Imported Upstream version 1.14

This commit is contained in:
Jan Wagner 2013-11-05 17:32:43 +01:00
parent b5012c41b3
commit 2357dc9ae5
9 changed files with 1178 additions and 202 deletions

View file

@ -1,3 +1,57 @@
1.14
=====
- feature: new compare operators *
====================================================================
ITEM == VALUE true if ITEM equals VALUE
ITEM => VALUE true if ITEM >= VALUE
ITEM =< VALUE true if ITEM <= VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
*ITEM != VALUE false if ITEM equals VALUE
*ITEM !> VALUE false if ITEM >= VALUE
*ITEM !< VALUE false if ITEM <= VALUE
*ITEM !~ VALUE false if ITEM ~= /^VALUE$/i
ITEM = VALUE default behaviour (see ITEMS section)
====================================================================
- feature: added --nodaemon option
- code: non dns items first: if a rule contains dns and non dns items, the
lookups will only be done if all non dns items matched
- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly.
this bug affects postfwd versions 1.12 - 1.13
- bugfix: negated pcre items with '~=' operator were parsed incorrectly.
this bug affects postfwd version 1.13
1.13
=====
- feature: enabled dns cache for sender(ns|mx) and helo address
- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups
- bugfix: workaround: Net::Server died if a unix domain socket
filename without a dot ('.') was used (B. Frauendienst)
1.12
=====
- feature: new items sender_ns_names and sender_ns_addrs
- feature: new items sender_mx_names and sender_mx_addrs
- feature: new item helo_address, please see docs for more
- feature: added --proto switch, to enable the use of unix domain sockets
(thanks to Bernhard Frauendienst)
- feature: added command-line options --kill and --reload
(of course you can still use TERM and HUP signals)
- feature: dnsbl txt lookups only for dnsbls with at least one a record.
use --dns_async_txt for the old behaviour (see docs for more).
- code: small performance improvement (5-10%) for pcre (~= or =~) items
- bugfix: network 0.0.0.0/0 did not work as expected on all platforms
- bugfix: postfwd tried to chop() an uninitialized value when sending
garbage (non policy delegation protocol requests) to it.
1.11
=====
- feature: the ask() action allows to delegate the policy decision to another
policy service (like postgrey). a new parameter allows to specify
answer patterns which should be ignored by postfwd. please look
at the 'ACTIONS' section in the manual (postfwd2 -m) for details.
- feature: new options --noidlestats and --norulelog
- feature: more informative --version
- feature: documentation updates
**************************************************************************************************
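Review bot: the operator table lines for `!>` and `!<` read "false if ITEM >= VALUE" and "false if ITEM <= VALUE", so `!>` is the exact negation of `=>` (true only when ITEM < VALUE) and not "not greater than"; spell that out, because a reader who takes `!>` as "not >" will expect the equal case to match and it does not. The `=~` line likewise shows the pattern is anchored and case-folded (`/^VALUE$/i`), so a partial match needs explicit `.*` on both sides; a one-line remark in the table would prevent rules that silently never match. The "non dns items first" entry is a good defensive change (DNS traffic is only generated for requests that already passed the cheap items), but it should state that only evaluation order changes and that the rule's match result is unaffected.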
@ -6,7 +60,6 @@ ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS.
NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information
**************************************************************************************************
1.10pre8b
==========
- bugfix: fixed two warnings about logging of undefined values in verbose mode

View file

@ -1,15 +1,13 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>postfwd - postfix firewall daemon</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:feedback@suse.de" />
</head>
<body>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
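Review bot: the new head carries `<link rev="made" href="mailto:feedback@suse.de" />`, which looks like a default of the HTML generator on the build host rather than a project contact; replace it with the address given in the AUTHOR section or drop the element. The hunk also shows both `<body>` and `<body style="background-color: white">` and two doctype declarations (HTML 4.01 Transitional and XHTML 1.0 Strict) next to an `<?xml version="1.0" ?>` prologue; whichever lines survive, the generated file must end up with exactly one doctype and one body element, so a quick validation of the output against the XHTML 1.0 Strict DTD it now declares would be worthwhile.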
@ -64,6 +62,7 @@
-d, --daemon run postfwd as daemon
-i, --interface &lt;dev&gt; listen on interface &lt;dev&gt;
-p, --port &lt;port&gt; listen on port &lt;port&gt;
--proto &lt;proto&gt; socket type (tcp or unix)
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
@ -87,12 +86,17 @@
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--no-rulestats disables per rule statistics
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request</pre>
<pre>
Informational (use only at command-line!):
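Review bot: the option `--no-rulestats` is replaced by `--norulestats` in this hunk, which breaks existing init scripts and service units that pass the old spelling, and the 1.14 changelog hunk above does not mention the rename; keep the old spelling as an accepted alias or call the change out in the changelog. The new `--norulelog` line also has a typo in its description ("disbles").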
@ -207,6 +211,15 @@ arguments. Please see the COMMAND LINE section below for more information on thi
<pre>
recipient_localpart, - the local-/domainpart of the recipient address
recipient_domain</pre>
<pre>
helo_address - postfwd tries to look up the helo_name. use
helo_address=!!(0.0.0.0/0) to check for unknown.</pre>
<pre>
sender_ns_names, - postfwd tries to look up the names/ip addresses
sender_ns_addrs of the nameservers for the sender domain part.</pre>
<pre>
sender_mx_names, - postfwd tries to look up the names/ip addresses
sender_mx_addrs of the mx records for the sender domain part.</pre>
<pre>
version - postfwd version, contains &quot;postfwd n.nn&quot;
this enables version based checks in your rulesets
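Review bot: the `helo_address` entry relies on the `helo_address=!!(0.0.0.0/0)` idiom "to check for unknown" without explaining it; say plainly that the double negation matches when no address could be resolved for the helo name. None of the three new lookup items (`helo_address`, `sender_ns_*`, `sender_mx_*`) documents how a failed or timed-out lookup is treated (no match, or match of the negated form), and since these items are driven by data under the sender's control that behaviour decides whether a rule fails open or closed, so it should be stated here.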
@ -230,6 +243,11 @@ for details:</p>
score=5.0 mask = maximum floating point value
rbl=zen.spamhaus.org mask = &lt;name&gt;/&lt;reply&gt;/&lt;maxcache&gt;[,...]
rblcount=2 mask = numeric, will match if rbl hits &gt;= 2
helo_address=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
sender_ns_names=some.domain.tld mask = PCRE
sender_mx_names=some.domain.tld mask = PCRE
sender_ns_addrs=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
sender_mx_addrs=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
# ------------------------------
# Postfix version 2.1 and later:
# ------------------------------
@ -352,6 +370,16 @@ rule containing only an action statement:</p>
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
<pre>
ask (&lt;addr&gt;:&lt;port&gt;[:&lt;ignore&gt;])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
and the second argument (address and port) are mandatory. a third optional argument may be
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
# example1: query postgrey and return it's answer to postfix
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031)
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031:^dunno$)</pre>
<pre>
wait (&lt;delay&gt;)
pauses the program execution for &lt;delay&gt; seconds. use this for
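Review bot: the `ask()` description says the delegated service's answer is returned to postfix as is, so the text should note that the target (here `127.0.0.1:10031`) must be trusted as much as postfwd itself, since whatever it returns becomes the policy decision. The prose says answers matching 'DUNNO' are ignored while the example pattern is `^dunno$`; state whether the ignore pattern is matched case-insensitively (the changelog documents `/i` for the `=~` operator, but not for this argument). Both example comments should read "its answer" rather than "it's answer".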
@ -476,6 +504,11 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
-p, --port &lt;port&gt;
postfwd listens on the specified port (default tcp/10040).</pre>
<pre>
--proto &lt;type&gt;
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
To use postfwd with a unix domain socket, run it as follows:
postfwd --proto=unix --port=/somewhere/postfwd.socket</pre>
<pre>
-u, --user &lt;name&gt;
Changes real and effective user to &lt;name&gt;.</pre>
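Review bot: the `--proto` entry shows `--port=/somewhere/postfwd.socket`, i.e. `--port` is reused as the socket path when `--proto=unix`, but neither this entry nor the `--port` entry above it says so; add one sentence to each. The entry also says nothing about the ownership and mode the socket is created with, which matters because any local user able to connect to it can submit policy requests and read the decisions; document the defaults and how they interact with `-u`/`-g` and `-R`.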
@ -599,6 +632,17 @@ The following arguments will control it's behaviour in this case.</p>
--dns_timeout_interval (default=1200)
The dnsbl timeout counter will be cleaned after this interval in seconds. Use this
in conjunction with the --dns_timeout_max parameter.</pre>
<pre>
--dns_async_txt
Perform dnsbl A and TXT lookups simultaneously (otherwise only for listings with at
least one A record). This needs more network bandwidth due to increased queries but
might increase throughput because the lookups can be parallelized.</pre>
<pre>
--dns_max_ns_lookups (default=0)
maximum ns names to lookup up with sender_ns_addrs item. use 0 for no maximum.</pre>
<pre>
--dns_max_mx_lookups (default=0)
maximum mx names to lookup up with sender_mx_addrs item. use 0 for no maximum.</pre>
<pre>
-I, --instantcfg
The config files, specified by -f will be re-read for every request
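Review bot: `--dns_max_ns_lookups` and `--dns_max_mx_lookups` default to 0, which the text defines as "no maximum", so out of the box a sender domain with many NS or MX names triggers an unbounded number of lookups per request; either ship a bounded default or state explicitly that administrators exposed to untrusted senders should set a limit. Both descriptions also contain the typo "lookup up".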
@ -854,7 +898,7 @@ The parser stops rule processing and returns the action to postfix. Other rules
The parser evaluates the given action and continues with the next rule (except for the <code>jump()</code> or <code>quit()</code> actions - please see the <a href="#actions">ACTIONS</a> section
for more information). Nothing will be sent to postfix.</p>
<p>If no rule has matched and the end of the ruleset is reached postfwd will return dunno without logging anything unless in verbose mode. You may
simply place a last `catch-all´ rule to change that behaviour:</p>
simply place a last `catch-all´ rule to change that behaviour:</p>
<pre>
... &lt;your rules&gt; ...
id=DEFAULT ; action=dunno</pre>
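Review bot: the removed and added forms of the "catch-all" line render identically here, so the change is presumably whitespace or the encoding of the `` ` `` and `´` quote characters; using plain ASCII quotes around catch-all would make the line stable across encodings and keep it from reappearing in future diffs.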
@ -996,17 +1040,8 @@ POSSIBILITY OF SUCH DAMAGE.</p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info (AT) postfwd (DOT) org&gt;. Let me know, if you have any suggestions.</p>
<p><center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/doc.html</small>
<td width="34%" align="center"><small>2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center></p>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
</body>
</html>

View file

@ -15,6 +15,7 @@ SYNOPSIS
-d, --daemon run postfwd as daemon
-i, --interface <dev> listen on interface <dev>
-p, --port <port> listen on port <port>
--proto <proto> socket type (tcp or unix)
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
-R, --chroot <path> chroot the daemon to <path>
@ -38,12 +39,17 @@ SYNOPSIS
-t, --test testing, always returns "dunno"
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary <int> show some usage statistics every <int> seconds
--no-rulestats disables per rule statistics
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request
Informational (use only at command-line!):
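Review bot: this text manual repeats the same wording as the HTML document, including the typo "disbles" in the `--norulelog` line and, in later hunks, "lookup up" and "it's answer"; both files appear to be generated from the same POD source (the HTML file carries pod2html's `<!-- INDEX BEGIN -->` marker), so the fixes belong in the POD and the generated files should then be regenerated rather than edited separately.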
@ -179,6 +185,15 @@ DESCRIPTION
recipient_localpart, - the local-/domainpart of the recipient address
recipient_domain
helo_address - postfwd tries to look up the helo_name. use
helo_address=!!(0.0.0.0/0) to check for unknown.
sender_ns_names, - postfwd tries to look up the names/ip addresses
sender_ns_addrs of the nameservers for the sender domain part.
sender_mx_names, - postfwd tries to look up the names/ip addresses
sender_mx_addrs of the mx records for the sender domain part.
version - postfwd version, contains "postfwd n.nn"
this enables version based checks in your rulesets
(e.g. for migration). works with old versions too,
@ -204,6 +219,11 @@ DESCRIPTION
score=5.0 mask = maximum floating point value
rbl=zen.spamhaus.org mask = <name>/<reply>/<maxcache>[,...]
rblcount=2 mask = numeric, will match if rbl hits >= 2
helo_address=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
sender_ns_names=some.domain.tld mask = PCRE
sender_mx_names=some.domain.tld mask = PCRE
sender_ns_addrs=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
sender_mx_addrs=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
# ------------------------------
# Postfix version 2.1 and later:
# ------------------------------
@ -351,6 +371,16 @@ DESCRIPTION
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
ask (<addr>:<port>[:<ignore>])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
and the second argument (address and port) are mandatory. a third optional argument may be
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
# example1: query postgrey and return it's answer to postfix
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031)
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031:^dunno$)
wait (<delay>)
pauses the program execution for <delay> seconds. use this for
delaying or throtteling connections.
@ -492,6 +522,11 @@ DESCRIPTION
-p, --port <port>
postfwd listens on the specified port (default tcp/10040).
--proto <type>
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
To use postfwd with a unix domain socket, run it as follows:
postfwd --proto=unix --port=/somewhere/postfwd.socket
-u, --user <name>
Changes real and effective user to <name>.
@ -618,6 +653,17 @@ DESCRIPTION
The dnsbl timeout counter will be cleaned after this interval in seconds. Use this
in conjunction with the --dns_timeout_max parameter.
--dns_async_txt
Perform dnsbl A and TXT lookups simultaneously (otherwise only for listings with at
least one A record). This needs more network bandwidth due to increased queries but
might increase throughput because the lookups can be parallelized.
--dns_max_ns_lookups (default=0)
maximum ns names to lookup up with sender_ns_addrs item. use 0 for no maximum.
--dns_max_mx_lookups (default=0)
maximum mx names to lookup up with sender_mx_addrs item. use 0 for no maximum.
-I, --instantcfg
The config files, specified by -f will be re-read for every request
postfwd receives. This enables on-the-fly configuration changes
@ -905,7 +951,7 @@ DESCRIPTION
If no rule has matched and the end of the ruleset is reached postfwd
will return dunno without logging anything unless in verbose mode. You
may simply place a last `catch-all´ rule to change that behaviour:
may simply place a last `catch-all´ rule to change that behaviour:
... <your rules> ...
id=DEFAULT ; action=dunno