Imported Upstream version 1.14

This commit is contained in:
Jan Wagner 2013-11-05 17:32:43 +01:00
parent b5012c41b3
commit 2357dc9ae5
9 changed files with 1178 additions and 202 deletions

@ -1,15 +1,13 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>postfwd - postfix firewall daemon</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:feedback@suse.de" />
</head>
<body>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
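Review bot: the hunk leaves the `<head>` with two Content-Type declarations (`<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >` and `<meta http-equiv="content-type" content="text/html; charset=utf-8" />`) and two opening body tags (`<body>` and `<body style="background-color: white">`); after the move to the XHTML 1.0 Strict doctype only one of each should remain, and void elements such as the stylesheet `<link>` and the first `<meta>` need the self-closing ` />` form or the file will not validate. Worth a second look as well: the stylesheet is fetched from an external host over plain http (`http://www.jpkessler.de/css/postfwd.css`), so the rendered manual depends on a third-party server; shipping a local copy with the package, or dropping the stylesheet, would keep the documentation self-contained.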
@ -64,6 +62,7 @@
-d, --daemon run postfwd as daemon
-i, --interface &lt;dev&gt; listen on interface &lt;dev&gt;
-p, --port &lt;port&gt; listen on port &lt;port&gt;
--proto &lt;proto&gt; socket type (tcp or unix)
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
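Review bot: the new `--proto <proto>` line says `socket type (tcp or unix)` but does not say what `-p, --port <port>` takes once `unix` is selected; since the argument then names a filesystem path, either the `-p, --port` usage line should read `<port|path>` or the `--proto` line should point the reader at the socket path, otherwise the summary implies a numeric port is always required.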
@ -87,12 +86,17 @@
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--no-rulestats disables per rule statistics
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request</pre>
<pre>
Informational (use only at command-line!):
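Review bot: two typos in the added option text: `--norulelog            disbles rule logging` should read `disables`, and `--dns_timeout          timeout in seconds for asynchonous dns queries` should read `asynchronous`. The hunk also contains both `--no-rulestats` and `--norulestats` with the same description, so one spelling is replacing the other; the old spelling should either stay accepted as an alias or be called out as removed, or init scripts and command lines that still pass `--no-rulestats` will stop working after the upgrade.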
@ -207,6 +211,15 @@ arguments. Please see the COMMAND LINE section below for more information on thi
<pre>
recipient_localpart, - the local-/domainpart of the recipient address
recipient_domain</pre>
<pre>
helo_address - postfwd tries to look up the helo_name. use
helo_address=!!(0.0.0.0/0) to check for unknown.</pre>
<pre>
sender_ns_names, - postfwd tries to look up the names/ip addresses
sender_ns_addrs of the nameservers for the sender domain part.</pre>
<pre>
sender_mx_names, - postfwd tries to look up the names/ip addresses
sender_mx_addrs of the mx records for the sender domain part.</pre>
<pre>
version - postfwd version, contains &quot;postfwd n.nn&quot;
this enables version based checks in your rulesets
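Review bot: `helo_address=!!(0.0.0.0/0) to check for unknown` relies on the negated any-address mask matching only when the lookup of `helo_name` returned no address at all, and the text should say so explicitly, including whether a lookup that times out or a run with `-n, --nodns` counts as unknown; a rule author deciding between rejecting and deferring on this item needs to know whether a transient DNS failure can make the rule fire. The `sender_ns_names`/`sender_ns_addrs` and `sender_mx_names`/`sender_mx_addrs` items can each yield several names or addresses, so it should also state whether a match on any one of them is sufficient.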
@ -230,6 +243,11 @@ for details:</p>
score=5.0 mask = maximum floating point value
rbl=zen.spamhaus.org mask = &lt;name&gt;/&lt;reply&gt;/&lt;maxcache&gt;[,...]
rblcount=2 mask = numeric, will match if rbl hits &gt;= 2
helo_address=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
sender_ns_names=some.domain.tld mask = PCRE
sender_mx_names=some.domain.tld mask = PCRE
sender_ns_addrs=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
sender_mx_addrs=&lt;a.b.c.d/nn&gt; mask = CIDR[,CIDR,...]
# ------------------------------
# Postfix version 2.1 and later:
# ------------------------------
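Review bot: the five new mask lines give the syntax but not how a multi-valued item is compared: `sender_ns_addrs=<a.b.c.d/nn>` is matched against possibly several addresses and `sender_ns_names=some.domain.tld` is a PCRE applied to possibly several names, so the table should say whether one matching element is enough and what `!!` negation means in that case (none match). Unlike the `rbl=zen.spamhaus.org` entry above them, whose mask carries a `<maxcache>` field, these masks have no cache parameter, so it is worth stating whether and for how long their lookup results are cached.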
@ -352,6 +370,16 @@ rule containing only an action statement:</p>
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
<pre>
ask (&lt;addr&gt;:&lt;port&gt;[:&lt;ignore&gt;])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
and the second argument (address and port) are mandatory. a third optional argument may be
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
# example1: query postgrey and return it's answer to postfix
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031)
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031:^dunno$)</pre>
<pre>
wait (&lt;delay&gt;)
pauses the program execution for &lt;delay&gt; seconds. use this for
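Review bot: the `ask` action text leaves two security-relevant questions open that the example rules make tempting to rely on: what postfwd returns when `<addr>:<port>` is unreachable or does not answer (fail open to dunno, defer, or skip the rule), and whether the `<ignore>` pattern is matched case-insensitively, given that example2 describes the answer as `'DUNNO'` but writes the pattern as `^dunno$`. Both should be stated, and the example pattern should match the case it claims to ignore. Minor: `return it's answer` and `ignore it's answer` should read `its`.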
@ -476,6 +504,11 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
-p, --port &lt;port&gt;
postfwd listens on the specified port (default tcp/10040).</pre>
<pre>
--proto &lt;type&gt;
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
To use postfwd with a unix domain socket, run it as follows:
postfwd --proto=unix --port=/somewhere/postfwd.socket</pre>
<pre>
-u, --user &lt;name&gt;
Changes real and effective user to &lt;name&gt;.</pre>
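Review bot: the unix socket example `postfwd --proto=unix --port=/somewhere/postfwd.socket` should be accompanied by a statement of who can connect to that socket: the mode and owner the socket file is created with (particularly in combination with `-u, --user <name>` and `-g, --group <name>`), whether a stale file at that path is removed at start, and that the path must be reachable by the postfix process that queries it. Without this an administrator cannot tell whether a too-permissive socket lets any local user submit policy requests.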
@ -599,6 +632,17 @@ The following arguments will control it's behaviour in this case.</p>
--dns_timeout_interval (default=1200)
The dnsbl timeout counter will be cleaned after this interval in seconds. Use this
in conjunction with the --dns_timeout_max parameter.</pre>
<pre>
--dns_async_txt
Perform dnsbl A and TXT lookups simultaneously (otherwise only for listings with at
least one A record). This needs more network bandwidth due to increased queries but
might increase throughput because the lookups can be parallelized.</pre>
<pre>
--dns_max_ns_lookups (default=0)
maximum ns names to lookup up with sender_ns_addrs item. use 0 for no maximum.</pre>
<pre>
--dns_max_mx_lookups (default=0)
maximum mx names to lookup up with sender_mx_addrs item. use 0 for no maximum.</pre>
<pre>
-I, --instantcfg
The config files, specified by -f will be re-read for every request
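Review bot: `--dns_max_ns_lookups (default=0)` and `--dns_max_mx_lookups (default=0)` document `0` as "no maximum", so by default a single sender domain with many NS or MX records can trigger an unbounded number of lookups per request; the text should recommend a concrete bound for production use and say how the limit is applied (the first N records in the order returned, or no match once the cap is exceeded). Also `lookup up` in both descriptions should read `look up`, and the `--dns_async_txt` paragraph should say whether the extra TXT queries count toward the `--dns_timeout_max` counter.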
@ -854,7 +898,7 @@ The parser stops rule processing and returns the action to postfix. Other rules
The parser evaluates the given action and continues with the next rule (except for the <code>jump()</code> or <code>quit()</code> actions - please see the <a href="#actions">ACTIONS</a> section
for more information). Nothing will be sent to postfix.</p>
<p>If no rule has matched and the end of the ruleset is reached postfwd will return dunno without logging anything unless in verbose mode. You may
simply place a last `catch-all´ rule to change that behaviour:</p>
simply place a last `catch-all´ rule to change that behaviour:</p>
<pre>
... &lt;your rules&gt; ...
id=DEFAULT ; action=dunno</pre>
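Review bot: the two versions of `simply place a last \`catch-all´ rule to change that behaviour:</p>` are identical once rendered, so the change is in whitespace or in the encoding of the acute accent; replacing the mixed backtick/acute pair with plain ASCII quotes (`'catch-all'`) would make the line encoding-independent and stop it from surfacing as a spurious change in future diffs.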
@ -996,17 +1040,8 @@ POSSIBILITY OF SUCH DAMAGE.</p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info (AT) postfwd (DOT) org&gt;. Let me know, if you have any suggestions.</p>
<p><center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/doc.html</small>
<td width="34%" align="center"><small>2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center></p>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
</body>
</html>
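Review bot: dropping the footer table removes the only mention of the documentation URL `http://www.postfwd.org/doc.html` and the copyright line (`2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a>`); the URL at least should survive in the AUTHOR paragraph, and the year should be updated rather than deleted. Removing the markup itself is right, since `<center>` inside `<p>` and `<td>` cells with no enclosing `<tr>` would not validate against the XHTML 1.0 Strict doctype this commit introduces. Please also confirm that only one of the two near-identical author lines (they differ solely in the `&nbsp;` inside the address) remains after the change.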