () {
echo "#### WARNING ####"
echo "${NAME} won't be started/stopped unless it is configured."
echo "If you want to start ${NAME} as daemon, see /etc/default/${NAME}."
echo "#################"
exit 0
}
no_configfile () {
echo "#### WARNING ####"
echo "${NAME} won't be started/stopped unless a rules file is provided at $CONF."
echo "#################"
exit 0
}
# check if postfwd is configured or not
if [ -f "/etc/default/$NAME" ]
then
. /etc/default/$NAME
if [ "$STARTUP" != "1" ]
then
not_configured
fi
else
not_configured
fi
# check if rules file is there
if [ ! -f $CONF ]
then
no_configfile
fi
# Check whether we have to drop privileges.
if [ -n "$RUNAS" ]; then
if ! getent passwd "$RUNAS" >/dev/null; then
RUNAS=""
fi
fi
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet \
--name ${RUNAS} \
--exec $DAEMON -- ${ARGS} --daemon --file=${CONF} --interface=${INET} --port=${PORT} --user=${RUNAS} --group=${RUNAS}
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --oknodo \
--exec $DAEMON
echo "$NAME."
rm -f /var/run/$NAME.pid
;;
reload)
echo "Reloading $DESC configuration files."
for pid in `pidof ${NAME}`; do kill -HUP ${pid}; done ;
;;
restart|force-reload)
echo -n "Restarting $DESC (incl. cache): "
$0 stop
sleep 1
$0 start
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
exit 1
;;
esac
exit 0
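Review bot: The privilege-drop check fails open: when `getent passwd "$RUNAS"` finds no account the script sets `RUNAS=""` and carries on, so the start branch launches the daemon with `--user= --group=` and a `--name` option that has no value of its own, instead of refusing to start. Whether postfwd then keeps root cannot be seen from this page, but the safer behaviour is to stop, for example by replacing `RUNAS=""` with `echo "$NAME: user $RUNAS not found, not starting" >&2; exit 1`. Separately, `--name ${RUNAS}` passes the account name where start-stop-daemon expects a process name, and `reload` sends HUP to every PID that `pidof ${NAME}` returns. If the daemon can write a pidfile, using it for start, stop and reload would make all three target only the instance this script started.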

1
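--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -0,0 +1 @@
+10_fix_manpage.dpatch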

21
debian/patches/10_fix_manpage.dpatch vendored Executable file

@ -0,0 +1,21 @@
#!/bin/sh /usr/share/dpatch/dpatch-run
## 10_fix_manpage.dpatch by Jan Wagner <waja@cyconet.org>
##
## DP: Fix manpage section
@DPATCH@
diff -Nur postfwd-1.03.orig/man/man1/postfwd.1 postfwd-1.03/man/man1/postfwd.1
--- postfwd-1.03.orig/man/man1/postfwd.1 2007-10-29 09:29:15.000000000 +0100
+++ postfwd-1.03/man/man1/postfwd.1 2008-03-12 01:10:48.000000000 +0100
@@ -128,8 +128,8 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "POSTFWD 1"
-.TH POSTFWD 1 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation"
+.IX Title "POSTFWD 8"
+.TH POSTFWD 8 "2007-10-29" "perl v5.8.5" "User Contributed Perl Documentation"
.SH "NAME"
postfwd \- postfix firewall daemon
.SH "SYNOPSIS"

57
debian/postinst vendored Normal file

@ -0,0 +1,57 @@
#!/bin/sh
# based on arpwatch.postinst: v11 2004/09/15 KELEMEN Peter <fuji@debian.org>
# postinst: v1 2006/01/12 Jan Wagner <waja@cyconet.org>
set -e
NUSER="postfw"
NGROUP="postfw"
NHOME="/var/lib/$NUSER"
NGECOS="postfwd user"
case "$1" in
configure)
# Take care of group.
if NGROUP_ENTRY=`getent group $NGROUP`; then
# group exists
:
else
# group does not exist yet
addgroup --quiet --system $NGROUP
fi
# Take care of user.
if NUSER_ENTRY=`getent passwd $NUSER`; then
# user exists
adduser --quiet $NUSER $NGROUP
#
else
# user does not exist yet
adduser --quiet --system \
--ingroup $NGROUP \
--gecos "$NGECOS" \
--home $NHOME \
--no-create-home \
--shell /bin/sh \
--disabled-login \
--disabled-password \
--shell /bin/false \
$NUSER
fi
# Set up home directory.
if [ -d $NHOME ]; then
chown -R ${NUSER}:${NGROUP} $NHOME
chmod -R o-rwX $NHOME
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#
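Review bot: The `adduser --system` call passes both `--shell /bin/sh` and `--shell /bin/false`; which one takes effect depends on adduser's option parsing, so the service account may end up with a usable shell. Drop the `--shell /bin/sh \` line so the intent is unambiguous. The later `chown -R ${NUSER}:${NGROUP} $NHOME` and `chmod -R o-rwX $NHOME` run as root on every configure over a tree the unprivileged account may already control, and the directory itself is never created here (`--no-create-home`). Creating it explicitly with `install -d -o "$NUSER" -g "$NGROUP" -m 0750 "$NHOME"` and dropping the recursive calls would avoid root walking content owned by the service user.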

53
debian/postrm vendored Normal file

@ -0,0 +1,53 @@
#!/bin/sh
# based on arpwatch.postrm: v2 2004/09/15 KELEMEN Peter <fuji@debian.org>
# postrm: v1 2006/10/12 Jan Wagner <waja@cyconet.org>
NUSER="postfw"
NGROUP="postfw"
set -e
case "$1" in
purge)
# find first and last SYSTEM_UID numbers
for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in
FIRST_SYSTEM_UID*)
FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
LAST_SYSTEM_UID*)
LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
*)
;;
esac
done
# remove system account if necessary
if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then
if [ -n "$USERID" ]; then
if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
deluser --quiet $NUSER || true
# And then remove the group
GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`
if [ -n "$GROUPID" ] ; then
delgroup --quiet $NGROUP || true
fi
fi
fi
fi
fi
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
;;
*)
echo "postrm called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#
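Review bot: On purge the account is deleted whenever a `postfw` user exists with a UID inside the system range, which does not show that this package created it. Nothing visible here removes files that UID still owns, so a later account that receives the same UID would inherit them. If deletion is kept, state the assumption in a comment such as `# removes any postfw account in the system UID range, including one that existed before this package was installed`. The variable is also spelled `FIST_SYSTEM_UID` throughout; it works because the typo is consistent, but `FIRST_SYSTEM_UID` would match the adduser.conf key it is read from.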

47
debian/rules vendored Executable file

@ -0,0 +1,47 @@
#!/usr/bin/make -f
# written by Jan Wagner <waja@cyconet.org>
#
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
include /usr/share/dpatch/dpatch.make
build: patch-stamp
clean: unpatch
dh_testdir
dh_testroot
dh_clean
install: build
dh_testdir
dh_testroot
dh_clean -k
dh_installdirs
install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd
install -d -m 0755 debian/postfwd/usr/share/doc/postfwd/examples/
cp debian/example-cfg*.txt debian/postfwd/usr/share/doc/postfwd/examples/
# Build architecture-independent files here.
binary-indep: build install
dh_testdir
dh_testroot
dh_installchangelogs doc/CHANGELOG
dh_installdocs tools
dh_installinit -- defaults 19 21
dh_installman man/man1/postfwd.1
dh_link
dh_compress
dh_fixperms
dh_perl
dh_installdeb
dh_gencontrol
dh_md5sums
dh_builddeb
# Build architecture-dependent files here.
binary-arch: build install
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
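Review bot: The install target copies the daemon with `install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd`, so the executable bit on /usr/sbin/postfwd depends entirely on the later `dh_fixperms` call, while debian/init.d exits silently when `test -x $DAEMON` fails. Install it with the mode it is meant to have, `install -D -m 755 sbin/postfwd debian/postfwd/usr/sbin/postfwd`. dh_fixperms is expected to correct the mode in the built package, so this is a robustness point rather than a shipped defect.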

2
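--- a/debian/watch
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://www.postfwd.org/postfwd-(.*)\.tar\.gz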
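Review bot: The watch file fetches upstream tarballs over plain HTTP and names no signature to check, so a new upstream version found by uscan is accepted without any integrity verification. If upstream publishes detached signatures, add a `pgpsigurlmangle` option and ship the signing key with the packaging. If not, record in a comment that each tarball must be compared against a checksum obtained out of band before import. Whether www.postfwd.org offers HTTPS or signatures is not visible from this page.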