debian/postfwd
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Imported Upstream version 1.20

Browse source
This commit is contained in:
Jan Wagner 2013-11-05 17:33:35 +01:00
parent 80611ddc0e
commit 6a47d71615
11 changed files with 8688 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

15
doc/CHANGELOG
View file

@ -1,3 +1,18 @@
1.20
=====
- code: changed the default umask for the server socket to 0111
to support out-of-the-box postfix setup. Use the
--umask setting to change this
- bugfix: rbl check could fail on multiple dnsbl answers
- bugfix: rbl checks disabled for ipv6 addresses, cidr compare
will switch to default (regex/string)
1.19
=====
- code: Rate limit code rewritten
- code: new --umask setting allows to set filepermissions for pidfiles
and unix domain sockets. Default is 0117 (owner and group rw).
1.18
=====
- bugfix: Fixed bug when comparing sender and recipient addresses, like

173
doc/CHANGELOG2 Normal file
View file

@ -0,0 +1,173 @@
postfwd2 1.00
=============
- code: changed the default umask for the server socket to 0111
to support out-of-the-box postfix setup. Use the
--server_umask setting to change this
- code: --dumpcache command does not require debug mode anymore
- code: rate hits included to cache stats
- bugfix: rbl checks disabled for ipv6 addresses, cidr compare
will switch to default (regex/string)
postfwd2 0.22
=============
- feature: Rate limits are completely supported by postfwd2 now.
Please note that the cache daemon is required for reliable operation.
- bugfix: --syslog_facility could not be changed
- code: rate limit code rewritten
- code: new --umask, --cache_umask and --server_umask settings allow to set
filepermissions for pidfiles and unix domain sockets. New defaults are:
* master (pidfile): 0177 (owner rw)
* cache (socket): 0177 (owner rw)
* server (socket): 0117 (owner and group rw)
postfwd2 0.21
=============
- bugfix: Fixed bug when comparing sender and recipient addresses, like
"sender=$$recipient". This affects only postfwd2 version 0.20.
postfwd2 0.20
=============
- bugfix: Invalid characters in variable substitutions were not correctly catched when
the '=' operator was used, like "client_name=$$helo_name". If you can not
upgrade for some reason change your rule to "client_name=~$$helo_name"
- code: Net::DNS errors will now be handled gracefully
- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100
postfwd2 0.19
=============
- bugfix: this is a bugfix release for 0.18. anyone affected is encouraged to upgrade.
detail: the default behavior for the '=' operator with numeric items
(size, recipient_count, ...) changed with version 0.18 to '==' (equals to).
now these items are compared '>=' (greater than) again.
note: if you are using 0.18 and you are not able upgrade for some reason,
please change '=' to '>=' in your ruleset where you mean 'greater than'.
postfwd2 0.18
=============
- feature: items may now be retrieved from files using "item=file:/some/where"
more information in the postfwd manual (FILES section)
- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items
- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon)
- code: redirect syslog to stdout for --kill, --reload, --showconfig and --dump(cache|stats)
- code: option --reload (HUP signal) now reloads config, if the file is unchanged
- code: new --debug classes 'config' and 'request'
- code: configuration parser improvements:
* rules without defined action will be skipped at configuration stage
* undefined ACLs will now be detected and skipped at configuration stage
* parser timeout skips loading a rule after 4s, to prevent problems with
large files or loops. use --config_timeout to override
- bugfix: documentation fixed (missing "action=" in ask() examples)
- bugfix: fixed logging of an uninitialized value in cache cleanups
postfwd2 0.17
=============
- feature: new compare operators *
====================================================================
ITEM == VALUE true if ITEM equals VALUE
ITEM => VALUE true if ITEM >= VALUE
ITEM =< VALUE true if ITEM <= VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
*ITEM != VALUE false if ITEM equals VALUE
*ITEM !> VALUE false if ITEM >= VALUE
*ITEM !< VALUE false if ITEM <= VALUE
*ITEM !~ VALUE false if ITEM ~= /^VALUE$/i
ITEM = VALUE default behaviour (see ITEMS section)
====================================================================
- feature: added --nodaemon and --stdout options
- code: non dns items first: if a rule contains dns and non dns items, the
lookups will only be done if all non dns items matched
- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly.
this bug affects postfwd2 versions 0.15 - 0.16
- bugfix: negated pcre items with '~=' operator were parsed incorrectly.
this bug affects postfwd2 version 0.16
postfwd2 0.16
=============
- feature: enabled dns cache for sender(ns|mx) and helo address
- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups
- code: parent_dns_cache is now disabled by default. use
--parent_dns_cache if you have a slow nameserver
- bugfix: workaround: Net::Server died if a unix domain socket
filename without a dot ('.') was used (B. Frauendienst)
postfwd2 0.15
=============
- feature: new items sender_ns_names and sender_ns_addrs
- feature: new items sender_mx_names and sender_mx_addrs
- feature: new item helo_address, please see docs for more
- feature: new parent cache statistics. the command line option --dumpstats
uses the --daemons setting now (default: cache,server)
- feature: dnsbl txt lookups only for dnsbls with at least one a record.
use --dns_async_txt for the old behaviour (see docs for more).
- code: summary function went to postfwd::master (and will stay there ;)
- code: small performance improvement (5-10%) for pcre (~= or =~) items
- bugfix: network 0.0.0.0/0 did not work as expected on all platforms
postfwd2 0.14
=============
- code: summary function was moved from postfwd::cache to postfwd::policy.
the reduced policy <-> cache communication increases throughput
considerably and improves cpu balancing on multiprocessor systems
- bugfix: fixed potential division by zero in summary function
postfwd2 0.13
=============
- feature: new options --noidlestats and --norulestats
- feature: more informative --version
- feature: documentation updates
- bugfix: disabled parent_cache counters when --summary=0
postfwd2 0.12
=============
- feature: the ask() action allows to delegate the policy decision to another
policy service (like postgrey). a new parameter allows to specify
answer patterns which should be ignored by postfwd. please look
at the 'ACTIONS' section in the manual (postfwd2 -m) for details.
- feature: parent-request cache will now only be updated, if a rule matches.
if postfwd should cache all requests, you must place a last rule:
id=DEFAULT; action=dunno
- bugfix: reorganised some parent-cache loggings for -vv and *cache debug classes
postfwd2 0.11
=============
- bugfix: all postfwd settings are now detainted
- bugfix: cache-update used an uninitialized value when no rule had hit
postfwd2 0.10
=============
- bugfix: command line arguments --pidfile
postfwd2 0.09
=============
- bugfix: command line arguments --user and --group were not correctly de-tainted
postfwd2 0.08
=============
- bugfix: command line argument --pid_file was ignored
- bugfix: command line argument --manual (-m) did not work
postfwd2 0.07
=============
- first semi-public release of postfwd2
- full ruleset compatibility, no changes required when migrating from postfwd v1
- new architecture:
* Net::Server::PreFork
ruleset processor (server) forks new child for any request
* Net::Server::Multiplex for parent cache
offers a shared request, dns and rate cache for postfwd2 children
* Net::Server::Daemonize for master process
controls server and cache (watchdog function) and allows direct
access to statistics, cache-contents, ... from the command-line
- many new commandline options (see postfwd2 -h) for more information

24
doc/postfwd.html
View file

@ -64,6 +64,7 @@
--proto &lt;proto&gt; socket type (tcp or unix)
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
--umask &lt;mask&gt; set umask for file permissions
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;
-l, --logname &lt;label&gt; label for syslog messages
@ -443,10 +444,11 @@ rule containing only an action statement:</p>
this command creates a counter for the given &lt;item&gt;, which will be increased any time a request
containing it arrives. if it exceeds &lt;max&gt; within &lt;time&gt; seconds it will return &lt;action&gt; to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that &lt;action&gt; is currently limited to postfix actions (no postfwd actions)!
# no more than 3 requests per 5 minutes
# from the same &quot;unknown&quot; client
id=RATE01 ; client_name==unknown ; \
action==rate($$client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
<pre>
size (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
@ -454,7 +456,7 @@ rule containing only an action statement:</p>
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
<pre>
rcpt (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
@ -463,7 +465,7 @@ rule containing only an action statement:</p>
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt($$client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
<pre>
ask (&lt;addr&gt;:&lt;port&gt;[:&lt;ignore&gt;])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -609,6 +611,11 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
-g, --group &lt;name&gt;
Changes real and effective group to &lt;name&gt;.</pre>
<pre>
--umask &lt;mask&gt;
Changes the umask for filepermissions (unix domain sockets, pidfiles).
Attention: This is umask, not chmod - you have to specify the bits that
should NOT apply. E.g.: umask 077 equals to chmod 700.</pre>
<pre>
-R, --chroot &lt;path&gt;
Chroot the process to the specified path.
@ -805,9 +812,10 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=REJECT message too large; size=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=REJECT message too large; size=20000000 ; sasl_username==joejob
id=SZ003; state==END-OF-MESSAGE; action=REJECT message too large; size=10000000</pre>
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size&lt;=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large</pre>
<pre>
## Selective Greylisting
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
@ -856,9 +864,9 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate($$client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size($$client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
<pre>
## Macros
# definition

24
doc/postfwd.txt
View file

@ -18,6 +18,7 @@ SYNOPSIS
--proto <proto> socket type (tcp or unix)
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
--umask <mask> set umask for file permissions
-R, --chroot <path> chroot the daemon to <path>
--pidfile <path> create pidfile under <path>
-l, --logname <label> label for syslog messages
@ -464,10 +465,11 @@ DESCRIPTION
this command creates a counter for the given <item>, which will be increased any time a request
containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that <action> is currently limited to postfix actions (no postfwd actions)!
# no more than 3 requests per 5 minutes
# from the same "unknown" client
id=RATE01 ; client_name==unknown ; \
action==rate($$client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
size (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
@ -475,7 +477,7 @@ DESCRIPTION
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
rcpt (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
@ -484,7 +486,7 @@ DESCRIPTION
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt($$client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
ask (<addr>:<port>[:<ignore>])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -648,6 +650,11 @@ DESCRIPTION
-g, --group <name>
Changes real and effective group to <name>.
--umask <mask>
Changes the umask for filepermissions (unix domain sockets, pidfiles).
Attention: This is umask, not chmod - you have to specify the bits that
should NOT apply. E.g.: umask 077 equals to chmod 700.
-R, --chroot <path>
Chroot the process to the specified path.
Test this before using - you might need some libs there.
@ -847,9 +854,10 @@ DESCRIPTION
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=REJECT message too large; size=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=REJECT message too large; size=20000000 ; sasl_username==joejob
id=SZ003; state==END-OF-MESSAGE; action=REJECT message too large; size=10000000
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
## Selective Greylisting
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
@ -898,9 +906,9 @@ DESCRIPTION
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate($$client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size($$client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
## Macros
# definition

1182
doc/postfwd2.html Normal file
View file

File diff suppressed because it is too large Load diff

1270
doc/postfwd2.txt Normal file
View file

File diff suppressed because it is too large Load diff