Imported Upstream version 1.35
This commit is contained in:
parent
db065246e2
commit
3c1cc6eb3d
11 changed files with 1565 additions and 1684 deletions
|
|
@ -1,14 +1,18 @@
|
|||
<?xml version="1.0" ?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>postfwd - postfix firewall daemon</title>
|
||||
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||||
<link rev="made" href="mailto:root@localhost" />
|
||||
</head>
|
||||
|
||||
<body style="background-color: white">
|
||||
|
||||
<p><a name="__index__"></a></p>
|
||||
|
||||
<!-- INDEX BEGIN -->
|
||||
<div name="index">
|
||||
<p><a name="__index__"></a></p>
|
||||
|
||||
<ul>
|
||||
|
||||
|
|
@ -37,9 +41,11 @@
|
|||
<li><a href="#license">LICENSE</a></li>
|
||||
<li><a href="#author">AUTHOR</a></li>
|
||||
</ul>
|
||||
|
||||
<hr name="index" />
|
||||
</div>
|
||||
<!-- INDEX END -->
|
||||
|
||||
<hr />
|
||||
<p>
|
||||
</p>
|
||||
<h1><a name="name">NAME</a></h1>
|
||||
|
|
@ -111,7 +117,8 @@
|
|||
--config_timeout <i> parser timeout in seconds
|
||||
--keep_rates do not clear rate limit counters on reload
|
||||
--save_rates <file> save and load rate limits on disk
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed</pre>
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
|
||||
(please note the limitations)</pre>
|
||||
<pre>
|
||||
Plugins:
|
||||
--plugins <file> loads postfwd plugins from file</pre>
|
||||
|
|
@ -165,6 +172,8 @@ is not important. So the following would lead to the same result as the previous
|
|||
ITEM == VALUE true if ITEM equals VALUE
|
||||
ITEM => VALUE true if ITEM >= VALUE
|
||||
ITEM =< VALUE true if ITEM <= VALUE
|
||||
ITEM > VALUE true if ITEM > VALUE
|
||||
ITEM < VALUE true if ITEM < VALUE
|
||||
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
|
||||
ITEM != VALUE false if ITEM equals VALUE
|
||||
ITEM !> VALUE false if ITEM >= VALUE
|
||||
|
|
@ -442,7 +451,7 @@ necessary. Of course this might increase the system load, so please use it with
|
|||
<pre>
|
||||
-- FILE /etc/postfwd/clients_west.cf --
|
||||
192.168.3.0/24</pre>
|
||||
<p>Remind that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
|
||||
<p>Note that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
|
||||
with postfwd1 v1.15 and postfwd2 v0.18 and higher.</p>
|
||||
<p>
|
||||
</p>
|
||||
|
|
@ -456,7 +465,7 @@ request attributes by preceeding $$ characters, like:</p>
|
|||
id=R-003; client_name = !!$$helo_name; action=WARN helo '$$(helo_name)' does not match DNS '$$(client_name)'</pre>
|
||||
<p><em>postfix actions</em></p>
|
||||
<p>Actions will be replied to postfix as result to policy delegation requests. Any action that postfix understands is allowed - see
|
||||
``man 5 access'' or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
|
||||
"man 5 access" or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
|
||||
which simply logs the event will be used for the corresponding rule.</p>
|
||||
<p>postfwd will return dunno if it has reached the end of the ruleset and no rule has matched. This can be changed by placing a last
|
||||
rule containing only an action statement:</p>
|
||||
|
|
@ -494,7 +503,7 @@ rule containing only an action statement:</p>
|
|||
this command creates a counter for the given <item>, which will be increased any time a request
|
||||
containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
|
||||
rate counters are very fast as they are executed before the ruleset is parsed.
|
||||
please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
please note that <action> was limited to postfix actions (no postfwd actions) for postfwd versions <1.33!
|
||||
# no more than 3 requests per 5 minutes
|
||||
# from the same "unknown" client
|
||||
id=RATE01 ; client_name==unknown
|
||||
|
|
@ -525,6 +534,11 @@ rule containing only an action statement:</p>
|
|||
# recipient count limit 3 per hour per client
|
||||
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
|
||||
<pre>
|
||||
rate5321,size5321,rcpt5321 (<item>/<max>/<time>/<action>)
|
||||
same as the corresponding non-5321 functions, with the difference that the localpart of
|
||||
sender oder recipient addresses are evaluated case-sensitive according to rfc5321. That
|
||||
means that requests from bob@example.local and BoB@example.local will be treated differently</pre>
|
||||
<pre>
|
||||
ask (<addr>:<port>[:<ignore>])
|
||||
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||||
|
|
@ -537,9 +551,15 @@ rule containing only an action statement:</p>
|
|||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)</pre>
|
||||
<pre>
|
||||
mail(server/helo/from/to/subject/body)
|
||||
This command is deprecated. You should try to use the sendmail() action instead.
|
||||
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
not track notification state and will notify you any time, the corresponding rule hits.</pre>
|
||||
<pre>
|
||||
sendmail(sendmail-path::from::to::subject::body)
|
||||
Mail command, that uses an existing sendmail binary and sends a message with the given arguments.
|
||||
LIMITATIONS: The command does not track notification state and will notify you any time, the
|
||||
corresponding rule hits (which could mean 100 mails for a mail with 100 recipients at RCPT stage).</pre>
|
||||
<pre>
|
||||
wait (<delay>)
|
||||
pauses the program execution for <delay> seconds. use this for
|
||||
|
|
@ -680,6 +700,10 @@ will be used.</p>
|
|||
$myresult = ($myitem <= $val);
|
||||
} elsif ($cmp eq '=>') {
|
||||
$myresult = ($myitem >= $val);
|
||||
} elsif ($cmp eq '<') {
|
||||
$myresult = ($myitem < $val);
|
||||
} elsif ($cmp eq '>') {
|
||||
$myresult = ($myitem > $val);
|
||||
} elsif ($cmp eq '!=') {
|
||||
$myresult = not($myitem == $val);
|
||||
} elsif ($cmp eq '!<') {
|
||||
|
|
@ -709,15 +733,15 @@ continue or to stop parsing the ruleset.</p>
|
|||
# note(<logstring>) command
|
||||
"note" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
my($myaction) = 'dunno'; my($stop) = 0;
|
||||
log_info "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# skips next <myarg> rules
|
||||
"skip" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
my($myaction) = 'dunno'; my($stop) = 0;
|
||||
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
|
@ -725,8 +749,8 @@ continue or to stop parsing the ruleset.</p>
|
|||
# dumps current request contents to syslog
|
||||
"dumprequest" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
my($myaction) = 'dunno'; my($stop) = 0;
|
||||
map { log_info "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},</pre>
|
||||
<pre>
|
||||
|
|
@ -979,7 +1003,10 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
With this mode rate limits will be faster, but also eventually set up
|
||||
whitelisting-rules within the ruleset might not work as expected.</pre>
|
||||
whitelisting-rules within the ruleset might not work as expected.
|
||||
LIMITATIONS: This option does not allow nested postfwd commands like
|
||||
action=rate(sender/3/60/wait(3))
|
||||
This option doe not work with the strict-rfc5321 rate() functions.</pre>
|
||||
<p><em>Informational arguments</em></p>
|
||||
<p>These arguments are for command line usage only. Never ever use them with postfix spawn!</p>
|
||||
<pre>
|
||||
|
|
@ -1193,7 +1220,7 @@ check the parser with the -C | --showconfig switch at the command line before ap
|
|||
Rule 0: id->"RBL001"; action->"REJECT listed on spamcop and bad rdns"; rbl->"bl.spamcop.net"; client_name->"^unknown$"</pre>
|
||||
<p><em>Request processing</em></p>
|
||||
<p>When a policy delegation request arrives it will be compared against postfwd`s ruleset. To inspect the processing in detail you should increase
|
||||
verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages to stdout.</p>
|
||||
verbority using use the "-v" or "-vv" switch. "-L" redirects log messages to stdout.</p>
|
||||
<p>Keeping the order of the ruleset in general, items will be compared in random order, which basically means that</p>
|
||||
<pre>
|
||||
id=R001; action=dunno; client_address=192.168.1.1; sender=bob@alice.local</pre>
|
||||
|
|
@ -1232,7 +1259,7 @@ to compare against the request attribute the parser will jump to the next rule i
|
|||
<p>If a rule matches, there are two options:</p>
|
||||
<p>* Rule returns postfix action (dunno, reject, ...)
|
||||
The parser stops rule processing and returns the action to postfix. Other rules will not be evaluated.</p>
|
||||
<p>* Rule returns postfwd action (jump(), note(), ...)
|
||||
<p>* Rule returns postfwd action (jump(), <code>note()</code>, ...)
|
||||
The parser evaluates the given action and continues with the next rule (except for the <code>jump()</code> or <code>quit()</code> actions - please see the <a href="#actions">ACTIONS</a> section
|
||||
for more information). Nothing will be sent to postfix.</p>
|
||||
<p>If no rule has matched and the end of the ruleset is reached postfwd will return dunno without logging anything unless in verbose mode. You may
|
||||
|
|
@ -1252,7 +1279,7 @@ it`s internal caching in that case. Start postfwd with the following parameters:
|
|||
postfwd -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S</pre>
|
||||
<p>For efficient caching you should check if you can use the options --cache-rdomain-only, --cache-no-sender
|
||||
and --cache-no-size.</p>
|
||||
<p>Now check your syslogs (default facility ``mail'') for a line like:</p>
|
||||
<p>Now check your syslogs (default facility "mail") for a line like:</p>
|
||||
<pre>
|
||||
Aug 9 23:00:24 mail postfwd[5158]: postfwd n.nn ready for input</pre>
|
||||
<p>and use `netstat -an|grep 10040` to check for something like</p>
|
||||
|
|
@ -1307,7 +1334,7 @@ I won`t discuss that here. If you plan to do so, just add the following line to
|
|||
disable = no
|
||||
}</pre>
|
||||
<p>and restart the xinetd daemon (usually a SIGHUP should be fine). If you experience problems
|
||||
you might want to check your system's log for xinetd errors like ``socket already in use''.</p>
|
||||
you might want to check your system's log for xinetd errors like "socket already in use".</p>
|
||||
<p>The integration with postfix is similar to the <em>Integration via daemon mode</em> section above.
|
||||
Reload postfix and watch your logs to see if everything works.</p>
|
||||
<p>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue